Acceptable Use Policy (AUP)
Document ID: DPWAT-ISMS-POL-002
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)
1. Scope
This policy applies to all users of DP WAT information and systems (employees, contractors, consultants, and third parties).
2. Baseline rules
- Use DP WAT systems only for authorized business purposes.
- Do not share credentials. Store credentials only in approved password managers (DP WAT standard: iCloud Keychain and 1Password, as applicable).
- MFA is mandatory on all in-scope systems where available.
- Lock screens when unattended; enable device encryption (Apple FileVault on Macs).
- Report suspected security incidents immediately (see 03.07-incident-management-policy).
- No unauthorized recording: Do not use personal devices to record audio, video, or photographs of work screens, documents, or meetings without explicit approval from the CISO or customer (as applicable). This protects customer IP and confidential information.
- Slack is used operationally and file uploads are allowed. DP WAT uses the Slack workspace devplant, which is tenant-owned by DP COWORKING SRL (related entity). However:
  - Do not upload or paste credentials/secrets in chat.
  - Do not upload customer deliverables or Confidential customer data to Slack; prefer links to approved repositories (e.g., Google Drive, GitHub, YouTrack attachments where appropriate).
  - If a project requires sharing customer Confidential content via Slack, it must be explicitly approved and risk-assessed (exception/risk acceptance).
  - Slack retention is configured to 90 days; Slack is not used as an evidence-critical record repository.
  - No guest users / Slack Connect are allowed for DP WAT workspaces unless explicitly approved and risk-assessed.
3. Data handling (cloud-first)
DP WAT’s default is cloud storage and SaaS tools.
- Store work information in approved services (e.g., Google Drive, GitHub, YouTrack) rather than local-only copies.
- Do not store customer production data exports locally unless explicitly required and approved (use the exception process).
- External storage (USB/HDD/SSD) is prohibited without written approval from the CISO or an Administrator.
4. Remote work and networks
- Remote work is allowed from within the EU, subject to customer/contract requirements.
- All networks (including DP COWORKING and home) are treated as untrusted (zero trust model).
- Prefer known, password-protected networks; avoid open public WiFi for sensitive work.
- If using public WiFi, use VPN or limit activity to non-sensitive tasks.
- VPN use is recommended; if a customer requires VPN/Zero Trust access, it becomes mandatory for that project.
- Do not leave equipment unattended in public spaces (cafes, airports, coworking common areas). When stepping away, take devices with you or secure them out of sight.
5. Customer-owned devices (third-party assets)
Some employees/contractors may be issued customer-owned devices. These devices are managed by the customer.
- Treat customer devices as third-party assets with customer rules taking precedence.
- Customer-owned devices may access DP WAT internal systems for basic collaboration (e.g., email/chat) when needed for delivery.
- Use of customer-owned devices to access additional DP WAT systems and/or other customers’ resources must be risk-assessed and controlled (least privilege, project separation) and recorded where applicable (exception/risk acceptance if needed).
6. Intellectual property
- Use only properly licensed software. DP WAT provides licenses for standard tools (e.g., JetBrains, 1Password).
- Customer IP ownership is defined in customer contracts; respect customer ownership of code and deliverables.
- Open source license compliance (e.g., GPL, MIT, Apache) follows customer-specific requirements as defined in contracts.
- DP WAT's own reusable tooling and IP are stored in the devplant GitHub organization.
7. Information exchange
When sharing information with external parties (customers, partners, suppliers):
- Use approved channels: email (Google Workspace), customer-provided collaboration tools, secure file sharing (Google Drive links, GitHub).
- Verify recipient identity before sharing sensitive information. Be cautious of email/chat requests that seem unusual.
- Do not send credentials, secrets, or API keys via email or chat. Use secure vaults or direct secure transfer methods.
- For customer deliverables, follow customer-specified channels and classification requirements.
- Code exchange uses version control (GitHub, customer repos); avoid sending code as email attachments.
8. Enforcement
Violations can lead to access revocation, disciplinary measures, contract termination, and/or legal action depending on severity.
Disciplinary escalation
Policy violations are handled proportionately:
- Verbal warning — minor first-time violations, documented informally
- Written warning — repeated minor violations or moderate violations
- Formal disciplinary action — serious violations or pattern of non-compliance
- Contract/employment termination — severe violations or continued non-compliance
- Legal action — where violations cause material harm or involve criminal conduct