DMCA or copyright policy exists if app hosts user-uploaded content

Why it matters

Platforms that allow user file uploads without a DMCA policy forfeit protection under the DMCA Section 512 safe harbor — the law that shields platforms from copyright liability for user-uploaded content. Without safe harbor, you are directly liable for every infringing file your users upload, with statutory damages of $750–$150,000 per work. Copyright holders routinely target platforms with no documented takedown process for expedited litigation. Safe harbor is not automatic; it requires a registered designated DMCA agent with the US Copyright Office, a published policy, and a functioning takedown procedure — all three must be present.

Remediation

Create a DMCA policy page at /dmca listing your designated agent's contact information and the takedown submission process. Register a DMCA agent with the US Copyright Office at dmca.copyright.gov/osp (one-time $6 fee) to claim safe harbor.

// Required elements for DMCA policy page:

Designated Agent
DMCA Agent: [Name or "Legal Department"]
Email: dmca@example.com
Mailing Address: [Physical address — required for DMCA registration]

Takedown Notice Requirements
- Your contact info (name, address, phone, email)
- Identification of the copyrighted work
- URL of the infringing material on our platform
- Good faith belief statement
- Statement under penalty of perjury of authority to act
- Your physical or electronic signature

Repeat Infringer Policy
We terminate accounts of repeat copyright infringers.

Add a <a href="/dmca">Copyright / DMCA</a> link to your footer alongside Terms and Privacy.

Detection

ID: legal-pages-compliance.required-pages.dmca-if-ugc
Severity: medium
What to look for: Enumerate every relevant item. Determine whether the application allows users to upload files — images, videos, documents, audio, or any other media. Signals: file upload libraries (multer, uploadthing, @aws-sdk/client-s3, cloudinary, @uploadcare/react-uploader), routes like /api/upload, /api/media, storage bucket references (S3, Supabase Storage, Cloudinary), or database columns for file URLs. If uploads are present, check for a DMCA takedown policy. Common routes: /dmca, /copyright, /legal/dmca. The policy may also be within the Terms of Service. For US-based platforms, a valid DMCA safe harbor (Section 512 of the DMCA) requires a registered DMCA agent with the US Copyright Office, a public notice of the agent's contact info, and a documented takedown procedure. The policy should specify: how to submit a takedown notice, what information is required, the counter-notification process, and a repeat-infringer termination policy.
Pass criteria: At least 1 of the following conditions is met. If file upload features are present, a DMCA or copyright takedown policy exists with a designated contact for receiving notices (an email address or web form). The policy describes the takedown submission process. For US platforms: the designated agent's contact information is publicly listed.
Fail criteria: File upload features exist but no DMCA policy or copyright notice exists. A policy exists but provides no actual contact information or submission process.
Skip (N/A) when: No file upload features detected. Application does not allow users to upload images, videos, documents, or other media files. Text-only UGC (comments, posts with no attachments) does not require a DMCA policy — but an AUP is still required.
Detail on fail: Specify what was found. Example: "File upload feature detected (uploadthing dependency, /api/upload route, storage URLs in posts table). No DMCA policy or copyright contact page found." or "DMCA policy page exists but lists no designated agent contact information — only states 'contact us about copyright issues.'".

Remediation: Create a DMCA / copyright policy page. For US platforms, also register a DMCA agent with the US Copyright Office (a one-time $6 fee at dmca.copyright.gov/osp — required to claim safe harbor protection).

DMCA Takedown Policy — required elements:

1. Designated Agent Contact
   DMCA Agent: [Name or "Legal Department"]
   Email: dmca@example.com
   Mailing Address: [Physical address — required for DMCA registration]

2. Takedown Notice Requirements
   Your notice must include:
   - Your contact information (name, address, phone, email)
   - Identification of the copyrighted work being infringed
   - Identification of the infringing material and its URL on our platform
   - A statement that you have a good faith belief the use is not authorized
   - A statement under penalty of perjury that you are the copyright owner
     or authorized to act on their behalf
   - Your physical or electronic signature

3. Counter-Notice
   If your content was removed and you believe it was a mistake:
   [Describe counter-notice process and requirements]

4. Repeat Infringer Policy
   We terminate the accounts of users who are repeat copyright infringers.

Submit takedown notices to: dmca@example.com

Why it matters

Remediation

// Required elements for DMCA policy page:

Designated Agent
DMCA Agent: [Name or "Legal Department"]
Email: dmca@example.com
Mailing Address: [Physical address — required for DMCA registration]

Takedown Notice Requirements
- Your contact info (name, address, phone, email)
- Identification of the copyrighted work
- URL of the infringing material on our platform
- Good faith belief statement
- Statement under penalty of perjury of authority to act
- Your physical or electronic signature

Repeat Infringer Policy
We terminate accounts of repeat copyright infringers.

Add a <a href="/dmca">Copyright / DMCA</a> link to your footer alongside Terms and Privacy.

Detection

ID: legal-pages-compliance.required-pages.dmca-if-ugc
Severity: medium
What to look for: Enumerate every relevant item. Determine whether the application allows users to upload files — images, videos, documents, audio, or any other media. Signals: file upload libraries (multer, uploadthing, @aws-sdk/client-s3, cloudinary, @uploadcare/react-uploader), routes like /api/upload, /api/media, storage bucket references (S3, Supabase Storage, Cloudinary), or database columns for file URLs. If uploads are present, check for a DMCA takedown policy. Common routes: /dmca, /copyright, /legal/dmca. The policy may also be within the Terms of Service. For US-based platforms, a valid DMCA safe harbor (Section 512 of the DMCA) requires a registered DMCA agent with the US Copyright Office, a public notice of the agent's contact info, and a documented takedown procedure. The policy should specify: how to submit a takedown notice, what information is required, the counter-notification process, and a repeat-infringer termination policy.
Pass criteria: At least 1 of the following conditions is met. If file upload features are present, a DMCA or copyright takedown policy exists with a designated contact for receiving notices (an email address or web form). The policy describes the takedown submission process. For US platforms: the designated agent's contact information is publicly listed.
Fail criteria: File upload features exist but no DMCA policy or copyright notice exists. A policy exists but provides no actual contact information or submission process.
Skip (N/A) when: No file upload features detected. Application does not allow users to upload images, videos, documents, or other media files. Text-only UGC (comments, posts with no attachments) does not require a DMCA policy — but an AUP is still required.
Detail on fail: Specify what was found. Example: "File upload feature detected (uploadthing dependency, /api/upload route, storage URLs in posts table). No DMCA policy or copyright contact page found." or "DMCA policy page exists but lists no designated agent contact information — only states 'contact us about copyright issues.'".

DMCA Takedown Policy — required elements:

1. Designated Agent Contact
   DMCA Agent: [Name or "Legal Department"]
   Email: dmca@example.com
   Mailing Address: [Physical address — required for DMCA registration]

2. Takedown Notice Requirements
   Your notice must include:
   - Your contact information (name, address, phone, email)
   - Identification of the copyrighted work being infringed
   - Identification of the infringing material and its URL on our platform
   - A statement that you have a good faith belief the use is not authorized
   - A statement under penalty of perjury that you are the copyright owner
     or authorized to act on their behalf
   - Your physical or electronic signature

3. Counter-Notice
   If your content was removed and you believe it was a mistake:
   [Describe counter-notice process and requirements]

4. Repeat Infringer Policy
   We terminate the accounts of users who are repeat copyright infringers.

Submit takedown notices to: dmca@example.com

DMCA or copyright policy exists if app hosts user-uploaded content

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

DMCA or copyright policy exists if app hosts user-uploaded content

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History