Acceptable Use Policy

1. Permitted Use

1.1 The AttendIQ platform is provided solely for the purpose of construction workforce management, including worker identity and competency management, site access control, attendance recording, compliance tracking, induction delivery, document management, payroll data processing, and related operational functions.

1.2 You may use the platform only for your normal business purposes in connection with managing your workforce and supply chain in the construction sector.

1.3 Use of the platform must comply with all applicable laws and regulations, including but not limited to the Health and Safety at Work etc. Act 1974, the Construction (Design and Management) Regulations 2015, the Immigration, Asylum and Nationality Act 2006, and UK data protection legislation.

2. Account Security

2.1 Multi-factor authentication (MFA) is mandatory for all user accounts and cannot be disabled. This is a non-negotiable security requirement.

2.2 You must ensure that each Authorised User has a unique login. Account credentials must not be shared between individuals.

2.3 You must promptly deactivate or remove user accounts for any individual who leaves your organisation or no longer requires access to the platform.

2.4 You are responsible for all activity that occurs under your organisation's accounts. You must notify AttendIQ immediately at security@attendiq.co.uk if you become aware of any unauthorised access to your account.

2.5 You must ensure that user roles and permissions are assigned according to the principle of least privilege. Users should only have access to features and data necessary for their role.

2.6 Special category data permissions (medical_view, da_view) must only be granted to users with a legitimate operational need. Granting these permissions to users without a genuine requirement is a violation of this policy.

3. Prohibited Conduct

You and your Authorised Users must not:

3.1 Security and Infrastructure

• (a) Attempt to access, view, or modify data belonging to another organisation's tenancy.
• (b) Attempt to bypass, disable, or interfere with any security feature of the platform, including Row Level Security, multi-factor authentication, or document scanning.
• (c) Upload files containing viruses, malware, ransomware, or any other malicious code. All uploaded documents are scanned by our antivirus system (ClamAV), and infected files are automatically quarantined.
• (d) Attempt to reverse engineer, decompile, disassemble, or otherwise derive the source code of the platform.
• (e) Use automated scripts, bots, scrapers, or other automated means to access the platform or extract data, except through our published API and within the rate limits specified.
• (f) Conduct or commission any security testing (including penetration testing) against the platform without our prior written consent.
• (g) Attempt to overwhelm or degrade the platform through excessive API calls, bulk operations, or denial-of-service activity.

3.2 Data and Content

• (a) Upload, store, or process personal data without a lawful basis under UK data protection legislation. You are the Data Controller for worker data and are responsible for establishing the legal basis for processing.
• (b) Upload content that is unlawful, defamatory, threatening, discriminatory, obscene, or that infringes the intellectual property rights of any third party.
• (c) Use medical records, drug and alcohol test results, or any other special category data for purposes other than legitimate occupational health, workplace safety, or the specific purposes for which the data was collected.
• (d) Use the platform or any data within it to unlawfully discriminate against any worker on the basis of a protected characteristic under the Equality Act 2010, including but not limited to disability, race, religion, sex, or age.
• (e) Falsify, fabricate, or knowingly upload inaccurate competency records, qualification data, or right-to-work documentation. Competency records are safety-critical; falsification may constitute a criminal offence.
• (f) Publish or disclose the results of any benchmark or performance test conducted on the platform without our prior written consent.

3.3 Access Rules and Compliance

• (a) Configure site access rules with the purpose or effect of unlawfully discriminating against workers.
• (b) Override, bypass, or ignore access rule decisions for safety-critical rules (bans, right-to-work expiry) except where permitted by law.
• (c) Use the ban functionality for purposes unrelated to legitimate site safety, security, or disciplinary reasons.

3.4 Commercial Restrictions

• (a) Resell, sublicense, or make the platform available to third parties other than your Authorised Users and invited Supply Chain Organisations.
• (b) Use the platform to provide workforce management services to third parties on a bureau or outsourced basis, unless agreed in writing with AttendIQ.
• (c) Exceed your Permitted Worker Band without purchasing an upgrade.

4. Data Accuracy

4.1 You are responsible for the accuracy, completeness, and legality of all data you upload to or enter into the platform.

4.2 You must ensure worker records are kept up to date, including employment status, competency expiry dates, and right-to-work documentation.

4.3 Where the platform flags a potential duplicate worker record, you must review and resolve the flag promptly. Ignoring duplicate flags may result in compliance data being associated with the wrong individual.

5. Supply Chain Responsibilities

5.1 Where you invite a Supply Chain Organisation to use the platform, you are responsible for ensuring that the Supply Chain Organisation is made aware of this Acceptable Use Policy.

5.2 Supply Chain Organisations and their Authorised Users are bound by the same terms as set out in this AUP.

5.3 You acknowledge that Supply Chain Organisations access a limited view of the platform, scoped to the sites and projects to which they have been invited. Any attempt by a Supply Chain Organisation to access data outside this scope is a violation of this policy.

6. Consequences of Violation

6.1 AttendIQ reserves the right to take the following actions in response to violations of this AUP:

• First violation (minor): Written notice identifying the violation and requiring corrective action within a reasonable timeframe.
• Repeated or material violation: Suspension of the offending user account or, where the violation is attributable to the Customer organisation, suspension of the Customer's access to the platform. Suspension will continue until the violation is remedied to our reasonable satisfaction.
• Serious violation: Immediate termination of the Agreement in accordance with the termination provisions of the Master Subscription Agreement. Serious violations include any deliberate attempt to access another tenant's data, falsification of safety-critical records, or use of the platform for unlawful discrimination.

6.2 Suspension or termination under this clause does not relieve you of your obligation to pay any outstanding fees.

6.3 We will use reasonable efforts to notify you before suspending access, except where immediate action is necessary to protect the security or integrity of the platform, other customers' data, or to comply with a legal obligation.

7. Reporting Violations

7.1 If you become aware of any violation of this AUP, whether by your own users or by any other party, please report it immediately to security@attendiq.co.uk.

7.2 If you discover a security vulnerability in the platform, please report it responsibly to security@attendiq.co.uk. Do not publicly disclose any vulnerability before we have had a reasonable opportunity to investigate and address it.

8. Changes to This Policy

8.1 We may update this AUP from time to time. Material changes will be notified to you by email at least 30 days before they take effect.

8.2 Continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy.

9. Contact

For questions about this Acceptable Use Policy, contact:

Email: support@attendiq.co.uk
Post: AttendIQ Ltd, England and Wales (registered address to be confirmed on incorporation)