fremforge Acceptable Use Policy

title: fremforge Acceptable Use Policy
author: fremverk
date: 2026-05-25
status: Published v1.2
version: “1.2”
lang: en

Last updated: 2026-05-25

Effective Date: 2026-05-19 — Version: 1.1

This Acceptable Use Policy (“AUP”) forms part of the agreement between fremverk ApS (“fremverk”, “we”) and the customer organisation (“Customer”, “you”) that subscribes to the fremforge Service at frem.sh. In case of conflict between this AUP and the Terms of Service, the order of precedence in Terms of Service §22 governs. The AUP supplements the Terms of Service and the Data Processing Agreement; it does not override them.


1. Scope and intent

fremforge is a commercial, multi-tenant EU-sovereign Git and CI/CD hosting service. It is provided in good faith for lawful software engineering use. The purpose of this AUP is to:

  • Define the conduct and content that is not permitted on the Service.
  • Describe the procedures by which fremverk and third parties may report abuse.
  • Explain the enforcement actions fremverk may take, and the Customer’s rights of appeal.
  • Discharge fremverk’s obligations under the EU Digital Services Act (DSA), the General Data Protection Regulation (GDPR), and Danish law.

This AUP applies to every user authorised by the Customer to use the Service (members, administrators, and owners of a Customer organisation), to any AI agent acting on behalf of such a user under a delegated mandate (see §12), and to any visitor accessing public content hosted on the Service where the Customer has enabled public repositories.

2. Lawful use

You may use fremforge only for lawful purposes and in accordance with this AUP, the Terms of Service (ToS), and all applicable EU, Danish, and — where relevant to your use — local laws. You may not use the Service in any way that would cause fremverk to violate a law or regulation it is subject to.

3. Prohibited content and activity

The following content and activity are prohibited on fremforge. The list is illustrative, not exhaustive.

3.1 Illegal content

  • Child sexual abuse material (CSAM). Any suspected CSAM is immediately reported to the competent authority — the Danish National Police’s National Cyber Crime Centre (NC3, nc3@politi.dk) and Red Barnet’s AnmeldDet hotline (anmelddet.dk) for parallel notification — per Danish law and the EU regulation on combating child sexual abuse material; the responsible org is suspended without prior notice.
  • Content that incites terrorism, genocide, or violence against an identifiable person or group.
  • Content that infringes the copyright, trademark, or other intellectual property rights of a third party, where a valid takedown request has been received.
  • Content that contains personal data and that the data subject has, through the Customer’s controller-side process, validly requested be erased — or that a competent supervisory authority has ordered erased. (Note: fremverk acts as processor here; data subjects address Customer first per DPA §7. fremverk acts directly only on an order from a competent supervisory authority.)
  • Content that violates applicable export controls (EU dual-use regulation, national sanctions regimes).

3.2 Malicious software and content

  • Distribution of malware, ransomware, spyware, rootkits, botnets, command-and-control or beaconing infrastructure, or functionally equivalent code intended to compromise systems you do not own or have authorization to compromise. Repositories that contain security research, proof-of-concept exploits, or defensive tooling are permitted when clearly labelled, responsibly disclosed, and not being actively weaponised.
  • Phishing kits, credential-harvesting tools, or fraud infrastructure intended for deployment against third parties.
  • Code or artifacts whose primary purpose is to bypass platform security controls — for example, scripts whose purpose is to evade fremforge’s rate limiters, secret scanners, or abuse controls.

3.3 Abuse of shared infrastructure

  • Cryptocurrency mining, sustained proof-of-work hashing, or other computation whose principal purpose is to generate cryptocurrency or similar digital assets. This is prohibited on both hosted runners and bring-your-own runners integrated into the Service. Cryptocurrency mining is the primary abuse vector for CI-included services and is treated as a bright line, not a case-by-case judgement. Limited unit / integration tests of validator or consensus-protocol software (e.g., proof-of-stake validator code under test) within ordinary CI build/test minutes are not prohibited; the rule targets the production operation of consensus participation, not its development.
  • Using fremforge or its CI runners as a proxy, VPN endpoint, general-purpose hosting for external services, or as a compute resource for workloads unrelated to software development, build, test, or deployment for the Customer’s own projects.
  • Sustained distributed denial-of-service activity launched from runners or from Git operations against the Service or third parties.
  • Network scanning, port scanning, or unauthorized probing of third-party infrastructure from runners.
  • Systematically exceeding the fair-use concurrency limit published at frem.sh/pricing (currently 2 concurrent jobs per seat, max 100 per organisation on the standard plan; Enterprise-on-Demand customers may negotiate a higher cap) without prior written agreement. Occasional bursts are normal; sustained patterns of hundreds of concurrent jobs against the fair-use ceiling are not.
  • Circumventing seat metering, storage quotas, or egress caps by design (e.g., creating sockpuppet organisations, coordinated-team abuse across multiple organisations).

3.4 Security-critical prohibitions (non-negotiable)

  • Attempting to compromise fremforge infrastructure, other tenants’ data, or the authentication, authorisation, or audit systems of the Service, except as authorised under a responsible-disclosure submission to security@frem.sh.
  • Attempting to disable or bypass the platform-floor controls that cannot be disabled by tenant administrators: high-confidence pre-receive secret scanning, mandatory TLS, audit logging, and the SSRF outbound-proxy filter.
  • Extracting other tenants’ data through any means — the tenant-isolation controls are security guarantees, not technical suggestions.

3.5 Spam, harassment, and deceptive practices

  • Using issues, pull requests, wiki pages, or package registries to host content unrelated to software development (spam, SEO backlink farms, bulk promotional content).
  • Targeted harassment of individuals or groups — on public repositories, on private repositories where the recipient is a Customer user, or via abuse of the issue/comment systems.
  • Impersonation of fremverk, fremforge, or any other person or organisation.
  • Publishing private information of third parties (“doxxing”) without a lawful basis.

3.6 Public-repository-specific restrictions

The Customer may enable public repositories within an organisation. When public repositories are enabled, additional constraints apply:

  • All content on public repositories must comply with §3.1–3.5 above, and the Customer organisation is treated as responsible for that content as a “hosting service provider” under the DSA.
  • The fair-use limits in §4 (1,000 minutes/seat/month, 2 concurrent jobs/seat, max 100/org) are enforced strictly for any organisation that hosts one or more public repositories. Public repos are the primary abuse vector for runner-based cryptocurrency mining; sustained operation at or near the ceiling triggers review and may result in temporary throttling pending verification of the workload’s legitimacy.
  • Public repositories must not be used to distribute software or data subject to export controls outside the permitted jurisdiction.
  • fremverk reserves the right to restrict the public-repo feature for an organisation without prior notice where abuse patterns indicate coordinated mining, spam, or similar platform-level harm.

3.6A Public-docs wiki — anonymous read on private repos

The Customer may opt in, per repository, to anonymous public read of the repository wiki at frem.sh/<org>/<repo>/wiki[/...] independent of whether the underlying repository is public or private. When this opt-in is set, the same DSA “hosting service provider” framing in §3.6 above applies to the wiki content even though the repository itself may remain private:

  • All wiki content rendered on the anonymous read path must comply with §3.1–3.5; the Customer is responsible for that content as a hosting-service-provider under the DSA.
  • The Customer may embed presentation customisation via a per-repo custom_css field (8 KB textarea). The customer accepts that the CSS is served verbatim to anonymous visitors of the public-docs wiki. fremverk performs write-time and render-time sanitisation against < byte injection but does not block CSS-level data exfiltration vectors (e.g. background-image: url(https://tracker.example/...)); the customer is responsible for the privacy implications of any external URLs they reference from their wiki CSS.
  • Public-docs wiki bandwidth counts toward the fair-use ceiling of §4 in the same way as other anonymous read paths.
  • fremverk reserves the right to disable the anonymous-read opt-in on a per-repo basis where abuse patterns indicate coordinated phishing, brand impersonation, or similar platform-level harm.

3.7 No AI training on Customer data

fremverk does not, and does not permit any sub-processor to, use Customer Content, Customer Personal Data, or operational metadata to train, fine-tune, evaluate, or develop AI/ML models. The full prohibition is set out in DPA §6A and is a material term of the contract. This commitment applies to fremverk’s own infrastructure and to fremverk-appointed sub-processors. Customer-configured AI vendors (DPA Annex B §B.8) operate under the Customer’s own contract with the vendor and are not bound by this commitment — the Customer is responsible for ensuring its chosen AI vendor’s terms align with the Customer’s own AI-training-data posture.

4. Hosted CI runner fair use

The fremforge standard plan includes hosted CI minutes and concurrency under a fair-use model:

  • 1,000 runner minutes per seat per month, pooled at organisation level, overage metered at €0.010/min.
  • 2 concurrent jobs per seat, max 100 per organisation as a soft limit. Occasional bursts beyond the cap (for example, after a large merge) are expected and absorbed; sustained operation above the cap is not included in the standard plan.
  • Global concurrency cap across the entire platform. In the rare case where platform-wide demand exceeds the cap, jobs queue with per-organisation fair-share scheduling.

Customers with legitimate needs above these thresholds can contract for dedicated CCI capacity under the Enterprise-on-Demand arrangement. Do not work around the thresholds; contact us.

5. Reporting abuse (DSA Art. 16 notice-and-action)

fremforge is a hosting service within the meaning of Regulation (EU) 2022/2065 (Digital Services Act). We operate a notice-and-action mechanism that meets the requirements of DSA Art. 16 and is available to any person or entity:

Abuse contact: abuse@frem.sh

Structured reporting form: published at https://frem.sh/_app/legal/abuse-report — supplies the fields required under DSA Art. 16(2): identification of the allegedly illegal content (URL or unambiguous indication), reasons it is illegal, the notifier’s identity and contact details (anonymous notices are accepted for content categories that don’t depend on the notifier’s identity), and a good-faith statement. The form posts same-origin to the API, recording the notice into the operator review queue (with a dsa_notice_received LTS log line for operator visibility).

First-response commitment: acknowledgement within 24 business hours of receipt. Decision within 7 calendar days of acknowledgement, absent exceptional circumstances requiring further investigation, in which case we will inform the notifier of the extension.

Decision types:

  • Content removed, user or organisation notified of the removal and the reason.
  • Content restricted (made non-public) pending further investigation.
  • Content left in place, notifier informed of the reason with reference to this AUP, the applicable law, or the absence of a sufficient basis for action.
  • Repeated or egregious violation: account or organisation suspended, with notification and right of appeal.

Right of appeal: every decision under this mechanism is subject to internal review on request by the notifier or by the affected user/organisation. An appeal is resolved within 14 days. The outcome of the internal review does not preclude the affected party from pursuing out-of-court dispute resolution under DSA Art. 21 or judicial remedies.

Law-enforcement contact: compliance@frem.sh with a 48-hour first-response SLA for formally addressed requests from competent authorities.

Emergency response: in cases involving imminent risk to life, ongoing child sexual abuse, or other critical situations, we prioritise immediate action over formal process and coordinate directly with the relevant authority.

5.1 Trusted Flaggers (DSA Art. 22)

Notices submitted by entities designated as Trusted Flaggers by the Digital Services Coordinator under DSA Art. 22 are processed with priority. fremverk maintains an internal register of recognised Trusted Flaggers and publishes the count in the annual transparency report.

5.2 Intellectual property takedowns

A notice alleging copyright, trademark, or other intellectual-property infringement is a special case within the DSA Art. 16 mechanism and is handled through the same abuse@frem.sh channel. In addition to the general DSA Art. 16 requirements, an IP takedown notice must include, as applicable:

  • Identification of the copyrighted, trademarked, or other protected work alleged to be infringed.
  • Identification of the material that is claimed to be infringing (specific URL or unambiguous locator).
  • A statement that the notifier has a good-faith belief that the use is not authorised by the rights-holder, its agent, or the law.
  • A statement that the information provided is accurate and that the complainant is the rights-holder or authorised to act on the rights-holder’s behalf, made subject to liability for false declarations under Danish law (Straffeloven §163 — false declaration to a public authority — applies where the notice is forwarded to a competent court or supervisory authority).
  • Contact details sufficient for fremverk to reach the notifier.

Counter-notice: the affected user or organisation may submit a counter-notice through the same channel, containing a statement — subject to liability for false declarations under Danish law (Straffeloven §163, where the matter is forwarded to a competent court or supervisory authority) — that the material was removed as a result of mistake or misidentification, consent to jurisdiction in Denmark, and contact details. On receipt of a valid counter-notice, fremverk notifies the original notifier and, unless the original notifier confirms within 14 days that they have commenced legal action seeking to prevent further infringing use, restores the removed material.

Where a notice is later determined to have been fraudulent or made in bad faith, fremverk reverses any restriction applied to Customer Content within 24 hours of the determination and pursues recovery of operational costs from the complainant per DPA §13. The impacted period is treated as in-scope for SLA credit calculation per SLA §7.

Repeat-infringer policy: consistent with DSA Art. 23, an organisation whose users repeatedly submit content that is the subject of valid and uncontested IP takedown notices is subject to increasing enforcement actions under §7, up to and including termination of the agreement.

This IP takedown channel operates alongside, and does not replace, the DSA Art. 16 notice-and-action mechanism for other categories of illegal content.

6. Transparency reporting

fremverk publishes an annual transparency report per DSA Art. 15 covering the volume, nature, and outcome of notices received, member-state authority orders received, actions taken on its own initiative, and the average time-to-decision. The report is published at www.frem.sh/trust/dsa/ and is reissued annually.

The year-1 entry — covering the partial period from launch to 31 December 2026 — is a partial-period statement reflecting that fremforge entered general availability mid-year. DSA Art. 15 explicitly accommodates a “we launched and have nothing to report” first-year statement; the partial-period framing is not a deferral of the obligation. Subsequent reports cover full calendar years and publish in Q1 of the following year.

In addition to Art. 15, fremverk publishes the average monthly active EU recipients of the service at the same URL, refreshed at least every six months, per DSA Art. 24(2). fremforge is below the very-large-online-platform (VLOP) threshold; this metric is published for completeness, not because designation is anticipated.

7. Enforcement actions

Depending on the severity, pattern, and context of a violation, fremverk may take one or more of the following enforcement actions:

  • Content removal or restriction — remove the offending content or make it non-public, retaining a record for audit and appeal purposes.
  • User suspension — suspend the offending user’s access across the Service. The organisation administrator is notified and can decide whether to remove the user from the organisation entirely.
  • Organisation throttling — reduce rate limits, pause runner minutes, or temporarily disable public repositories for an organisation whose usage patterns indicate systemic abuse.
  • Organisation suspension — suspend the organisation’s access. All users lose access; the data is retained for 60 days to allow export before primary deletion (matches §11 below + DPA §9 — was previously stated as 30 days, which contradicted §11; reconciled per audit P1-57).
  • Immediate termination — for egregious violations (CSAM, coordinated attack on fremforge infrastructure, severe repeated abuse after prior warnings), the contract is terminated immediately with data retained only where legal or regulatory obligations require.
  • Law-enforcement referral — where Danish or EU law requires us to report, or where the violation involves conduct that warrants referral, we refer the matter to the competent authority.

Where possible without compromising an active investigation or legal process, we notify the affected organisation administrator before applying a suspension or termination and allow a reasonable period to respond. The right of appeal under §5 applies to all enforcement actions.

For non-egregious AUP violations (i.e. violations not posing immediate risk to other Customers, the Service, or third parties), fremverk applies a notice-and-cure sequence: written notice to the Customer’s account-of-record administrator describing the violation, followed by a 7 calendar-day cure period. Suspension or termination follows only if the violation is not cured within that period or recurs after cure. Egregious violations (illegal content, active attacks, mass abuse, court-ordered takedowns) may trigger immediate suspension without cure.

8. Your obligations as an organisation administrator

If you are an administrator of a fremforge organisation, you are responsible for ensuring that your organisation’s members use the Service in accordance with this AUP. You must:

  • Communicate the relevant parts of this AUP to members of your organisation.
  • Respond to abuse notices forwarded to you by fremverk within a reasonable time.
  • Not knowingly authorise, direct, or facilitate AUP violations by members of your organisation.
  • Ensure that any AI agent you grant a delegated mandate to (see §12) operates within the scope of this AUP in the same way your human users do.

9. Your obligations as a User

As a user of fremforge, you must:

  • Comply with this AUP, the ToS, and applicable law.
  • Not share your credentials, OIDC session, or personal access tokens with another person.
  • Report suspected security vulnerabilities to security@frem.sh rather than demonstrate them against live infrastructure (a responsible-disclosure commitment applies — see the trust page for details).
  • Report suspected abuse to abuse@frem.sh.

9A. Vulnerability disclosure

fremverk publishes a vulnerability-disclosure policy at frem.sh/.well-known/security.txt per RFC 9116, with safe-harbour for good-faith research. Third-party penetration test reports, when commissioned, are available to Customers under NDA on written request per DPA §12.1; Enterprise-on-Demand contracts may agree to a specific testing cadence in the Order Form.

10. Security-patching commitment

fremverk commits to patch security vulnerabilities in the platform within the following CVE patch SLA, which is a standalone contractual commitment under this AUP and is cited verbatim in DPA Annex A:

  • Critical (CVSS ≥ 9.0): within 48 hours of upstream fixed release.
  • High (7.0–8.9): within 72 hours.
  • Medium (4.0–6.9): within 7 days.
  • Low: next scheduled maintenance window.

Security patches are not deferred to honour a tenant maintenance window. Adherence is published on the trust page. This stance is part of our obligations to you under this AUP and the ToS, not a gift.

11. Service suspension on non-payment

Non-payment after a reasonable dunning process (typically 30 days from the first failed charge, with at least three notification attempts) results in Service suspension. On suspension, Customer Content is held in read-only-no-egress mode for 60 days from the date of suspension, during which the Customer may cure (pay outstanding Fees) or export. After 60 days without cure, primary deletion follows within a further 30 days, with backup purge complete within an additional 30 days thereafter (per DPA §9 and the staged sequence in the next paragraph) — total time from suspension to backup-purge completion is up to 120 days. This sequence harmonises with terms.md §16.5 (60-day export) and dpa.md §9. This clause is operational and does not affect the enforcement provisions of §7 where a violation has also occurred.

The retention sequence depends on whether suspension converts to termination. Two paths, both ending in primary deletion + backup purge — clarified per audit P1-57 (the previous “120 days total” arithmetic only worked for the non-payment-without-termination path; the termination path is longer):

  • Non-payment without termination: (a) suspension hold of 60 days during which Customer Content is read-only-no-egress and the Customer may cure or export (ToS §4.6). If the Customer cures within (a), no further deletion happens. If the Customer never cures and never terminates: (c) post-suspension primary deletion within 30 days of the end of (a); (d) backup purge within a further 30 days. Total: up to 120 days (60 + 30 + 30).

  • Termination after suspension: (a) 60-day suspension hold (above), then on termination (b) post-termination export window of 60 days during which the Customer may export Customer Content (ToS §16.5); (c) post-export deletion within 30 days of the end of the export window (DPA §9); (d) backup purge within a further 30 days. The 30-day windows in DPA §9 measure from the end of (b); they do not run concurrently. Total: up to 180 days (60 + 60 + 30 + 30).

12. AI agents and delegated mandates

Where a user of your organisation authorises an AI agent to act on their behalf under a delegated mandate (the Phase 2+ agent-native access feature — see the AI posture page in the documentation):

  • The mandate is bounded by the authorising user’s role. An agent holding a mandate from a Member-role user cannot change organisation policy; an agent holding a mandate from an Admin can, within the scope of the mandate.
  • All actions by the agent are your organisation’s responsibility under this AUP in the same way actions by your human users are. An agent violating this AUP is a violation by the organisation, not by an independent third party.
  • Enforcement actions against agents follow the same structure as enforcement actions against users. Revoking a mandate by the authorising user is equivalent to a voluntary suspension of that agent’s access.
  • Audit-log transparency: agent actions are recorded with actor=agent:<agent_id>, on_behalf_of=<user_id> so you and fremverk can distinguish them from human actions for compliance and incident review.

13. Changes to this AUP

We may update this AUP to address new abuse patterns, new legal requirements, or clarifications based on operational experience. Material changes are announced at least 30 days in advance on the trust page and via the security mailing list. Emergency updates to address active abuse (for example, a new cryptocurrency-mining pattern requiring a more specific prohibition) may take effect on shorter notice; such changes are limited to the minimum necessary to address the issue and are documented transparently.

14. Governing law and dispute resolution

This AUP is governed by Danish law. Disputes are subject to the jurisdiction of the competent Danish courts, without prejudice to any mandatory provision protecting consumers (where the Customer is a consumer, which is rare for fremforge as a B2B service) or to out-of-court dispute resolution mechanisms available under DSA Art. 21.

15. Contact

Change log

Version | Date | Change
1.0 | 2026-04-25 | Initial publication.
1.1 | 2026-05-19 | §3.6 + §4: concurrency limit clarified from “5 concurrent jobs per organisation” to “2 concurrent jobs per seat, max 100 per organisation”. Brings AUP into alignment with the /pricing and /product pages — the previous wording had been superseded by the per-seat metering model. Enterprise-on-Demand customers may negotiate a higher cap. Pre-launch (no paying customers), so no DPA §14 customer notification cycle required.