FFML TLD domain policies

This document contains: 1. gTLD Acceptable Use and Takedown Policy 2. DATA PROTECTION AND PRIVACY POLICY 3. Reserved Names Policy 4. WHOIS POLICY

1. gTLD Acceptable Use and Takedown Policy

Version 1.0 ("Acceptable Use Policy") What is in the Acceptable Use Policy? As the owner of a domain name, you are required to act responsibly in your use of that domain and in accordance with this policy. Abusive or malicious conduct in registration of your domain name or in content on a website will not be tolerated by the Registry. The Registry will act as set out in this Acceptable Use Policy to deal with abusive or malicious conduct of which it becomes aware or which is brought to its attention. In all cases the Registry reserves the right to bring offending sites into compliance using any of the methods set out in this policy, or others as may be necessary in exceptional cases, whether or not stated in this policy. Should a complaint be made, the Registry (or its designees) will alert its relevant Registrar partners about any identified threats, and will work closely with them. Who can bring a complaint under the Acceptable Use Policy? The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring by the Registry or its partners. What actions can constitute abusive or malicious conduct? “Abuse” or “malicious conduct” includes but is not limited to: - Infringement of Intellectual Property; which includes, but is not limited to, passing off as the brand of another, unauthorised distribution of copyrighted material or the sale of counterfeit goods. - Phishing; a criminal activity employing tactics to defraud and defame Internet users via sensitive information with the intent to steal or expose credentials, money or identities. - Malware; malicious software that was intentionally developed to infiltrate or damage a computer, mobile device, software and?or operating infrastructure or website without the consent of the owner or authorized party. This includes, amongst others, viruses, trojan horses, and worms. - Domain Name or Domain Theft; the act of changing the registration of a domain name without the permission of its original registrant. - Botnet Command and Control; services run on a domain name that is used to control a collection of compromised computers or “zombies,” or to direct Distributed Denial of Service attacks (“DDoS attacks”) - Distribution of Malware; the intentional creation and intentional or unintentional distribution of “malicious” software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, keyloggers and trojan horses. - Fast Flux Attacks / Hosting; a technique used to shelter phishing, pharming and malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP addresses associated with fraudulent sites are changed rapidly so as to make the true location of the sites difficult to find. - Hacking; the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system. - Pharming; the redirecting of unknown users to fraudulent sites or services, typically through, but not limited to, DNS hijacking or poisoning. - Spam; the use of electronic messaging systems to send unsolicited bulk messages. The term applies to email spam and similar abuses such as instant messaging spam, mobile messaging spam, and spamming of websites and Internet forums. - Child Pornography; the storage, publication, display and ?or dissemination of pornographic materials depicting individuals under the legal age in the relevant jurisdiction. - If the domain name is being used in a manner that appears to threaten the stability, integrity or security of the Registry, or any of its Registrar partners and ?or that may put the safety and security of any registrant or user at risk, the domain name may be cancelled or suspended by the Registry or any of the actions listed in the “what we can do” section below. How do I complain? Abuse Point of Contact All complaints should be addressed to: abuse@famousfourmedia.com Certain registries require an APM seal to be displayed on the homepage of your domain name. Implementing the seal is extremely easy and instructions will be provided to you when you register. If you do not plan on using your domain for a website immediately, or at all or there are other reasons why this is not technically possible, please let us know by completing a self-exception form, details of which will be sent to you upon registration. Our automated systems will check any website hosted on your domain in 120 days from the registration of your domain. If your website is active, and the APM seal not be found, you will be notified and have 30 days to enact the seal. Should the seal not be enacted within that time, the Registry reserves the right to suspend your domain. Should your domain be ready for testing before the 120 day period has elapsed, simply click the relevant link in the instructions sent to you to start the validation process immediately. What happens to your complaint? We operate a policy of Rapid Domain Compliance, meaning we will provide a timely response to abuse complaints concerning all names registered in the gTLD by Registrars and their resellers. The Registry Operator's customer support team is operational 24?7?365. We will endeavour (but cannot guarantee) to address and potentially rectify the issue as it pertains to all forms of abuse and fraud within 24 hours. Once abusive behaviour is detected or reported, the customer support centre immediately creates a support ticket in order to monitor and track the issue through resolution. A preliminary assessment will be performed in order to determine whether the abuse claim is legitimate. The Registry will use commercially reasonable efforts to verify the information in the complaint. If that information can be verified to the best of the ability of the Registry, the sponsoring Registrar will be notified and Registrar will endeavour to investigate the activity within 12 hours and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety, or to provide a compelling argument to the Registry to keep the name in the zone. If the Registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), the Registry may place the domain on “hold”. We will classify each incidence of legitimately reported abuse into two categories based on the probable severity and immediacy of harm to registrants and Internet users. Category 1: - Probable Severity or Immediacy of Harm: Low - Examples of types of abusive behaviour: Spam, Malware - Mitigation steps: - Investigate - Notify registrant - Response times – up to 3 days depending on severity. Category 2: - Probable Severity or Immediacy of Harm: Medium to High - Examples of types of abusive behaviour: Fast Flux Hosting, Phishing, Illegal Access to other Computers or Networks, Pharming, Botnet command and control - Mitigation steps: - Investigate - Notify registrant - Response times – up to 5 days depending on severity. Uniform Rapid Suspension system (“URS”) We are obliged to follow ICANN's requirements in respect of URS3. All definitions in this section are as per the website. The URS rules and procedures and all URS related definitions used in this policy are available on ICANN's website at http://newgtlds.icann.org/en/applicants/urs/ URS Lock: If a URS Provider has instructed us to set up a URS Lock, we are obliged to activate the following EPP-statuses in respect of the affected domain name: - ServerUpdateProhibited - ServerTransferProhibited - ServerDeleteProhibited URS Suspension: If a URS Provider has instructed us to set up a URS Suspension, we are obliged to redirect the suspended domain name to a webpage that mentions that the URL has been suspended due to a URS Complaint. URS Rollback: If a URS Provider instructs us to "roll-back" a suspended or locked domain name, we will restore the original information on the domain name at the time of the suspension or lock. Domain Name Life Cycle: We are obliged to follow the normal domain name life-cycle for a URS Locked domain name. If a domain name that is subject to a URS procedure is purged (if we operate a Redemption Grace Period) or deleted, the URS procedure will automatically terminate. Extension In the case where a URS Complainant has prevailed, the Registry Operator MUST offer the option for the URS Complainant to extend a URS Suspended domain name's registration for an additional year. The Registrar MUST pay the renewal fee for such domain name to the Registry Operator. What we can do. We reserve the right for the Registry, at our sole discretion and without notice to any other party, to take the appropriate actions (whether administrative, operational or otherwise) based on the type of abuse, including but not limited to: lock down of the domain name preventing any changes to the contact and name server information associated with the domain name. placing the domain name “on hold” rendering the domain name nonresolvable or transferring the domain name to another Registrar. substituting name servers in cases in which the domain name is associated with an existing law enforcement investigation in order to collect information about the DNS queries and when appropriate, we will share information with law enforcement to assist the investigation. cancelling or transferring or taking ownership of any domain name, either temporarily or permanently. denying attempted registrations from repeat violators (see the Section on registrant Disqualification, below). using relevant technological services, whether our own or third party, such as computer forensics and information security. sharing relevant information on abuse with other registries, Registrars, ccTLDs, law enforcement authorities (see , security professionals, etc not only on abusive domain name registrations within its own gTLD, but also information uncovered with respect to domain names in other registries to enable such parties to take appropriate action. We may also take preventative measures at our sole discretion including (without limitation): DNSSEC deployment which reduces the opportunity for pharming and other man-in-the-middle attacks. Why will we act? We will always endeavour to act with reasonable cause. Some examples of where we might act (not limited): protecting the integrity and stability of the Registry. complying with any applicable laws, government rules, ICANN or court orders or requirements, requests or orders of law enforcement, or any dispute resolution process. avoiding any liability, civil or criminal, on the part of the Registry as well as its affiliates, subsidiaries, officers, directors, and employees. if required by the terms of the registration agreement or the registry Registrar agreement or ICANN. to correct mistakes made by the Registry or any Registrar in connection with a domain name registration. during resolution of a dispute of any sort whether or not the dispute appears to be unmerited or unsubstantiated. What to do if you feel we have taken inappropriate action to deal with abuse or alleged abuse. We take our goal of tackling abuse extremely seriously and we will always endeavour to take prompt action as set out in this Acceptable Use Policy to deal with abuse or alleged abuse when we believe that there is reasonable justification for the complaint. However, we are not an adjudicator of any dispute between parties and cannot and do not accept any responsibility for any loss or damage you or anyone else may suffer as a result of any action or omission by us or by anyone else under this Acceptable Use Policy. If you have an issue with abuse that we are unable to assist with, please approach the appropriate forum for dispute resolution. We will be able to act in the case that you are able to provide: (i) the final determination of an internationally recognised dispute resolution body or a court of law, settling the inter-parties dispute in your favour or which otherwise mandates us to act as you request. (ii) any requirement of ICANN or other recognised authority which mandates us to act as you request. In the case of a wrongful transfer of a domain name, you may also provide written agreement of the Registrar of record and the gaining Registrar sent by email, letter or fax that the transfer was made by mistake or procedural error or was unauthorised (http://archive.icann.org/en/transfers/policy-12jul04.htm) All notices served under this section should be served by email to clo@famousfourmedia.com or otherwise addressed to: Chief Legal Officer Famous Four Media 2nd floor, Leisure Island Business Centre Ocean Village Gibraltar Proof of posting is not proof of delivery. You are responsible for all costs, fees, damages and other expenses relating to any action you take, or which you require us to take, under this section. How we work with law enforcement The Registry will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such a response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by the Registry for rapid resolution of the request. In the event such request involves any of the activities which can be validated by the Registry and involves the type of activity set out in the Acceptable Use Policy, the sponsoring Registrar will endeavour to further investigate the activity within 24 hours and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the Registry to keep the name in the zone. If the Registrar is not able to take the requested action after 24 hours or if the matter is urgent, (i.e., is unresponsive to the request or refuses to take action), the Registry may place the domain on “hold”. How we disqualify registrants. Registrant disqualification provides an additional disincentive for qualified registrants to maintain abusive registrations in that it puts at risk even otherwise non-abusive registrations, through the possible loss of all registrations. Registrants, their agents or affiliates found through the application of the Acceptable Use Policy to have repeatedly engaged in abusive registration may be disqualified from maintaining any registrations or making future registrations. This will be triggered when the registry backend services provider’s records indicate that a registrant has had action taken against it an unusual number of times through the application of our Acceptable Use Policy. In addition, name servers that are found to be associated only with fraudulent registrations may be added to a local blacklist and any existing or new registration that uses such fraudulent NS record will be investigated. The disqualification of ‘bad actors’ and the creation of blacklists mitigates the potential for abuse by preventing individuals known to engage in such behaviour from registering domain names. For a registrant to be placed on a list of bad actors, the Registry will examine the factors noted above, and such determination shall be made by the Registry at its sole discretion. Once the Registry determines that a registrant should be placed onto the list of bad actors, the Registry will notify its Registry backend services provider, who will be instructed to cause all of the registrant’s second-level domains in the gTLD to resolve to a page which notes that the domain has been disabled for abuse-related reasons. The second-level domains at issue will remain in this state until the expiration of the registrant’s registration term or a decision from a UDRP panel or court of competent jurisdiction requires the transfer or cancellation of such domains. Leisure Island Business Centre 23, Ocean Village Promenade Gibraltar GX11 1AA P: +350 216 50 000 E: pyoung@famousfourmedia.com W: www.famousfourmedia.com Famous Four Media Limited, registered in Gibraltar with company no. 105658 and Registered Office at 6A Queensway, Gibraltar.

2. DATA PROTECTION AND PRIVACY POLICY

Version 1.0 What personal data does the Registry collect? The Registry Operator will collect all registrant data required by specification 4 of the Registry Agreement with ICANN. This data is provided to us by the registrant’s domain Registrar for the purpose of operating the Registry Operator's WHOIS directory If you are an individual registrant, the collected data will include personal details which you provide to the Registrar which may be considered sensitive and from which you may be personally identifiable (“Personal Data”). As part of our commitment to compliance with data privacy requirements, and to reflect changes in Registry Operator operating procedures, we may need to update the terms of this policy from time-to-time. How do we process data? We will only use data provided to us about any registrant, including Personal Data, for the following purposes: - inclusion in the said searchable WHOIS directory providing free public query-based access to the details as required by clauses 1.5 and 1.6 of specification 4 of the Registry Agreement (please see our WHOIS Policy); - research on an anonymised amalgamated statistical basis; - day to day operations of the Registry Operator, including email contact by the Registry Operator with the registrant as required in accordance with our Acceptable Use Policy; - to our service providers which/who provide legal, accounting, delivery, installation, systems support, escrow, marketing, clearinghouse and directory services on our behalf; - as may be required by law enforcement agencies or a court order or other compulsory operation of law applicable to the Registry Operator; - as may be required by ICANN in accordance with a zone file access request in accordance with specification 4 of the Registry Agreement. For more information please contact abuse@famousfourmedia.com Third party use: We will only share Personal Data with third parties as stated above. Our service providers companies are prohibited from retaining, sharing, storing or using Personal Data for any secondary purposes. However, please note that these third parties may use cookies and action tags to measure advertising effectiveness on an anonymous basis. We will never sell Personal Data to a third party. However, we cannot control the use made by third parties of WHOIS data which is in the public domain and is searchable globally. We disclaim all liability for any misuse of the data made by a third party of WHOIS data. We will also provide Personal Data to third parties when obliged by applicable law. We may also provide such information where legal action is proceeding or contemplated or as requested by a legitimate law enforcement agency. How can you correct or delete Data if you are a registrant? We only accept registrant data from the relevant Registrar. In the case that you may wish to access, update, correct, rectify or delete Personal Data, please contact the relevant Registrar. In case that the Registrar has failed to take the appropriate action within the timelines they have specified, you may contact your national data protection or information commissioner or our abuse point of contact: abuse@famousfourmedia.com Please note that deactivation an account with the Registrar does not mean that relevant that Personal Data for that account has been deleted from our database entirely. While as a general rule we will not retain Personal Data records for more than two years after the expiry of the relevant domain name registration, we reserve the right to retain and use Personal Data for longer in order to comply with our legal obligations, resolve disputes or to enforce our agreements. How do we prevent unauthorised access to Personal Data? We have implemented the appropriate technical and organizational security measures to protect Personal Data, including internal security procedures that restrict access to and disclosure of Personal Data. We also use encryption, firewalls and other technology and security procedures to help ensure the accuracy and security of Personal Data and to prevent unauthorized access or improper use. We will also cooperate with duly authorised law enforcement agencies regarding any allegations of abuse or violation of system or network security as set out in our Acceptable Use Policy. Regulatory: Any party who feels that its data protection issue has not been dealt with appropriately under the Registrar’s procedures can consult the Registry Operator's Acceptable Use Policy and may submit a data protection complaint directly to the Registry at abuse@famousfourmedia.com or contact the Gibraltar Regulatory Authority. Further data protection issues can be raised with: The Gibraltar Regulatory Authority Suite 603, Europort Gibraltar GX11 1AA Tel:(+350) 20074636 Fax:(+350) 20072166 Email: http://www.gra.gi/index.php?site=dataprotection&topic=contact%20us

3. Reserved Names Policy

Version 1.0 Registry Operator Obligations Except to the extent that ICANN otherwise expressly authorises in writing, the Registry Operator is obliged to comply with the requirements set out in Clause 2.6 and Specification 5 of the Registry Agreement. Right to reserve domain names The Registry Operator may at any time establish or modify policies concerning Registry Operator’s ability to reserve (i.e. withhold from registration or allocate to the Registry Operator) or block any character strings within the TLD at its discretion. The Registry Operator has the right to reserve any unallocated domain names at any time and reserves the right to sell certain domain names at a premium at its discretion. Registry Operator's Use Registry Operator may activate in the DNS at all levels up to 100 names (plus IDN variants where applicable) necessary for the operation or the promotion of the TLD as set out in Section 3.2 of Specification 5. All such withheld or allocated names may be released for registration to another person or entity at Registry Operator's discretion in compliance with the Registry Agreement. Other Uses EXAMPLE: The ASCII label “EXAMPLE” has been allocated to Registry Operator at the second level within the TLD at which Registry Operator offers registrations. Two character labels All two character ASCII labels have been either withheld from registration or allocated to Registry Operator at the second level, provided that such twocharacter label strings may be released to the extent that Registry Operator reaches agreement with the related government or ICANN as set out in Section 2 of Specification 5. WWW,RDDS, WHOIS, NIC. The following ASCII labels have been allocated to Registry Operator at all levels for use in connection with the operation of the registry for the TLD: WWW, RDDS, WHOIS and NIC and may not be released to a third party. International Olympic Committee; International Red Cross and Red Crescent Movement and other IGOs and INGOs As instructed from time to time by ICANN, the names (including their IDN variants, where applicable) relating to the International Olympic Committee, International Red Cross and Red Crescent Movement listed at http://www.icann.org/en/resources/registries/reserved and any other IGOs and INGOs identified as part of an ICANN Policy Development Process shall be withheld from registration or allocated to Registry Operator at the second level within the TLD. Additional International Olympic Committee, International Red Cross and Red Crescent Movement names (including their IDN variants) IGO or INGO identifiers may be added to the list upon ten (10) calendar days' notice from ICANN to Registry Operator. Such names may not be activated in the DNS, and may not be released for registration to any person or entity other than Registry Operator. What if there are more IGOs or INGOs with an interest in the same domain names? Where there are competing rights to any label, the Registry reserves the right (but is not obliged) to place a hold on the label and/or to notify other parties with an interest or potential interest ("Potential Parties") in the string in the case there is an applicant for the label. Depending on the response from the Potential Parties, the Registry Operator reserves the right to write to ICANN to seek advice on how to allocate the label or to determine another basis for allocation, based on all the circumstances. Countries and Territories Country and territory names contained in the following internationally recognized lists shall be initially reserved at the second level and at all other levels within the TLD at which the Registry Operator provides for registrations: - the short form (in English) of all country and territory names contained on the ISO 3166-1 list, as updated from time to time, including the European Union, which is exceptionally reserved on the ISO 3166-1 list, and its scope extended in August 1999 to any application needing to represent the name European Union http:??www.iso.org?iso?support?country_codes?iso_3166_code_lists?iso- 3166-1_decoding_table.htm#EU>; - the United Nations Group of Experts on Geographical Names, Technical Reference Manual for the Standardization of Geographical Names, Part III Names of Countries of the World; and - the list of United Nations member states in 6 official United Nations languages prepared by the Working Group on Country Names of the United Nations Conference on the Standardization of Geographical Names”. The Registry will reserve all labels appearing on the above referenced lists from time to time, and prevent registration, delegation or use of such names in accordance with ICANN requirements and as described above. Note on Capital Cities: While capital city names are not required by ICANN to be reserved or withheld from registration, Registry Operator implements a Capital City Claim (CCC) service whereby additional protection will be granted to the capital city names of a country or territory listed in the ISO 3166-1 standard as follows: A prospective registrant applying to register a domain name identical to the capital city name of a listed country or territory will receive a CCC notification highlighting that fact. The applicant must then agree to comply with all requirements as to representations and warranties requested by the Registry as notified to them by ICANN, GAC or the official designate of the country or territory in order to protect the reputation of the city as well as other relevant terms. From time to time, Registry Operator will send a notification in writing to the ICANN Government Advisory Committee (?GAC?) Chair advising on all capital city names registered. This process also applies during Sunrise and Landrush.

4. WHOIS POLICY Version 1.0

Thick WHOIS The Registry Operator will include a thick searchable WHOIS database both accessible on port 43 as well as on port 80 (http) as required in specification 4 of the Registry Agreement. ICANN requirements The WHOIS data will be held by the Registry Operator in accordance with its Registry Agreement with ICANN (“Registry Agreement”). The Registry Operator will also comply with all the security, WHOIS, and privacy requirements required by ICANN whether in the Consensus or Temporary Policies (as defined in the Registry Agreement) or elsewhere. Efforts to promote WHOIS Accuracy The Registry Operator or its outsourced service provider will must perform a biannual review of a random sampling of domain names within the applied-for gTLD to test the accuracy and authenticity of the WHOIS information. Registrars must verify WHOIS data for each record they have registered in the gTLD twice a year or as required by the relevant ICANN consensus policy or accreditation agreement. The Registry Operator will examine WHOIS data for evidence of inaccurate or incomplete WHOIS information. In the event that such errors or missing information exists, it shall be forwarded to the relevant Registrar, who shall be required to address such deficiencies with the relevant registrants. All registrants are required to provide accurate WHOIS contact details, and to keep those details current. Registrars are obliged to obtain accurate WHOIS information from all registrants and to submit this data to the Registry for information for all domain names they sponsor. Correcting errors The registrant's first point of contact for correcting any WHOIS error is the Registrar. Registrar shall accept written complaints from a registrant or any third party regarding false and/or inaccurate WHOIS data which they are required to investigate and to correct in accordance with their guidelines.