← All policies

Acceptable Use Policy

1. Purpose

To define the rules personnel must follow when using Company information, systems, and devices, and the obligations they accept in exchange for that access.

2. Scope

Applies to all personnel of the Company. The Company has one director and no other personnel, and this Policy applies to the Director in that capacity. The Policy applies in the same form to any additional personnel engaged in future (employees, contractors, interns, or external advisors with access to Company systems or information).

The EU Representative is not personnel of the Company. They are external to the operation, have no access to Company systems or data, and are not bound by this Policy. Their obligations are set out in the EU Representative Mandate.

3. General principles

Personnel shall:

• Use Company systems and information solely for authorised business purposes.
• Comply with all applicable laws, regulations, and Company policies.
• Protect Company information at the level appropriate to its classification (see Data Classification & Handling Policy).
• Report suspected security incidents promptly per the Incident Management Policy.
• Not undermine, bypass, or disable any security control without prior written approval from the Director.

4. Account and credential use

Personnel shall:

• Use only their assigned, individually-attributed accounts.
• Not share passwords, MFA codes, or hardware keys with any other person.
• Store all Company credentials in the Company password manager only.
• Use a unique strong password (≥16 characters, generated by the password manager) per service.
• Enable MFA on every account that supports it, on day one.
• Lock or sign out when leaving a workstation unattended.
• Report a lost or compromised credential immediately.

5. Workstation and device use

Personnel shall ensure that any device used for Company work has:

• Full-disk encryption enabled (FileVault on macOS, BitLocker on Windows).
• An automatic screen-lock timeout of no more than 5 minutes.
• The operating system and primary applications set to auto-update.
• An antivirus / endpoint-protection solution where required by the Endpoint Security Policy.
• Backup configured to an encrypted destination (e.g. Time Machine to an encrypted volume).
• No unmanaged remote-desktop access (TeamViewer, AnyDesk) installed unless required for support and approved.

Personal use of Company devices is permitted in moderation but is subject to all of this Policy. The Company makes no commitment of privacy in relation to data on Company devices except as required by applicable law.

6. Email and communications

Personnel shall:

• Use the Company-provided email address for all Company business.
• Not auto-forward Company email to personal accounts.
• Not transmit Confidential or Restricted information through unencrypted channels (SMS, plain email outside corporate accounts, consumer chat apps without encryption).
• Treat unsolicited emails — even apparently from regulators or customers — with caution; verify out-of-band before acting on instructions in such messages.

7. Internet and software use

Personnel shall:

• Not download or install pirated, unlicensed, or unverified software on Company devices.
• Not use unauthorised file-sharing services for Company information (only Company-approved cloud drives).
• Not connect Company devices to untrusted public Wi-Fi without using the Company's approved VPN, where required for the activity.
• Not install browser extensions or developer tools that have access to Company secrets without review.

8. Use of generative AI

Personnel shall:

• Not paste Customer Personal Data, Confidential business information, source-code secrets, or credentials into general-purpose AI assistants (ChatGPT consumer, Gemini, Claude.ai, etc.) unless those tools are governed by a Company-procured enterprise agreement with no-training and EU-residency commitments.
• Use only Company-approved AI tools for work that touches Confidential or Restricted information.
• Disclose any AI-assisted output that is incorporated into Company artefacts where the disclosure is material.

9. Source code and intellectual property

Personnel shall:

• Commit Company source code only to the Company repository (GitLab).
• Not push Company code to personal accounts or public repositories.
• Not use Company source code or data outside the scope of the Company's purpose, including after departure.

10. Data handling and disposal

Personnel shall:

• Treat all Customer Personal Data as Restricted (see Data Classification & Handling Policy).
• Not export Customer Personal Data to local devices except through ephemeral, audited operations.
• Securely dispose of physical or digital materials at end-of-use (shred paper containing Confidential information; perform certified erasure on storage media before disposal or transfer).

11. Reporting

Personnel are required to report, immediately:

• Lost or stolen devices.
• Suspected phishing or social-engineering attempts.
• Suspected unauthorised access to any Company system.
• Any change to their personal circumstances that may affect security clearance (where relevant).

Reports go to security@cadences.work or directly to the Director. Reporting in good faith does not result in negative consequences, even if the reported event turns out to be benign.

12. Sanctions

Violations of this Policy may result in disciplinary action up to and including termination of employment or contract, and may be reported to law enforcement or regulatory authorities where appropriate.

13. Acknowledgement

The Director acknowledges this Policy by approving it at §15 below, and re-acknowledges annually as part of the policy review cycle. Any future personnel shall acknowledge this Policy in writing on joining and at least annually thereafter; acknowledgement records are retained in HR.

14. Compliance and references

ISO/IEC 27001:2022 Annex A: A.5.10 (acceptable use of information and other associated assets), A.6.3 (information security awareness, education and training), A.6.7 (remote working), A.8.1 (user end point devices).

15. Version history