This Annex forms part of the IT Master Services Agreement and describes the scope, responsibilities and limitations relating to Security Hardening Requirements.
The AUP is designed to help protect you, your users and Cultrix from security incidents, data loss and misuse of technology. It applies to all users who access or use Cultrix-managed Services under your Order.
1. Scope and applicability
This AUP applies to:
- all employees, contractors and third parties who use Cultrix-managed systems and Services under your account;
- all devices, networks, cloud services and applications that Cultrix manages or supports for you;
- use of the internet, email, messaging and collaboration tools provided under your Order.
You are responsible for ensuring that your users understand and follow this AUP.
2. General acceptable use
Users must:
- use systems, applications and data only for legitimate business purposes and in line with your internal policies;
- follow reasonable security guidance provided by Cultrix, including patching, security updates and policy changes;
- take reasonable care to avoid actions that could compromise systems, data or networks;
- promptly report suspected security incidents, data loss or unusual behaviour to your nominated contacts and to Cultrix.
3. Unacceptable use
Users must not:
- attempt to bypass or disable security controls, including antivirus, EDR, firewalls, DNS filtering or access controls;
- install unauthorised software or hardware on Cultrix-managed devices or networks;
- use systems or Services to engage in illegal activity, harassment, discrimination, or any form of abuse;
- deliberately introduce malware, ransomware or other malicious code into any system;
- use business systems for excessive personal use that impacts performance, security or productivity;
- share company data with unauthorised parties or store it on unapproved personal services or devices.
4. Accounts, passwords and authentication
Users must:
- keep passwords and authentication factors confidential and not share them with others;
- use strong, unique passwords and, where provided, password managers approved by your organisation;
- use multi-factor authentication (MFA) wherever it is enabled or required;
- not use shared accounts unless these are explicitly approved and controlled;
- notify your internal support or Cultrix promptly if they suspect an account has been compromised.
5. Email, messaging and internet use
Users must:
- be cautious when opening attachments or clicking links, especially in unsolicited or unexpected messages;
- not use business email for unlawful, offensive or fraudulent communications;
- avoid visiting websites that are clearly inappropriate, malicious or unrelated to business needs;
- follow guidance from phishing simulations and awareness training where provided.
6. Data protection and confidentiality
Users must:
- handle personal and confidential data in line with your organisation's data protection policies;
- store business data only in approved locations (for example managed file shares, Microsoft 365 or Google Workspace);
- avoid copying data to personal USB drives, personal cloud storage or unmanaged devices unless explicitly authorised;
- ensure screens are locked when devices are left unattended.
7. Devices, remote access and BYOD
Where you use mobile devices, remote access or bring-your-own-device (BYOD) arrangements:
- devices accessing business systems should be enrolled in your agreed mobile device management (MDM) solution, where applicable;
- users must keep devices updated and protected with antivirus and security patches;
- remote access should only be via approved VPNs or secure gateways;
- local security features (for example PINs, biometrics, encryption) must not be disabled.
8. Monitoring and logging
To protect systems and data, Cultrix and your organisation may monitor:
- system and network activity (for example firewall logs, EDR telemetry, access logs);
- use of business email and collaboration tools; and
- security alerts generated by managed tools and platforms.
Monitoring is carried out in line with applicable law and is aimed at protecting systems, detecting misuse and responding to incidents, not at unreasonable surveillance of individuals.
9. Reporting incidents and suspected breaches
Users must promptly report:
- suspected phishing or malicious emails;
- lost or stolen devices;
- suspected account compromise or unusual activity;
- accidental data loss or unauthorised data disclosure.
Incidents should be reported through your internal processes and, where appropriate, to Cultrix via the Service Desk.
10. Breaches of this AUP
Breaches of this AUP may:
- increase security risk for your organisation and other customers; and
- lead to restriction or suspension of affected accounts, devices or Services where necessary to protect systems and data.
Disciplinary action for users is a matter for your organisation's internal policies. Cultrix may require that specific users or devices are restricted or remediated where their behaviour presents an ongoing risk.
11. Changes to this Annex
Cultrix may update this AUP to reflect changes in Services, security best practice or legal requirements. Updated versions will be published on our website and, for material changes, we will provide reasonable notice.