§ Abuse & DMCA Policy · Last updated 2026-04-25

Abuse and DMCA Policy

How Oxshield receives, evaluates, and acts on abuse reports, DMCA takedown notices, security disclosures, and law-enforcement requests. This is the operational sibling to our Acceptable Use Policy — the AUP says what isn't allowed; this page says what we actually do when someone breaks it.

1. Contacts

All three mailboxes are monitored. abuse@oxshield.io is the right channel for anything urgent or actionable: confirmed violations, vulnerability reports, intellectual-property complaints, or court process.

2. Response SLA

  • Acknowledgement: within 1 working day, with a reference number for follow-up.
  • Initial action on confirmed violations: within 1 working day of acknowledgement (key revocation, account suspension).
  • Final disposition: typically within 5 working days; longer for cases requiring legal review or external coordination.

Reports involving CSAM or imminent harm are escalated immediately on receipt — they don't queue.

3. What to include in a report

Every kind of report shares some core elements. The more of this you give us, the faster we can act.

  • What happened, in plain language. Time, target, and the effect on you or your systems.
  • Evidence: log lines, headers, message IDs, timestamps in UTC, IP addresses, screenshots. We can't act on claims that aren't verifiable.
  • Identification of the apparent source: an Oxshield exit IP, an email address, an account number — whatever links the conduct to our network.
  • How to reach you for follow-up: an email address we can reply to.

4. DMCA / copyright notices

We act on copyright-infringement notices in good faith. Because Oxshield is a connectivity provider — not a hosting provider — we don't hold the allegedly infringing material itself. What we can do is identify the access key responsible for the egress traffic at the moment the alleged infringement occurred and revoke it.

4.1. Required notice format

To be actionable, a DMCA notice must include:

  • A description of the copyrighted work claimed to be infringed (a title, registration number, or other identifier).
  • Identification of the allegedly infringing material with enough specificity for us to locate the responsible session — typically the Oxshield exit IP, the destination domain or URL, and the timestamp of the activity (UTC).
  • A statement of good-faith belief that the use is not authorized by the rights-holder, an agent, or law.
  • A statement, under penalty of perjury, that the notice is accurate and the sender is the rights-holder or authorized to act on the rights-holder's behalf.
  • A physical or electronic signature of the rights-holder or authorized agent.
  • The complainant's name, address, telephone number, and email.

Send to abuse@oxshield.io with subject [DMCA] <short description>.

4.2. Repeat infringers

Per our Terms §4.3, repeat infringers are terminated. Internally we track verified DMCA strikes per account; the third confirmed strike within a 12-month rolling window terminates the account. We document the basis for any termination decision and preserve the record in case of a counter-notice.

4.3. Counter-notices

If you believe an action against your account was the result of a mistaken or fraudulent DMCA notice, send a counter-notice to abuse@oxshield.io including the items required under 17 U.S.C. § 512(g)(3). On a valid counter-notice we restore the disabled access within 10–14 business days unless the original complainant initiates court proceedings.

5. Security disclosures

We'd much rather hear about a vulnerability from a researcher than from an exploited customer. If you believe you've found a security issue in Oxshield's infrastructure, applications, or contributor pipeline:

  1. Email abuse@oxshield.io with subject [SECURITY] <short description>.
  2. Include reproduction steps, the affected component, and the impact you observed. Optional but appreciated: a suggested remediation.
  3. Don't exploit the issue beyond what's necessary to confirm it. Don't access accounts you don't own. Don't exfiltrate user data. We treat ethical research incidents differently from intentional intrusion — but we cannot make that distinction if the access pattern is indistinguishable.

We aim to acknowledge security reports within 24 hours, triage within 72, and disclose patches publicly once they're shipped. We do not currently run a paid bug bounty; we do credit researchers who request it and we'll happily reference your disclosure in our public commit history.

6. What enforcement looks like in practice

On a confirmed violation of our Acceptable Use Policy (see Terms §4.1, §4.2):

  1. Key revocation: the responsible Oxshield access key is revoked across all of the user's registered devices. This is an Outline Manager API call from our backend to the affected server(s); end-to-end latency from "decision made" to "key dead on the wire" is under 30 seconds.
  2. Account suspension: pending investigation, the account is locked from sign-in. The user is notified at the email on file unless doing so would tip off active criminal conduct or violate a lawful order.
  3. Termination on confirmed violation: account is permanently closed. Active subscriptions are cancelled; refunds for the unused remainder are issued at our discretion (we don't refund where the violation involved fraud against us).
  4. Contributor-server cases: if the source of abuse is a contributor-operated server (rather than the user directly), the server is removed from the public directory (soft-delete via removed_at) and, where appropriate, the underlying droplet is destroyed via the stored provider OAuth token.
  5. Record retention: we keep billing and authentication metadata for the legally required period (see Privacy Policy §5). We do not have VPN traffic logs to retain — the underlying Outline / Shadowsocks stack does not generate them.

7. Law-enforcement requests

We cooperate with lawful legal process — subpoenas, MLAT requests, and court orders — issued by authorities with proper jurisdiction. We will challenge process we consider overbroad, improper, or obtained outside applicable legal protections.

What we can produce on lawful legal process:

  • Account existence, creation date, and current status.
  • Billing metadata: subscription tier, current period, payment method type (without card or wallet details), Polar customer ID for fiat subscribers.
  • Authentication metadata: most recent login timestamp, and the last known IP at login if retained.
  • Email address on file (for accounts created with email; not available for anonymous account-number signups).

What we cannot produce — because we don't collect or retain it:

  • VPN traffic content of any kind.
  • Per-key bandwidth ledgers beyond the rolling 30-day window required for free-tier data-cap enforcement.
  • Records of which destination servers were contacted by a given access key (Outline / Shadowsocks does not produce these).
  • Plaintext payment instruments (handled by Polar as merchant of record; cardholder PAN never touches our infrastructure).

Where the law permits us to notify the user of a request, we will. Where it does not, we won't.

8. Sanctions and restricted parties

Our Terms §4.4 prohibits use of Oxshield by entities listed on applicable restricted-party lists (OFAC SDN, EU CFSP, UK OFSI, UN Security Council consolidated). Fiat subscriptions are processed through Polar as merchant of record; Polar's payment-rail compliance applies sanctions screening at the card-network level — the same mechanism every payment-card-accepting VPN relies on.

We do not blanket-block access from comprehensive-sanctions jurisdictions where OFAC General License D-2 and equivalent personal-communications carve-outs apply. Iranian, Cuban, and Syrian individuals using Oxshield to access information and communicate with people abroad are exactly the population GLD-2 was written to protect. Mullvad, Proton, and other privacy-focused VPNs operate under the same framework. Where carve-outs do not apply (notably North Korea), we decline service.

9. Contributor-server pipeline

Community-contributor servers join the network through a DigitalOcean OAuth flow. Two implications for abuse handling:

  • We hold the master Outline Manager apiUrl and a cert-pinned certSha256 for every server in the fleet — Oxshield-operated and contributor-operated alike. Contributors do not have admin access to mint or revoke keys on the servers they host. Only we do.
  • Free-tier users are gated to Oxshield-operated servers only (enforced in canTierAccessServer in lib/outline/client.ts). Contributors are insulated from freemium abuse — paid users are the only population that can route through community-operated exits.

When abuse originates from a contributor-operated server, our actions are the same as for the Oxshield-operated fleet: revoke the responsible key immediately; then, if patterns indicate the server itself is the problem (compromise, or a contributor running a relay against our terms), remove the server from the directory and notify the contributor.
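For the key-revocation call in section 6 (step 1) and the cert-pinned apiUrl / certSha256 held per server in section 9, here is an added example, not Oxshield's own code, of how a backend could revoke a single key over the Outline Manager API while pinning the server's self-signed certificate. The function names (fingerprintMatches, buildRevokePath, connectPinned, revokeAccessKey) and the sample address are assumptions; the DELETE /access-keys/{id} route and the bare-hex certSha256 format are the Outline server's own.

```typescript
// Added example, not Oxshield's code: revoke one Outline access key over the
// Outline Manager API (DELETE /access-keys/{id}) with the server's self-signed
// TLS certificate pinned to the stored certSha256. Names below are hypothetical.
import * as https from "node:https";
import * as tls from "node:tls";

// Node reports fingerprints as "AB:CD:...", Outline stores certSha256 as bare
// hex; normalise both and insist on a full 32-byte digest before comparing.
export function fingerprintMatches(pinned: string, observed: string): boolean {
  const norm = (s: string) => s.replace(/[^0-9a-fA-F]/g, "").toUpperCase();
  const want = norm(pinned);
  return want.length === 64 && want === norm(observed);
}

// apiUrl has the shape https://203.0.113.10:45678/<secret-prefix> (constructed
// sample); the management routes live under that prefix.
export function buildRevokePath(apiUrl: string, keyId: string): string {
  const prefix = new URL(apiUrl).pathname.replace(/\/+$/, "");
  return `${prefix}/access-keys/${encodeURIComponent(keyId)}`;
}

// rejectUnauthorized:false alone accepts ANY certificate, and Node only calls
// checkServerIdentity after CA validation succeeds (which a self-signed cert
// never does), so the fingerprint is compared explicitly after the handshake.
export function connectPinned(host: string, port: number, certSha256: string): Promise<tls.TLSSocket> {
  return new Promise<tls.TLSSocket>((resolve, reject) => {
    const socket = tls.connect({ host, port, rejectUnauthorized: false }, () => {
      const fp = socket.getPeerCertificate().fingerprint256;
      if (fingerprintMatches(certSha256, fp)) return resolve(socket);
      socket.destroy(); // never send the secret apiUrl prefix to an unverified peer
      reject(new Error(`certSha256 mismatch for ${host}: got ${fp}`));
    });
    socket.once("error", reject);
  });
}

// Resolves to the HTTP status: Outline answers 204 on success, 404 for an unknown key.
export async function revokeAccessKey(apiUrl: string, certSha256: string, keyId: string): Promise<number> {
  const u = new URL(apiUrl), port = Number(u.port || 443);
  const socket = await connectPinned(u.hostname, port, certSha256);
  return new Promise<number>((resolve, reject) => {
    const req = https.request(
      { method: "DELETE", host: u.hostname, port, path: buildRevokePath(apiUrl, keyId),
        createConnection: () => socket }, // reuse the already-verified TLS socket
      (res) => { res.resume(); resolve(res.statusCode ?? 0); },
    );
    req.on("error", reject);
    req.end();
  });
}
```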

10. Changes

We may update this policy. Material changes are announced by email and on the dashboard at least 14 days before they take effect. Each version is timestamped at the top of this page.