ACCEPTABLE USE & WORKPLACE MONITORING POLICY

SECTION 1 - PURPOSE AND SCOPE

1.1 Policy Objectives

1.1.1 This policy establishes:

(a) Employee responsibilities for proper use of Company IT resources and systems

(b) Acceptable and prohibited uses of internet, email, and technology

(c) Company's rights to monitor workplace, systems, and communications

(d) Employee acknowledgment of monitoring and consent requirements

(e) Consequences for misuse or violations

1.2 Dual Purpose

1.2.1 This policy serves two functions:

(a) Acceptable Use Policy: Defining employee obligations for IT resource usage

(b) Monitoring Disclosure: Informing employees of Company's monitoring practices

1.2.2 Both aspects are interconnected - monitoring enables enforcement of acceptable use standards.

1.3 Scope of Application

1.3.1 This policy applies to:

(a) All Company IT resources including computers, networks, email, internet

(b) Company-issued devices (laptops, phones, tablets)

(c) Personal devices used for Company work (BYOD)

(d) All locations: office, remote work, client sites, travel

(e) All times when accessing Company systems or conducting Company business

PART A: ACCEPTABLE USE OF IT RESOURCES

SECTION 2 - GENERAL IT USAGE PRINCIPLES

2.1 Business Purpose Requirement

2.1.1 Company IT resources provided for:

(a) Legitimate business purposes only

(b) Performing assigned job duties and responsibilities

(c) Authorized Company projects and activities

(d) Approved training and professional development

2.1.2 Employees shall:

(a) Use IT resources primarily for business purposes

(b) Limit personal use to incidental and reasonable amounts

(c) Not use Company resources for personal gain or business

(d) Not allow personal use to interfere with work performance

2.2 Ownership and Access Rights

2.2.1 Employees acknowledge that:

(a) All Company IT systems, devices, and data are Company property

(b) Company has right to access, inspect, and monitor all systems

(c) No expectation of privacy when using Company resources

(d) Company may access systems at any time without prior notice

(e) Assigned accounts and devices are for authorized employee use only

2.3 Compliance with Policies

2.3.1 When using IT resources, employees must comply with:

(a) This Acceptable Use & Workplace Monitoring Policy

(b) Information Security Policy

(c) IP, Confidentiality & Non-Solicitation Policy

(d) Code of Conduct Policy

(e) All other Company policies and procedures

(f) Applicable laws and regulations

SECTION 3 - INTERNET USAGE

3.1 Acceptable Internet Use

3.1.1 Employees may use Company internet for:

(a) Work-related research and information gathering

(b) Communication with clients, vendors, and colleagues

(c) Accessing business tools, cloud services, and applications

(d) Professional development and learning resources

(e) Reasonable personal use during breaks (non-work hours)

3.2 Prohibited Internet Activities

3.2.1 Employees shall NOT:

(a) Illegal Content: Access, download, or distribute illegal content

(b) Inappropriate Material: Visit websites containing:

• Pornography, sexually explicit content
• Violent, hateful, or extremist content
• Illegal gambling or gaming sites
• Content promoting discrimination or harassment

(c) Piracy: Download or share pirated software, movies, music, books

(d) Unauthorized Streaming: Stream entertainment content during work hours

(e) Malicious Sites: Visit suspicious websites that may contain malware

(f) Bandwidth Abuse: Activities consuming excessive bandwidth (torrents, streaming)

(g) Proxy/VPN Bypass: Use proxies or VPNs to circumvent Company filters or monitoring

(h) Cryptocurrency Mining: Use Company resources for cryptocurrency mining

3.3 Social Media Usage

3.3.1 Personal social media use during work hours:

(a) Limited to break times and should not interfere with work

(b) Must not use Company devices for extensive personal social media

(c) Must not access social media if it impacts productivity

3.3.2 When posting about Company or work:

(a) Clearly state views are personal, not Company's position

(b) Not disclose confidential Company information

(c) Not disparage Company, colleagues, or clients

(d) Not misrepresent or impersonate Company

(e) Follow Code of Conduct principles online

(f) Understand that public posts may be viewed by Company

3.4 Online Shopping and Banking

3.4.1 Personal online activities:

(a) Avoid online shopping during work hours

(b) Avoid online banking on Company devices (security risk)

(c) If essential, use personal device and secure connection

(d) Understand Company monitoring may capture activity

(e) Company not responsible for personal financial information security

SECTION 4 - EMAIL USAGE

4.1 Business Email Standards

4.1.1 Company email accounts:

(a) Provided for business communication purposes

(b) Must be checked regularly during business hours

(c) Professional tone and language required

(d) Subject to Company monitoring and retention policies

(e) Considered Company records and property

4.2 Acceptable Email Use

4.2.1 Employees may use email for:

(a) Business correspondence with internal and external parties

(b) Project collaboration and information sharing

(c) Approved personal communication (minimal and occasional)

(d) Receiving business-related newsletters and updates

4.3 Prohibited Email Activities

4.3.1 Employees shall NOT use email for:

(a) Sending or forwarding inappropriate content (jokes, offensive material)

(b) Chain letters, spam, or mass unsolicited emails

(c) Personal business promotion or solicitation

(d) Harassment, bullying, or hostile communications

(e) Sending confidential information to personal email accounts

(f) Impersonating others or forging sender information

(g) Subscribing to non-business mailing lists or newsletters

(h) Excessive personal correspondence

4.4 Email Security Obligations

4.4.1 Employees must:

(a) Verify recipient addresses before sending sensitive information

(b) Use encryption for confidential or sensitive emails

(c) Not open suspicious attachments or click unknown links

(d) Report phishing attempts and suspicious emails immediately

(e) Not share email credentials or allow others to access account

(f) Use appropriate subject lines and classify email sensitivity

4.5 Email Retention and Deletion

4.5.1 Employees should:

(a) Retain business emails per retention policy (typically 90 days to 1 year)

(b) Delete unnecessary emails to manage mailbox size

(c) Not delete emails subject to legal hold or investigation

(d) Understand that deleted emails may be recoverable from backups

(e) Archive important project emails per document management policy

SECTION 5 - SOFTWARE AND APPLICATION USAGE

5.1 Approved Software Only

5.1.1 Employees shall:

(a) Use only Company-approved and licensed software

(b) Obtain IT approval before installing new software or applications

(c) Not install unauthorized, unlicensed, or pirated software

(d) Use software only as per license terms and restrictions

(e) Not exceed user limits or share licenses

5.2 Prohibited Software Activities

5.2.1 Employees shall NOT:

(a) Download or install pirated or cracked software

(b) Use key generators, license crackers, or bypass tools

(c) Install unauthorized remote access or file sharing software

(d) Install personal productivity software without approval

(e) Install browser extensions or plugins without vetting

(f) Use software for purposes other than licensed usage

(g) Share Company software licenses with non-employees

5.3 Cloud Services and SaaS Applications

5.3.1 When using cloud services, employees must:

(a) Use only approved cloud platforms (Google Workspace, Microsoft 365, approved tools)

(b) Not upload Company data to unapproved cloud storage (personal Dropbox, Google Drive, etc.)

(c) Not sign up for free trials of SaaS tools without IT approval

(d) Use Company-provided accounts, not personal accounts for work

(e) Configure proper security settings and access controls

(f) Not share Company cloud storage with external parties without authorization

5.4 Mobile Applications

5.4.1 On Company-issued mobile devices:

(a) Install only approved business applications

(b) Obtain IT approval for new app installations

(c) Not install games or entertainment apps

(d) Keep apps updated to latest versions

(e) Uninstall apps no longer needed for work

SECTION 6 - DEVICE USAGE AND SECURITY

6.1 Company-Issued Devices

6.1.1 Employees using Company laptops, phones, or tablets must:

(a) Use devices primarily for business purposes

(b) Implement required security controls (passwords, encryption, MFA)

(c) Not remove security software or disable protections

(d) Report lost or stolen devices immediately

(e) Not lend devices to family members or unauthorized persons

(f) Return devices promptly upon separation

6.1.2 See Information Security Policy for comprehensive device security requirements.

6.2 Personal Device Usage (BYOD)

6.2.1 If authorized to use personal devices for Company work:

(a) Install Company-required security software and MDM profile

(b) Maintain device security updates and patches

(c) Use separate work profiles/containers for Company data

(d) Consent to Company monitoring of work-related activity

(e) Consent to remote wipe of Company data if device lost/stolen

(f) Understand Company not responsible for personal data loss

(g) Remove all Company data upon separation

6.2.2 Personal device usage subject to same acceptable use standards as Company devices.

6.3 USB Drives and External Storage

6.3.1 Employees shall:

(a) Use only Company-approved and encrypted USB drives

(b) Not use personal USB drives on Company computers

(c) Scan all external storage for malware before use

(d) Not store confidential Company data on unencrypted storage

(e) Properly erase Company data before disposing external media

SECTION 7 - COMMUNICATION TOOLS

7.1 Instant Messaging and Chat

7.1.1 When using Company-approved messaging platforms (Slack, Teams, etc.):

(a) Use for business communication and collaboration

(b) Maintain professional tone and language

(c) Not share confidential information in public channels

(d) Understand messages are Company records subject to retention

(e) Not use for excessive personal conversations during work hours

(f) Follow same standards as email communication

7.2 Video Conferencing

7.2.1 During video calls and virtual meetings:

(a) Ensure appropriate and professional background

(b) Dress professionally as per office standards

(c) Mute when not speaking to reduce noise

(d) Not record meetings without participants' consent

(e) Protect meeting links and passwords from unauthorized access

(f) Understand meetings may be recorded by Company for training/documentation

7.3 Voice over IP (VoIP) and Phone Systems

7.3.1 Company phone systems and VoIP:

(a) Used primarily for business calls

(b) Occasional personal calls permitted if brief and necessary

(c) International personal calls prohibited

(d) Calls may be monitored for quality, training, or compliance

(e) Professional greeting and conduct required

PART B: WORKPLACE MONITORING PRACTICES

SECTION 8 - MONITORING DISCLOSURE AND CONSENT

8.1 Notice of Monitoring

8.1.1 Employees are hereby notified that Company monitors:

(a) All IT systems, networks, and devices

(b) Internet usage and web browsing

(c) Email communications (work email accounts)

(d) Instant messaging and collaboration tools

(e) Phone calls and voice communications

(f) Physical workplace via CCTV cameras

(g) Productivity and computer activity

(h) Access control systems and employee movement

(i) GPS tracking of Company vehicles

8.2 No Expectation of Privacy

8.2.1 Employees acknowledge and agree that:

(a) There is NO expectation of privacy when using Company IT resources

(b) All activity on Company systems may be monitored and recorded

(c) Company has right to access, inspect, and review all systems and communications

(d) Monitoring may occur in real-time or through review of logs and records

(e) Deleted files and emails may be recovered and reviewed

(f) Personal activities on Company systems are not private

8.3 Consent to Monitoring

8.3.1 By signing employment agreement and acknowledging this policy, employee:

(a) Consents to all monitoring practices described in this policy

(b) Understands Company has legitimate business reasons for monitoring

(c) Agrees not to use Company systems for activities requiring privacy

(d) Acknowledges monitoring is condition of employment and system access

(e) Waives any expectation of privacy on Company systems

8.4 Legitimate Business Purposes

8.4.1 Company monitors for:

(a) Security: Detecting and preventing security breaches, malware, unauthorized access

(b) Policy Compliance: Ensuring compliance with Company policies and procedures

(c) Performance Management: Assessing employee productivity and work quality

(d) Legal Compliance: Meeting regulatory and legal obligations

(e) Investigation: Investigating misconduct, policy violations, or legal matters

(f) Quality Assurance: Monitoring customer service and communication quality

(g) Asset Protection: Protecting Company intellectual property and confidential information

(h) Business Operations: Managing IT resources and optimizing systems

SECTION 9 - TYPES OF MONITORING

9.1 Internet and Network Monitoring

9.1.1 Company monitors and logs:

(a) Websites Visited: URLs, domains, page titles, access times

(b) Search Queries: Search terms entered in browsers

(c) Downloads: Files downloaded, sources, timestamps

(d) Upload Activity: Data transferred from Company network

(e) Network Traffic: Data volume, destinations, protocols

(f) Bandwidth Usage: Applications and users consuming bandwidth

(g) Access Attempts: Attempts to access blocked or restricted sites

9.1.2 Web filtering and blocking:

(a) Company blocks access to categories of inappropriate or non-business websites

(b) Blocked sites may include: adult content, gambling, malware, social media (if restricted)

(c) Employees notified when attempting to access blocked content

(d) Repeated attempts to access blocked sites = policy violation

9.2 Email Monitoring

9.2.1 Company email system monitoring:

(a) Email Content: Subject lines, message bodies, attachments may be scanned and read

(b) Metadata: Sender, recipients, timestamps, size, routing information

(c) Automated Scanning: Emails scanned for spam, malware, data loss prevention

(d) Manual Review: Emails may be reviewed during investigations or audits

(e) Archiving: All emails archived and retained per retention policy

(f) Keyword Alerts: Flagging emails containing sensitive keywords or patterns

9.2.2 Personal email access:

(a) Accessing personal email (Gmail, Yahoo, etc.) on Company devices is monitored

(b) No expectation of privacy for personal email accessed on Company systems

(c) Employees advised not to access personal email on work devices

9.3 Phone and Voice Communication Monitoring

9.3.1 Company phone systems and mobile devices:

(a) Call Logs: Phone numbers called/received, duration, timestamps

(b) Call Recording: Calls may be recorded for quality, training, or compliance

(c) Voicemail: Voicemail messages may be accessed and reviewed

(d) SMS/Text Messages: Text messages on Company devices may be monitored

(e) Notification: Recording notification may or may not be provided depending on jurisdiction

9.3.2 Recording consent:

(a) Employee consent to recording obtained through this policy

(b) External parties notified of recording via greeting or announcement

(c) Recordings retained per retention policy

9.4 Productivity and Activity Monitoring

9.4.1 Productivity tracking software monitors:

(a) Active vs. Idle Time: Time actively working vs. inactive periods

(b) Applications Used: Programs opened, duration of use, frequency

(c) Websites Visited: During work hours, time spent on each site

(d) Files Accessed: Documents opened, edited, created

(e) Keystrokes: Keystroke logging may be used (with notice)

(f) Screenshots: Periodic screenshots of employee screens (with notice)

(g) Work Hours: Login/logout times, break durations

9.4.2 Purpose of productivity tracking:

(a) Ensure employees engaged in work during working hours

(b) Manage remote and work-from-home arrangements

(c) Verify time reporting and attendance accuracy

(d) Identify productivity patterns and training needs

(e) Detect unauthorized activities or policy violations

9.4.3 Employee obligations:

(a) Install and run productivity tracker on assigned devices

(b) Not disable, tamper with, or bypass tracking software

(c) Understand all computer activity is tracked

(d) Avoid personal activities on tracked devices

9.4.4 Screenshots and keystroke logging:

(a) If implemented, employees notified explicitly

(b) Captured data used only for legitimate business purposes

(c) Access restricted to authorized personnel (managers, HR, IT security)

(d) Data retained per productivity monitoring retention policy

9.5 CCTV and Video Surveillance

9.5.1 Company premises monitored via CCTV cameras:

(a) Coverage Areas: Office entrances, exits, corridors, workspaces, parking areas

(b) Not Monitored: Restrooms, changing rooms, private areas

(c) Purpose: Security, safety, theft prevention, incident investigation

(d) Recording: Video footage recorded and retained 30-90 days

(e) Signage: Signs posted notifying of video surveillance

9.5.2 Access and review:

(a) Footage reviewed during security incidents or investigations

(b) May be provided to law enforcement upon legal request

(c) Access restricted to security, management, HR

(d) Employees may request access to footage involving them

9.6 Access Control and Physical Monitoring

9.6.1 Access card and biometric systems track:

(a) Entry/Exit Logs: Times employees enter and leave premises

(b) Door Access: Doors accessed, areas entered

(c) Attendance: Biometric or RFID-based time and attendance

(d) Movement Patterns: Employee movement within facility

9.6.2 Purpose:

(a) Security and access control

(b) Attendance verification

(c) Emergency roll call and safety

(d) Investigation of security incidents

9.7 GPS and Location Tracking

9.7.1 Company vehicles equipped with GPS tracking:

(a) Vehicle location, routes, speed, stops tracked in real-time

(b) Used for fleet management, safety, and business purposes

(c) Employees using Company vehicles consent to GPS tracking

9.7.2 Mobile device location tracking:

(a) Company-issued phones may have location services enabled

(b) Used for device security (find lost device) and business purposes

(c) Field employees' location may be tracked during working hours

(d) Location tracking for business purposes only, not personal surveillance

SECTION 10 - MONITORING DATA USAGE AND PROTECTION

10.1 Use of Monitoring Data

10.1.1 Monitoring data used for:

(a) Performance Evaluation: Assessing productivity and work quality

(b) Disciplinary Actions: Evidence in misconduct investigations

(c) Security Incidents: Responding to breaches or threats

(d) Legal Proceedings: Evidence in lawsuits, regulatory matters, disputes

(e) Compliance Audits: Demonstrating policy compliance

(f) Training and Development: Identifying training needs and improvement areas

10.1.2 Monitoring data NOT used for:

(a) Harassment or intimidation of employees

(b) Unfair discrimination or bias

(c) Purposes unrelated to legitimate business interests

10.2 Access to Monitoring Data

10.2.1 Monitoring data accessible to:

(a) IT and Security teams for system management

(b) Supervisors and managers for performance management

(c) HR for policy compliance and investigations

(d) Legal and compliance teams for legal matters

(e) Senior management as needed

10.2.2 Access controls:

(a) Role-based access - only authorized personnel can view data

(b) Logging of access to monitoring data

(c) Confidentiality obligations for those accessing data

10.3 Data Retention Periods

10.3.1 Monitoring data retained:

(a) Email archives: 90 days to 1 year

(b) Internet logs: 90 days to 6 months

(c) Productivity tracking: 90 days to 1 year (performance cycle)

(d) CCTV footage: 30-90 days

(e) Call recordings: 90 days to 1 year

(f) Access logs: 1-3 years

10.3.2 Extended retention:

(a) Data retained longer if part of investigation or legal proceeding

(b) Litigation hold overrides standard retention periods

(c) Deleted after retention period unless legal requirement

10.4 Employee Access to Own Monitoring Data

10.4.1 Employees may request:

(a) Access to their own productivity tracking data

(b) Copy of CCTV footage involving them

(c) Logs of their system usage (within reason)

10.4.2 Requests processed:

(a) Submit written request to HR or IT

(b) Response within 30 days

(c) May be denied if interferes with investigation or legal matter

(d) Redacted to protect other employees' privacy

SECTION 11 - LIMITATIONS ON MONITORING

11.1 Areas NOT Monitored

11.1.1 Company does NOT monitor:

(a) Private Areas: Restrooms, changing rooms, meditation rooms

(b) Personal Devices: Employee-owned devices not used for Company work

(c) Personal Communications: Communications on personal devices/accounts unless accessed via Company systems

11.2 Restrictions on Monitoring

11.2.1 Company shall NOT:

(a) Install hidden cameras without notice

(b) Monitor employees in areas where privacy expected (restrooms)

(c) Use monitoring data for discriminatory purposes

(d) Share monitoring data externally except for legal purposes

(e) Engage in excessive or unreasonable surveillance

(f) Monitor employees' personal lives outside work context

11.3 Protection Against Misuse

11.3.1 Safeguards in place:

(a) Monitoring data access restricted to authorized personnel

(b) Disciplinary action for misuse of monitoring capabilities

(c) Audit trails of who accesses monitoring data

(d) Compliance with data protection laws

SECTION 12 - CONSEQUENCES OF VIOLATIONS

12.1 Acceptable Use Violations

12.1.1 Violations of acceptable use standards may result in:

(a) Verbal or written warning

(b) Suspension of IT access privileges

(c) Suspension without pay

(d) Termination of employment

(e) Legal action for damages

(f) Criminal prosecution for illegal activities

12.2 Severity-Based Consequences

12.2.1 Minor violations (first offense, minimal impact):

(a) Verbal warning and counseling

(b) Mandatory training on acceptable use

(c) Monitoring of future activity

12.2.2 Moderate violations (repeated, productivity impact):

(a) Written warning

(b) Temporary suspension of privileges

(c) Performance improvement plan

(d) Suspension without pay

12.2.3 Serious violations (immediate termination):

(a) Accessing illegal content

(b) Downloading or distributing pirated software

(c) Sending harassing or offensive communications

(d) Compromising system security

(e) Stealing or misusing confidential information

(f) Deliberately disabling monitoring or security tools

(g) Using Company resources for personal business or gain

12.3 Legal Consequences

12.3.1 Serious misuse may result in:

(a) Civil liability for damages to Company

(b) Criminal prosecution under IT Act, 2000 or other laws

(c) Recovery of costs through salary deduction or legal action

(d) Referral to law enforcement

SECTION 13 - EMPLOYEE ACKNOWLEDGMENT AND CERTIFICATION

13.1 Acknowledgment of Acceptable Use Obligations

13.1.1 By signing employment documents or annual certification, employee acknowledges:

(a) Understanding of acceptable use standards and restrictions

(b) Obligation to use IT resources responsibly and for business purposes

(c) Consequences of violations including termination

(d) Right of Company to access and monitor all systems

13.2 Consent to Monitoring

13.2.1 Employee explicitly consents to:

(a) All monitoring practices described in this policy

(b) Recording of emails, phone calls, and communications

(c) CCTV surveillance in workplace

(d) Productivity tracking and activity monitoring

(e) Internet usage logging and filtering

(f) Access control and movement tracking

(g) GPS tracking in Company vehicles

13.2.2 Employee understands:

(a) Monitoring is continuous and comprehensive

(b) No expectation of privacy on Company systems

(c) Monitoring data may be used in performance reviews and disciplinary actions

(d) Consent is ongoing and covers future monitoring technologies

13.3 Annual Recertification

13.3.1 Employees must annually:

(a) Review this policy

(b) Complete acceptable use training

(c) Certify compliance with policy

(d) Renew consent to monitoring practices

SECTION 14 - CONTACT INFORMATION

14.1 Acceptable Use Questions

IT Support:
Email: support@webreinvent.com
For technical questions about IT usage

14.2 Monitoring and Privacy Questions

IT Security Team:
Email: security@webreinvent.com
For questions about monitoring practices

14.3 Policy Compliance

Human Resources:
Email: hrd@webreinvent.com
For policy interpretation and compliance matters