Skip to content

Appcircle Acceptable Use Policy

Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)

Purpose

This policy establishes the standards for acceptable use of Appcircle's systems, devices, and data. Employees and other authorised users play a critical role in protecting Appcircle's information assets. This includes responsible management of endpoint devices, appropriate handling of sensitive information, protection of access credentials, and security-aware behaviour that minimises the risk of breaches or misuse.

All employees, contractors, and other applicable third parties with access to Appcircle systems and data must read, acknowledge, and accept the terms of this policy.

Scope

This policy applies to:

  • All Appcircle employees, contractors, and authorised third parties.
  • All devices used to access Appcircle systems and data, whether company-issued or personal (BYOD).
  • All Appcircle systems, applications, data, and communication channels.

General security behaviours

All personnel must:

  • Read, acknowledge, and comply with Appcircle's information security policies.
  • Not disclose or share confidential information related to Appcircle or its customers without formal management approval.
  • Apply least privilege principles — share information, documents, and system access only where there is a legitimate business need.
  • Complete mandatory information security awareness training.
  • Report any policy breaches, security incidents, system failures, or suspected near-miss events to Engineering Management promptly.

Use of systems and devices

  • Appcircle systems and devices must be used for intended business purposes only.
  • All sensitive and confidential data must be stored in approved, secure storage locations (approved devices, databases, cloud services, and shared drives). Sensitive data must not be saved to local device drives.
  • Devices must be kept up to date with the latest operating system patches and security updates.
  • Only approved cloud services may be used for Appcircle business activities.
  • Email and other Appcircle accounts must be used for business purposes; only Appcircle-provided accounts may be used for external communications related to Appcircle business.
  • Anti-virus / endpoint protection software must be installed and kept up to date.
  • Full-disk encryption must be enabled on all devices: FileVault (macOS) or BitLocker (Windows).
  • Any loss, damage, or theft of an Appcircle information asset must be reported to Engineering Management immediately.
  • Security alerts, virus notifications, phishing attempts, or other security-related matters must be reported to Engineering Management and must not be forwarded to other employees.

Network security

  • Public or unencrypted Wi-Fi must not be used for Appcircle business activities.
  • Only encrypted Wi-Fi connections (WPA2 or stronger) may be used when connecting to Appcircle systems.

Authentication and access

  • Multi-factor authentication (MFA) must be applied for all system logins — directly per application where supported, or through the company SSO (Microsoft Entra ID) which enforces MFA.
  • Strong passwords must be used across all systems, managed through the approved password manager (Vaultwarden) and in accordance with the Password Policy.
  • Passwords and accounts must not be shared with anyone, including other Appcircle employees.
  • Passwords must not be stored in written or unencrypted electronic form.
  • Systems and devices must be locked or logged out when not in active use, including during breaks.
  • The same password must not be reused across multiple accounts or systems.

Data handling

Data must be kept secure, confidential, and handled in accordance with its classification as defined in the Asset Management and Data Classification Policy. When in doubt, treat data as confidential and seek management approval before any disclosure or sharing.

Bring Your Own Device (BYOD)

Appcircle provides company-issued laptops to all employees. These devices are configured to meet security requirements prior to issue and are returned, wiped, and decommissioned upon separation.

Personal mobile devices (phones and tablets) may be used to access Appcircle systems such as communication tools. The following requirements apply to personal devices used for this purpose:

  • MFA must be applied to all logins from personal devices.
  • Devices must have a screen lock and current OS version.
  • Confidential or customer data must not be downloaded or stored on personal devices.
  • Personal devices must not be shared with others while accessing Appcircle systems.

Lost or stolen personal devices used for Appcircle access must be reported to Engineering Management immediately to enable access revocation.

Roles and responsibilities

  • Engineering Management (Policy Owner): Accountable for this policy; ensures implementation, enforcement, and communication; approves exceptions.
  • Engineering: Monitors for breaches and handles reports of security concerns or policy violations.
  • All personnel: Read, acknowledge, and strictly adhere to this policy; report violations to Engineering Management.

Regulatory alignment

This policy supports compliance with:

  • SOC 2 (Trust Services Criteria — Common Criteria, Logical and Physical Access Controls)
  • ISO/IEC 27001:2022 (A.6.2 Terms and conditions of employment; A.8.1 User endpoint devices)
  • GDPR (Article 32 — Security of processing)
  • KVKK (Article 12 — Data security obligations)

Exceptions

Exceptions to this policy must be:

  • Documented with justification, scope, duration, and compensating controls.
  • Approved by the policy owner or an authorised delegate.
  • Reviewed before expiry and retired when no longer required.

Policy review and updates

This policy is reviewed at least annually and when significant changes occur to systems, working arrangements, or regulatory requirements.

Note

This public policy describes Appcircle's acceptable use requirements at a high level. Detailed internal guidance (including lists of approved systems, specific BYOD compliance checks, and incident reporting procedures) is maintained separately and may be shared under appropriate agreements when required.

  • Information Security Policy
  • Asset Management and Data Classification Policy
  • Endpoint Device Security Policy
  • Network Security Policy
  • System Access Control Policy
  • Password Policy
  • Physical Security Policy