Acceptable Use

Purpose and Scope

This Acceptable Use Policy (AUP) provides clear guidelines for the appropriate use of the information technology resources, systems, and data of Helpcare AI, Inc., DBA Careforce (hereinafter referred to as "the Company"). This policy aims to protect these resources from misuse, safeguard sensitive information, and ensure compliance with applicable legal, regulatory, and contractual obligations.

This policy applies to all individuals who have access to the Company's information technology (IT) systems, including employees (permanent, temporary, and part-time), contractors, vendors, consultants, and third-party service providers. The policy covers all IT resources, including computers, mobile devices, software, networks, cloud services, data storage, and any other assets managed or owned by the Company.

System Access and Authentication

Users must access systems only through their assigned unique credentials. Sharing of credentials is strictly prohibited except where explicitly authorized for shared service accounts. All shared account credentials must be stored in a Company-approved password manager. Multi-factor authentication is required for all system access where available. Users must maintain secure password practices, including using unique passwords for each system and maintaining complexity requirements. Passwords must never be shared and should only be stored in approved password managers. Users must change their passwords immediately if compromise is suspected.

Resource Usage Requirements

The Company's IT resources are provided primarily for business purposes. Limited personal use is permitted, provided such use does not interfere with work duties, violate Company policies, burden systems or network resources, pose security risks, or incur additional costs.

All data created, transmitted, or stored on Company systems remains the property of the Company and may be monitored or audited at any time. Users should have no expectation of privacy when using Company resources for personal purposes.

User Responsibilities

Users are required to protect and secure any devices used to access Company systems and must report all security incidents and suspected compromises immediately. All users must follow established data handling and protection requirements and complete required security awareness training. Systems must be locked or logged out when unattended, and users should only utilize approved software and services and ensure their systems and software remain up to date.

Prohibited Activities

The use of Company resources for any unlawful purpose is strictly prohibited. Users must not attempt to circumvent security controls, share access credentials (except for approved shared accounts), or install unauthorized software or hardware. Using Company resources for personal financial gain, to access or share inappropriate content, to send spam or phishing emails, or to introduce malware is forbidden. Additionally, users must not perform unauthorized system scanning or testing, access systems or data without authorization, or remove security controls or protections.

Users are explicitly prohibited from attempting to access, modify, or delete system logs, audit trails, or security data.

Data Protection Requirements

All users must handle data according to its established sensitivity level, ensuring appropriate encryption for sensitive data both in transit and at rest. Users must implement approved cryptographic controls based on risk assessment and follow specific requirements for cryptographic key management. Additional controls must be applied for sensitive data categories as defined by the Company's data classification policy.

Data storage is restricted to approved systems and services only. The sharing of sensitive data outside the Company requires proper authorization. Any suspected data breaches must be reported immediately, and users must adhere to all backup and retention requirements. Data should be deleted when it is no longer needed for business purposes.

Communication and Internet Usage

Email and messaging systems are provided primarily for business communications. Users must maintain professional communication standards and protect sensitive data appropriately when transmitted. Recipients must be verified before sending communications, and automatic email forwarding to external addresses is prohibited. Personal email accounts should not be used for Company business.

Internet access is provided for business purposes, with limited personal use permitted within the bounds of other policy requirements. Users must exercise good judgment when accessing internet resources through Company systems.

Software and Device Management

All software installations must be approved by IT, and users must maintain proper software licenses and compliance. Regular security patches and updates must be applied to all systems and software. Users may only utilize approved cloud services and applications. Any devices used for Company business must be registered and follow all configuration and security requirements.

Personal devices used for Company business activities must comply with the Company's Bring Your Own Device (BYOD) policy requirements.

Monitoring and Privacy

The Company maintains comprehensive audit logs documenting user activities, access patterns, system configuration changes, security events, administrator activities, time synchronization, and system alerts. These logs are essential for maintaining system security and investigating potential incidents.

The Company maintains the right to monitor all system and network activity, audit user actions and access, review stored data and communications, block access to resources, and remove unauthorized software or data. Users should understand that they have no expectation of privacy when using Company systems.

Security Incident Reporting

Security incidents must be reported immediately, including any suspected breaches, lost or stolen devices, credential compromises, unusual system behavior, security control failures, or policy violations. Prompt reporting enables the Company to respond effectively to security threats and minimize potential damage.

Non-Compliance

Any violation of this policy may result in disciplinary action, including but not limited to revocation of system access or termination of employment. The Company reserves the right to pursue legal action where applicable, and violators may be held responsible for any damages or losses resulting from their actions. All policy violations will be documented and thoroughly investigated.