HostPapers - article Building an Acceptable Use Policy and Terms of Service

In today's world, you hear about lawsuits every other day on the news, and if you run a hosting company, you own a business which needs to be protected by forcing clients to read and agree to policies you have set forth before they sign-up through your company.

What don't you want customers doing?

That's the question you have to ask yourself or your own internet provider or reseller. An acceptable use policy is self-explanatory; it determines what is acceptable use, and what is not. Here are some good suggestions on what should not be acceptable:

Any illegal usage of your services
Forgery or impersonation
Unsolicited commercial email (UCE) or spam
Fraudulent activity
Harassment or threats
Harm to minors or child pornography
Header forging on e-mails
Email or news bombing or spamming
Unauthorized access to your server or other computers or networks
Copyright, trademark, or patent infringement
Distribution of viruses, trojans, or other malicious applications
Collection of personal data
File sharing
Hacking or attacking other networks or computers (network disruption)
Adult content, if that is not desirable
Excessive consumption of resources (CPU, RAM, bandwidth)

Put Some Responsibility on Your Customer's Shoulders

Require customers to choose a secure password
Don't permit customers to share their password with anyone
Inform customers that they are responsible for what occurs on their account

Put Your Money Where Your Mouth Is

Customers are going to be looking for some sort of guarantee that your services will actually operate, and that is usually in the form of an "uptime guarantee." Downtime is inevitable, but at what point should you credit your customers for the inconvenience of that downtime?

"Five-nine uptime," or 99.999% equates to about 5.4 minutes of downtime in a year, and is one of the most common promises, but what if that downtime isn't your fault? Keep this in mind:

Your own internet provider probably has their own uptime guarantee; check their AUP and ToS.
You can limit the credit of customer accounts to unplanned downtime only, so you and your own internet provider can perform necessary upgrades and services to the network, provided that you give notice to your customers.
You don't have to shell out hundreds of dollars if you're only up 99.998% of the time, you can specify in your terms of service that you will give, for example, a $5.00 credit.
A more reasonable uptime estimate is 99.9%, which gives you 17.3 minutes per year of downtime.

How Will You Handle Abuse?

What if someone reports that one of your customers is spamming? Ignoring that could cause your business to become blacklisted on spam-prevention lists. Even worse, what if someone is hacking from your web server? If you don't take timely action, law enforcement could get involved.

When someone reports abuse, you will need to require a specific amount of information or evidence, such as the date, time, and time zone, IP address, and some sort of logs of the event. After investigation, you need to take action against the offender:

Written or verbal warnings
Suspension of the customer's account
Termination of the customer's account
Billing of fines to the customer's account
Taking legal action

Remember that different abuse situations deserve different treatment. A child pornographer might deserve to have their account suspended or terminated, when someone who went above their monthly bandwidth does not. Sorry, but spamming isn't punishable by death in the United States.

Billing and Accounting

Now that we have determined what isn't permitted on the network, we can move on to how your customer will be charged so that both you and your customer know what to expect.

Set the service rate up front, and before the customer signs up, including the frequency of payment
If there is any setup fee, make sure the customer knows about it and whether it is refundable or not.
How can customers pay? Do you accept credit cards, PayPal, personal checks...?
When is payment due?
How many days does the customer have between the payment being due and when you suspend their service?
What happens if the customer refuses to pay?
How much notice do you need if a customer intends on canceling their account, and does it have to be an email or phone call?
Are payments non-refundable?
How will you handle chargebacks, or customers telling their bank that a charge is "unauthorized?"
- You can protect yourself from credit card fraud by verifying the customer's information, such as their ZIP+4, CVV2, or by calling the customer up. If their sign-up address is in Florida, and their phone number is in Minnesota, a red flag should go up.
- Having evidence of verifying the customer's identity can help you fight the chargeback.
How will you handle checks being returned for "non-sufficient funds" or "account closed?"

You May Need To Be More Specific

For most hosting businesses, you will outline how much disk space (quota), bandwidth, domains, email accounts, etc. the customer will receive, but you need to outline in this document what will happen if those limits are exceeded, and if there are overage charges. You will need to determine if that is an abuse situation, or if they simply need to re-evaluate their hosting plan.

To protect yourself and your company, you may want to include an:

Indemnification clause, stating that you are not responsible for the customers actions or any suffering the customer has
Privacy policy, and how you will handle your customer's personal information
Dispute resolution agreement, and how claims will be handled
Licensing requirement agreement, for Windows servers
Updated contact information agreement, requiring that customers keep current information with your company
Denial of Service, do you reserve the right to refuse service to anyone for any reason?

Look Around!

As long as you don't copy and paste, there is nothing wrong with looking at your competitors' acceptable use policies, terms of service, and privacy policies to get some educational advice. Read a few to get the jargon down, to make a professional-sounding set of policies.

Good luck!

Disclaimer

Your own internet provider will have policies set forth; make sure your customers follow those as well.

I am not a lawyer, so if you have any questions, be sure to have a lawyer look over your acceptable use policy and terms of service, because it is a legal agreement between you and your customer!