# Acceptable use policy (staff)

**Version:** 1.0
**Effective date:** 2026-04-17

## 1. Applies to

Every person with access to Frameboard production systems, customer data, or corporate accounts, whether employed, contracted, or advising.

## 2. What you MUST do

- Use named accounts, with MFA enrolled before any production access
- Lock your workstation when you leave it (auto-lock after 5 minutes)
- Use a password manager for every production credential
- Report security concerns the moment you notice them - no question is too small
- Follow the principle of least privilege: use only the data you need for the task at hand
- Anonymise customer data when pasting into issues, screenshots, or third-party debugging tools

## 3. What you MUST NOT do

- Access customer data for any reason other than a specific support or engineering task
- Copy customer data to personal devices or personal cloud storage
- Share screenshots of customer data in public channels, conference talks, or marketing
- Install browser extensions, LLM wrappers, or "productivity tools" on your workstation that capture the screen or keyboard without a documented security review
- Plug in untrusted USB devices
- Disable OS-level security (FileVault/BitLocker, XProtect/Defender, firewall)
- Store API keys in source repos, even private ones
- Run production scripts from unsecured networks (cafes, airports) without VPN

## 4. Personal use of company systems

Limited personal use is tolerated if it does not affect work output or security. Do not use company accounts for political advocacy, personal branding, or financial transactions unrelated to Frameboard.

## 5. Off-boarding

On the last day of work:

- Return all company-issued hardware
- Wipe any copies of customer data on personal devices
- Sign the off-boarding attestation confirming destruction of local data

## 6. Consequences

- First breach: conversation and remediation plan
- Repeated or wilful breach: termination and reporting to authorities if the law is broken

## 7. Acknowledgement

Every person covered by this policy signs an annual acknowledgement kept in HR records.
