Policy

Acceptable Use Policy

This Acceptable Use Policy governs use of MARCUS and related services provided by surgicAI. It applies to all users, customers, organizations, administrators, and anyone who accesses MARCUS.

You may not use MARCUS in a way that violates this policy, our Terms of Service, your organization agreement, or applicable law.

Last updated: May 20, 2026

MARCUS is PHI-off by default. Public demos, trial workspaces, and uncontracted deployments are not approved for protected health information, patient identifiers, or patient-specific clinical facts. Do not upload, type, paste, or transmit PHI into MARCUS unless your organization has executed a Business Associate Agreement with surgicAI and your workspace has been approved for PHI-enabled use.

1. Healthcare and Clinical Safety

MARCUS is an institutional-document retrieval and synthesis tool. It is not an autonomous clinical decision-maker.

  • Do not use MARCUS as the sole basis for diagnosis, treatment, triage, medication selection, dosing, emergency care, or patient-specific clinical decisions.
  • Do not use MARCUS as an emergency or time-critical medical system.
  • Do not use MARCUS to provide autonomous patient-facing medical advice.
  • Do not represent outputs as independently verified medical guidance without source review.

2. PHI Restrictions

You may not submit PHI unless your organization has executed a BAA with surgicAI, your workspace has been approved for PHI-enabled use, your use is authorized by your organization, and your submission is limited to the minimum necessary information for the approved purpose.

Examples of prohibited PHI submission in a default workspace include patient names, MRNs, dates of birth, addresses, photos, operative notes, clinical notes, lab values tied to a person, appointment details, or case descriptions that identify or could reasonably identify a patient.

3. Security Restrictions

  • Do not probe, scan, or test the system for vulnerabilities without written authorization.
  • Do not bypass authentication, authorization, rate limits, tenant boundaries, or workspace controls.
  • Do not access another organization's workspace, documents, users, indexes, or audit logs without authorization.
  • Do not upload malware, spyware, ransomware, or malicious code.
  • Do not attempt prompt injection, data exfiltration, jailbreaks, or model manipulation to access unauthorized data.
  • Do not interfere with system integrity, availability, security, or performance.

Good-faith security research must follow our Vulnerability Disclosure Policy.

4. Content Restrictions

  • Do not submit, generate, retrieve, or distribute content that violates law or regulation.
  • Do not submit content that infringes intellectual property, privacy, publicity, or contractual rights.
  • Do not submit content you do not have the right to submit.
  • Do not submit highly sensitive personal information unrelated to the approved use of the service.
  • Do not use content to mislead users about legal, medical, academic, or institutional authority.

5. Organization Responsibilities

  • Authorize users and manage roles and permissions.
  • Upload only approved source documents and remove outdated or superseded documents.
  • Train users on appropriate use.
  • Ensure PHI is not submitted unless the workspace is PHI-enabled under BAA.
  • Review outputs before operational or clinical reliance.
  • Promptly notify surgicAI of suspected unauthorized access or data submission errors.

6. Enforcement and Reports

We may investigate suspected violations and may suspend, restrict, quarantine, delete, or terminate access if we reasonably believe use violates this policy or creates risk, or if such action is required by law or contract. Report misuse, security concerns, or suspected PHI submission errors to security@surgic.ai, privacy@surgic.ai, or support@surgic.ai.

Contact