Acceptable Use Policy

Rules and standards for how CompleteFlow personnel use CompleteFlow-managed devices, accounts, networks, and sanctioned software, and the conditions under which personnel may perform work on CompleteFlow customer data.

Document: CF-POL-004
Version: 1.0
Classification: External / Customer-shareable
Last reviewed: 2026-02-27
Owner: Director and Information Security Officer, CompleteFlow Ltd
Next review: 2027-02-27

1. Purpose

This policy sets out the rules and standards for how CompleteFlow personnel use CompleteFlow-managed devices, accounts, networks, and sanctioned software, and the conditions under which personnel may perform work on CompleteFlow customer data. It is designed to protect customer data, personnel, and CompleteFlow Ltd.

Personnel use of generative AI tools is governed specifically by CF-POL-008 AI Governance and Acceptable Use Policy. This policy cross-references that document but does not duplicate it.

2. Scope

This policy applies to:

  • All CompleteFlow employees, directors, and contractors
  • Any sub-processor personnel performing work on CompleteFlow customer data (where such arrangements apply)
  • All devices, accounts, networks, and services provided or authorised by CompleteFlow
  • Any incidental use of a personally-owned device for work (for example, a personal mobile phone receiving MFA push notifications)

3. General principles

  • CompleteFlow-issued devices and accounts are provided for CompleteFlow work. Personal use should be minimal, lawful, and consistent with this policy.
  • Personnel have no expectation of privacy in their use of CompleteFlow-managed systems. CompleteFlow monitors usage to the extent necessary for security, legal, and contractual reasons, consistent with UK employment law and UK GDPR.
  • All use must comply with applicable laws, including the Computer Misuse Act 1990, UK GDPR, and the laws of any jurisdiction in which the user is located.
  • Personnel must report suspicious activity, lost or stolen devices, and suspected incidents via the process set out in CF-PLAN-001.

4. Devices

4.1 Use CompleteFlow-managed devices for CompleteFlow work

Work involving CompleteFlow customer data must be performed on a CompleteFlow-issued, CompleteFlow-managed device. This requirement applies regardless of the individual's employing legal entity.

Personal devices must not be used to access customer data, store customer data, or perform development work that touches customer data. The only exceptions permitted under this policy are limited ones that do not involve access to customer data, for example using a personal mobile phone for MFA push notifications or an authenticator app.

4.2 Device configuration standard

CompleteFlow-managed devices are configured with:

  • Full-disk encryption (FileVault on macOS; BitLocker on Windows)
  • Automatic security updates for operating system and critical applications
  • Anti-malware with automatic signature updates
  • Screen lock after no more than 10 minutes of inactivity, with password or biometric required to unlock
  • Central management (MDM) for compliance monitoring and remote wipe
  • Administrator account separated from the daily-use account
  • Patch cadence: Critical-severity patches applied within 7 days of release; High-severity patches within 14 days
  • Approved browsers and work apps only for customer data handling

4.3 Lost or stolen devices

Personnel must report lost or stolen devices immediately (within the same working day). On report:

  • CompleteFlow remotely wipes the device and revokes its certificates and tokens
  • Credentials that the device may have had access to are rotated
  • The Information Security Officer assesses the event under CF-PLAN-001 to determine whether it constitutes a reportable incident

4.4 Travel

  • Devices must be carried as hand luggage when travelling; placing a CompleteFlow-managed device in checked baggage is not permitted
  • Public-network use (hotel, airport, cafe) must be via the CompleteFlow VPN or by tethering to a trusted mobile device
  • Extra care is required when travelling to jurisdictions known for device inspection or confiscation; personnel should consult the Information Security Officer in advance

5. Accounts and credentials

  • Do not share account credentials with anyone, including colleagues and family members.
  • Use the CompleteFlow-approved password manager for any service not federated via SSO.
  • Enable MFA on every work account (see CF-POL-003 section 4.3).
  • Report any suspected account compromise (for example, unexpected sign-in alert, MFA prompt you did not initiate) immediately.
  • Do not leave credentials in source code, configuration files, ticketing systems, or email.

6. Networks and remote working

  • Use CompleteFlow VPN when connecting to customer Azure subscriptions over the public internet.
  • Home networks used for remote work should have WPA2 or WPA3 encryption, a unique router admin password, and current firmware.
  • Do not use unattended public devices (for example, business-centre computers) for work.
  • Screen privacy filters are required when working on customer data in public spaces.

7. Software and sanctioned tools

7.1 Approved software list

Software used for CompleteFlow work must come from the approved software list, which is maintained by the Information Security Officer. The list is reviewed quarterly. To request addition of new software, submit a request with intended purpose, data categories affected, vendor information, and any relevant security attestations; approval requires Information Security Officer sign-off.

7.2 Prohibited activity

The following are prohibited:

  • Installing software that has not been approved, including browser extensions that process customer data
  • Disabling anti-malware, endpoint management, or other security controls
  • Connecting unauthorised storage media (external drives, USB sticks) to CompleteFlow-managed devices
  • Downloading customer data to personal devices, personal cloud storage, or unsanctioned third-party services
  • Uploading customer data to any service that has not been explicitly sanctioned in the customer's deployment specification
  • Uploading customer data to public or consumer AI services (see CF-POL-008 section 8)
  • Using CompleteFlow systems for unlawful activity, harassment, discrimination, or any activity contrary to CompleteFlow's codes of conduct
  • Bypassing or attempting to bypass access controls, rate limits, or monitoring
  • Running security testing tools against CompleteFlow or customer systems without written authorisation

7.3 AI tools

Use of generative AI tools by personnel (whether for coding assistance, document drafting, analysis, or other purposes) is governed by CF-POL-008. In summary: sanctioned enterprise AI tools may be used subject to data-handling rules; customer data must never be pasted into unsanctioned AI services.

8. Communication and data handling

  • Use CompleteFlow-managed email accounts for all CompleteFlow business correspondence; do not forward CompleteFlow email to personal addresses.
  • Customer data may only be transmitted over approved channels. Email attachments are discouraged for confidential customer content; use the customer's own secure channel where available.
  • When sharing screenshots, recordings, or demo environments externally, ensure no real customer data is visible; use synthetic or redacted samples.
  • Printed material containing customer information must be shredded using a cross-cut shredder or equivalent.

9. Social media and public communication

  • Do not disclose customer names, configurations, contracts, or any confidential CompleteFlow business information on social media or in public forums without explicit authorisation.
  • Do not post technical or security findings discovered in the course of CompleteFlow work to public issue trackers, forums, or Q&A sites.
  • Use discretion when commenting on the wider AI, legal-tech, insurtech, or cybersecurity industries; any opinion expressed should be clearly personal.

10. Incident reporting

All suspected incidents, including phishing attempts, lost devices, unintended data disclosure, suspicious sign-in alerts, or any event that might indicate a compromise, must be reported immediately via the channel documented in CF-PLAN-001. Reporting in good faith will not lead to disciplinary action, even if the event ultimately turns out to be a false alarm. Failing to report a known incident is a breach of this policy.

11. Monitoring and privacy

CompleteFlow monitors the use of CompleteFlow-managed devices, accounts, and networks for security, legal, and contractual reasons. Monitoring is proportionate, documented, and conducted in line with UK employment law and UK GDPR. Personnel are informed of the categories and purposes of monitoring during induction.

12. Enforcement

Breach of this policy may result in:

  • Informal coaching or formal warning
  • Suspension or revocation of access
  • Disciplinary action up to and including dismissal, in accordance with CompleteFlow's disciplinary procedures
  • Termination of a contractor or sub-processor arrangement
  • Referral to law enforcement or regulatory bodies where the breach involves a criminal offence or regulatory-notifiable event

13. Acknowledgement

All personnel acknowledge acceptance of this policy at induction and at each annual refresher. Acknowledgement records are retained per CF-POL-001 section 7.3.

14. Document control

Version | Date       | Author     | Change
1.0     | 2026-04-24 | J. Griffin | Initial approved version