Acceptable Use Policy

Appropriate use of Maelstrom AI information systems and resources

Public

Purpose

This Acceptable Use Policy defines appropriate and inappropriate use of Maelstrom AI’s information systems, devices, networks, and information assets.

Scope

Applies to all:

  • Team members (employees, contractors)
  • Devices accessing Maelstrom AI systems
  • Cloud resources (GitHub, Cloudflare)
  • Information and data

Acceptable Use

General Principles

You may use Maelstrom AI systems to:

  • Perform your assigned job duties
  • Collaborate with team members
  • Access approved cloud services and tools
  • Make reasonable personal use of them (minimal, non-disruptive)

Workstation Security

Required:

  • ✅ Full disk encryption (FileVault on macOS, BitLocker on Windows)
  • ✅ Strong password or biometric unlock
  • ✅ Automatic screen lock (5-minute timeout maximum)
  • ✅ OS security updates within 7 days of release
  • ✅ Approved password manager (1Password, Bitwarden)
  • ✅ MFA enabled for all critical services

Operating System:

  • Keep OS up to date
  • Enable built-in security features (Gatekeeper, Windows Defender)
  • Use current, supported OS versions

Remote Work Security

Since we’re fully remote:

  • Home office: Secure physical area, lock devices when away
  • Public WiFi: Acceptable (HTTPS encrypts traffic), VPN available if concerned
  • Video calls: Use virtual backgrounds to avoid exposing sensitive information
  • Physical documents: Shred when no longer needed (minimise printing)

Software Installation

Approved without request:

  • Development tools (IDEs, compilers, debuggers)
  • Official SDKs and libraries
  • Password managers
  • Communication tools (Signal, Slack if used)

Requires approval:

  • Monitoring/profiling software
  • Network analysis tools
  • Software that modifies system security settings

Prohibited:

  • Pirated or unlicensed software
  • Key generators or cracks
  • Tor or anonymisation tools (without business justification)

Internet and Email Use

Acceptable:

  • Research related to work
  • Professional development
  • Reasonable personal use during breaks
  • Personal email (minimal)

Prohibited:

  • Illegal activities
  • Harassment or discrimination
  • Downloading pirated content
  • Accessing malicious websites
  • Phishing or social engineering
  • Cryptocurrency mining
  • Excessive personal use disrupting work

Prohibited Activities

Security Violations

Never:

  • Share passwords or credentials
  • Store passwords in plain text
  • Disable security features (MFA, encryption, firewalls)
  • Bypass authentication or access controls
  • Access data without authorisation
  • Introduce malware intentionally
  • Conduct unauthorised security testing

Data Handling Violations

Never:

  • Store secrets in source code or logs
  • Email or transmit secrets insecurely
  • Store company data on personal cloud storage (except approved: GitHub, Cloudflare)
  • Use personal devices for company secrets (use company-provided or approved devices)
  • Share confidential information publicly

System Misuse

Never:

  • Use Maelstrom AI resources for personal business ventures
  • Conduct illegal activities
  • Attack or compromise any systems
  • Circumvent monitoring or logging
  • Mine cryptocurrency on company resources

Device Requirements

Company-Provided Devices

If the company provides a device:

  • Primary use: Work
  • Security settings must not be disabled
  • Full disk encryption required
  • Security updates mandatory
  • Return upon termination

BYOD (Bring Your Own Device)

If using a personal device for work:

  • Must meet same security requirements
  • Full disk encryption
  • MFA for all work access
  • Separation between work and personal data encouraged
  • Company may remote-wipe work data only (if technically feasible)

Mobile Devices

If accessing work resources from a mobile device:

  • Passcode/biometric lock required
  • MFA for email and cloud access
  • Install security updates promptly
  • Report loss or theft immediately

Network Security

Home Networks

Recommended:

  • Change default router password
  • Enable WPA3 or WPA2 encryption
  • Keep router firmware updated
  • Separate IoT devices if possible

Public Networks

When using public WiFi:

  • HTTPS everywhere (already implemented for Maelstrom AI services)
  • VPN available if desired
  • Avoid sensitive transactions on untrusted networks
  • Disable file sharing
  • Forget network after use

Incident Reporting

What to Report

Report immediately to security@maelstrom.au:

  • Lost or stolen devices
  • Suspected malware infection
  • Phishing attempts
  • Unusual system behaviour
  • Unauthorised access attempts
  • Accidental data disclosure
  • Policy violations you witness

How to Report

  1. Email: security@maelstrom.au
  2. Direct contact: Security Lead
  3. If unavailable: Any manager

No penalties for good-faith reporting


Monitoring and Privacy

What We Monitor

  • GitHub: Code commits, pull requests, audit logs
  • Cloudflare: API access, Workers invocations
  • Audit logs: Authentication, administrative actions
  • Security scanning: CodeQL, dependency audits

What We Don’t Monitor

  • Personal email
  • Personal browsing (on personal time)
  • Personal communications
  • Content of private conversations on approved tools

Privacy Commitment

Monitoring is for:

  • Security and compliance
  • System performance
  • Incident investigation

Not for:

  • Surveillance
  • Micromanagement
  • Unnecessary intrusion

Consequences

Policy Violations

Minor violations (first-time, non-malicious):

  • Verbal warning
  • Mandatory security training
  • Increased monitoring (temporary)

Serious violations (repeated, reckless):

  • Written warning
  • Access restrictions
  • Suspension
  • Termination

Severe violations (intentional, malicious):

  • Immediate termination
  • Legal action (if criminal)
  • Law enforcement notification (if required)

Examples

  • Minor: Forgotten screen lock, delayed OS update
  • Serious: Repeated password sharing, ignoring multiple warnings
  • Severe: Intentional data theft, introducing malware, attacking systems


Acknowledgment

All team members must acknowledge this policy:

  • Upon hiring/onboarding
  • After significant updates
  • Annually as part of security training

Acknowledgment indicates:

  • You have read and understood the policy
  • You agree to comply
  • You understand consequences of violations


Document Information

  • Version: 1.1
  • Effective Date: 2025-01-13
  • Last Updated: 2026-05-21
  • Owner: ISMS Owner
  • Review Frequency: Annually
  • Next Review: 2026-11-21
  • Classification: Public