
Acceptable Use Policy

This policy defines the acceptable and prohibited uses of Octa1ne's website, services, systems and infrastructure. It applies to all clients, users and third parties who interact with our services.

Last updated: June 3, 2026
Effective: June 3, 2026

This Acceptable Use Policy (“AUP”) governs the use of Octa1ne's website, managed security services, client portal, reporting platform and any associated systems or infrastructure (collectively, “Services”). This policy applies to all clients, authorised users, employees, contractors and any third parties who access or use our Services.

By accessing or using our Services, you agree to comply with this policy. This AUP is incorporated into and forms part of our Terms of Service. Capitalised terms used but not defined here have the meanings given in the Terms of Service.

1. Overview

Octa1ne provides managed cybersecurity services to organisations worldwide. Our Services include security operations centre (SOC) monitoring, threat detection and response, vulnerability management, identity security, data protection and compliance support — all built on Microsoft's enterprise security ecosystem.

The integrity, security and reliability of our Services are essential — both for protecting our clients and for maintaining the trust that our business depends on. This Acceptable Use Policy exists to protect our clients, our staff, our infrastructure and the broader security community from harmful, unlawful or irresponsible use of our systems and services.

We take violations of this policy seriously. Any use of our Services that threatens the security of our systems, the safety of our clients or the integrity of our operations will be treated as a material breach and may result in immediate suspension or termination of access, legal action or reporting to relevant authorities.

2. Scope & Application

This policy applies to:

  • All client organisations that have entered into a Service Agreement with Octa1ne
  • All authorised users within client organisations who access Octa1ne systems, portals or reports
  • All employees, contractors and consultants of Octa1ne
  • Any third party that accesses our systems, infrastructure or data in connection with services we provide
  • Any person or entity that visits or interacts with the Octa1ne website at www.octa1ne.com

This policy applies globally — regardless of the jurisdiction in which you are located or from which you access our Services. Where local law imposes additional obligations or restrictions, those also apply.

If you are a client, this policy supplements and should be read alongside your Service Agreement and any Data Processing Agreement in place with Octa1ne. In the event of conflict, the Service Agreement shall prevail.

3. Permitted Use

You may use our Services for the following purposes, subject to these Terms and any applicable Service Agreement:

  • Accessing and reviewing security reports, dashboards and threat intelligence delivered as part of your Octa1ne service
  • Communicating with your dedicated Octa1ne security engineer and our support team regarding your security programme
  • Providing us with access to your environment, systems and data necessary for us to deliver the agreed services
  • Downloading and distributing security reports and compliance evidence packs produced by Octa1ne to your authorised internal stakeholders, auditors, regulators and clients
  • Participating in security assessments, penetration tests and vulnerability management activities that have been formally scoped and agreed in your Service Agreement
  • Accessing training materials, documentation and guidance that we provide as part of your service
  • Using our website to learn about our services, submit enquiries, apply for roles or access our blog and resource content

All permitted use must be for lawful business purposes only, and must comply with all applicable laws, regulations and the terms of any licences or third-party agreements relevant to your use.

4. Prohibited Use

The following uses of our Services are strictly prohibited. These prohibitions apply regardless of intent, claimed justification or any instruction received from a third party.

4.1 Illegal and Harmful Activities

  • Using our Services to commit, facilitate, support or conceal any criminal offence under any applicable law
  • Using our Services to conduct, enable or assist cyberattacks, intrusions or unauthorised access against any system — including systems of third parties, competitors or public infrastructure
  • Using our Services to create, deploy, test or distribute malware, ransomware, spyware, rootkits, exploits or any other malicious code or software
  • Using our Services to conduct denial-of-service attacks, distributed denial-of-service attacks or any form of deliberate disruption against any system or network
  • Using our Services to conduct fraud, phishing, social engineering or any form of deception against any person or organisation
  • Using our Services to engage in money laundering, sanctions evasion, terrorist financing or any other financial crime

4.2 Unauthorised Access & System Abuse

  • Attempting to gain unauthorised access to any Octa1ne system, infrastructure, internal network, client environment or data — including through technical means, credential theft or social engineering
  • Attempting to probe, scan, fingerprint or test the vulnerability of any Octa1ne system or infrastructure without our prior written authorisation
  • Circumventing, disabling or interfering with any access controls, authentication mechanisms, security monitoring or protective technologies implemented by Octa1ne
  • Attempting to reverse engineer, decompile, disassemble or extract the source code of any Octa1ne software, tool, detection rule or proprietary technology
  • Using any automated tool, script, bot or crawler to access our systems or website in a manner that exceeds reasonable use or causes performance degradation
  • Sharing, transferring or selling access credentials to any Octa1ne system to any third party — whether or not they are within your organisation
  • Accessing any system, account or data within the Octa1ne environment that you are not explicitly authorised to access under your Service Agreement

4.3 Data Misuse

  • Using threat intelligence, security findings, vulnerability data or any other information provided by Octa1ne in connection with our services to conduct attacks against any third party
  • Disclosing, publishing or sharing confidential security findings, vulnerability reports or incident details to unauthorised parties — including on public forums, social media or with competitors
  • Using personal data processed by Octa1ne on your behalf for any purpose other than the agreed services and in a manner inconsistent with applicable data protection law
  • Interfering with, corrupting or altering any data held within Octa1ne systems — whether your own data or data belonging to other clients or to Octa1ne
  • Exfiltrating, copying or extracting data from Octa1ne systems beyond what is necessary for your legitimate business purposes under the Service Agreement

4.4 Intellectual Property & Content

  • Reproducing, distributing, selling or creating derivative works from Octa1ne proprietary content — including detection rules, methodologies, templates, playbooks and training materials — without our prior written consent
  • Removing, altering or obscuring any copyright notice, trademark, proprietary marking or attribution from any Octa1ne content or deliverable
  • Using the Octa1ne name, logo, brand or trademarks without our prior written authorisation — including in marketing materials, case studies, press releases or on your website
  • Claiming to be Octa1ne or to represent Octa1ne in any communication or context without our explicit authorisation

4.5 Interference with Service Delivery

  • Deliberately providing false or misleading information to Octa1ne that affects our ability to assess, design or deliver your security programme accurately
  • Withholding information necessary for the safe and effective delivery of services — including known security incidents, changes to your environment or relevant legal obligations
  • Deliberately interfering with monitoring agents, sensors or logging configurations deployed by Octa1ne as part of your service
  • Taking any action designed to conceal security incidents, vulnerabilities or policy violations from Octa1ne
  • Instructing or pressuring Octa1ne staff to act in a manner inconsistent with their professional obligations, applicable law or these Terms

5. Security Requirements

As a cybersecurity services provider, we hold ourselves and our clients to a high standard of security practice. Where you are a client, you agree to maintain the following baseline security practices in your own environment:

  • Maintain the security of any credentials, API keys or access tokens provided to you for use with our services
  • Promptly notify us of any actual or suspected compromise of credentials used to access Octa1ne systems
  • Not circumvent, disable or interfere with any security controls deployed by Octa1ne as part of your service — including endpoint agents, logging configurations and network sensors
  • Inform us promptly of any material changes to your environment that may affect the scope or effectiveness of the services we provide
  • Maintain appropriate access controls within your own organisation to limit access to Octa1ne portals, reports and data to authorised personnel only
  • Apply security patches and updates to systems within your control in a timely manner, particularly where we have identified and reported vulnerabilities
  • Cooperate fully and promptly with Octa1ne during security incident investigations — including providing access to systems, logs and personnel necessary for effective response

6. Data Handling

In the course of providing our services, we handle data belonging to you, your employees and in some cases your clients. The following obligations apply to how we each handle data in connection with the services:

  • You must ensure that any personal data you provide to us, or grant us access to, is done so with the appropriate legal basis under applicable data protection law
  • You must not provide us with access to categories of sensitive personal data — such as health records, financial account data or biometric data — beyond what is strictly necessary for the agreed services
  • You must ensure that data retention and deletion obligations are communicated to us promptly where they affect data held within our systems
  • You must not use any data access provided through our services to access data belonging to individuals or organisations beyond the scope of your legitimate business operations
  • Security reports, threat intelligence and vulnerability data produced by Octa1ne must be handled as confidential and shared only with authorised parties under appropriate confidentiality obligations

Full details of how we process personal data are set out in our Privacy Policy and, for clients, in the Data Processing Agreement forming part of your Service Agreement.

7. Third-Party Systems

Our services involve integration with and monitoring of third-party systems, platforms and services within your environment — including Microsoft 365, Azure, identity providers, endpoint platforms and network infrastructure. The following conditions apply to such integrations:

  • You represent and warrant that you have the legal right and authority to grant Octa1ne access to any system, account or data that you make available to us as part of the services
  • You must ensure that any access granted to us does not violate the terms of service, licence agreements or data sharing restrictions applicable to third-party platforms or suppliers
  • You must not use our services to monitor, access or collect data from systems, accounts or environments that you do not own or are not explicitly authorised to monitor
  • Where our services involve access to cloud platforms or SaaS tools, you are responsible for ensuring that any required consent or notification obligations to your own users have been fulfilled
  • We will not use access to your systems beyond what is necessary for the agreed services and will not retain copies of your data beyond the retention periods set out in our Data Processing Agreement

8. Monitoring & Enforcement

We reserve the right to monitor use of our Services for the purpose of ensuring compliance with this policy, maintaining the security and integrity of our systems and fulfilling our obligations to clients.

Our monitoring activities may include:

  • Automated monitoring of access patterns, API usage and system activity within our own infrastructure
  • Review of access logs, authentication events and data transfer records
  • Investigation of reported violations or suspicious activity
  • Technical analysis of any system, tool or process used to interact with our Services

Any information collected through monitoring will be handled in accordance with our Privacy Policy and applicable data protection law. Monitoring of client environments is conducted solely for the purpose of delivering the agreed security services and in accordance with the Data Processing Agreement.

We will investigate all reported or suspected violations of this policy promptly and take appropriate action as set out in Section 10.

9. Reporting Violations

If you become aware of any actual or suspected violation of this policy — whether by a colleague, contractor, client or any other party — you should report it to us immediately.

To report a suspected policy violation, security incident or misuse of our services:

  • General policy violations: hello@octa1ne.com
  • Active security incidents or urgent threats: hello@octa1ne.com — mark as URGENT in subject line

We treat all reports seriously and will acknowledge receipt promptly. We will maintain confidentiality in respect of reports where requested and where permitted by law. We do not retaliate against individuals who make good-faith reports of suspected violations.

10. Consequences of Violation

Violations of this policy are treated as material breaches of our Terms of Service and the applicable Service Agreement. The consequences of a violation depend on its nature, severity and impact — and may include any or all of the following, at our sole discretion:

  • Minor violations: First-instance technical or procedural violations that pose limited risk — for example, misconfiguration of access controls or inadvertent sharing of restricted content. These will typically result in a written warning and a requirement to remediate within a defined timeframe.
  • Moderate violations: Repeated or deliberate violations, or those that pose a material risk to our systems or other clients — for example, deliberately bypassing security controls or sharing confidential data without authorisation. These may result in temporary suspension of access, a formal breach notice and a requirement to remediate.
  • Severe violations: Violations that cause or risk causing significant harm — including illegal activity, deliberate attacks on our systems, use of our services to harm third parties or repeated material breaches. These will result in immediate termination of services, potential legal action and reporting to relevant law enforcement or regulatory authorities as appropriate.

We reserve the right to pursue all available legal remedies in respect of violations of this policy, including claims for damages, injunctive relief and recovery of costs. Nothing in this policy limits our rights under the Terms of Service or applicable law.

11. Exceptions & Authorisations

Certain activities that would otherwise fall within the prohibited uses described in Section 4 may be authorised by us in specific circumstances — for example, penetration testing of your own environment using our services as part of a formally scoped engagement, or security research activities conducted under a responsible disclosure agreement.

To request authorisation for any activity that may otherwise be prohibited under this policy:

  • Submit a written request to hello@octa1ne.com describing the proposed activity, its purpose, scope, duration and the systems involved
  • Await written authorisation from Octa1ne before commencing any activity that may fall within the prohibited uses described in Section 4
  • Conduct any authorised activity strictly within the scope of the written authorisation — any activity outside that scope will be treated as unauthorised
  • Retain a copy of the written authorisation and make it available to Octa1ne on request

Verbal authorisation is not sufficient. Only written authorisation from an authorised Octa1ne representative constitutes permission to conduct otherwise prohibited activities. We cannot grant authorisation for activities that are unlawful regardless of scope or intent.

12. Changes to This Policy

We may update this Acceptable Use Policy from time to time to reflect changes in our services, applicable law, industry standards or security best practices. We will update the “Last updated” date at the top of this page when we make changes.

For material changes that affect the obligations of our clients, we will provide at least 30 days' notice by email or through the client portal before the changes take effect. Continued use of our services after the effective date of any changes constitutes acceptance of the updated policy.

If you have concerns about any changes to this policy, please contact us at hello@octa1ne.com before the effective date.

13. Contact Us

If you have questions about this Acceptable Use Policy, wish to report a violation or require clarification about whether a specific activity is permitted, please contact us:

Octa1ne — Legal & Compliance

For urgent security incidents or active threats, please mark your email as URGENT in the subject line. We monitor for urgent reports around the clock.