Acceptable Use Policy

Last updated: January 15, 2025

Purpose and Scope

This Acceptable Use Policy (“AUP”) governs your use of Flow GRC’s (“Flow,” “we,” “us,” or “our”) governance, risk, and compliance platform and related services (the “Service”). This policy is designed to ensure a safe, secure, and productive environment for all users.

By accessing or using our Service, you agree to comply with this AUP in addition to our Terms of Service and Privacy Policy. Violations of this policy may result in suspension or termination of your access to the Service.

General Principles

When using our Service, you must:

  • Use the Service only for legitimate business purposes
  • Respect the rights and privacy of other users
  • Comply with all applicable laws and regulations
  • Maintain the security and integrity of the platform
  • Use resources responsibly and efficiently
  • Report security vulnerabilities or policy violations promptly

Prohibited Activities

The following activities are strictly prohibited when using our Service:

Illegal and Harmful Activities

  • Engaging in any illegal activities or facilitating illegal conduct
  • Violating any applicable laws, regulations, or third-party rights
  • Promoting or facilitating violence, terrorism, or hate speech
  • Harassing, threatening, or intimidating other users
  • Distributing malware, viruses, or other harmful code
  • Engaging in fraudulent or deceptive practices

Security Violations

  • Attempting to gain unauthorized access to accounts, systems, or networks
  • Bypassing or circumventing security measures or access controls
  • Probing, scanning, or testing systems or networks for vulnerabilities
  • Interfering with or disrupting the Service or its infrastructure
  • Monitoring network traffic or data without authorization
  • Sharing login credentials or allowing unauthorized account access

Misuse of Service Features

  • Using automated tools, bots, or scripts without explicit permission
  • Overloading or attempting to overwhelm our systems
  • Reverse engineering, decompiling, or otherwise attempting to extract the source code of the Service
  • Creating fake accounts or impersonating other individuals or organizations
  • Attempting to access features or data not intended for your account type
  • Using the Service for cryptocurrency mining or similar resource-intensive activities

Content Violations

  • Uploading or sharing content that infringes intellectual property rights
  • Distributing spam, unwanted communications, or chain letters
  • Posting content that is defamatory, obscene, or offensive
  • Sharing confidential information without proper authorization
  • Uploading content containing personal information of others without consent
  • Distributing content that violates privacy or data protection laws

Data and Privacy Responsibilities

Data Handling

When using our Service, you must:

  • Only upload data that you have the legal right to process
  • Ensure all personal data is collected and processed lawfully
  • Implement appropriate data protection measures within your organization
  • Classify and handle sensitive data according to its risk level
  • Regularly review and update data access permissions
  • Report data breaches or security incidents promptly

Prohibited Data Types

You may not upload or process the following types of data through our Service:

  • Data obtained through illegal or unauthorized means
  • Medical records or protected health information (unless specifically authorized)
  • Payment card data (cardholder data subject to PCI DSS) without proper compliance measures
  • Government classified information or export-controlled data
  • Personal information of children under 13 years of age
  • Biometric data or genetic information without explicit consent

Account Security Requirements

To maintain account security, you must:

  • Use strong, unique passwords for your account
  • Enable multi-factor authentication (MFA) when available
  • Keep your contact information and security settings up to date
  • Log out of shared or public computers
  • Monitor your account for unauthorized activity
  • Report suspected security breaches immediately
  • Regularly review and manage user access permissions
  • Implement proper offboarding procedures for departing employees

Resource Usage Guidelines

Fair Use

Our Service is designed to support normal business operations. You should use resources reasonably and in accordance with your subscription plan limits.

Prohibited Resource Usage

  • Excessive API calls or data requests that impact service performance
  • Storing or processing data unrelated to GRC activities
  • Using the Service as a general file storage or backup solution
  • Running processes that consume excessive computational resources
  • Attempting to resell or redistribute Service access to third parties

Compliance and Regulatory Requirements

As the provider of a GRC platform, we expect our users to maintain high standards of compliance:

Industry Standards

  • Adhere to the laws, regulations, and industry standards that apply to your organization (e.g., SOX, GDPR, HIPAA)
  • Implement appropriate internal controls and governance frameworks
  • Maintain accurate and complete compliance documentation
  • Conduct regular risk assessments and audits
  • Report compliance violations or concerns promptly

Professional Conduct

  • Maintain professional integrity in all interactions
  • Avoid conflicts of interest in risk assessments and audits
  • Ensure independence and objectivity in compliance activities
  • Protect confidential information and trade secrets
  • Follow your organization’s code of ethics and conduct policies

Reporting Violations

We encourage users to report suspected violations of this AUP or other concerning activities:

How to Report

Security Issues:

Email: security@flowgrc.com

Policy Violations:

Email: abuse@flowgrc.com

General Support:

Email: support@flowgrc.com

What to Include

When reporting violations, please provide:

  • Detailed description of the incident or concern
  • Date, time, and location (if applicable)
  • User accounts or systems involved
  • Any supporting evidence or documentation
  • Your contact information for follow-up

Enforcement and Consequences

Investigation Process

When we receive reports of policy violations, we will:

  • Conduct a thorough investigation of the reported incident
  • Gather relevant evidence and documentation
  • Interview involved parties as necessary
  • Determine appropriate corrective actions
  • Implement measures to prevent future violations

Potential Consequences

Depending on the severity and nature of the violation, consequences may include:

  • Warning: Written notice of policy violation with corrective guidance
  • Account Restriction: Temporary limitation of specific features or capabilities
  • Account Suspension: Temporary suspension of Service access
  • Account Termination: Permanent termination of Service access
  • Legal Action: Referral to law enforcement or pursuit of civil remedies
  • Data Recovery Assistance: Help with data export before account closure (when appropriate)

Appeals Process

If you believe enforcement action was taken in error, you may appeal by contacting our support team within 30 days of the action. We will review your appeal and respond within 10 business days.

Policy Updates

We may update this Acceptable Use Policy from time to time to address new threats, technologies, or business requirements. We will notify users of material changes through:

  • Email notifications to account administrators
  • In-platform notifications and announcements
  • Updates to the “Last Updated” date on this policy
  • Prominent notices on our website

Continued use of the Service after policy updates constitutes acceptance of the revised terms.

Contact Information

If you have questions about this Acceptable Use Policy or need clarification on any provisions, please contact us:

Flow GRC Compliance Team

Email: compliance@flowgrc.com

Subject Line: Acceptable Use Policy Inquiry

Address: 357 Bay Street, Toronto, ON M5H 4A6