Transmute · Legal
Acceptable Use Policy
Version 1.0 · Effective: July 14, 2026 · Last updated: July 14, 2026
This Acceptable Use Policy (the "AUP") is published by 403 Finance, Inc., a Delaware corporation ("403 Finance," "we," "us," or "our"), and describes uses of Transmute — our hosted SWIFT MT and ISO 20022 message conversion, normalization, and validation service (the "Service") — that are prohibited or restricted. Capitalized terms used but not defined in this AUP have the meanings given to them in our Terms of Service (the "Terms").
1. Scope and Incorporation
(a) Part of the Terms. This AUP is incorporated into and forms part of the Terms. It supplements, and does not limit, the obligations in the Terms. If there is a conflict, the order of precedence in the Terms governs.
(b) Who it applies to. This AUP applies to you as the Customer and to everyone who accesses or uses the Service through your account or your API Credentials, whether or not you authorized that access. It applies to every request you or those users submit, regardless of the Plan under which you access the Service.
(c) Your responsibility for users. You are responsible for the acts and omissions of everyone who uses the Service through your account or API Credentials as if they were your own, including your personnel, contractors, affiliates, and any of your own clients on whose behalf you use the Service. You must ensure that all such users comply with this AUP.
2. Unlawful Use
(a) No use in furtherance of financial crime. You must not access or use the Service in furtherance of, or to facilitate, fraud, money laundering, terrorist financing, sanctions evasion, or any other unlawful activity, and you must not submit any Message Content that relates to an underlying transaction you know or should know to be unlawful.
(b) We do not screen; you are the regulated party. This is fundamental to how the Service works. The Service converts message formats and does not inspect, screen, or filter Message Content. We do not perform sanctions screening, transaction monitoring, anti-money-laundering or counter-terrorist-financing (AML/CTF) checks, fraud detection, or any other examination of the content or legality of what you submit. Sanctions screening, AML/CTF compliance, and the lawfulness of the underlying transactions represented in your Message Content are exclusively your obligation as the regulated party. You must not treat the Service, its Output, or any successful validation result as a control that discharges any legal or regulatory obligation.
(c) Rights and lawful basis to submit. You must not submit any data to the Service that you lack the rights, consents, or a lawful basis to submit and to have us process as described in the Terms and the DPA. This includes any personal data of third parties contained in Message Content.
3. Technical Abuse
(a) No circumvention of limits or metering. You must not circumvent, or attempt to circumvent, the rate limits, quotas, included volumes, spend caps, or metering that apply to your Plan, and you must not interfere with the accuracy of our metering records. Rate limits and quotas are enforced as a per-tenant aggregate across all of your API Credentials and OAuth clients; you must not distribute traffic across multiple keys, clients, accounts, or tenants to defeat them.
(b) No allowance farming. You must not create or operate multiple accounts, tenants, or registrations to obtain, multiply, or farm Free-tier allowances, the one-time test-request pool, or any other benefit that is intended to be provided once or on a per-tenant basis.
(c) No credential sharing. You must not sell, sublicense, lease, or otherwise share your API Credentials with, or make the Service available under your account to, anyone outside your own organization, except as expressly permitted for your own clients under Section 5.
(d) No unauthorized security testing. You must not perform penetration testing, vulnerability scanning, load or stress testing, fuzzing, or other security probing of the Service without our prior written consent, except as expressly permitted by our Vulnerability Disclosure Policy (which constitutes that consent for research conducted within its terms). Our Vulnerability Disclosure Policy is the sanctioned channel for reporting security issues and for any authorized testing; please use it rather than probing the Service on your own.
(e) No interference. You must not interfere with, disrupt, degrade, or impair the integrity, security, or performance of the Service, the infrastructure on which it runs, or any other customer's use of it — including by introducing malware, mounting a denial-of-service attack, attempting to gain unauthorized access to any account, system, or data, or transmitting requests designed to overload or destabilize the Service.
4. Restrictions on the Service
(a) No reverse engineering. You must not reverse engineer, decompile, or disassemble the Service, or attempt to derive its source code, underlying mapping tables, or algorithms, except to the extent applicable law prohibits this restriction notwithstanding this limitation.
(b) No removal of notices. You must not remove, obscure, or alter any copyright, trademark, or other proprietary notice that appears in or on the Service, the Documentation, or any Output.
(c) No competing or benchmark use of the Service or Output. You must not use the Service, the Output, or any corpus of Output derived from the Service to design, develop, train, or improve a product or service that competes with the Service, including any message-conversion, normalization, or validation offering.
5. Service Bureau and Resale
(a) Processing for your own clients is permitted. We recognize that many customers are themselves service providers, processors, or bureaus. You may use the Service to convert, normalize, or validate Message Content on behalf of your own clients, provided that: (i) you remain the party contracting with us and the account holder; (ii) you remain responsible to us for your clients' Message Content and for their compliance with the Terms and this AUP as if it were your own; and (iii) you flow down to your clients terms that are no less protective of us and the Service than the Terms and this AUP.
(b) White-label resale requires a separate agreement. Reselling, rebranding, white-labeling, or otherwise offering the Service itself — as distinct from your own service that uses the Service on the back end — to third parties requires a separate written agreement with us (an Enterprise arrangement). Absent such an agreement, you must not represent the Service as your own product or hold it out for resale.
6. Enforcement
(a) Graduated enforcement where practicable. Where practicable, we will enforce this AUP in a graduated manner — for example, by giving you notice and an opportunity to cure before we suspend or, if the violation is not cured, terminate your access. We are not required to exhaust these steps in every case.
(b) Immediate action for serious risk. We may suspend or restrict your access to the Service immediately, and without prior notice, where we reasonably believe that doing so is necessary to protect the Service, other customers, or third parties from a security risk, a sanctions or other legal risk, or unlawful use, or to comply with law or a governmental order.
(c) Reasonable-belief standard. Our determinations under this AUP are made on the basis of our reasonable belief. We will limit the scope and duration of any suspension or restriction to what is reasonably necessary to address the risk.
(d) Restoration. Where the cause of a suspension or restriction is cured, or the risk is otherwise resolved, we will restore your access in the ordinary course.
7. Reporting and Contact
If you become aware of any violation of this AUP, or of any misuse of the Service, please contact us at support@403fin.io. To report a security issue, use security@403fin.io or the Vulnerability Disclosure Policy. For questions about this AUP, contact legal@403fin.io.
Change History
| Version | Date | Summary |
|---|---|---|
| 1.0 | July 14, 2026 | Initial release |