Acceptable Use Policy For CloudWorkers
Table of Contents:
- Overview
- Use of non-company owned device and storage media
- Use of Company-provided machine
- Use of One Device
- Password management
- Network Access
- Working Remotely
- Working from CloudFactory Delivery Center
- Prohibited and illegal Activities
- Confidentiality and privacy of CloudFactory and Client data
- Intellectual property and copyright infringement
- Use of Social media, blogging and social networking
- Communicating channels and tools
- Recording of Video Meetings
- Usage of Email
- Impersonation
- Usage of Generative AI (GAI)
- Monitoring and Privacy
- Reporting security incidents or weaknesses
- Applicability of other policies and contracts
- Policy violation and disciplinary action
1. Overview
The Acceptable Use Policy (AUP) provides guidelines and stipulates prohibited actions that CloudWorkers must agree to for access and usage of CloudFactory information technology resources, corporate network, the internet and other business related resources. All CloudWorkers will be required to read and accept this policy on an annual basis. Failure to adhere to the terms outlined in the policy will constitute a breach and may result in disciplinary action.
Any questions regarding what constitutes acceptable use of CloudFactory IT resources should be directed to the CloudWorkers Delivery Team Lead or Global IT team.
2. Use of non-company owned device and storage media
2.1 Antivirus software and updates
- When using a personal device (i.e. not one assigned by CloudFactory) and personal storage media (e.g. USB or flash drives, external hard drives, personal music/media players), precautions must be taken to ensure viruses, malware, spyware, and other undesirable security risks are not introduced into CloudFactory’s network environment or to web-based applications that support performance of CloudFactory Client Services, by having up-to-date antivirus and anti-malware endpoint protection installed on those devices.
- Antivirus and anti-malware software must be regularly updated (at least monthly) with the latest virus definitions and engine updates to ensure protection against new threats. Check CloudFactory approved list of Antivirus solutions here.
2.2 Security Patches
- A security patch is an update released by software developers to fix known security vulnerabilities or bugs, or to improve the performance and functionality of the system.
- CloudWorkers must ensure that security patches and system updates to the operating system and installed software applications are kept up to date.
- Delaying or preventing the installation of updates and security patches exposes the devices to security risks. Therefore, CloudWorkers must regularly scan their devices for security updates, and promptly install all security patches on their devices to protect device, data and online activity from emerging threats.
2.3 Vendor supported Operating systems
- Operating systems that fall outside of Vendor support periods will no longer be deemed acceptable for use at CloudFactory. This is because use of a non-supported operating system may result in functional issues when accessing production services. To check if your operating system is supported, consult the operating system vendor’s website or the CloudFactory IT team by raising a KIRA ticket.
- Continuing to use a non-supported operating system may result in functional issues when accessing production services.
- Access restrictions will also be placed on non-supported operating systems leading to reduced chances to undertake paid work.
3. Use of Company-provided machine
CloudWorkers assigned to WorkStreams with high-security requirements, such as those classified under Endpoint security, must exclusively use CloudFactory-provided laptops for all tasks related to CloudFactory customers. The use of personal devices for any work associated with these clients is strictly prohibited, whether the work is performed remotely or within a delivery center.
In cases where a CloudWorker is assigned to an Endpoint WorkStream, or where multiple Client WorkStreams are assigned concurrently, then if any WorkStream mandates Endpoint-level security, the CloudWorker must only use the CloudFactory-provided laptop for all WorkStreams. The highest security posture required by any of those WorkStreams must be applied to all tasks performed by the CloudWorker.
To ensure this is consistently enforced, Sector Delivery Leads are responsible for validating the security requirements for each Client WorkStream during incubation / go-live and communicating these requirements during CloudWorker onboarding.
4. Use of One Device
To ensure the security and integrity of CloudFactory's systems and data, each CloudWorker is permitted to register only one device for accessing CloudFactory services. This limitation enhances security, simplifies device management, and ensures a consistent access control framework. It applies to all CloudWorkers accessing CloudFactory services and governs the registration, usage, and management of devices used for authentication and system access.
4.1 Single Device Registration
Each CloudWorker is allowed to register only one primary device for accessing CloudFactory services.
The registered device will be used for all authentication and access purposes.
The primary device used by a CloudWorker must be fully functional and suitable for their duties. This is considered a baseline requirement. Therefore, the need to register or request additional devices should not arise under standard circumstances.
4.2 Device Registration Requests
If a CloudWorker needs to register a new device for any reason, a formal request must be submitted.
In cases where power backup is required, the use of battery packs or power banks is strongly encouraged. This ensures that a single, primary device remains sufficient, helping to prevent unnecessary device proliferation.
Requests for new device registrations should be raised via the Team Lead.
If the request is deemed valid, the Team Lead will raise a request into KIRA for wider review.
4.3 Changing the Primary Device
CloudWorkers should direct their device requests to their Team Leads, who will assess the necessity and validity of such requests.
Team Leads or Delivery Practices will act as gatekeepers, ensuring that only essential and justified requests are submitted into KIRA on behalf of the CloudWorker.
4.4 Approval Process
All requests for secondary devices or changes to the primary device will be reviewed by the IT and Security team.
Approval will be granted based on the justification provided and the security implications of the request.
The IT team will assist with the registration process for new devices once approval is obtained.
4.5 Compliance and Enforcement
CloudWorkers are required to comply with this policy to maintain access to CloudFactory services.
Device use will be actively monitored to ensure CloudWorkers are operating from a registered device. If irregular device assignment is detected then this will be investigated as a potential case of noncompliance.
Non-compliance may result in the revocation of access privileges or other disciplinary actions as deemed appropriate by CloudFactory management.
4.6 Support and Assistance
For any questions or assistance regarding device registration, CloudWorkers can contact the IT support team.
4.7 Loss or Theft of device
For cases where CloudWorkers experience loss or theft of their laptop, they must follow Business as Usual practices, notify their Team lead and report via the standard CloudWorker Support Form.
For further information or to log a request, please visit KIRA.
Exceptions to the use of One Device
In certain circumstances, the use of a second device for work purposes may be justified. The following outlines the most common exceptions:
- Backup Device for Emergencies
  - Reason: A secondary device may be used if the primary device fails or needs maintenance.
  - Justification: Ensures work continuity and minimises downtime.
  - Conditions: The backup device must follow all security protocols.
- Specialised Work Requirements
  - Reason: Certain tasks, like graphic design or software testing, may require specialised hardware.
  - Justification: Some tasks need higher processing power or specific tools that a second device can provide.
  - Conditions: The secondary device should be used only for these specialised tasks.
NOTE: The use of a secondary device is strictly temporary and will be subject to continuous review. In all cases, the second device must be approved and follow company security protocols.
5. Password management
5.1 Password creation
To make it difficult for cybercriminals to guess or crack passwords through brute force attacks or other malicious methods, CloudWorkers must create passwords that are unique, complex and not easily guessable. At a minimum, passwords should:
- be at least twelve characters long.
- contain a combination of uppercase and lowercase letters, numbers, and special characters.
- not include any part of the CloudFactory username, or the user’s first name or last name.
5.2 Password storage, sharing and protection
- Passwords must not be written down on paper or stored in cleartext or in an unencrypted digital format.
- Passwords must not be shared with others, including coworkers, family members, or friends.
- Old passwords must never be reused.
- Passwords should be unique and not used for other applications or software (as this increases the risk of compromise by third-party, malicious actors who will then attempt to brute force using guessable username combinations).
- In the event of a suspected or confirmed security breach, loss of password confidentiality, or account compromise, you, as a CloudWorker, must immediately reset your passwords.
5.3 Multi-Factor Authentication (MFA)
- Multi-factor authentication (MFA) should be enabled, when available, and used for any online accounts accessed from mobile devices and laptops to add an extra layer of security.
6. Network Access
- All CloudWorkers are required to use the CATO VPN at all times, whether working from a Delivery Center or remotely. CATO is mandatory for accessing all corporate services and applications, including those provided by CloudFactory, the Client, or any related third parties. However, there are limited exceptions to this rule.
In certain cases, a temporary exemption from using CATO may be necessary, such as when dealing with conflicting client VPNs or experiencing service degradation due to network issues. To request an exemption for your workstream, raise a KIRA ticket and clearly state the reason for the exclusion request.
(CATO is the standard for network connectivity at CloudFactory. The CATO solution provides a vast number of security advantages to help protect devices when connecting to web-based services. This in turn also helps to protect all services associated with our Client workstreams.)
- Peer-to-Peer (P2P) networking is not allowed on the corporate network. However, in some circumstances, a WorkStream activity may require the use of a P2P VPN application, in which case approval from Global IT will be required by the Sector Delivery Lead and communicated to each assigned CloudWorker.
- Use of remote desktop software and/or services is allowable as long as it is provided by CloudFactory.
- Applications that are irrelevant to workstream activity should be terminated for the duration of each shift. These include, but are not limited to: online games, P2P software, social media apps, personal communication tools etc. For the avoidance of doubt, private group sharing / chat sessions, including platforms such as Discord or Telegram, are strictly prohibited as these put CloudFactory corporate and Client Information at risk of compromise.
7. Working Remotely
7.1 Physical Security of remote work environment
CloudWorkers are responsible for implementing and maintaining appropriate physical security measures in their remote work environment. Specifically:
- A dedicated workspace must be used that provides an appropriate level of privacy and minimizes the risk of unauthorized access to company information.
- CloudWorkers must take reasonable measures to secure physical assets, such as laptops, mobile devices, and paper documents, while working remotely.
- Devices must be locked or protected when not in use and must not be left unattended in public places.
7.2 Communication and collaboration in remote environment
- CloudWorkers must be cautious when discussing work-related matters in public places, such as coffee shops or public transportation, to avoid unintentional disclosure of sensitive information.
- When engaging in virtual meetings or video conferencing, CloudWorkers should be mindful of their surroundings to prevent unauthorized individuals from overhearing or viewing confidential discussions.
7.3 Use of public Wi-Fi networks
- Use of public Wi-Fi networks such as those found in coffee shops, airports, or hotels, should be avoided as they may not be secured, and data could be intercepted by hackers.
- If public Wi-Fi has to be used, CloudWorkers must ensure a CATO connection is initiated before completing any WorkStream activities.
- CloudWorkers should disable file sharing on public or untrusted private networks.
7.4 Home wireless Network Configuration Requirements
CloudWorkers must ensure that their home networks or personal wireless networks are configured securely and meet the following requirements:
- Use strong encryption protocols, such as WPA2 (Wi-Fi Protected Access 2) or higher, for wireless network connections.
- Change the default network name (SSID) and password to unique values that are not easily guessable.
- Regularly update the firmware of wireless routers or access points to address security vulnerabilities.
7.5 Use of mobile phone as internet hotspot (Tethering)
If a mobile phone is used as an internet hotspot (i.e. tethering) when working on CloudFactory WorkStreams, then the CloudWorker should adhere to the following best practices:
- Antivirus or anti malware software is installed and running on their mobile phone.
- A mobile hotspot is secured with a strong password or passphrase to prevent unauthorized access.
- Default hotspot names and passwords are changed to unique values that are not easily guessable.
- Encryption on their mobile hotspot is enabled, preferably using WPA2 (Wi-Fi Protected Access 2) or a higher security protocol.
- Hotspot access credentials are not shared with unauthorized individuals.
7.6 Visitors and Family Members
- CloudWorkers should minimize the presence of visitors, friends or family members in their remote work environment, especially when handling sensitive information.
8. Working from CloudFactory Delivery Center
8.1 Usage of Company resources and internet bandwidth
- CloudWorkers should not access CloudFactory network data, files, and information that are not directly related to his / her job function. The existence of access capabilities does not imply permission to use this access.
- Personal usage of CloudFactory resources and systems is permitted as long as such usage follows guidelines elsewhere in this policy and does not have a detrimental effect on CloudFactory or on the CloudWorker's job performance.
- Excessive use of company bandwidth or other computer resources is not permitted. Large file downloads or other bandwidth-intensive tasks that may degrade network capacity or performance must be performed during times of low company-wide usage.
8.2 Clear Desk requirements
- Cleanliness and Organization: Workstations should be kept clean, organized, and free from clutter. CloudWorkers are responsible for regularly tidying their desks, ensuring that surfaces are clear of unnecessary items, trash, or food containers. Workstations should not be used for storage of personal items or clutter that hinders productivity and cleanliness.
- Use of Physical document: CloudWorkers should strive to adopt a paperless approach whenever possible by utilizing electronic documents and digital storage. If physical documents or hard copies are used, they should be locked in cabinets or drawers, and access to such storage areas should be restricted to authorized personnel only.
- Document disposal: Any unwanted or outdated documents that contain sensitive information should be disposed of securely. CloudWorkers must use designated shredders to ensure that information cannot be reconstructed.
- End of Day Procedures: At the end of each workday, CloudWorkers are required to clear their desks of personal items, documents, and any confidential information. WorkStation devices should be logged off or shut down securely. This practice allows for efficient cleaning, reduces security risks, and facilitates a smooth transition for other CloudWorkers using the workspace.
8.3 Clear Screen requirements
- Screen Locking: CloudWorkers must ensure that their computer screens are locked whenever they are away from their desks or workstations. Screen locking should be activated through the use of passwords.
- Multiple Users: In situations where multiple CloudWorkers share a workstation or computer, each CloudWorker must log out or lock the screen when they are not actively using the system. This prevents unauthorized access to information and ensures accountability for actions performed on the shared device. Failure to comply with this requirement for discrete user activity is a disciplinary offense and may result in termination of employment.
9. Prohibited and illegal Activities
Company-provided or personal devices used for company purposes must not be used for activities that are considered illegal under local, state, federal, or international law, whether working from a CloudFactory Delivery Center or remotely.
The following actions are not exhaustive, but are included to provide a frame of reference for types of activities that are deemed unacceptable:
- Perform any of the following: port scanning, security scanning, network sniffing, keystroke logging, or other IT information gathering techniques when not part of CloudWorker’s job function.
- Engaging in any form of hacking, cracking, or other malicious activities that compromise the security or integrity of any systems or networks is strictly prohibited.
- Engage in any activities that may cause embarrassment, loss of reputation, or other harm to CloudFactory.
- Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.
- Engage in activities that cause an invasion of privacy.
- Engage in activities that cause disruption to the workplace environment or create a hostile workplace.
- Acts of Terrorism.
- Downloading, storing, or distributing violent, perverse, obscene, lewd, or offensive material as deemed by applicable statutes.
- Accessing or viewing sexually explicit content or websites.
- Using the internet for personal financial gain, including conducting unauthorized commercial activities, online gambling, or engaging in any form of illegal or unethical behavior is strictly prohibited.
- Introduction, transmission, or dissemination of computer viruses, malware, or any other harmful software or content is strictly prohibited.
- Tampering with CloudFactory security controls implemented on company owned devices. Specifically, BIOS passwords and BIOS start-up settings should not be altered or removed.
10. Confidentiality and privacy of CloudFactory and Client data
- Confidential data must not be:
  - shared or disclosed in any manner to non-employees of CloudFactory,
  - posted on the Internet or any publicly accessible systems, or
  - transferred in any insecure manner.
Failure to comply with this requirement for discrete user activity is a disciplinary offense and may result in termination of employment.
- Client Data: All data associated with a Client’s WorkStream is the sole property of the Client. CloudFactory operates as a processor of this data with no data retention claim outside of the contracted scope. Retaining access to data beyond the scoped services is not permitted and serves as a breach of agreement between all parties employed to work with the data. Non-approved copying, or storage, of Client data is forbidden. This also extends to the use of any Client contact information outside of the intended and agreed scope of use as contractually defined between Client and CloudFactory.
- CloudFactory reserves the right to take all steps reasonably necessary to protect its Client and employee data; and intellectual property.
11. Intellectual property and copyright infringement
- CloudWorkers are required to take reasonable measures to protect CloudFactory intellectual property and copyrighted materials. This includes keeping confidential information secure, not sharing login credentials or access to our systems, and reporting any suspected incidents of unauthorized use or download.
- Downloading, copying, or distributing any of our intellectual property, copyrighted materials, or proprietary information without authorization is strictly prohibited. This includes software, designs, images, text, and other creative works. Any unauthorized use of our intellectual property or copyrighted materials may result in legal action, as well as disciplinary action up to and including termination of employment.
- CloudFactory's computer systems and networks must not be used to download, upload, or otherwise handle illegal and/or unauthorized copyrighted content. Any of the following activities constitute violations of acceptable use policy, if done without permission of the copyright owner:
  - copying and sharing images, music, movies, or other copyrighted material using peer-to-peer file sharing or unlicensed CDs and DVDs
  - posting or plagiarizing copyrighted material
  - downloading copyrighted files which employee has not already legally procured
- “Pirated” applications or software should not be used, installed or distributed under any circumstance.
12. Use of Social media, blogging and social networking
- CloudWorker should not post or share information about a Client, WorkStream, Project or CloudFactory as a business anywhere on the Internet with the following exceptions:
  - A CloudWorker can list their involvement with our company (CloudFactory) on their personal accounts (LinkedIn, Facebook, etc) as per their engagement type contract title. CloudWorkers may not reference specific CloudFactory Clients or WorkStreams. Note: If referencing CloudFactory on LinkedIn, CloudWorkers should use this company information, our official LinkedIn profile.
  - A CloudWorker can share company stories, news, and events that have been posted / published by official CloudFactory outlets (i.e. CloudFactory’s website, CloudFactory's main Facebook page, etc.)
- Revealing protected health information that our client provides to us in any way, through any means, may violate Health Insurance Portability and Accountability Act (HIPAA) or contractual regulations and may result in termination of employment along with what's dictated by HIPAA contract.
- If you disclose your affiliation with CloudFactory on your profile or in any social media postings, you must state that your views do not represent those of CloudFactory. You should also ensure that your profile and any content you post are consistent with the professional image you present to clients and colleagues.
- CloudWorker cannot respond to any competitor or other person posting negative reviews or comments about the company on any sites on the Internet.
- CloudWorker cannot replicate or use the CloudFactory Logo and Brand name on any websites on the Internet.
- CloudWorkers should make it clear in social media postings, or in their personal profile, that they are speaking on their own behalf. Write in the first person and use a personal email address.
- Be respectful to others when making any statement on social media and be aware that you are personally responsible for all communications which will be published on the internet for anyone to see.
- If you are uncertain or concerned about the appropriateness of any statement or posting, refrain from posting it until you have discussed it with your manager.
- If you see social media content that disparages or reflects poorly on CloudFactory, you should alert CloudFactory using the violation process below.
This process can also be used if you see anything that is posted by a third party (i.e. anyone who is not affiliated with CloudFactory
13. Communicating channels and tools
- To ensure effective communication and engagement, all participants are required to have their webcams turned on during meetings. This policy applies to all virtual meetings, including but not limited to team meetings, client presentations, training sessions, and any other official gatherings conducted via video conferencing platforms. Exceptions to this requirement may be granted on a case-by-case basis with prior approval from the meeting organiser.
- When communicating with CloudFactory Clients, only approved corporate communication tools should be used. The preferred method of internal communication amongst CloudWorkers is Slack. If Slack is not available, the IT Services team should be contacted who will enable the Slack client and account for CloudWorkers.
- CloudFactory does not officially support or recognise the use of any instant messaging platforms such as WhatsApp, Skype, Facebook Messenger, etc. The use of messaging tools not supported by CloudFactory is prohibited when engaging with clients and other external third parties.
- In situations where urgent and immediate communication is necessary, the use of instant messaging platforms such as WhatsApp is temporarily permitted for internal team communication only. This should be limited to essential operational updates and should not be used for project-related discussions or client interactions.
- The use of WhatsApp or similar messaging tools to communicate with colleagues is down to personal choice and is not endorsed by CloudFactory. The user should recognise that use of such tools may be an insecure medium, as such, the user is accountable for the storage, sharing, retention and removal of personal data on such platforms. CloudFactory is not responsible or liable for the distribution of personal data on these platforms.
14. Recording of Video Meetings
- Video and call recordings will comprise personal data of all participants and of others identified in discussions. That may include sensitive personal data. To comply with data protection regulation, data collected must be limited to 'what is necessary'.
- All employees, CloudWorkers and guests (participants) should provide their consent before any recording takes place, either initiated by CloudFactory or provided by a third-party, such as a Client.
- If there is a business justification for recording, participants' acceptance is not necessary but they must be informed in advance. Supported video conferencing systems, including Google and Zoom, will announce recording commencement and request participant acceptance.
- All participants must be reminded that they must not make their own recordings unless this has been agreed in advance.
- If recording has been accepted by all participants, a copy of the completed recording should be made available on request by the host.
- As a data asset, video and call recordings are subject to CloudFactory’s Data Retention Policy. Recordings should not be kept for longer than is necessary, and when the retention period has been met (by default this has been set at 28 days) or the recording is no longer required, all copies of the recording should be securely deleted.
15. Usage of Email
- Email is an insecure method of communication, and thus information that is considered confidential or proprietary to CloudFactory must not be sent via email, regardless of the recipient, without proper encryption.
- Email attachments from unknown senders, when such attachments are unexpected, must not be opened.
- Email systems were not designed to transfer large files and as such emails should not contain attachments of excessive file size.
- Forging email header information or attempting to impersonate another person is strictly prohibited.
- Using email for spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes is never permitted.
16. Impersonation
To maintain the integrity and security of CloudFactory's workplace, CloudWorkers must not engage in any form of impersonation. Specifically, the following actions are strictly prohibited:
- Falsely representing yourself as another CloudWorker in any work or work-related communications.
- Creating accounts or profiles using misleading or false identities. This includes using fictitious names or titles that may deceive others about the CloudWorker's true identity or role within the company.
17. Usage of Generative AI (GAI)
Generative AI refers to a type of artificial intelligence that is designed to generate new content or output, such as images, videos, music, or text, that is original and not based on existing data. It involves the use of complex algorithms and deep learning models to learn patterns and create new content that resembles the input data or is completely novel.
- Always use Generative AI for legitimate and ethical purposes, and do not use it to create or spread false or misleading information. Additionally, be aware of the risks of posting company data online and take necessary steps to protect sensitive information.
- Posting any form of data to a GAI service should be treated with the same due care as posting to any public media platforms. By posting to GAI you are effectively handing over the data to a public service.
- Such services must be used in a lawful and appropriate manner. This includes refraining from using the service to engage in activities that violate our company policies, infringe upon the rights of others, or compromise the security or integrity of the service.
- Posting company data online, whether intentionally or unintentionally, can put CloudFactory at risk of security breaches, cyber-attacks, and reputational damage. Please exercise caution and be mindful of the information you share online to protect the company and its data.
- Necessary precautions must be taken to protect proprietary or personal data from being shared with or accessed. Ensure that proprietary or personal data is not included in conversations with the AI. If proprietary or personal data is necessary for a conversation, it must be anonymised or redacted before being entered into the system. The use of proprietary or personal data with the AI can result in security breaches or privacy violations that could harm CloudFactory and our Clients.
- AI models generate responses based on patterns and data they've been trained on, which can sometimes result in the generation of incorrect or misleading information. It's important to critically evaluate the responses and not take them as absolute truth.
18. Monitoring and Privacy
- CloudWorkers should expect that their activities on the corporate network or when using company resources and systems, will be monitored. Such use may include but is not limited to the transmission and storage of files, data, and messages.
- CloudFactory reserves the right to monitor any and all use of its systems and applications. To ensure compliance with company policies, this may include the interception and review of any emails or other messages sent or received, and inspection of data stored on personal file directories, hard disks, and removable media.
19. Reporting security incidents or weaknesses
- If a security incident or breach of any security policies / controls is discovered or suspected, the worker must immediately notify their Sector Delivery Lead and Global IT (email: security@cloudfactory.com). Examples of incidents that require notification include:
  - Suspected compromise of login credentials (username, password, etc.)
  - Suspected virus/malware/trojan infection
  - Loss or theft of any device that contains company information
  - Loss or theft of ID badge or keycard
  - Any attempt by any person to obtain a user's password over the telephone or by email
  - Any other suspicious event that may impact CloudFactory's information security
- CloudWorkers must treat a suspected security incident as confidential information, and report the incident only to their Delivery Team Lead and/or Global IT.
- CloudWorkers must not withhold information relating to a security incident or interfere with an investigation.
- The scope of a security incident is not limited to a CloudFactory Provisioned Service. If you experience a personal online security breach then this must be reported in consideration of section 19.a.(vi).
20. Applicability of other policies and contracts
- This policy document is part of CloudFactory's cohesive set of security policies. Other policies may apply to the topics covered in this policy and as such the applicable policies should be reviewed as needed.
- Depending on geographic location and the type of work activity, CloudWorkers may be required to sign a specific work contract for the WorkStream activity.
- For WorkStreams that involve processing of Personal Information (governed by US HIPAA, US state privacy legislation and/or EU GDPR legislation), an attestation must be accepted by the CloudWorker.
- The WorkStreams and Client contract will determine the security level to be enabled for delivery by the CloudWorker. The assigned delivery security level should never be downgraded unless done so from the Client’s end. Any issues with enabling or meeting the required security level should be immediately reported to the supervisor or team leader.
21. Policy violation and disciplinary action
- Non-compliance with this policy may result in disciplinary action, which may include suspension, restriction of access or more severe penalties up to and including termination of employment, as well as legal consequences in accordance with applicable laws and regulations.
- CloudWorkers will be required to remove any social media content that CloudFactory considers to constitute a breach of this policy.
- The following penalties can be made against both an individual and the organization for violation of HIPAA:
  - Wrongful disclosures - Up to $50,000 per violation + up to 1 year in prison
  - Gaining access to information by false pretenses - Up to $100,000 per violation + up to 5 years in prison
  - Intent to sell, transfer, or use - Up to $250,000 per violation + up to 10 years in prison
- Where illegal activities or theft of company property (physical or intellectual) are suspected, CloudFactory may report such activities to the applicable authorities.