FFML TLD Domain Policies

This document contains:

1. gTLD Acceptable Use and Takedown Policy

2. DATA PROTECTION AND PRIVACY POLICY

3. Reserved Names Policy

4. WHOIS POLICY

1. gTLD Acceptable Use and Takedown Policy



Version 1.0

("Acceptable Use Policy")

What is in the Acceptable Use Policy?

As the owner of a domain name, you are required to act responsibly in

your use of that domain and in accordance with this policy.

Abusive or malicious conduct in registration of your domain name or in

content on a website will not be tolerated by the Registry.

The Registry will act as set out in this Acceptable Use Policy to deal with

abusive or malicious conduct of which it becomes aware or which is

brought to its attention.

In all cases the Registry reserves the right to bring offending sites into

compliance using any of the methods set out in this policy, or others as

may be necessary in exceptional cases, whether or not stated in this

policy.

Should a complaint be made, the Registry (or its designees) will alert its

relevant Registrar partners about any identified threats, and will work

closely with them.

Who can bring a complaint under the Acceptable Use Policy?

The Acceptable Use Policy may be triggered through a variety of

channels, including, among other things, private complaint, public alert,

government or enforcement agency outreach, and the on-going

monitoring by the Registry or its partners.

What actions can constitute abusive or malicious conduct?

“Abuse” or “malicious conduct” includes but is not limited to:

- Infringement of Intellectual Property; which includes, but is not limited

to, passing off as the brand of another, unauthorised distribution of

copyrighted material or the sale of counterfeit goods.

- Phishing; a criminal activity employing tactics to defraud and defame

Internet users via sensitive information with the intent to steal or

expose credentials, money or identities.

- Malware; malicious software that was intentionally developed to

infiltrate or damage a computer, mobile device, software and?or

operating infrastructure or website without the consent of the owner or

authorized party. This includes, amongst others, viruses, trojan horses, and worms.

- Domain Name or Domain Theft; the act of changing the registration of a

domain name without the permission of its original registrant.

- Botnet Command and Control; services run on a domain name that is

used to control a collection of compromised computers or “zombies,” or

to direct Distributed Denial of Service attacks (“DDoS attacks”)

- Distribution of Malware; the intentional creation and intentional or

unintentional distribution of “malicious” software designed to infiltrate

a computer system without the owner’s consent, including, without

limitation, computer viruses, worms, keyloggers and trojan horses.

- Fast Flux Attacks / Hosting; a technique used to shelter phishing,

pharming and malware sites and networks from detection and to

frustrate methods employed to defend against such practices, whereby

the IP addresses associated with fraudulent sites are changed rapidly so

as to make the true location of the sites difficult to find.

- Hacking; the attempt to gain unauthorized access (or exceed the level of

authorized access) to a computer, information system, user account or

profile, database, or security system.

- Pharming; the redirecting of unknown users to fraudulent sites or

services, typically through, but not limited to, DNS hijacking or

poisoning.

- Spam; the use of electronic messaging systems to send unsolicited bulk

messages. The term applies to email spam and similar abuses such as

instant messaging spam, mobile messaging spam, and spamming of

websites and Internet forums.

- Child Pornography; the storage, publication, display and ?or

dissemination of pornographic materials depicting individuals under the

legal age in the relevant jurisdiction.

- If the domain name is being used in a manner that appears to threaten

the stability, integrity or security of the Registry, or any of its Registrar

partners and ?or that may put the safety and security of any registrant

or user at risk, the domain name may be cancelled or suspended by the

Registry or any of the actions listed in the “what we can do” section

below.

How do I complain? Abuse Point of Contact

All complaints should be addressed to: abuse@famousfourmedia.com

Certain registries require an APM seal to be displayed on the homepage

of your domain name. Implementing the seal is extremely easy and

instructions will be provided to you when you register.

If you do not plan on using your domain for a website immediately, or at

all or there are other reasons why this is not technically possible, please

let us know by completing a self-exception form, details of which will be

sent to you upon registration.

Our automated systems will check any website hosted on your domain in

120 days from the registration of your domain. If your website is active,

and the APM seal not be found, you will be notified and have 30 days to

enact the seal. Should the seal not be enacted within that time, the

Registry reserves the right to suspend your domain.

Should your domain be ready for testing before the 120 day period has

elapsed, simply click the relevant link in the instructions sent to you to

start the validation process immediately.

What happens to your complaint?

We operate a policy of Rapid Domain Compliance, meaning we will

provide a timely response to abuse complaints concerning all names

registered in the gTLD by Registrars and their resellers.

The Registry Operator's customer support team is operational 24?7?365.

We will endeavour (but cannot guarantee) to address and potentially

rectify the issue as it pertains to all forms of abuse and fraud within 24

hours.

Once abusive behaviour is detected or reported, the customer support

centre immediately creates a support ticket in order to monitor and

track the issue through resolution.

A preliminary assessment will be performed in order to determine

whether the abuse claim is legitimate. The Registry will use

commercially reasonable efforts to verify the information in the

complaint.

If that information can be verified to the best of the ability of the

Registry, the sponsoring Registrar will be notified and Registrar will

endeavour to investigate the activity within 12 hours and either take

down the domain name by placing the domain name on hold or by

deleting the domain name in its entirety, or to provide a compelling

argument to the Registry to keep the name in the zone.

If the Registrar has not taken the requested action after the 12-hour

period (i.e., is unresponsive to the request or refuses to take action),

the Registry may place the domain on “hold”.

We will classify each incidence of legitimately reported abuse into two

categories based on the probable severity and immediacy of harm to

registrants and Internet users.

Category 1:

- Probable Severity or Immediacy of Harm: Low

- Examples of types of abusive behaviour: Spam, Malware

- Mitigation steps:

- Investigate

- Notify registrant

- Response times – up to 3 days depending on severity.

Category 2:

- Probable Severity or Immediacy of Harm: Medium to High

- Examples of types of abusive behaviour: Fast Flux Hosting,

Phishing, Illegal Access to other Computers or Networks, Pharming,

Botnet command and control

- Mitigation steps:

- Investigate

- Notify registrant

- Response times – up to 5 days depending on severity.

Uniform Rapid Suspension system (“URS”)

We are obliged to follow ICANN's requirements in respect of URS3. All

definitions in this section are as per the website.

The URS

rules and procedures and all URS related definitions used in this policy are available on ICANN's website at

newgtlds.icann.org/en/applicants/urs/

URS Lock: If a URS Provider has instructed us to set up a URS Lock, we

are obliged to activate the following EPP-statuses in respect of the

affected domain name:

- ServerUpdateProhibited

- ServerTransferProhibited

- ServerDeleteProhibited

URS Suspension: If a URS Provider has instructed us to set up a URS

Suspension, we are obliged to redirect the suspended domain name to a

webpage that mentions that the URL has been suspended due to a URS

Complaint.

URS Rollback: If a URS Provider instructs us to "roll-back" a suspended

or locked domain name, we will restore the original information on the

domain name at the time of the suspension or lock.

Domain Name Life Cycle: We are obliged to follow the normal domain

name life-cycle for a URS Locked domain name. If a domain name that is

subject to a URS procedure is purged (if we operate a Redemption Grace

Period) or deleted, the URS procedure will automatically terminate.

Extension In the case where a URS Complainant has prevailed, the

Registry Operator MUST offer the option for the URS Complainant to

extend a URS Suspended domain name's registration for an additional

year. The Registrar MUST pay the renewal fee for such domain name to

the Registry Operator.

What we can do.

We reserve the right for the Registry, at our sole discretion and without

notice to any other party, to take the appropriate actions (whether

administrative, operational or otherwise) based on the type of abuse,

including but not limited to:

lock down of the domain name preventing any changes to the contact

and name server information associated with the domain name.

placing the domain name “on hold” rendering the domain name nonresolvable

or transferring the domain name to another Registrar.

substituting name servers in cases in which the domain name is

associated with an existing law enforcement investigation in order to

collect information about the DNS queries and when appropriate, we

will share information with law enforcement to assist the investigation.

cancelling or transferring or taking ownership of any domain name,

either temporarily or permanently.

denying attempted registrations from repeat violators (see the Section

on registrant Disqualification, below).

using relevant technological services, whether our own or third party,

such as computer forensics and information security.

sharing relevant information on abuse with other registries, Registrars,

ccTLDs, law enforcement authorities (see , security professionals, etc

not only on abusive domain name registrations within its own gTLD, but

also information uncovered with respect to domain names in other

registries to enable such parties to take appropriate action.

We may also take preventative measures at our sole discretion including

(without limitation):

DNSSEC deployment which reduces the opportunity for pharming and

other man-in-the-middle attacks.

Why will we act?

We will always endeavour to act with reasonable cause. Some examples

of where we might act (not limited):

protecting the integrity and stability of the Registry.

complying with any applicable laws, government rules, ICANN or court

orders or requirements, requests or orders of law enforcement, or any

dispute resolution process.

avoiding any liability, civil or criminal, on the part of the Registry as well

as its affiliates, subsidiaries, officers, directors, and employees.

if required by the terms of the registration agreement or the registry

Registrar agreement or ICANN.

to correct mistakes made by the Registry or any Registrar in connection

with a domain name registration.

during resolution of a dispute of any sort whether or not the dispute

appears to be unmerited or unsubstantiated.

What to do if you feel we have taken inappropriate action to deal with abuse or alleged abuse.

We take our goal of tackling abuse extremely seriously and we will

always endeavour to take prompt action as set out in this Acceptable

Use Policy to deal with abuse or alleged abuse when we believe that

there is reasonable justification for the complaint.

However, we are not an adjudicator of any dispute between parties

and cannot and do not accept any responsibility for any loss or

damage you or anyone else may suffer as a result of any action or

omission by us or by anyone else under this Acceptable Use Policy.

If you have an issue with abuse that we are unable to assist with,

please approach the appropriate forum for dispute resolution. We

will be able to act in the case that you are able to provide:

(i) the final determination of an internationally recognised

dispute resolution body or a court of law, settling the

inter-parties dispute in your favour or which otherwise

mandates us to act as you request.

(ii) any requirement of ICANN or other recognised authority

which mandates us to act as you request.

In the case of a wrongful transfer of a domain name, you may also

provide written agreement of the Registrar of record and the gaining

Registrar sent by email, letter or fax that the transfer was made by

mistake or procedural error or was unauthorised

(http://archive.icann.org/en/transfers/policy-12jul04.htm)

All notices served under this section should be served by email to

clo@famousfourmedia.com or otherwise addressed to:

Chief Legal Officer

Famous Four Media

2nd floor, Leisure Island Business Centre

Ocean Village

Gibraltar

Proof of posting is not proof of delivery. You are responsible for all

costs, fees, damages and other expenses relating to any action you

take, or which you require us to take, under this section.

How we work with law enforcement

The Registry will respond to legitimate law enforcement inquiries within

one business day from receiving the request. Such a response shall

include, at a minimum, an acknowledgement of receipt of the request,

questions or comments concerning the request, and an outline of the

next steps to be taken by the Registry for rapid resolution of the

request.

In the event such request involves any of the activities which can be

validated by the Registry and involves the type of activity set out in the

Acceptable Use Policy, the sponsoring Registrar will endeavour to

further investigate the activity within 24 hours and either take down the

domain name by placing the domain name on hold or by deleting the

domain name in its entirety or providing a compelling argument to the

Registry to keep the name in the zone.

If the Registrar is not able to take the requested action after 24 hours or

if the matter is urgent, (i.e., is unresponsive to the request or refuses to

take action), the Registry may place the domain on “hold”.

How we disqualify registrants.

Registrant disqualification provides an additional disincentive for

qualified registrants to maintain abusive registrations in that it puts at

risk even otherwise non-abusive registrations, through the possible loss

of all registrations.

Registrants, their agents or affiliates found through the application of

the Acceptable Use Policy to have repeatedly engaged in abusive

registration may be disqualified from maintaining any registrations or

making future registrations.

This will be triggered when the registry backend services provider’s

records indicate that a registrant has had action taken against it an

unusual number of times through the application of our Acceptable Use

Policy.

In addition, name servers that are found to be associated only with

fraudulent registrations may be added to a local blacklist and any

existing or new registration that uses such fraudulent NS record will be

investigated.

The disqualification of ‘bad actors’ and the creation of blacklists

mitigates the potential for abuse by preventing individuals known to

engage in such behaviour from registering domain names.

For a registrant to be placed on a list of bad actors, the Registry will

examine the factors noted above, and such determination shall be made

by the Registry at its sole discretion.

Once the Registry determines that a registrant should be placed onto

the list of bad actors, the Registry will notify its Registry backend

services provider, who will be instructed to cause all of the registrant’s

second-level domains in the gTLD to resolve to a page which notes that

the domain has been disabled for abuse-related reasons.

The second-level domains at issue will remain in this state until the

expiration of the registrant’s registration term or a decision from a

UDRP panel or court of competent jurisdiction requires the transfer or

cancellation of such domains.

Leisure Island Business Centre

23, Ocean Village Promenade

Gibraltar GX11 1AA

P: +350 216 50 000

E: pyoung@famousfourmedia.com

W: www.famousfourmedia.com

Famous Four Media Limited, registered in Gibraltar with company no. 105658 and Registered Office at 6A Queensway, Gibraltar.

2. DATA PROTECTION AND PRIVACY POLICY



Version 1.0

What personal data does the Registry collect?

The Registry Operator will collect all registrant data required by

specification 4 of the Registry Agreement with ICANN. This data

is provided to us by the registrant’s domain Registrar for the

purpose of operating the Registry Operator's WHOIS directory

If you are an individual registrant, the collected data will include

personal details which you provide to the Registrar which may be

considered sensitive and from which you may be personally

identifiable (“Personal Data”).

As part of our commitment to compliance with data privacy

requirements, and to reflect changes in Registry Operator

operating procedures, we may need to update the terms of this

policy from time-to-time.

How do we process data?

We will only use data provided to us about any registrant,

including Personal Data, for the following purposes:

- inclusion in the said searchable WHOIS directory providing

free public query-based access to the details as required by

clauses 1.5 and 1.6 of specification 4 of the Registry

Agreement (please see our WHOIS Policy);

- research on an anonymised amalgamated statistical basis;

- day to day operations of the Registry Operator, including

email contact by the Registry Operator with the registrant as

required in accordance with our Acceptable Use Policy;

- to our service providers which/who provide legal, accounting,

delivery, installation, systems support, escrow, marketing,

clearinghouse and directory services on our behalf;

- as may be required by law enforcement agencies or a court

order or other compulsory operation of law applicable to the

Registry Operator;

- as may be required by ICANN in accordance with a zone file

access request in accordance with specification 4 of the

Registry Agreement.

For more information please contact abuse@famousfourmedia.com

Third party use:

We will only share Personal Data with third parties as stated

above. Our service providers companies are prohibited from

retaining, sharing, storing or using Personal Data for any

secondary purposes. However, please note that these third

parties may use cookies and action tags to measure advertising

effectiveness on an anonymous basis.

We will never sell Personal Data to a third party. However, we

cannot control the use made by third parties of WHOIS data

which is in the public domain and is searchable globally. We

disclaim all liability for any misuse of the data made by a third

party of WHOIS data.

We will also provide Personal Data to third parties when obliged

by applicable law. We may also provide such information where

legal action is proceeding or contemplated or as requested by a

legitimate law enforcement agency.

How can you correct or delete Data if you are a registrant?

We only accept registrant data from the relevant Registrar. In the

case that you may wish to access, update, correct, rectify or

delete Personal Data, please contact the relevant Registrar.

In case that the Registrar has failed to take the appropriate

action within the timelines they have specified, you may contact

your national data protection or information commissioner or

our abuse point of contact: abuse@famousfourmedia.com

Please note that deactivation an account with the Registrar does

not mean that relevant that Personal Data for that account has

been deleted from our database entirely. While as a general rule

we will not retain Personal Data records for more than two years

after the expiry of the relevant domain name registration, we

reserve the right to retain and use Personal Data for longer in

order to comply with our legal obligations, resolve disputes or to

enforce our agreements.

How do we prevent unauthorised access to Personal Data?

We have implemented the appropriate technical and

organizational security measures to protect Personal Data,

including internal security procedures that restrict access to and

disclosure of Personal Data.

We also use encryption, firewalls and other technology and

security procedures to help ensure the accuracy and security of

Personal Data and to prevent unauthorized access or improper

use.

We will also cooperate with duly authorised law enforcement

agencies regarding any allegations of abuse or violation of system

or network security as set out in our Acceptable Use Policy.

Regulatory:

Any party who feels that its data protection issue has not been

dealt with appropriately under the Registrar’s procedures can

consult the Registry Operator's Acceptable Use Policy and may

submit a data protection complaint directly to the Registry at

abuse@famousfourmedia.com or contact the Gibraltar

Regulatory Authority.

Further data protection issues can be raised with:

The Gibraltar Regulatory Authority

Suite 603, Europort

Gibraltar GX11 1AA

Tel:(+350) 20074636

Fax:(+350) 20072166

Email:

www.gra.gi/index.php

%20us

3.  Reserved Names Prolicy



Version 1.0

Registry Operator Obligations

Except to the extent that ICANN otherwise expressly authorises in writing, the

Registry Operator is obliged to comply with the requirements set out in

Clause 2.6 and Specification 5 of the Registry Agreement.

Right to reserve domain names

The Registry Operator may at any time establish or modify policies

concerning Registry Operator’s ability to reserve (i.e. withhold from

registration or allocate to the Registry Operator) or block any character

strings within the TLD at its discretion. The Registry Operator

has the right to reserve any unallocated domain names at any time and

reserves the right to sell certain domain names at a premium at its discretion.

Registry Operator's Use

Registry Operator may activate in the DNS at all levels up to 100 names (plus

IDN variants where applicable) necessary for the operation or the promotion

of the TLD as set out in Section 3.2 of Specification 5. All such withheld or

allocated names may be released for registration to another person or entity

at Registry Operator's discretion in compliance with the Registry Agreement.

Other Uses EXAMPLE: The ASCII label “EXAMPLE” has been allocated to Registry Operator at the

second level within the TLD at which Registry Operator offers registrations.

Two character labels

All two character ASCII labels have been either withheld from registration or

allocated to Registry Operator at the second level, provided that such twocharacter

label strings may be released to the extent that Registry Operator

reaches agreement with the related government or ICANN as set out in

Section 2 of Specification 5.

WWW,RDDS, WHOIS, NIC.

The following ASCII labels have been allocated to Registry Operator at all

levels for use in connection with the operation of the registry for the TLD:

WWW, RDDS, WHOIS and NIC and may not be released to a third party.

International Olympic Committee; International Red Cross and Red Crescent Movement and other IGOs and INGOs

As instructed from time to time by ICANN, the names (including their IDN

variants, where applicable) relating to the International Olympic Committee,

International Red Cross and Red Crescent Movement listed at

www.icann.org/en/resources/registries/reserved and any other IGOs

and INGOs identified as part of an ICANN Policy Development Process shall be

withheld from registration or allocated to Registry Operator at the second

level within the TLD. Additional International Olympic Committee,

International Red Cross and Red Crescent Movement names (including their

IDN variants) IGO or INGO identifiers may be added to the list upon ten (10)

calendar days' notice from ICANN to Registry Operator. Such names may not

be activated in the DNS, and may not be released for registration to any

person or entity other than Registry Operator.

What if there are more IGOs or INGOs with an interest in the same domain names?

Where there are competing rights to any label, the Registry reserves the right

(but is not obliged) to place a hold on the label and/or to notify other parties

with an interest or potential interest ("Potential Parties") in the string in the

case there is an applicant for the label. Depending on the response from the

Potential Parties, the Registry Operator reserves the right to write to ICANN

to seek advice on how to allocate the label or to determine another basis for

allocation, based on all the circumstances.

Countries and Territories

Country and territory names contained in the following internationally

recognized lists shall be initially reserved at the second level and at all other

levels within the TLD at which the Registry Operator provides for

registrations:

- the short form (in English) of all country and territory names contained

on the ISO 3166-1 list, as updated from time to time, including the

European Union, which is exceptionally reserved on the ISO 3166-1 list,

and its scope extended in August 1999 to any application needing to

represent the name European Union

http:??www.iso.org?iso?support?country_codes?iso_3166_code_lists?iso-

3166-1_decoding_table.htm#EU>;

- the United Nations Group of Experts on Geographical Names, Technical

Reference Manual for the Standardization of Geographical Names, Part

III Names of Countries of the World; and

- the list of United Nations member states in 6 official United Nations

languages prepared by the Working Group on Country Names of the

United Nations Conference on the Standardization of Geographical

Names”.

The Registry will reserve all labels appearing on the above referenced lists

from time to time, and prevent registration, delegation or use of such names

in accordance with ICANN requirements and as described above.

Note on Capital Cities:

While capital city names are not required by ICANN to be reserved or

withheld from registration, Registry Operator implements a Capital City Claim

(CCC) service whereby additional protection will be granted to the capital city

names of a country or territory listed in the ISO 3166-1 standard as follows:

A prospective registrant applying to register a domain name identical to the

capital city name of a listed country or territory will receive a CCC notification

highlighting that fact. The applicant must then agree to comply with all

requirements as to representations and warranties requested by the Registry

as notified to them by ICANN, GAC or the official designate of the country or

territory in order to protect the reputation of the city as well as other

relevant terms. From time to time,

Registry Operator will send a notification in writing to the ICANN Government

Advisory Committee (?GAC?) Chair advising on all capital city names

registered. This process also applies during Sunrise and Landrush.

4. WHOIS POLICY version 1.0



Thick WHOIS

The Registry Operator will include a thick searchable WHOIS database both

accessible on port 43 as well as on port 80 (http) as required in specification

4 of the Registry Agreement.

ICANN requirements

The WHOIS data will be held by the Registry Operator in accordance with its

Registry Agreement with ICANN (“Registry Agreement”).

The Registry Operator will also comply with all the security, WHOIS, and

privacy requirements required by ICANN whether in the Consensus or

Temporary Policies (as defined in the Registry Agreement) or elsewhere.

Efforts to promote WHOIS Accuracy

The Registry Operator or its outsourced service provider will must perform

a biannual review of a random sampling of domain names within the

applied-for gTLD to test the accuracy and authenticity of the WHOIS

information. Registrars must verify WHOIS data for each record they have

registered in the gTLD twice a year or as required by the relevant ICANN

consensus policy or accreditation agreement.

The Registry Operator will examine WHOIS data for evidence of inaccurate

or incomplete WHOIS information. In the event that such errors or missing

information exists, it shall be forwarded to the relevant Registrar, who shall

be required to address such deficiencies with the relevant registrants.

All registrants are required to provide accurate WHOIS contact details, and

to keep those details current.

Registrars are obliged to obtain accurate WHOIS information from all

registrants and to submit this data to the Registry for information for all

domain names they sponsor.

Correcting errors

The registrant's first point of contact for correcting any WHOIS error is the

Registrar. Registrar shall accept written complaints from a registrant or any

third party regarding false and/or inaccurate WHOIS data which they are

required to investigate and to correct in accordance with their guidelines.