Cybersecurity Response Network

Every Community Deserves Safety

Official Community Regulations Policy

Valid in the United States and United Kingdom

Effective Date: January 30, 2026 | Version 2.0

Last Updated: March 2026

Important Notice. This document constitutes the legally binding Community Regulations Policy ("Policy") for all Discord servers and online communities ("Communities") participating in the Cybersecurity Response Network ("CRN"). This Policy has been drafted to comply with applicable law in both the United States and the United Kingdom, including but not limited to the General Data Protection Regulation (UK GDPR), the Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), the Electronic Communications Privacy Act (ECPA), the Unfair Contract Terms Act 1977 (UK), and the Consumer Rights Act 2015 (UK). Participation in CRN constitutes acceptance of this Policy in full. Where any provision is found unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.

Table of Contents

  1. Definitions
  2. Scope & Applicability
  3. Formation of Agreement
  4. Eligibility Requirements
  5. Mandatory Security Settings
  6. Child Safety & COPPA Compliance
  7. Data Protection & Privacy Compliance
  8. Inter-Community Relations & Blacklist Policy
  9. ChevLink Cyber Bot & Automated Systems
  10. Inspection & Audit Rights
  11. Director Accountability
  12. Required CRN Reporting Channel
  13. Enforcement & Consequences
  14. Dispute Resolution & Appeals
  15. Limitation of Liability
  16. Termination
  17. Governing Law & Jurisdiction
  18. Acceptance & Entire Agreement

Section 1 — Definitions

1.1 "CRN" means the Cybersecurity Response Network, operated by its governing body reachable at contact@crnsecure.com.

1.2 "Community" means any Discord server or online community formally admitted to CRN membership.

1.3 "Director" means the individual(s) holding ultimate ownership or administrative authority over a Community, who bears personal accountability under this Policy.

1.4 "Participant" means any individual member of a Community within the CRN network.

1.5 "ChevLink Cyber" means the official CRN-operated moderation and enforcement bot.

1.6 "Network Ban" means a ban applied across all CRN-member Communities simultaneously against a specific individual or entity.

1.7 "Personal Data" has the meaning given to it under UK GDPR Article 4(1) and, where applicable, the CCPA, encompassing any information relating to an identified or identifiable natural person.

1.8 "Minor" means any individual under the age of 13 for the purposes of COPPA (US), under the age of 13 for UK GDPR, or under the applicable age of digital consent in their jurisdiction, whichever is highest.

1.9 "CSAM" means Child Sexual Abuse Material as defined under 18 U.S.C. § 2256 (US) and the Protection of Children Act 1978 (UK).

1.10 "Policy" means this Community Regulations Policy in its current version as published at crnsecure.com/legal/regulations.

Section 2 — Scope & Applicability

2.1 This Policy applies to all Communities that have been formally admitted to CRN, including their Directors, staff teams, and moderation personnel.

2.2 This Policy governs conduct within CRN-affiliated Communities and all interactions conducted through CRN's own platforms, systems, and official channels.

2.3 Where a Community participates in both CRN and any other network or alliance, this Policy governs the Community's obligations with respect to CRN specifically and does not purport to override contractual obligations to unrelated third parties, except as set out in Section 8 regarding inter-Community blacklists.

2.4 This Policy applies regardless of whether a Community's Participants are located in the United States, the United Kingdom, or any other jurisdiction. CRN will endeavour to comply with applicable local law in its dealings with Participants.

Section 3 — Formation of Agreement

3.1 A binding agreement under this Policy is formed upon a Community completing CRN's formal admission process, which includes affirmative acceptance of this Policy via the CRN Network Join Request form at crnsecure.com/register.

3.2 The Director must explicitly confirm acceptance by checking a designated acknowledgment box or equivalent affirmative action during the join process, which shall constitute a valid and enforceable electronic signature under the Electronic Signatures in Global and National Commerce Act (US) and the Electronic Communications Act 2000 (UK).

3.3 Adding the ChevLink Cyber bot alone, or displaying CRN branding, does not independently constitute acceptance. These actions may, however, be used as supporting evidence of continued participation in any enforcement or dispute proceeding.

3.4 CRN will provide a copy of the accepted Policy version to the Director via the email address registered at the time of application. Directors are responsible for maintaining an accurate registered contact email.

3.5 Where CRN materially amends this Policy, participating Communities will be given no fewer than 14 days' written notice before the amended Policy takes effect. Continued participation after the notice period constitutes acceptance of the amended terms. Communities that do not accept the amendments may exit pursuant to Section 16.

Section 4 — Eligibility Requirements

4.1 Communities must maintain a minimum of 250 genuine human members as verified through Discord's API or equivalent audit methodology. Artificially inflated membership figures (bot accounts, purchased members) constitute grounds for immediate removal.

4.2 All Communities must comply in full with Discord's Terms of Service and Community Guidelines at all times. CRN is an independent organisation and is not affiliated with, endorsed by, or partnered with Discord Inc.

4.3 Where a Community's primary subject matter or Participant base involves the Roblox platform, that Community must additionally comply with Roblox's Terms of Use and Community Standards. This requirement applies only to Communities where Roblox is a relevant operational context and does not apply universally.

4.4 Any Community found to be supporting, endorsing, or tolerating violations of Discord's Terms of Service will be subject to enforcement action under Section 13.

Section 5 — Mandatory Security Settings

5.1 The Discord Verification Level for all CRN Communities must be permanently set to High or Highest.

5.2 The Explicit Media Content Filter must be configured to scan all media content for all members, without exception.

5.3 Discord AutoMod must be fully enabled with active rules addressing, at minimum:

5.4 Communities may request a documented exception to a specific security setting where a legitimate operational reason exists. Any such exception must be approved in writing by CRN prior to implementation and is subject to review at each audit.

5.5 Failure to maintain the required security settings constitutes a breach of this Policy and shall be addressed under Section 13.

Section 6 — Child Safety & COPPA Compliance

Critical Compliance Requirement: Child safety obligations are absolute. No discretion, mitigating circumstances, or appeals process applies to CSAM-related violations. All applicable legal reporting obligations are mandatory regardless of this Policy.

6.1 Family-Friendly Mandate. All CRN Communities must remain strictly family-friendly across all public channels at all times. The following content is strictly prohibited:

6.2 COPPA Compliance. CRN Communities must not knowingly collect, solicit, or retain Personal Data from Minors (persons under 13) without verifiable parental consent, in accordance with the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) and associated FTC regulations (16 C.F.R. Part 312). Directors are responsible for implementing age-verification or age-gating mechanisms appropriate to their Community's nature and audience.

6.3 Mandatory Response. Upon discovery of prohibited content as defined in clause 6.1, the content must be removed and the offending Participant permanently banned without undue delay. Documentation of the incident must be retained.

6.4 CSAM Reporting. Suspected CSAM must be reported to the following authorities as soon as reasonably practicable following discovery, without undue delay:

6.5 CRN does not impose a specific reporting deadline on volunteer Directors, recognising that civilian reporting obligations under US and UK law do not mandate a fixed timeframe. Directors must act promptly and in good faith. Deliberate delay or concealment constitutes a serious violation.

6.6 Suspected child grooming or exploitation must similarly be reported to CRN and relevant authorities as soon as reasonably practicable. Directors should not attempt to investigate such matters independently; rather, they should preserve evidence and refer promptly.

Section 7 — Data Protection & Privacy Compliance

Legal Framework Note: This section reflects obligations under UK GDPR, EU GDPR (where applicable), the Data Protection Act 2018 (UK), COPPA (US), and the California Consumer Privacy Act (CCPA). Communities must independently assess their own data protection obligations based on their specific operations and Participant base.

7.1 Lawful Basis. Where a Community or CRN processes Personal Data of Participants, such processing must be conducted on a lawful basis as defined under UK GDPR Article 6. For the purposes of the CRN network-ban system and audit functions, CRN relies on legitimate interests (Article 6(1)(f)) in maintaining platform safety, subject to balancing against individual rights.

7.2 Transparency. Directors must make CRN's Privacy Policy (crnsecure.com/legal/privacy) and, where applicable, the Data Processing Agreement (crnsecure.com/dpa) accessible to their Community's Participants. Directors must not represent CRN's data practices inaccurately.

7.3 Data Minimisation. CRN and participating Communities shall collect only Personal Data that is necessary for the purposes set out in this Policy and CRN's Privacy Policy. Retention of Personal Data beyond operational necessity is not permitted.

7.4 Special Category Data. CRN Communities must not solicit or store special category data (including health, biometric, ethnic origin, or sexual orientation data) from Participants, except where strictly necessary and with explicit consent under UK GDPR Article 9.

7.5 Automated Decision-Making. Network bans applied through ChevLink Cyber may constitute automated decision-making with significant effect on Participants. CRN shall, upon request, provide meaningful information about the logic involved and afford affected individuals the right to request human review, as required by UK GDPR Article 22.

7.6 Data Subject Rights. Participants have the right to request access to, rectification of, erasure of, or restriction on processing of their Personal Data held by CRN. Requests should be directed to contact@crnsecure.com. CRN will respond within the timeframes required by applicable law (generally 30 days under UK GDPR).

7.7 Data Breach. Where a data breach occurs within a Community that affects Participants' Personal Data, the Director must notify CRN as soon as reasonably practicable. CRN will handle notification obligations under UK GDPR Article 33 (to the ICO within 72 hours) where the breach arises from CRN-operated systems. Directors are independently responsible for breaches arising within their own Community infrastructure.

7.8 International Transfers. Where Personal Data is transferred between the US and UK, CRN will implement appropriate safeguards in accordance with UK GDPR Chapter V, including Standard Contractual Clauses or the UK International Data Transfer Agreement where required.

7.9 CCPA Rights. California residents whose Personal Data is processed by CRN or in connection with CRN-member Communities have the right to know what Personal Data is collected, the right to delete their Personal Data, and the right to opt out of any sale of their Personal Data. CRN does not sell Personal Data. Requests may be submitted to contact@crnsecure.com.

Section 8 — Inter-Community Relations & Blacklist Policy

Network-Wide Policy: This section establishes binding obligations on all CRN member Communities regarding their conduct toward one another. Blacklists between CRN members are governed exclusively by this Policy and CRN's dispute resolution process.

8.1 CRN Regulations as Governing Framework. This Policy constitutes the supreme governing framework for all conduct between CRN member Communities. Where any Community purports to issue, maintain, or enforce a unilateral blacklist against another CRN member Community, this Policy overrides and supersedes any such action within the context of the CRN network.

8.2 Prohibition on Unilateral Inter-Community Blacklists. No CRN member Community may unilaterally blacklist another CRN member Community. A "unilateral blacklist" means any formal declaration, list, notice, or instruction issued by one CRN member Community that purports to designate another CRN member Community as persona non grata, harmful, or prohibited for the purposes of the CRN network, without CRN's involvement.

8.3 Ineffectiveness of Unauthorised Blacklists. Any blacklist issued by one CRN member Community against another CRN member Community, without the prior involvement and approval of CRN, is null, void, and of no legal or operational effect within the CRN network. No CRN member Community is under any obligation to honour, enforce, or give effect to such a blacklist.

8.4 Mandatory CRN Dispute Meeting. Where a CRN member Community purports to issue or enforce a blacklist against another CRN member Community, CRN shall convene a formal Dispute Meeting within a reasonable timeframe (ordinarily within 14 days of notification). The Dispute Meeting shall include:

8.5 Outcomes of Dispute Meeting. Following the Dispute Meeting, CRN may: (a) find that the proposed blacklist is unwarranted and direct that it be withdrawn; (b) facilitate a formal mediated resolution between the Communities; (c) determine that one or both Communities have breached this Policy and take enforcement action under Section 13; or (d) in exceptional circumstances where a Community presents clear and serious evidence of misconduct, authorise a formal network-level action. Only CRN may authorise a network-level action against a member Community.

8.6 Retaliation Prohibited. Communities must not take retaliatory action against another Community for raising a complaint with CRN or participating in a Dispute Meeting. Retaliation constitutes an independent breach of this Policy.

8.7 Individual-Level Actions. Nothing in this section prevents a Community from taking moderation action (including bans) against individual Participants from another Community, where those individuals have violated the Community's own rules or this Policy. Such actions are distinct from blacklisting an entire Community.

Section 9 — ChevLink Cyber Bot & Automated Systems

9.1 Use of the ChevLink Cyber bot is available to all CRN member Communities and is strongly recommended. It is not mandatory; Communities that opt out must demonstrate equivalent protective capability during audits under Section 10.

9.2 Participation in CRN grants CRN authorisation to instruct ChevLink Cyber to apply Network Bans automatically across participating Communities in response to confirmed child-safety or cybersecurity violations. This authorisation may be withdrawn by removing ChevLink Cyber from the Community, subject to Section 16.

9.3 Automated enforcement actions taken by ChevLink Cyber are subject to human review on request pursuant to clause 7.5. Affected individuals should contact contact@crnsecure.com to request review.

9.4 ChevLink Cyber's data collection and processing practices are governed by the Cyber Privacy Policy at crnsecure.com/cyber/privacy and the Cyber Terms of Use at crnsecure.com/cyber/terms, which Directors and Participants should review independently.

9.5 CRN does not warrant that ChevLink Cyber will prevent all harmful conduct and expressly excludes liability for any harm arising from the bot's failure to detect or act upon a violation, subject to Section 15.

Section 10 — Inspection & Audit Rights

10.1 CRN staff have the right to inspect any member Community for the purposes of verifying compliance with this Policy. Inspections may be conducted with or without advance notice.

10.2 Inspections may include review of: audit logs; server security settings (verification level, AutoMod configuration, role permissions); moderation records; and publicly accessible channel content.

10.3 Private Channel Limitation. CRN staff will not inspect private or members-only channel content without the Director's explicit written consent, except where required to investigate a specific, documented safeguarding concern or serious ToS violation. Any private channel inspection will be conducted by a minimum of two senior CRN staff and the findings documented. This limitation reflects CRN's obligations under the Electronic Communications Privacy Act (US) and the Investigatory Powers Act 2016 (UK).

10.4 Directors must cooperate fully with inspections and implement any required remedial changes within 48 hours of written notice, or such longer period as CRN may agree in writing.

10.5 Obstruction of, or failure to cooperate with, a legitimate inspection shall be treated as a major violation under Section 13.

Section 11 — Director Accountability

11.1 The Director is personally accountable for ensuring their Community's ongoing compliance with this Policy. This accountability is not diminished by delegation to other staff members.

11.2 Where the Director personally commits a violation of this Policy, ignores substantiated reports of violations, or knowingly permits prohibited conduct to continue, the entire Community may be removed from CRN pursuant to Section 13.

11.3 A Director who is removed from CRN may also receive a permanent network-wide ban, preventing them from serving as Director of any other CRN member Community.

11.4 Where a Director transfers ownership of a Community, they must notify CRN in writing within 7 days. The incoming Director must independently complete the CRN acceptance process under Section 3 within 30 days of assuming ownership.

Section 12 — Required CRN Reporting Channel

12.1 All CRN member Communities must maintain at least one publicly visible method by which any Participant can report serious safety or security concerns directly to CRN.

12.2 Communities must maintain at least one public channel containing a clearly visible link to crnsecure.com/report, with a brief description explaining that the channel is for serious incidents including safeguarding concerns, doxxing, raids, organised harassment, or major platform ToS violations.

12.3 The reporting channel must be accessible to all members and must clearly identify CRN by name.

12.4 Routine moderation matters remain the sole responsibility of the Community's internal staff. CRN's reporting route is reserved for serious incidents that the Community's staff is unable or unwilling to address appropriately.

12.5 Failure to maintain a compliant CRN reporting channel may result in suspension of CRN coverage following written notice and a 7-day remediation period.

Section 13 — Enforcement & Consequences

Violation Tiers

Minor Violation — Examples: security setting lapse; missing reporting channel; minor procedural non-compliance. Consequence: Formal written warning + 7-day remediation period.

Major Violation — Examples: repeated minor violations; obstruction of audit; unilateral blacklist enforcement; failure to remove prohibited content promptly. Consequence: Immediate suspension pending review; may escalate to removal and public record.

Critical Violation — Examples: CSAM; child endangerment; deliberate concealment of safeguarding incidents; major Discord ToS breach. Consequence: Immediate removal; permanent network ban; law enforcement referral where applicable.

13.1 Public Records. Where a Community is removed from CRN for a major or critical violation, CRN may publish a factual record of the removal in its public-facing communications. Any published record shall be limited to factual statements supported by documented evidence. CRN shall retain the underlying documentation in the event of a legal challenge.

13.2 Notice Prior to Public Record. Before publishing any public record identifying a Community or Director by name, CRN shall provide the Director with at least 48 hours' written notice and an opportunity to provide a brief written response for inclusion, unless doing so would compromise an active safeguarding or law enforcement matter.

Section 14 — Dispute Resolution & Appeals

14.1 Any Community or Director wishing to appeal an enforcement decision must submit a written appeal to contact@crnsecure.com within 14 days of the decision.

14.2 Appeals will be reviewed by a CRN panel of at least two senior staff members who were not involved in the original decision. The appellant will be notified of the outcome within 21 days of receipt of the appeal.

14.3 Critical Violation decisions involving CSAM or child endangerment are not subject to the standard appeals process. CRN may, at its discretion, conduct a post-outcome review in such cases.

14.4 Inter-Community Disputes. Disputes between CRN member Communities shall be resolved through the Dispute Meeting process set out in Section 8. Where a Dispute Meeting does not resolve the matter, either party may request escalation to CRN's senior leadership for a final determination.

14.5 Nothing in this section prevents any party from seeking relief from a court of competent jurisdiction. CRN encourages internal resolution as a first step.

Section 15 — Limitation of Liability

15.1 CRN provides its services, platforms, and network infrastructure on an "as is" basis. To the fullest extent permitted by applicable law, CRN excludes all warranties, express or implied, regarding the fitness of its services for any particular purpose.

15.2 CRN shall not be liable for any indirect, consequential, incidental, or special damages arising from participation in the network, including but not limited to loss of reputation, loss of data, or loss of Participants, even if CRN has been advised of the possibility of such damages.

15.3 CRN's total aggregate liability to any Community or Director arising under or in connection with this Policy shall not exceed the total fees (if any) paid by that Community to CRN in the 12-month period preceding the event giving rise to the claim.

15.4 Nothing in this clause limits CRN's liability for: death or personal injury caused by CRN's negligence; fraud or fraudulent misrepresentation; or any other liability that cannot lawfully be excluded or limited under applicable law, including the Consumer Rights Act 2015 (UK) and applicable US consumer protection statutes.

15.5 Directors and Communities assume full responsibility for their own compliance with applicable law, including data protection law, and CRN shall not be liable for a Community's independent legal compliance failures.

Section 16 — Termination

16.1 CRN may terminate a Community's membership immediately upon a Critical Violation as defined in Section 13, or upon persistent failure to comply with this Policy following written notice.

16.2 A Community may voluntarily withdraw from CRN by providing 30 days' written notice to contact@crnsecure.com, provided that no enforcement proceedings are outstanding at the time of notice. Where proceedings are outstanding, withdrawal will take effect only upon their conclusion.

16.3 Upon termination or withdrawal, the Community must: remove all CRN branding and affiliation references; remove ChevLink Cyber (if installed); and cease representing itself as CRN-affiliated.

16.4 Termination of membership does not affect any accrued rights or obligations, including any obligations to cooperate with ongoing safeguarding or law enforcement matters.

Section 17 — Governing Law & Jurisdiction

17.1 For Communities and Directors based in the United States, this Policy is governed by the laws of the State of Florida, United States, and the parties submit to the exclusive jurisdiction of the courts of Florida for any dispute arising under this Policy.

17.2 For Communities and Directors based in the United Kingdom, this Policy is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

17.3 For Communities and Directors based outside the United States and United Kingdom, the applicable governing law and jurisdiction shall be determined by CRN on a case-by-case basis, with a preference for Florida law where no other jurisdiction is more appropriate.

17.4 Nothing in this section prevents CRN from seeking urgent injunctive or other equitable relief in any jurisdiction where it has a legitimate interest in doing so.

Section 18 — Acceptance & Entire Agreement

18.1 By completing the CRN Network Join Request process and providing affirmative acceptance in accordance with Section 3, the Director confirms on behalf of themselves and their Community that they have read, understood, and agree to be legally bound by this Policy in full.

18.2 This Policy, together with CRN's Privacy Policy, Acceptable Use Policy, Terms and Conditions, and any executed Data Processing Agreement, constitutes the entire agreement between CRN and the Community with respect to the subject matter herein and supersedes all prior representations, negotiations, or understandings.

18.3 Severability. If any provision of this Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, that provision shall be modified to the minimum extent necessary to make it enforceable, or severed if modification is not possible. All remaining provisions shall continue in full force and effect.

18.4 Waiver. CRN's failure to enforce any provision of this Policy on any occasion shall not constitute a waiver of its right to enforce that provision or any other provision in future.

18.5 Updates. CRN reserves the right to update this Policy from time to time. Updates will be communicated in accordance with clause 3.5. The current version of this Policy is always available at crnsecure.com/legal/regulations.


This Policy is stored permanently on CRN systems and is binding upon all member Communities. It does not constitute legal advice. Communities are encouraged to seek independent legal counsel to assess their own compliance obligations.