Acceptable Use Policy

1. Purpose

This Acceptable Use Policy (AUP) defines appropriate and responsible use of Swedwise AB's information technology resources, including equipment, systems, networks, and data. It aims to:

• Protect Swedwise's information assets and reputation
• Ensure productive and professional use of IT resources
• Prevent misuse that could harm the organization, staff, or customers
• Establish clear expectations and guidelines for all users
• Support compliance with legal and contractual obligations

This policy complements our Information Security Policy and provides practical guidance for daily IT usage.

2. Scope

This policy applies to:

• All Swedwise employees, contractors, consultants, and temporary staff
• All third parties granted access to Swedwise IT resources
• All IT equipment and systems provided by Swedwise or used for Swedwise business
• Personal devices used to access Swedwise data or systems (BYOD)
• Use of IT resources at all locations (offices, remote work, customer sites)

IT resources covered include:

• Computers, laptops, tablets, mobile phones
• Networks (wired, wireless, VPN)
• Email and communication platforms
• Internet access
• Cloud services and SaaS applications
• Software and applications
• Data storage and file sharing systems
• Printers, copiers, and other peripherals

3. General Principles

3.1 Business Use Priority

Swedwise IT resources are provided primarily for business purposes. Reasonable personal use is permitted when:

• It does not interfere with work responsibilities
• It does not consume significant resources
• It complies with all policy requirements
• It does not expose the organization to risk

Excessive personal use, determined by manager or IT review, is not permitted.

3.2 Professional Conduct

Users must:

• Conduct themselves professionally when representing Swedwise
• Respect others in all electronic communications
• Maintain confidentiality of sensitive information
• Not bring Swedwise into disrepute through IT use
• Use respectful and inclusive language

3.3 Legal Compliance

Users must comply with all applicable laws and regulations, including:

• Copyright and intellectual property rights
• Data protection and privacy laws (GDPR)
• Computer misuse and hacking laws
• Anti-discrimination and harassment laws
• Export control and licensing restrictions

Swedwise will cooperate with law enforcement and may report illegal activity.

3.4 Security Awareness

Users are expected to:

• Exercise care and good judgment when using IT resources
• Follow security policies and procedures
• Protect credentials and access privileges
• Report security incidents and suspicious activity
• Complete required security awareness training

4. Equipment and Systems Use

4.1 Corporate Devices

Swedwise-provided devices (laptops, phones, tablets):

Permitted:

• Use for assigned work and reasonable personal use
• Installation of approved business software via company processes
• Secure storage when not in use
• Taking reasonable care to prevent damage or theft

Prohibited:

• Lending devices to others without IT approval
• Installing unauthorized software or circumventing security controls
• Storing illegal, offensive, or inappropriate content
• Using devices for commercial personal business or competing interests
• Tampering with security settings or removing security software
• Connecting to untrusted or malicious networks

Responsibilities:

• Report lost, stolen, or damaged equipment immediately
• Return equipment upon request or when leaving Swedwise
• Maintain devices in good working condition
• Allow IT access for maintenance, updates, and security checks
• Back up important work data regularly

4.2 Mobile Devices

Corporate and BYOD mobile devices accessing Swedwise data:

Requirements:

• Device passcode/PIN enabled
• Automatic screen lock configured
• Remote wipe capability enabled for corporate devices
• Operating system and apps kept current
• Only download apps from official app stores
• Antivirus/security software where applicable

Cautions:

• Avoid using public charging stations (risk of data theft)
• Be aware of surroundings when discussing sensitive matters
• Use device privacy screens in public places
• Don't leave devices unattended in vehicles or public spaces

4.3 Personal Devices (BYOD)

Personal devices may access Swedwise resources only when:

• Explicitly permitted for specific services (e.g., email on personal phone)
• Device meets minimum security requirements
• User agrees to security controls and monitoring
• Segregation between personal and business data is maintained
• Device can be remotely wiped of corporate data if lost or user departs

Restrictions:

• Personal devices may not store or process [TBD - customer data, restricted data, etc.] without explicit approval
• Swedwise reserves right to remove corporate data from personal devices
• Swedwise is not responsible for personal data loss during security actions
• Device must comply with email retention and legal hold requirements

Users should carefully consider privacy implications before using personal devices for work.

5. Internet and Email Use

5.1 Internet Access

Internet access is provided for business purposes and reasonable personal use.

Acceptable Use:

• Work-related research and communication
• Professional development and learning
• Reasonable personal browsing during breaks
• Online banking and personal business during non-work time

Prohibited Activities:

• Accessing, storing, or distributing illegal, obscene, or offensive material
• Streaming video/audio for entertainment during work hours (bandwidth impact)
• Online gambling
• Downloading or distributing pirated software, media, or content
• Cryptocurrency mining
• Activities that violate copyright or licensing
• Circumventing web filtering or security controls
• Visiting sites known for malware distribution

Security Practices:

• Be cautious of phishing and suspicious websites
• Verify URLs before clicking links
• Download files only from trusted sources
• Report suspicious websites to IT
• Use VPN when accessing company resources over public WiFi

5.2 Email Use

Email is a primary business communication tool and creates records of company business.

Professional Email Use:

• Use professional tone and language
• Include appropriate signature with contact information
• Check email regularly during work hours
• Use descriptive subject lines
• Avoid REPLY ALL unless truly necessary
• Classify and handle emails according to data classification

Prohibited Email Activities:

• Sending or forwarding offensive, discriminatory, or harassing content
• Chain letters, hoaxes, or spam
• Subscribing to non-work mailing lists with corporate email
• Using company email for personal commercial activities
• Automatically forwarding company email to external addresses
• Impersonating others or sending anonymous messages
• Creating email rules that circumvent security controls

Email Security:

• Be vigilant for phishing attempts - verify unexpected requests
• Don't click links or open attachments from unknown senders
• Verify requests for sensitive information or financial transactions
• Use encryption for confidential information sent externally [TBD - method]
• Report suspected phishing to IT/Security immediately
• Don't share email credentials or allow others to access your mailbox

Email Retention:

• Email is subject to legal and regulatory retention requirements
• Don't delete emails subject to legal holds or investigations
• Follow document retention policy [TBD - reference]
• Email may be disclosed in legal proceedings

5.3 Email Signature and Disclaimers

Corporate email signatures should include:

• Full name and job title
• Swedwise AB
• Contact phone number
• Standard confidentiality footer [TBD - if required]

6. Social Media and Public Communications

6.1 Professional Social Media

When using social media professionally (LinkedIn, Twitter, etc.):

Guidelines:

• Clearly indicate if opinions are personal, not company positions
• Maintain professional conduct and respect
• Protect confidential company and customer information
• Don't speak on behalf of Swedwise without authorization
• Be mindful that posts can be widely shared and archived
• Follow Swedwise brand guidelines when posting company content

Prohibited:

• Disclosing confidential or proprietary information
• Disparaging Swedwise, colleagues, customers, or partners
• Posting content that could damage Swedwise reputation
• Creating fake profiles or accounts
• Violating customer confidentiality or contractual obligations

6.2 Company Social Media Accounts

Official Swedwise social media accounts:

• Managed by authorized marketing/communications staff only
• Content reviewed before posting
• Security credentials protected and not shared
• Activity monitored for unauthorized access
• Separated from personal accounts

6.3 Personal Social Media Use

Personal social media use during work hours should be minimal and not interfere with productivity.

Employees should remember:

• You may be associated with Swedwise even on personal accounts
• Confidential information must remain confidential
• Professional conduct standards apply online
• Employment agreements may include non-disparagement clauses

7. Software and Applications

7.1 Software Installation

Corporate Devices:

• Software must be approved and installed via authorized channels
• Only licensed, authorized software permitted
• No pirated, cracked, or unauthorized software
• No installation of software that circumvents security controls
• No peer-to-peer file sharing applications unless approved

Licensing:

• Software must be properly licensed
• Don't exceed license counts or violate license terms
• Don't share license keys externally
• Report software licensing questions to IT

7.2 Cloud Services and SaaS Applications

Use of cloud services for Swedwise business:

Approved Services:

• Use only IT-approved cloud services for work data
• Follow provisioning process for new cloud service needs
• Ensure services meet security and compliance requirements
• Understand data location and privacy implications

Prohibited:

• Uploading company data to unapproved cloud storage
• Using personal cloud accounts for company files
• Shadow IT - using services without IT knowledge or approval
• Sharing company data via consumer file sharing services

Exceptions:

• Request IT approval before using new cloud services
• Security review may be required for certain services
• Contractual review required for services processing customer data

7.3 AI and Emerging Technologies

Use of AI tools and emerging technologies (e.g., ChatGPT, Copilot):

Guidelines:

• Follow company guidance on approved AI tools
• Don't input confidential or customer data into unapproved AI services
• Understand data usage and privacy policies of AI services
• Verify and validate AI-generated content before use
• Be transparent about AI-assisted work where appropriate
• Respect intellectual property in AI tool usage

8. Data Handling and Storage

8.1 Data Classification

Handle data according to its classification level (refer to SW-ISMS-POL-004: Data Protection Policy):

• Public: Can be freely shared
• Internal: For Swedwise use only
• Confidential: Restricted access, business impact if disclosed
• Restricted: Very limited access, serious impact if disclosed

8.2 Data Storage

Approved Storage:

• Use approved company file storage and collaboration platforms
• Store work files on company-managed systems, not local-only storage
• Ensure important work is backed up regularly
• Follow retention and disposal policies

Prohibited Storage:

• Don't store company data on unapproved cloud services
• Don't store sensitive data on removable media without encryption and approval
• Don't store confidential data on personal devices
• Don't keep local-only copies of critical business data

8.3 Data Sharing

Internal Sharing:

• Share data with colleagues based on business need
• Use approved collaboration tools
• Verify recipient before sharing sensitive data

External Sharing:

• Ensure recipient is authorized to receive data
• Use secure transmission methods for confidential data (encryption, secure portals)
• Don't send sensitive data to personal email addresses
• Follow customer data sharing requirements and contracts
• Remove or redact sensitive information when not required

8.4 Data Disposal

When data is no longer needed:

• Delete from all locations (including personal devices and cloud)
• Follow secure disposal procedures for sensitive data
• Shred physical documents containing sensitive information
• Wipe devices before disposal or reuse

9. Network and Connectivity

9.1 Network Use

Acceptable:

• Use of corporate network for business purposes
• Reasonable personal use during breaks
• Remote access via approved VPN

Prohibited:

• Running servers or services without IT approval
• Operating wireless access points or routers on corporate network
• Bridging corporate network to untrusted networks
• Network scanning or penetration testing without authorization
• Circumventing network security controls

9.2 Wireless Networks

Corporate WiFi:

• Use approved corporate WiFi networks
• Protect WiFi passwords and don't share with unauthorized persons
• Guest network available for visitors (isolated from corporate network)

Public WiFi:

• Use caution when connecting to public WiFi
• Always use VPN when accessing company resources over public WiFi
• Avoid accessing sensitive information over untrusted networks
• Disable automatic connection to open networks
• Verify network names before connecting (beware of fake hotspots)

9.3 Remote Access

Remote access to Swedwise systems:

• Use only approved VPN or remote access solutions
• Require multi-factor authentication
• Ensure remote location is reasonably secure and private
• Don't allow others to view screen when accessing confidential data
• Disconnect VPN when not actively needed

10. Monitoring and Privacy

10.1 Monitoring

Swedwise reserves the right to monitor IT resource usage to:

• Ensure policy compliance
• Protect security and prevent incidents
• Investigate suspected misconduct
• Meet legal and regulatory obligations
• Optimize performance and capacity

Monitoring may include:

• Network traffic analysis
• Email and communication content (when legally permitted)
• Internet browsing history
• Application usage
• Login and access patterns
• Data access and transfers

10.2 Privacy Expectations

Limited Privacy:

• Users should have no expectation of privacy when using Swedwise IT resources
• All data on corporate systems is considered company property
• Monitoring is conducted in accordance with applicable privacy laws
• Personal use of company resources may be visible to IT/management

Handling of Monitoring Data:

• Monitoring data used only for legitimate business purposes
• Access to monitoring data limited to authorized personnel
• Privacy protections applied consistent with applicable law
• Notification provided where legally required

10.3 Personal Data on Corporate Systems

Minimize Personal Data:

• Avoid storing personal data on company systems where practical
• Use personal devices for personal activities
• Be aware that company devices may be searched or monitored

Incident Response:

• In security incidents, company may access all data on corporate systems
• Personal data may be disclosed if relevant to investigation
• Remote wipe may erase all data on device including personal content

11. Specific Use Cases

11.1 Working at Customer Sites

When working at customer locations:

• Follow customer acceptable use policies in addition to Swedwise policies
• Use customer resources only for customer business
• Protect Swedwise confidential information
• Don't install Swedwise software on customer systems without approval
• Maintain professional conduct as representative of Swedwise
• Report any conflicts between Swedwise and customer policies to manager

11.2 Remote Work

When working remotely:

• Ensure workspace is reasonably secure and private
• Protect against "shoulder surfing" when handling confidential data
• Use VPN for all access to company resources
• Secure devices when not in use
• Follow all security policies even when working from home
• Report security incidents or concerns promptly

11.3 Travel

When traveling with company devices:

• Be extra vigilant against theft - never leave devices unattended
• Use device privacy screens in public
• Be cautious using hotel or airport WiFi - always use VPN
• Be aware of foreign surveillance and espionage risks in certain countries
• Consider travel-specific security measures for sensitive trips (contact IT)
• Report device theft immediately for remote wipe

11.4 Consultants and External Workers

Contractors and consultants with access to Swedwise resources:

• Subject to same acceptable use requirements as employees
• Sponsor/manager accountable for external worker compliance
• Access limited to duration of engagement
• Must sign acceptable use acknowledgment before receiving access
• Violations may result in immediate access termination

12. Reporting and Incidents

12.1 Reporting Violations

Report suspected policy violations to:

• Direct manager
• CISO or IT/Security team
• HR for harassment or discrimination issues
• Anonymous reporting channel if preferred [TBD]

Reports made in good faith will not result in reprisal.

12.2 Security Incidents

Report immediately:

• Lost or stolen devices
• Suspected malware or virus infection
• Phishing or social engineering attempts
• Suspicious emails or communications
• Unauthorized access or data disclosure
• Any security concerns or anomalies

Report to: [TBD - IT helpdesk, security email, phone number]

Early reporting enables faster response and reduces impact.

12.3 Whistleblower Protections

Employees reporting serious violations are protected under Swedish whistleblower laws. Good faith reports will not result in retaliation.

13. Roles and Responsibilities

Chief Information Security Officer (CISO)

• Policy ownership and maintenance
• Investigation of policy violations
• Security monitoring and compliance
• Awareness and training programs
• Reporting to management on compliance

IT Operations

• Technical implementation of controls
• Monitoring and alerting
• Investigation support
• User support and guidance
• Exception evaluation

Managers

• Ensuring team awareness and compliance
• Approving exceptions within authority
• Addressing violations promptly
• Promoting culture of responsible use
• Leading by example

Human Resources

• Incorporating policy into onboarding
• Supporting violation investigations
• Disciplinary action coordination
• Exit procedures including equipment return

All Users

• Reading and understanding this policy
• Complying with all requirements
• Reporting violations and incidents
• Completing required training
• Using IT resources responsibly

14. Consequences of Violations

Violations may result in:

First-Time/Minor Violations:

• Warning and counseling
• Mandatory training
• Temporary access restrictions

Serious or Repeated Violations:

• Access suspension or termination
• Formal disciplinary action
• Termination of employment or contract
• Legal action if warranted
• Reporting to law enforcement for criminal activity

Factors Considered:

• Intent (accidental, negligent, malicious)
• Impact (security, reputation, financial, legal)
• History (isolated vs. pattern)
• Cooperation with investigation

The goal is education and prevention for unintentional violations, with stronger measures for negligent or malicious conduct.

15. Policy Acknowledgment

All users must acknowledge:

• They have read and understood this policy
• They agree to comply with all requirements
• They understand consequences of non-compliance
• They will report violations and incidents

Acknowledgment required:

• Before receiving access to IT resources
• Annually as part of policy refresh
• After significant policy updates

16. Related Documents

Policies:

• SW-IMS-POL-001: Integrated Management System Policy
• SW-ISMS-POL-001: Information Security Policy
• SW-ISMS-POL-002: Access Control Policy
• SW-ISMS-POL-004: Data Protection Policy
• [TBD - HR Code of Conduct]

Procedures:

• [TBD - SW-ISMS-PRO-002: Incident Management Procedure]
• [TBD - SW-IT-PRO-001: Device Management Procedure]
• [TBD - SW-HR-PRO-001: Employee Onboarding Procedure]
• [TBD - SW-HR-PRO-002: Disciplinary Action Procedure]

Guidelines:

• [TBD - SW-ISMS-GUI-001: Information Classification Guideline]
• [TBD - SW-ISMS-GUI-002: Remote Working Security Guideline]
• [TBD - SW-ISMS-GUI-003: Password and Authentication Guideline]
• [TBD - SW-ISMS-GUI-005: Email Security Guideline]
• [TBD - SW-ISMS-GUI-006: Social Media Guideline]

Forms:

• [TBD - Acceptable Use Policy Acknowledgment Form]
• [TBD - BYOD Agreement]

17. Document Control

Version	Date	Author	Changes	Approved By
1.0	[TBD]	[TBD - CISO name]	Initial policy creation	[TBD - CEO name]

Next Review Date: [TBD - typically 12 months from effective date]

Document Classification: Internal

Document Owner: CISO

---

This policy is approved by Swedwise AB management and is effective from the date specified above. All users of Swedwise IT resources are required to read, understand, and comply with this policy.

By using Swedwise IT resources, you acknowledge acceptance of this Acceptable Use Policy and agree to comply with all requirements.