Run: Acceptable Use of Technology Policy

This policy establishes the rules for acceptable use of company technology resources and personal devices used for work. It is intended to protect company systems, confidential information, employee and customer data, and business operations while supporting lawful and productive use of technology. This policy is designed to be applied consistently with applicable law, including employees’ rights under the **NLRA Section 7** to engage in protected concerted activity, wage-and-hour requirements under the **FLSA**, and anti-discrimination obligations under **Title VII** and the **ADA**.

This policy applies to all employees, interns, temporary workers, contractors, consultants, and any other individual who uses company technology resources or accesses company data. It applies to: - Company-owned computers, laptops, tablets, phones, printers, networks, servers, cloud services, and collaboration tools - Company email, messaging, video conferencing, and internet access - Personal devices used for work, including BYOD devices that access company systems, email, or data **California employees:** monitoring, privacy, and data-use practices must be implemented consistently with applicable California privacy laws, including the **CCPA/CPRA** where applicable. **Employees in other jurisdictions:** local privacy, labor, and data-protection requirements may add obligations beyond this policy. Where a conflict exists, the company will apply the law that provides the greater protection or is otherwise required by law.

- **Company technology resources:** All hardware, software, networks, accounts, systems, and services provided, paid for, or administered by the company. - **BYOD (Bring Your Own Device):** A personal device used to access company email, applications, data, or networks. - **Confidential information:** Non-public business, employee, customer, financial, technical, or operational information. - **Monitoring:** Review, logging, filtering, recording, or auditing of device, network, account, or usage activity. - **Company data:** Information created, received, stored, transmitted, or processed in the course of company business, regardless of where it is stored. - **Reasonable accommodation:** A workplace adjustment required under the **ADA** through the interactive process for a qualified individual with a disability.

Employees must use company technology resources responsibly, lawfully, and in a manner that supports business operations. Permitted use generally includes: - Performing assigned job duties and authorized business activities - Limited personal use that does not interfere with work, consume excessive resources, create security risk, or violate law or company policy - Accessing approved business applications and communications tools Prohibited use includes: - Accessing, storing, transmitting, or distributing illegal, harassing, discriminatory, obscene, or threatening content - Using company systems to violate the law, infringe intellectual property rights, or engage in fraud, phishing, malware distribution, or unauthorized access - Circumventing security controls, installing unauthorized software, or connecting unapproved devices or peripherals - Using company resources for outside business activity, political activity, or personal gain without authorization - Excessive personal use that interferes with work performance, system performance, or network capacity Employees must exercise good-faith judgment and follow manager or IT instructions regarding approved tools, file-sharing methods, and communication channels.

Employees must follow all security requirements applicable to their role and access level. Required practices include: - Use strong, unique passwords and multi-factor authentication where provided - Lock devices when unattended and log out of systems when not in use - Do not share passwords, authentication codes, or access badges - Report suspected phishing, malware, lost devices, unauthorized access, or data loss immediately to IT or Security - Store company data only in approved systems and locations - Encrypt or otherwise protect sensitive data when required by company controls - Use only approved storage, transfer, and collaboration tools for confidential information The company may implement technical controls such as access logs, content filtering, endpoint protection, and remote wipe for company-managed or BYOD devices enrolled in a management program, subject to applicable law. Employees must not expect privacy when using company systems to the extent permitted by law and company notice. Monitoring may include network traffic, email metadata, device activity, application usage, and access logs for legitimate business, security, compliance, and investigative purposes.

Employees who use personal devices for work must comply with all BYOD enrollment, security, and support requirements before accessing company data. BYOD requirements may include: - Device passcode or biometric protection - Current operating system and security updates - Mobile device management (MDM) or equivalent enrollment - Separation of company data from personal data where technically feasible - Consent to remote removal of company data if the device is lost, stolen, reassigned, or the employee leaves the company The company may restrict BYOD access for certain roles, systems, or data types based on security, regulatory, or business needs. Employees remain responsible for personal device costs unless otherwise approved in writing. The company is not responsible for personal data loss caused by lawful security actions, including remote wipe of company-managed containers or devices where permitted by law and notice.

Company email and messaging tools are business communication systems and must be used professionally. Employees must: - Use approved signatures and identity information - Verify recipients before sending sensitive information - Avoid forwarding company email to personal accounts unless authorized - Use caution when clicking links, opening attachments, or sharing files - Follow the company’s social media and confidentiality rules when referencing work, coworkers, customers, or company matters Employees may not use company systems to send spam, chain messages, unauthorized solicitations, or communications that violate anti-harassment, confidentiality, or record-retention requirements. Use of email and messaging systems may be monitored and retained in accordance with company policy and applicable law.

All company data remains the property of the company, regardless of whether it is created, stored, or accessed on company-owned or personal devices. Employees must: - Save work-related materials in approved company repositories - Not delete, alter, or conceal records subject to retention, legal hold, audit, or investigation requirements - Return all company devices, access tokens, records, and confidential information upon request or separation from employment The company may preserve, access, review, export, or delete company data as needed for business continuity, legal compliance, security, or investigations, subject to applicable law and any required notice.

**Employees and workers** must follow this policy, complete required training, protect credentials, and report incidents promptly. **Managers** must reinforce compliance, ensure team members use approved tools, and escalate suspected violations. **IT / Security** must maintain security controls, manage access, investigate incidents, and administer device and account protections. **HR** must coordinate policy acknowledgements, training, and disciplinary actions where appropriate. **Legal / Compliance** must review jurisdiction-specific requirements, litigation holds, privacy obligations, and investigation protocols. **Policy holder / business owner** must approve exceptions, review business needs, and ensure the policy remains aligned with operational risks.

Violations of this policy may result in corrective action up to and including revocation of access, device removal from the network, written warning, final warning, suspension, termination of employment, civil liability, or referral to law enforcement where appropriate. The company may use a documented warning and, where appropriate, a **PIP** for performance-related misuse or repeated noncompliance. Serious violations, including intentional data theft, malware deployment, harassment, or unauthorized access, may bypass progressive discipline. Nothing in this policy is intended to interfere with rights protected by the **NLRA**, including protected concerted activity, or to limit legally protected whistleblowing, accommodation requests, or other rights under applicable law.

Exceptions to this policy must be approved in writing by the policy holder or designated authority and documented with the business reason, scope, duration, and any compensating controls. If an employee needs a technology-related accommodation due to a disability, the employee should request assistance through HR so the company can engage in the **interactive process** and determine whether a **reasonable accommodation** is available under the **ADA**. This policy will be reviewed at least annually and updated as needed to reflect changes in law, technology, security risks, and business operations.