Skip to end of metadata
Go to start of metadata

Guidance for on the intended use of this Acceptable Use Policy and Conditions of Use (AUP) text.

The AUP text below is intended to form part of the information presented to a member of a community (the user) at the time they register to access the services comprising an infrastructure. The AUP provides the user with information about their expected behaviour and restrictions on their use of the infrastructure. This "baseline" text can, optionally, be augmented with additional, community or infrastructure specific, clauses as required, but the numbered clauses should not be changed. The registration point where the user is presented with the AUP may be operated directly by the user's research community or by a third party on the community's behalf.

The motivation to provide this "baseline" text is to facilitate -

  • rapid community infrastructure ‘bootstrap’ - communities do not have to build their own AUP from scratch

  • ease the trust of users across an infrastructure - services within an infrastructure have a common framework describing the behaviour of users coming from multiple communities

  • provide a consistent and more understandable enrolment for users - as users move between communities and projects come and go, users have a common understanding of their responsibiities.

Other information to be presented to a user, as addition to the AUP, to properly define their rights and responsibilities when using the infrastructure and services are -

  • Privacy Notice - information about the processing of their personal data together with their rights under law regarding this processing
  • Service Level Agreements - information about what the user can expect from the service in terms of quality such as reliability and availability
  • (Optional) Terms of Service - additional requirements or information which does not naturally fit within the AUP, PN and SLA policies. (e.g. a requirement to cite a sponsoring body in publications or the assignment of Intellectual Property rights.)

When using the baseline AUP text given below, curly brackets "{ }" (coloured blue) indicate text which should be replaced as appropriate to the community, agency or infrastructure presenting the AUP to the user. Angle brackets "< >" (coloured green) indicate text which is optional and should be deleted or replaced as appropriate as above.


Acceptable Use Policy and Conditions of Use

This Acceptable Use Policy and Conditions of Use (“AUP”) defines the rules that govern your access to and use (including transmission, processing, and storage of data) of the resources and services (the “Services”) as granted by {community, and/or the agency, or infrastructure name} (the "Granting Authority").

<This document may be augmented by additional agreements or terms and conditions, in which case the granting authority may optionally add specific clauses - or references thereto - here that are not in conflict with the clauses below and that further define and limit what constitutes acceptable use. The wording of the following clauses must not be changed.>

1. You shall only use the Services in a fashion consistent with the stated goals and policies of the Granting Authority.

2. You shall not use the Services for any purpose that is unlawful and you shall not breach, attempt to breach, nor circumvent any administrative or security controls.

3. You shall respect intellectual property and confidentiality agreements.

4. You shall protect your access credentials (e.g. private keys or passwords).

5. You shall keep all your registered information correct and up to date.

6. You shall immediately report any known or suspected security breach, credential compromise, or misuse to the security contact stated below; and report any compromised credentials to the relevant issuing authorities.

7. Reliance on the Services shall only be to the extent specified by the applicable service level agreements listed below. Use without such agreements is at your own risk.

8. The Granting Authority and the provider of the Services process your personal data in accordance with their privacy policies listed below.

9. The Granting Authority or the provider of the Services may, for administrative, operational, or security reasons, restrict or suspend your use without prior notice and without compensation, within their domain of authority, and you shall immediately comply with their instructions regarding your use of the Services.

10. If you violate these rules, you are liable for the consequences, which may include but are not limited to a report being made to your home organisation and, if the activities are thought to be illegal, to appropriate law enforcement agencies.

The administrative contact for this AUP is: {email address for the Granting Authority}

The security contact for this AUP is: {email address for the infrastructure, community, and/or Granting Authority security contact}

The privacy policies are located at: {URL}

Applicable service level agreements are located at: <URLs>




  • No labels

4 Comments

  1. #4: In ELIXIR, we explicitly added that "you must not share your credentials" (or use a shared account for login). The rationale is that shared accounts kill accountability – you can't hold anyone accountable for use if you don't know who was the person using the account. If the AUP doesn't ban it it is not forbidden.

  2. #7: "... specified by the applicable service level agreements listed below." This implies that the <URLs> for Applicable service level agreements are mandatory. 

  3. Concerning the linking of an AUP with Privacy statement in context of a service federation: The sentence: "The privacy policies are located at: {URL}" should be optional; having no {URL} specified, must not imply the absence of any privacy statement. Infact, the {URL} of the privacy statement must be provided, but not necessarily on the AUP document. Basically a federation can have one single AUP but individual service- and provider-specific privacy statements. A mandatory statement about the location of the privacy statement would make it necessary that every federation member has to provide individual AUPs as they have to provide individual privacy statements.

    Raising awareness about the necessity and importance of privacy statements to be provided by every service provider collecting and managing personal information is a good thing and a topic for WISE.

    But in this particular case it should be possible for a service provider federation to publish and maintain just one single AUP that apply to all federation members and leave the publication or the specific privacy statements to the federaion members.


  4. Coupling AUP with SLAs: referring to the statement of Terrence on #7, I also think that a general AUP should not mandatorily provide a statement to the SLAs. Therefore I suggest to remove the term "listed below" in statement #7 and to make the sentence "Applicable service level agreements are located at: <URLs>" optional.

    Why? SLAs can be service- and even service option-specific. A federation should be able to have and manage only one AUP and leave and further specification of SLAs to the federation members that are providing a specific service (option). In general it should be anticipated that an AUP is generic but SLAs are service(option) specific.