Acceptable Use Policy

Limited personal use of Corporate Devices is permitted, provided it meets the following conditions:

• Incidental and Non-Disruptive: Personal use must not interfere with work responsibilities or performance.
• Legal and Ethical: Activities must comply with all local laws, Group’s policies and ethical standards.

Corporate Devices are provided exclusively for business-related purposes, including:

• Performing job functions and accessing corporate resources.
• Storing, processing, and transmitting Corporate Data securely.
• Communicating with internal teams and external stakeholders through approved channels.

• Only approved and authorized devices may be connected to Corporate Networks. This includes portable end-user devices, removable devices (e.g., USB sticks) and personally owned devices.
• Users must not install software, hardware or modify system configuration settings on any Corporate Devices, unless explicitly permitted by the User’s role and responsibility.
• Users must not engage in any activity with the intent to disrupt Corporate Assets or Corporate Networks.
• Users are strictly prohibited from bypassing authentication mechanisms or compromising the security of any user account or information system asset.
• Users must not leverage Corporate Assets for personal economic gain.
• Minimal Data Usage: Avoid excessive use of Corporate Devices for personal activities that may strain device performance or data limits (e.g., streaming or downloading large files).
• Non-Commercial: Corporate Devices must not be used for personal business or entrepreneurial activities.
• Appropriate Content: Avoid accessing, sharing or storing inappropriate, offensive or illegal content on Corporate Devices.

Limited personal use of the corporate network is allowed if it:

• Does not interfere with work responsibilities or network performance.
• Does not compromise the security or integrity of the network.

Personal use is subject to monitoring and users should have no expectation of privacy when using the corporate network.

The corporate network is to be used exclusively for business purposes, including:

• Accessing corporate systems, applications and resources necessary for job functions.
• Communicating and collaborating with colleagues and external partners through approved platforms.
• Securely transmitting, processing and storing corporate data.

• Users must not use the network to download or upload obscene, offensive or illegal material.
• Users must not use the network to send confidential information to unauthorized recipients.
• Users must not use the network to invade another person’s privacy and sensitive information.
• Users must not perform any form of network monitoring, port scanning or security scanning unless this activity is a part of the individual’s normal job and is formally authorized.

Personal use of Corporate Software is generally not permitted except when explicitly authorized by management or IT.

Under no circumstances should Corporate Software be used for:

• Personal projects, entertainment or social media unless work-related.
• Storing or processing personal files or data.

Corporate Software must be used solely for official business purposes, including:

• Performing job-specific tasks and achieving organizational objectives.
• Accessing and processing corporate data securely and efficiently.
• Collaborating and communicating with team members and external stakeholders.

The following actions are strictly prohibited:

• Using Corporate Software for illegal or unethical activities.
• Sharing Corporate Software licenses, credentials or data with unauthorized individuals or entities.
• Modifying, duplicating or distributing Corporate Software without explicit authorization.
• Installing or using unlicensed, pirated or unauthorized software on corporate devices.
• Using Corporate Software for personal gain or non-work-related activities is prohibited.
• Employees are prohibited from installing Corporate Software on personal devices without prior approval.

Personal use of Corporate Email is expressly prohibited unless authorized by management for exceptional circumstances.

Yoma Group may be legally liable for the content of emails it sends. Therefore, all email communications must adhere to the organization’s corporate identity and standards. Email content should be treated as business correspondence, as recipients may retain and forward it. When representing another individual or department in an email, ensure express authorization is obtained and clearly indicate this in the message or header.

Yoma Group retains the right to monitor and audit Corporate Email systems, and the websites employees visit on Corporate Devices. Employees are strictly prohibited from using their Corporate Email for the following purposes:

• Registering on illegal, unsafe, disreputable, unauthorized or suspect websites and services.
• Transmitting emails containing false, misleading or defamatory information regarding Yoma Group or its products, customers, staff, competitors or other entities.
• Subscribing to competitors’ services without explicit authorization.
• Sending emails that are obscene, discriminatory, abusive, offensive, or inappropriate in any manner (e.g., pornographic, illegal, may constitute harassment), including the circulation of messages, jokes or advertisements that are of an offensive nature.
• Sending unsolicited email messages, including the transmission of “junk mail” or other advertising or marketing material to individuals who have not consented to such communication (email spam).
• Soliciting email addresses for any purpose other than the sender’s account, with the intention of harassing or collecting responses (email solicitation).
• Accessing, sharing or utilizing an email account belonging to another individual without explicit authorization from the account owner.
• Altering email header information.
• Engaging in the creation or dissemination of “chain letters”, “Ponzi” or other “pyramid” schemes of any nature.
• Automatically forwarding emails intended for Corporate Email addresses to personal accounts, non-Corporate Email accounts belonging to public or external email providers, or any email account of a partner company.
• Knowingly sending or forwarding email with computer viruses, malware or malicious code.
• Misrepresenting the organization’s position or implying unauthorized authority to speak on behalf of the Group.
• Sending, forwarding or receiving sensitive, confidential or proprietary Corporate Data through non-Corporate Email accounts.

Yoma Group has a Data Classification Policy to ensure corporate information is appropriately categorized and protected based on its sensitivity and importance to the organization. Users are responsible for classifying data according to established guidelines and ensuring appropriate handling and protection. We have defined three classification levels for our data. For detailed guidelines on data classification and handling, refer to the organization’s Data Classification Policy.

• Accessing, modifying, copying or deleting Corporate Data without proper authorization.
• Sharing or disclosing sensitive Corporate Data with unauthorized individuals, entities or systems, whether internal or external.
• Transferring Corporate Data to unauthorized personal devices, storage or third parties.
• Backing up, relocating, storing or otherwise accessing any Corporate Data with unauthorized devices.
• Bypassing security controls (e.g., disabling encryption, removing access restrictions) to manipulate or extract Corporate Data.
• Engaging in activities that could lead to data breaches, leaks, or exposure of confidential corporate information.
• Retaining confidential files after employment ends.
• Failing to report suspected or actual data breaches to the IT within 1 hour of discovery.

Limited personal use of corporate storage systems may be allowed under the following conditions:

• Personal files should not exceed nominal storage capacity and should not interfere with business operations.
• Personal documents, photos or media uploaded to corporate storage must not contain sensitive, confidential or illegal content.
• Personal use should not impact system performance, security or other employees’ ability to access resources.
• The enterprise assumes no responsibility for the loss, protection or recovery of personal files stored on corporate storage systems.

Employees must use corporate storage systems primarily for:

• All corporate data related to business operations must be stored in the designated corporate storage systems, including Microsoft 365 services (OneDrive, SharePoint, Teams) and corporate file server.
• Ensuring all work-related files are stored in corporate storage to comply with backup and disaster recovery protocols.
• Confidential or sensitive information must be encrypted or stored in designated secure corporate storage.
• Access to corporate storage must only be via authorized devices and accounts.
• Storage usage will be monitored to ensure compliance with this Policy.

The following activities are strictly prohibited:

• Storing personal files of excessive size, such as movies or large media collections.
• Corporate information must not be stored on personal storage devices, personal cloud accounts or unauthorized external platforms.
• Uploading copyrighted, pirated or illegal content.
• Storing corporate data in non-secure folders.
• Sharing login credentials or granting unauthorized access to corporate storage.
• Using corporate storage for personal businesses, side hustles or commercial purposes.
• Overloading storage with irrelevant files that compromise system performance.
• Bypassing security measures, such as access controls or using unauthorized third-party apps for storage.

Upon an employee’s resignation, termination or permanent leave, individual storage accounts will be deactivated and deleted according to the following schedule:

• Data stores will be retained for 30 days after the last working day to facilitate potential handovers or reviews.

• Do not share your password with anyone, including coworkers. Passwords must be treated as sensitive and confidential information of the organization.
• Avoid writing passwords down or saving them in unsecured locations.
• Passwords must not be stored in clear text on paper or saved in non-protected files (e.g., unencrypted text files).
• The same password must not be used for multiple accounts.
• Passwords must be updated every 90 days.
• PCs must not be left unattended without activating password-protected screensaver or logging off the device.
• After 5 unsuccessful login attempts, accounts will be locked and require IT Helpdesk assistance to reset.
• Enable two-factor authentication (2FA) to add an extra layer of security to your accounts where system support.
• If you suspect your password has been compromised, report it to the IT Helpdesk immediately and reset your password.
• Passwords should not be shared via insecure transport mechanism or in clear text.
• Temporary passwords should be changed at the first logon with the default password provided by the IT Helpdesk.
• If the security of an account is in question, the password must be changed immediately. If passwords are discovered exposed, secure them and report the discovery to IT.

When creating a password, all employees must follow the standard password guidelines below to ensure strong and secure passwords

• Passwords must be at least 8 characters long (a longer password is recommended). For privileged and service accounts, a minimum length of 16 characters is required.
• Passwords must not contain your username, full name or any other personally identifiable information.
• Passwords must include at least one uppercase letter, one lowercase letter, one number and one special character.
• Passwords should not contain repetitive sequences (e.g., “aaaa”) or sequential patterns (e.g., “abc”, “1234”).
• Do not reuse old passwords or use simple variations of previous passwords (e.g., “Password1” to “Password2”).
• Users cannot reuse the same password within a certain timeframe (7 password entries).
• Multi-factor authentication shall be used where the system supports it for all accounts on SaaS platforms, externally hosted and internet facing systems.
• Sharing your credentials gives others access to your identity on the network, making you responsible for any misuse or security incidents that may occur under your ID.