
# Acceptable Use Policy

> Acceptable Use Policy defines how personnel may use company information, devices, accounts, and AI and SaaS tooling

export const PolicyVersion = ({version, effective}) => <p><strong>Version {version}</strong> · Effective {effective}. Change history is tracked in version control.</p>;

The Acceptable Use Policy defines how personnel may use company information, devices, accounts, and AI and SaaS tooling. It protects botBrains, our customers, and our personnel against misuse, malware, and unauthorized disclosure of information, and it sets the everyday behaviour expected of everyone who handles company assets.

<Warning>
  botBrains is **not yet ISO 27001 certified**. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
</Warning>

<PolicyVersion version="1.0" effective="July 1, 2026" />

## Scope

This policy applies to both current botBrains team members and any future employee, contractor, or third party who uses botBrains information, accounts, or devices. botBrains operates fully remote with no company office, so the rules below assume work from home, while travelling, and across cloud services rather than a managed office network.

## Acceptable use

| Area                                       | What personnel must do                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Purpose.**                               | Use company accounts, devices, and information for legitimate business purposes. Occasional reasonable personal use is acceptable when it doesn't affect security or work.                                                                                                                                                                                                                                                                                                                                                                   |
| **Devices.**                               | Work only on full-disk-encrypted laptops (FileVault on macOS, BitLocker on Windows) with automatic operating-system and software updates enabled and the screen set to lock when idle.                                                                                                                                                                                                                                                                                                                                                       |
| **Accounts and passwords.**                | Store every credential in the shared password manager, never in plaintext files, browsers, or messages. Local development secrets are the exception: keep them in untracked `.env` files on your encrypted laptop, never committed to source control or shared. Authentication, password strength, and MFA requirements live in the [Access Control Policy](/trust/policies/access-control-policy).                                                                                                                                          |
| **AI and SaaS tooling.**                   | Use only approved, company-owned tools for company work. Never put **customer conversation data**, or other personal data we process for customers, into any tool that isn't a listed [subprocessor](/trust/subprocessors). **Confidential** company information, such as billing or financials, may go into approved company-owned systems, including our ChatGPT and Claude business accounts under `@botbrains.io` with no-training terms. Classify data by the [Data Classification Policy](/trust/policies/data-classification-policy). |
| **Clean screen.**                          | Lock your device whenever you step away, keep confidential information off screen when others can see it, and don't leave devices unattended in public spaces.                                                                                                                                                                                                                                                                                                                                                                               |
| **Information handling.**                  | Store and share company information only in approved systems, following the [Data Classification Policy](/trust/policies/data-classification-policy).                                                                                                                                                                                                                                                                                                                                                                                        |
| **External support and public questions.** | Before you raise a support request with a vendor or ask a public technical question on forums, GitHub issues, or similar channels, strip out customer data and Confidential information first. Share only the minimum needed to describe the problem.                                                                                                                                                                                                                                                                                        |
| **Reporting.**                             | Report a lost or stolen device, a suspected compromise, phishing, or any policy violation to the CISO without delay through the [Incident Management Policy](/trust/policies/incident-management-policy).                                                                                                                                                                                                                                                                                                                                    |
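The "Accounts and passwords" row requires local secrets to stay in untracked `.env` files and never reach source control. The following pre-commit hook is an added example of how to enforce that rule mechanically; it is not botBrains tooling and not part of this policy. It assumes a git repository and Python 3, and the file globs, exemptions, and credential regexes are illustrative assumptions that a team would tune for its own stack.

```python
"""Pre-commit guard: refuse commits that stage a .env file or an obvious credential.

Added example, not botBrains code. Install as .git/hooks/pre-commit (executable)
or run it from a hook framework. Only scan() and its helpers are pure; the git
calls live in staged_files() so the logic can be tested offline.
"""
import re
import subprocess
import sys
from fnmatch import fnmatch

# Assumption: these names must never be committed. ".env.example"-style
# templates are exempted because they carry no values.
FORBIDDEN_GLOBS = (".env", ".env.*", "*.env")
ALLOWED_NAMES = {".env.example", ".env.sample", ".env.template"}

# Assumption: illustrative credential patterns, not an exhaustive list.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # KEY=..., SECRET_KEY: "...", password=... with a value of 16+ token chars
    "generic_assignment": re.compile(
        r"(?i)(?:key|secret|password|passwd|token)\s*[:=]\s*['\"]?[A-Za-z0-9/+_\-]{16,}"
    ),
}


def is_forbidden_path(path: str) -> bool:
    """True if the file name itself marks a local-secrets file."""
    name = path.rsplit("/", 1)[-1]
    if name in ALLOWED_NAMES:
        return False
    return any(fnmatch(name, glob) for glob in FORBIDDEN_GLOBS)


def find_secrets(path: str, content: str) -> list:
    """Return (path, line_number, pattern_label) for every matching line."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, label))
    return findings


def scan(files) -> list:
    """files: iterable of (path, content). Forbidden files are reported once
    (line 0) without dumping their contents; other files are pattern-scanned."""
    findings = []
    for path, content in files:
        if is_forbidden_path(path):
            findings.append((path, 0, "forbidden_file"))
            continue
        findings.extend(find_secrets(path, content))
    return findings


def staged_files():
    """Yield (path, content) for files staged in the index (added/copied/modified)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout.split()
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], check=True, capture_output=True).stdout
        yield name, blob.decode("utf-8", errors="replace")


# Constructed sample input for an offline dry run; not real credentials.
SAMPLE_FILES = [
    ("src/app.py", 'API_KEY = "abcdefghijklmnopqrstuvwxyz0123"\nprint("hi")\n'),
    (".env", "DATABASE_URL=postgres://user:pw@localhost/db\n"),
    (".env.example", "DATABASE_URL=\nAPI_KEY=\n"),
    ("deploy/creds.txt", "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"),
    ("README.md", "Set PASSWORD=hunter2 in your shell before running.\n"),
    ("id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk=\n"),
]


def main(argv=None) -> int:
    """Hook entry point: exit 1 (block the commit) if anything is found."""
    files = SAMPLE_FILES if argv and "--demo" in argv else staged_files()
    findings = scan(files)
    for path, lineno, label in findings:
        where = path if lineno == 0 else f"{path}:{lineno}"
        print(f"BLOCKED {where}: {label}", file=sys.stderr)
    if findings:
        print("Move secrets to the password manager or an untracked .env file.", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run `python pre_commit_guard.py --demo` to see the hook reject the constructed sample (four blocked entries: the `API_KEY` assignment, the `.env` file, the AWS key, and the private key) while letting `.env.example` and the short `PASSWORD=hunter2` through. The value-length floor in the generic pattern is a deliberate trade: it misses short passwords to avoid flagging every `token=` in documentation, so pair the hook with a `.gitignore` entry for `.env` rather than relying on it alone.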

## Unacceptable use

Personnel must not:

* Put customer conversation data or other customer personal data into any tool that isn't a listed subprocessor, or put Confidential company information into a personal or unapproved account.
* Reuse company passwords elsewhere, share individual credentials, or store credentials outside the shared password manager.
* Install unlicensed or unvetted software, or disable security controls such as full-disk encryption, the firewall, or automatic updates.
* Store company confidential or customer data on personal cloud accounts, removable media, or unmanaged personal devices.
* Connect to untrusted public networks for sensitive work without the company WireGuard VPN.
* Use company assets for unlawful, harassing, or infringing activity.

## AI tooling guardrails

botBrains builds AI agents, so personnel use AI tools every day. botBrains binds the product's own model subprocessors to three enforced rules, namely EU data residency, EU inference residency, and no training on botBrains data, as the [Technical and Organizational Measures](/trust/toms) describe. For general-purpose AI tools, the rule depends on the data and the account. In approved company-owned accounts (ChatGPT and Claude under `@botbrains.io`, with business no-training terms), personnel may use Internal and Confidential information, but never customer conversation data. In any unapproved or personal tool, treat anything you submit as if it were public, and never submit customer data, secrets, or Confidential information.

## Device management

Laptops are full-disk-encrypted and kept current, but botBrains doesn't yet run mobile device management (MDM), so remote wipe and centrally enforced device policies aren't in place. Until botBrains adopts MDM, personnel are individually responsible for the device controls above. The [Future Improvements](/trust/roadmap) roadmap tracks evaluating an MDM solution.

Because botBrains can't yet centrally manage or remotely wipe mobile devices, personnel must not download or store customer data on any phone or tablet. Mobile access stays limited to email, Slack, and GitHub, each protected by MFA. Do all work that touches customer data on a full-disk-encrypted laptop that meets the device rules above.

## Monitoring

To protect company and customer information, botBrains may monitor security-relevant system and administrative activity, such as access logs and security telemetry, as the [Logging and Monitoring Policy](/trust/policies/logging-and-monitoring-policy) describes. That policy defines what botBrains actually logs and how long it keeps the records. This monitoring stays limited to security and operational purposes and doesn't extend to the content of personal communications. By accepting this Acceptable Use Policy, personnel accept this monitoring.

## Enforcement

Violations may lead to revoked access and disciplinary action under the [Human Resource Security Policy](/trust/policies/human-resource-security-policy). Exceptions require written approval from the CISO, who records them with an expiry date.

## ISO 27001 mapping

This policy supports Annex A 5.10 (acceptable use of information and associated assets), 6.7 (remote working), and 8.1 (user endpoint devices).

## Review

The CISO owns this policy and reviews it at least annually and after any material change.
