HLD Group
Acceptable use policy
Rules for using our websites, demos, and any systems we make available to you in a pre-contract or public context.
Last updated: 21 May 2026
Version 2.0 · Review cycle: 365 days
1. Purpose
This document establishes mandatory requirements for HLD Group personnel, contractors, and third parties with access to HLD Group systems, facilities, or data. It supports our information security management system (ISMS), regulatory obligations, and customer contractual commitments.
Compliance with this policy is a condition of access to company resources. Exceptions require documented approval from the Chief Information Security Officer (CISO) or delegate and must include compensating controls.
2. Scope
This policy applies globally to all HLD Group employees, contractors, consultants, interns, and agency staff ("Personnel"). It covers all information assets owned, leased, or processed by HLD Group, including cloud services, customer environments under our management, development systems, corporate IT, and removable media.
Where a customer contract or applicable law imposes stricter requirements, the stricter requirement prevails. Customer-specific security addenda form part of the compliance baseline for assigned personnel.
- Corporate and production information systems
- Endpoints, mobile devices, and removable media used for company business
- Collaboration tools, email, and messaging platforms
- Source code repositories, CI/CD pipelines, and artefact stores
- Physical offices, co-working facilities, and data centre space under our control
3. Definitions
- Information asset — any data, system, application, or service that stores, processes, or transmits information
- Sensitive data — confidential, restricted, regulated, or customer data requiring heightened protection
- Privileged access — administrative or elevated rights that can alter security configuration or access unrelated data
- Security incident — a confirmed or suspected breach of policy, loss of confidentiality, integrity, or availability
- Compensating control — alternative safeguard that achieves equivalent risk reduction when a primary control cannot be met
4. Permitted use
Company systems and networks may be used for authorised business purposes, professional development directly related to role, and limited personal use that does not interfere with work or consume material bandwidth.
- Accessing systems with assigned credentials only
- Storing customer data only in approved locations
- Installing software only from approved sources or IT
- Following classification rules when sharing information
5. Prohibited use
The following activities are strictly prohibited on HLD systems and networks:
- Unauthorised access, port scanning, or penetration testing without written approval
- Introducing malware, ransomware, cryptominers, or denial-of-service tools
- Circumventing security controls, MFA, or monitoring
- Harassment, hate speech, or threatening communications
- Illegal content, pirated software, or export-controlled data without authorisation
- Sharing credentials or using another person’s account
- Excessive personal streaming, gaming, or cryptocurrency mining
- Operating Tor exit nodes or anonymizers on corporate networks
- Using company resources for personal commercial ventures without approval
6. Internet and email
Internet access is filtered and logged. Email must not be used to transmit chain letters, spam, or Confidential data to personal accounts. Phishing reports are mandatory within one hour of suspicion.
7. Software and intellectual property
Only licensed software is installed. Open-source use follows licence compliance review. Customer and HLD IP is protected; unauthorised copying to personal devices is prohibited.
8. Monitoring
HLD reserves the right to monitor systems and networks for security and policy compliance consistent with law and internal privacy notices. Personnel should have no expectation of privacy for business communications on company systems.
9. Public websites and trials
Public website visitors must not abuse contact forms, scrape at scale, or attempt unauthorised access. Trial environments are for evaluation only; production data must not be loaded without anonymisation approval.
10. Consequences
Violations may result in suspension, termination, civil remedies, and criminal referral. Report abuse to [email protected]; security issues to the responsible disclosure programme.
Roles and responsibilities
Executive leadership
The CEO and executive team approve this policy, allocate resources for implementation, and receive quarterly security and compliance summaries.
Chief Information Security Officer (CISO)
The CISO owns the security programme, maintains policies, approves exceptions, and reports material risk to leadership and the board where applicable.
- Approve standards, run risk assessments, and chair the security steering group
- Coordinate incident response and regulatory notifications
- Maintain mappings to SOC 2, ISO 27001, and customer frameworks
IT and engineering
Implement technical controls, operate monitoring, and execute change, backup, and recovery procedures in line with approved standards.
People & culture / HR
Support background checks, onboarding acknowledgements, the disciplinary process for policy violations, and offboarding coordination.
All personnel
Complete mandatory training, report suspected incidents within one hour, protect credentials, and follow classification and handling rules.
Enforcement, exceptions, and review
Violations may result in access suspension, disciplinary action up to termination, contract remedies for third parties, and referral to law enforcement where appropriate.
Exception requests must be submitted in writing, include business justification, risk assessment, expiry date, and compensating controls. Exceptions are reviewed at least quarterly.
This policy is reviewed at least annually and upon significant regulatory, organisational, or technology changes. Version history is maintained in the compliance repository.
For contractual attestations or audit packs, contact [email protected].