Acceptable Use Policy
Purpose
This policy sets out the standards for acceptable use of Trove's systems, tools, and data. It applies to all staff, contractors, and any other individuals who access Trove systems in connection with their work.
The goal is to protect Trove, its customers, and their data - while giving the team clear, reasonable guidance on how to use company systems responsibly.
Scope
This policy covers all systems and tools used to carry out work for Trove, including but not limited to:
- Google Workspace - Gmail, Google Drive, Docs, Sheets, Calendar
- Slack - team communication
- ClickUp - task and project management
- GitHub - source code and version control
- DuploCloud - cloud infrastructure management
- AWS - cloud services and infrastructure
- Figma - design and prototyping
- Trove admin portals - production and staging environments
This policy applies regardless of whether access is from a personal device, a work device, or a public or private network.
Bring Your Own Device (BYOD)
Trove operates a fully remote team where staff use personal devices for work. If you access any Trove system from a personal device, you are responsible for ensuring that device meets the following minimum standards:
- Operating system - keep your OS updated with the latest security patches
- Screen lock - enable a PIN, password, or biometric lock that activates after a short period of inactivity
- Full-disk encryption - enable full-disk encryption (FileVault on macOS, BitLocker on Windows)
- Antivirus / malware protection - have active, up-to-date protection in place
- No shared access - do not allow others (including family members) to use your device for anything that could expose Trove systems or data
- Lost or stolen devices - report a lost or stolen device to the CTO immediately so that access can be revoked
Remote Work & Public Networks
As a fully remote team, staff may work from a range of locations. The following standards apply:
- Home networks - ensure your home Wi-Fi is protected with a strong password and modern encryption (WPA2 or WPA3)
- Public networks - avoid accessing sensitive Trove systems (admin portals, AWS, GitHub, customer data) from public Wi-Fi networks such as cafes, airports, or co-working spaces without a VPN
- VPN - use a reputable VPN when working from public or untrusted networks
- Shoulder surfing - be mindful of your surroundings when working with sensitive information in public spaces
Acceptable Use
When using Trove systems, you are expected to:
- Use systems only for legitimate work purposes
- Keep login credentials secure and never share them with others
- Use strong, unique passwords for each system - use a password manager
- Enable multi-factor authentication (MFA) wherever it is available
- Log out of or lock sessions when stepping away from your device
- Handle customer and personal data with care and in accordance with our Privacy Policy and Global Privacy Policy
- Report any suspected security incidents, data breaches, or policy violations to the CTO promptly
Unacceptable Use
The following are not permitted under any circumstances:
Data and security:
- Sharing login credentials, API keys, or access tokens with unauthorised individuals
- Storing Trove customer data, personal data, or confidential information in unauthorised locations (e.g. personal cloud storage, personal email)
- Transmitting sensitive data over unencrypted channels
- Attempting to access systems, data, or environments you are not authorised to access
- Installing unauthorised software or tools on devices that access Trove systems
Systems and infrastructure:
- Making changes to production systems outside the approved Git Branching & Deployment Workflow and Deployment Windows & Release Policy
- Disabling or circumventing security controls, logging, or monitoring
- Using Trove infrastructure for personal projects, mining, or any non-work purpose
General conduct:
- Using Trove systems to harass, intimidate, or harm others
- Sharing confidential company information (financials, strategy, customer data, source code) with unauthorised parties
- Engaging in any activity that violates applicable law
Passwords & Access Management
- Use a password manager to generate and store strong, unique passwords
- Passwords must not be reused across systems
- Enable MFA on all systems that support it - this is mandatory for Google Workspace, GitHub, and AWS
- Access to systems should be requested through the CTO and granted on a least-privilege basis - you should only have access to what you need to do your job
- When a team member leaves Trove, access to all systems must be revoked on their last day
Software & Tool Usage
- Only use tools and software that have been approved for use at Trove
- Do not introduce new third-party tools that will process Trove or customer data without first discussing with the CTO
- Keep all work-related software and browser extensions up to date
Monitoring
Trove may monitor access logs, activity, and usage of its systems for security and compliance purposes. This includes but is not limited to access to cloud infrastructure, code repositories, and admin portals.
Monitoring is conducted for legitimate security and operational purposes only and is not intended to surveil individual staff beyond what is reasonably necessary.
Violations
Breaches of this policy may result in disciplinary action, up to and including termination of employment or contract. Where a breach involves illegal activity or a serious data incident, it may also be reported to relevant authorities.
If you are unsure whether something is permitted under this policy, ask the CTO before proceeding.
Review Cycle
This policy will be reviewed annually or when significant changes are made to Trove's systems, team structure, or regulatory obligations.
Last reviewed: April 2026
Owner: CTO