Acceptable Use Policy
Vendelux
Data Classification: Internal Use Only
Purpose
The purpose of this policy is to outline the acceptable use (also known as approved use) of Vendelux’s application, database, OS and network resources as well as other organizational assets. These rules are in place to protect our employees and Vendelux itself, as inappropriate use exposes the organization to various risks, including but not limited to: cyber attacks, breach of contract with our customers and vendors, legal and regulatory violations, and exposure of sensitive data.
Scope
This policy applies to employees, contractors, consultants, and other staff at Vendelux, including personnel affiliated with third parties accessing Vendelux systems. This policy also applies to IT resources (physical and digital) that are owned or leased by Vendelux.
Policy
General Use and Ownership
Users of Vendelux’s IT resources are expected to abide by the following guidelines that are built around the underlying principles of acceptable use of organizational assets:
• Comply with all local and applicable international laws, contractual obligations, and security requirements.
• Comply with all information security policies, regulations, procedures, and rules.
• Respect and protect the intellectual property rights of Vendelux, its customers, and other users within Vendelux.
• Refrain from sharing passwords or accounts with anyone, including trusted friends or family members. Users may be held responsible for any actions performed using their accounts.
• Demonstrate professionalism in all communication using Vendelux’s IT resources as expected in non-electronic communication.
• Respect others when using Vendelux’s IT resources.
• Only access files or data if they belong to you or are publicly available, or the owner of the data has permitted you to access them.
• Use corporate email accounts, Internet IDs and web pages for corporate-sanctioned communications only.
• Use the Internet and email judiciously. The use of the Internet and email may be subject to monitoring for security and/or network management reasons.
• The distribution of any information through the Internet, computer-based services, e-mail, and messaging systems is subject to the scrutiny of the IT / Security team. Vendelux reserves the right to determine the suitability of this information.
• While Vendelux desires to provide a reasonable level of privacy, users should be aware that the data they create on company systems remains the property of Vendelux.
• Employees must use caution when opening email attachments received from unknown senders, which may contain viruses or other malware.
• The organization permits personal use of the Internet in your own time (for example during your lunch break), provided it does not interfere with your work and follows the requirements defined in this policy. Any exception to this is at the discretion of your direct manager.
Prohibited Usage of IT Resources
The following usage of Vendelux’s IT Resources is prohibited. Under no circumstances is an employee of Vendelux authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing company owned resources.
The list below is not exhaustive, but attempts to provide guidelines for activities which fall into the category of unacceptable use:
• Circumvention of any security measure of Vendelux, its customers, or another organization.
• Intentional interference with the normal operation of the network, including the propagation of computer viruses and sustained high volume network traffic that substantially hinders others in their use of the network.
• Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Vendelux.
• Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of copyrighted sources and the installation of any copyrighted software for which Vendelux or the end user does not have an active license is strictly prohibited.
• Reveal or publicize Vendelux’s confidential or proprietary information which includes, but is not limited to: financial information, new business and product ideas, marketing strategies and plans, databases and the information contained therein, customer lists, technical product information, computer software source codes, computer/network access codes, and business relationships.
• Make or post inappropriate remarks, proposals, or materials on the Internet.
• Knowingly create, download, upload, display or access sites that contain pornography or other “unsuitable” material that might be deemed illegal, obscene or offensive.
• Download any software or electronic files without implementing anti-virus protection measures approved by Vendelux.
• Intentional use, distribution or creation of viruses, worms, or other malicious software.
• Operating a business, usurping business opportunities, organized political activity, or conducting activity for personal gain.
• Implying that the user is representing, giving opinions, or otherwise making statements on behalf of Vendelux without prior authorization or using Vendelux trade names, logos, or trademarks without prior written authorization.
Email and Electronic Communications Activities
• Do not send unsolicited email or other types of electronic messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material.
• Do not send unsolicited emails originating from within Vendelux’s networks or from other service providers on behalf of, or to advertise, any service hosted by Vendelux or connected via Vendelux’s network.
• Do not solicit emails that are unrelated to business activities or for personal gains.
• Do not send confidential emails without suitable encryption.
• Do not click links that you do not recognize, whether they are within your corporate email or your personal email.
• Never respond to MFA requests that you receive via email or text message if you did not initiate the MFA authentication attempt. This includes codes and passwords sent to your email/phone as an additional validation mechanism.
Blogging and Social Media
Vendelux makes use of social media to communicate directly with our customers as part of our marketing activity, to provide support for our products and services, and to obtain useful feedback on how our organization is perceived.
You must be authorized to use corporate social media accounts and to represent the organization to the general public, and only if that is part of your job role.
Only authorized accounts should be used to publish messages and respond to other users of relevant social media channels. Do not use your own personal accounts.
Vendelux respects your personal online activity as a medium of self-expression, but remember you continue to have responsibilities to the organization outside of working hours.
When using social media to engage on matters relevant to Vendelux, make it clear it is your own opinion you are expressing and not that of the organization.
Additional considerations include:
• Employees are prohibited from revealing any Vendelux confidential or proprietary information, trade secrets or any other confidential information when engaged in blogging or social media.
• Employees shall not engage in any blogging or social media use that may harm or tarnish the image, reputation or goodwill of Vendelux and any of its employees.
• Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or using social media.
• Employees may also not attribute personal statements, opinions or beliefs to Vendelux when engaged in blogging or using social media.
• If an employee is expressing his or her beliefs or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of Vendelux. Employees assume any risks associated with blogging or using social media.
Freeware, Browser Extensions, Free third party add-ons and plugins
The use of freeware could result in the loss of Vendelux data and leave Vendelux unable to sufficiently protect data that flows through the environment in accordance with applicable laws and regulations related to security and privacy, as well as contractual commitments that Vendelux has made to customers. Individuals should validate that the specific freeware, browser extension, or free third party add-on or plugin is explicitly approved by the organization prior to installing any of these tools on Vendelux owned assets.
External Media (removable storage devices, backup drives, etc.)
Use of external media that is not encrypted and password protected, such as removable external storage devices (e.g., USB flash drives), is strictly prohibited. If the need arises to use external media on Vendelux assets, employees can contact the Security Team ([email protected]) to identify suitable devices which provide sufficient encryption and password protection mechanisms.
QR Codes
The scanning of QR codes with company devices is strictly prohibited, as it is nearly impossible to tell the difference between a legitimate and illegitimate QR code until after you’ve scanned it. Furthermore, it is highly encouraged that you do not scan QR codes with your personal devices either, for the above-mentioned reason.
Cloud Computing
Vendelux makes use of cloud services to enable business processes in a responsive and flexible way. These services are subject to a due diligence procedure to ensure that they meet our business, security and legal requirements. As part of your job role, you must only make use of cloud services that have been put in place by Vendelux. The storing of classified information in unapproved cloud services is strictly prohibited.
Clear Desk Policy
Employees are required to ensure that classified data in hardcopy or electronic form, including paper notebooks, printed sheets, and whiteboards, is removed from their desks or other unattended places to prevent unauthorized access.
This must be done at the end of the day and any time an employee is away from their desk for an extended period of time as well as whenever they vacate a meeting room or common area.
Equipment (such as laptops and tablets) shall be locked or be taken with the individual after business hours to protect from unauthorized access.
Passwords should never be left on sticky notes posted on or under a computer, nor should they be written down physically or electronically.
Keys for accessing drawers or filing cabinets should not be left on a desk.
When traveling with company devices, it is your responsibility that they are securely stored. When storing in a vehicle, your devices should be kept out of sight from outside the vehicle or preferably stored in the trunk.
The above-mentioned requirements apply to any location that the employee is working from, including corporate office, home office, or remote location.
Clear Screen Policy
Workstations, laptops, tablets and cellphones must be screen locked when not in use or not attended. Screensavers must be set to automatically lock after a defined period of inactivity.
Protection of Shared Facilities and Equipment
• Whiteboards must be cleaned at the end of a meeting.
• Waste paper that contains confidential data must be placed in the designated confidential waste bins or shredded. Under no circumstances will this information be placed in regular waste paper bins.
• Printers and fax machines should be treated with the same care under this policy.
• Documents containing sensitive information must immediately be removed from printers, fax and copy machines.
Information Security Incidents
If you detect, suspect or witness an incident that may be a breach of security, or if you observe any suspected information security weaknesses in systems or services, you should in the first instance inform your line manager, or contact the support team.
Unusual or unexplained events, such as messages appearing on your device, can indicate that an incident is happening, and these should be reported as soon as possible.
If an incident is detected by Vendelux, you may be asked to take specific action, such as logging off systems or closing your device down. You should comply with such requests immediately to potentially reduce the impact of the incident.
Policy Compliance
Compliance with this policy will be validated through varying mechanisms, including but not limited to, internal reporting, internal audit and continuous control monitoring, independent third party audits, and periodic reviews.
This policy gives a summary of the main points of the relevant information security related policies, and you are expected to read it and understand its provisions. Where your role involves tasks or access to information that are the subject of a more detailed topic-specific policy, you will be made aware of your additional responsibilities as part of your role.
As an employee, you will be expected to comply fully with all of the information security policies that are in place and to report any breaches of these policies of which you may become aware.
Anyone breaching information security policy may be subject to disciplinary action. If a criminal offense has been committed, further action may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, please seek advice from your immediate manager as soon as possible.
Enforcement
The company will enforce this policy through appropriate disciplinary action for any violations. The disciplinary action may include, but is not limited to, termination of employment, legal action, and reporting to appropriate law enforcement authorities.
Revision History
Version: 2.0
Date: 4/15/2025
Editor: Ben Pfeifer, Amanda Waselewski
Approver: Ben Pfeifer
Description of Changes: Annual Policy Review