AUP-01 · PCI DSS reference: Req 12.2, 12.3, 12.6, 12.7

Acceptable Use Policy

Rules for the use of information assets, corporate accounts, and payment infrastructure.

SELLAI LLC

SafeLaw Service (safelaw.ai)

TIN 312530703, Nukus, Republic of Karakalpakstan, Uzbekistan

ACCEPTABLE USE POLICY

Document AUP-01

Version 1.0

Effective date: 15 May 2026

Compliance: PCI DSS v4.0.1, SAQ A

Master language: Russian. In case of any discrepancy between the English translation and the Russian master, the Russian version shall prevail.

1. Purpose

This Acceptable Use Policy (the «Policy») sets out the rules for the use of information assets, systems, equipment and communication channels of SELLAI LLC (the «Company») by employees, contractors and other persons with authorised access to such resources. The purpose of the Policy is to ensure the safe, correct and legally compliant use of the Company's information resources.

2. Scope

The Policy applies to:

  • all employees of the Company regardless of the form of their engagement;
  • contractors, consultants and parties under civil-law contracts with access to the Company's information resources;
  • interns and other persons granted temporary access to the Company's resources.

The Policy covers all devices used (including personal devices, where used for business purposes), networks, software and services, including cloud services.

3. General Use Principles

  • the Company's information assets are provided for the performance of business duties;
  • limited personal use (e.g., checking a personal mailbox) is permitted provided it does not interfere with business duties, does not violate the law or this Policy, and does not create security risks;
  • the employee is personally responsible for all actions performed using their credentials;
  • sharing credentials with any third party, including other Company employees, is strictly prohibited.

4. Authentication and Passwords

4.1. Password Requirements

  • minimum length — 12 characters;
  • must contain letters and digits (special characters are recommended);
  • must not repeat any of the user's last 4 passwords;
  • must not contain the user's name, the Company's name or obvious sequences (123456, qwerty, password, etc.);
  • planned change at least every 90 days;
  • change immediately upon suspected compromise.

4.2. Multi-Factor Authentication (MFA)

MFA is mandatory for:

  • Google Workspace accounts (email, documents);
  • Cloudflare, Namecheap and online banking accounts;
  • administrative consoles of servers and databases;
  • source code repository accounts (GitHub, GitLab, etc.);
  • any account with privileged access.

4.3. Password Storage

  • writing passwords on paper kept in plain view is prohibited;
  • storing passwords in unencrypted files, notes or messages is prohibited;
  • dedicated password managers (e.g., 1Password, Bitwarden, KeePassXC) shall be used;
  • using identical passwords for business and personal accounts is prohibited.

5. Email Use

Corporate email (the @safelaw.ai domain on Google Workspace) is provided for business correspondence. When using email, employees must:

  • not open attachments or links in suspicious emails from unknown senders;
  • verify the sender's address in emails requesting funds transfers, changes of bank details, passwords or confidential data;
  • immediately report phishing emails to safelawinfo@gmail.com;
  • not forward business correspondence to personal mailboxes;
  • not send payment card data, passwords or personal data in plaintext via email;
  • use corporate signatures and language consistent with the Company's image.

The use of corporate email is prohibited for:

  • bulk commercial messages (spam);
  • distribution of materials that infringe copyright or are offensive or discriminatory;
  • registration in entertainment or other services unrelated to business activities.

6. Internet and Web Service Use

  • the Internet is used primarily for business purposes;
  • downloading software and content from untrusted sources to corporate devices is prohibited;
  • visiting resources known to host malware or unlawful content (extremist, pornographic, etc.) is prohibited;
  • officially approved cloud services (Google Workspace, approved AI services) are preferred for business purposes;
  • new cloud services for storing or processing Company data require prior approval from the Information Security Officer.

7. Use of Company and Personal Devices

7.1. Company Devices

  • up-to-date anti-malware software is installed;
  • the operating system and applications are kept current;
  • full-disk encryption is enabled (FileVault on macOS, BitLocker on Windows, LUKS on Linux);
  • automatic screen lock after 10 minutes of inactivity;
  • loss or theft of a device must be reported to the Company immediately for access revocation.

7.2. Personal Devices (BYOD)

If an employee uses a personal device for business purposes, the following requirements apply:

  • the device is protected by a password, PIN, biometrics or another form of screen lock;
  • the device runs current software with the latest security updates;
  • business data is not stored in unencrypted storage;
  • upon termination of the engagement, the employee must delete all business data from the personal device.

8. Remote Access

  • remote access to corporate resources requires MFA;
  • the use of a VPN is recommended when working on public Wi-Fi networks;
  • screens used to handle business information in public places must be protected from shoulder surfing;
  • devices must not be left unattended in public places.

9. Protection of Payment Cardholder Data

Given the Company's involvement in payment operations, employees are strictly prohibited from:

  • accepting payment card data (card number, CVV, PIN, expiry date) from users via email, messengers, telephone, chat support or any channel bypassing the acquiring bank's payment gateway;
  • writing down, photographing or otherwise recording users' payment card data;
  • discussing users' payment card data with colleagues or third parties;
  • developing code, forms or processes that could result in the Company processing PAN (primary account number) or SAD (sensitive authentication data) without prior written approval from the Information Security Officer.

If a user has, on their own initiative, sent payment card data through an inappropriate channel (for example, to a customer support email), the employee must:

  • immediately delete the message containing the card data;
  • inform the user that the Company does not accept payment credentials by email and ask them to complete the payment via the website;
  • notify the Information Security Officer.

10. Software

  • only licensed or open-source software is installed on corporate devices;
  • the installation of new software, especially software requiring elevated privileges, is coordinated with the Information Security Officer;
  • the use of pirated software, key generators, cracks and similar tools is prohibited;
  • browser extensions and plug-ins are reviewed for security and privacy risks.

11. Protection against Malware and Phishing

Employees must:

  • exercise caution when opening attachments and following links in email;
  • check the sender's address for spoofing (for example, character substitution in the domain name);
  • not enter credentials on pages opened via links in emails;
  • if malware is suspected on a device, immediately disconnect the device from the network and notify the Information Security Officer.

Common phishing indicators:

  • unexpected urgency and threats of blocking or penalties;
  • mismatch between the displayed sender name and the actual email address;
  • requests to transfer funds, change banking details or share passwords;
  • attachments with .exe, .zip, .scr, .docm extensions from unknown senders.

12. Use of AI Services and Third-Party Services

When using third-party AI services (OpenAI, Anthropic, Google Vertex AI and others), employees must:

  • not submit users' payment card data, passwords or API keys in plaintext to AI services;
  • limit the transfer of users' personal data to the minimum necessary;
  • use only official integrations and APIs approved by the Company;
  • take into account that data submitted to an AI service may be processed by the provider in accordance with its policies.

13. Social Media and Public Statements

  • publications related to the Company's activities are coordinated with management;
  • publishing information about clients, partners, internal processes, infrastructure or incidents on social media is prohibited;
  • when mentioning the Company in personal publications, employees must make clear that the statements reflect their personal views only.

14. Prohibited Activities

When using the Company's resources, the following are strictly prohibited:

  • attempts at unauthorised access to information systems of the Company or third parties;
  • exploiting software vulnerabilities for purposes other than authorised security testing;
  • disabling security controls (anti-malware, firewall, logging);
  • bypassing access controls, password protection or MFA;
  • creating, using or distributing malware;
  • intentional alteration or destruction of the Company's information assets;
  • acts contrary to the legislation of the Republic of Uzbekistan or the Company's international obligations.

15. Monitoring

The Company may monitor the use of information resources to ensure security and policy compliance. Monitoring may include:

  • analysis of system and application access logs;
  • monitoring of network traffic on perimeter devices;
  • review of corporate email logs in case of suspected incidents.

Monitoring is performed with due regard to the legislation of the Republic of Uzbekistan on personal data and the secrecy of communications.

16. Liability

Violations of this Policy may result in:

  • disciplinary action under the labour legislation of the Republic of Uzbekistan;
  • termination of employment or civil-law relationships;
  • civil, administrative or criminal liability where the law so provides;
  • reimbursement of damage caused to the Company.

17. Acknowledgement and Undertakings

All employees and contractors to whom this Policy applies must read and acknowledge its provisions in writing upon hiring or contract signature, and upon each material update of the Policy. The acknowledgement is recorded in the register of acknowledgements of the local information security acts.

18. Document Information

Version   Date          Changes                             Approved by
1.0       15 May 2026   Initial approval of the document    R. Jumamuratov

Document Approval

This document is approved by the Director of SELLAI LLC and becomes effective from the signing date. All personnel, contractors, and other persons with access to SELLAI LLC information assets are required to acquaint themselves with this document.

Director of SELLAI LLC:

_________________________ / R. Jumamuratov

(signature) (name)

Date: «_____» _____________ 2026

Company seal.

Related policies

  • ISP-01: Information Security Policy
  • IRP-01: Incident Response Plan
  • TPSP-01: Third-Party Service Providers Management

Report a vulnerability or incident, or contact us as an auditor: safelawinfo@gmail.com