Acceptable Use Policy

Attack or compromise systems:

1. transmit malware, ransomware, trojans, or other malicious code;
2. conduct port scanning, vulnerability scanning, or network probing of the Service or third-party systems;
3. perform denial-of-service or distributed denial-of-service attacks;
4. attempt to gain unauthorised access to any part of the Service, another user's account, or any third-party system;
5. introduce code intended to interfere with, disrupt, or destroy any software, hardware, or data.

Circumvent controls:

1. bypass, disable, or interfere with any security or access-control mechanism in the Service;
2. attempt to extract, scrape, or harvest data from the Service in bulk except via an authorised API or export function;
3. use automated tools to access the Service in a manner that exceeds reasonable use or places unreasonable load on infrastructure;
4. frame or embed any part of the Service or Website in another application or website without our prior written consent.

Infringe intellectual property:

1. upload, transmit, or make available content that infringes any third party's intellectual property rights;
2. publish or distribute another Organisation's Private Template or Partner Template without authorisation.

Tier 1 — Prohibited without a separate written agreement:

1. payment card data requiring PCI DSS-certified infrastructure (e.g. raw primary account numbers);
2. protected health information governed by HIPAA or equivalent health-data legislation, unless Eddy Works has separately agreed to provide HIPAA-compliant infrastructure;
3. biometric data used for the purpose of unique identification of a natural person, where specialist infrastructure is required;
4. genetic data for health or identification purposes where specialist infrastructure is required;
5. children's clinical or welfare data relating to individuals under 13, without a separate safeguarding agreement;
6. life-critical automated decisions — do not use the Service for automated decisions that directly affect a person's physical safety, access to emergency services, or other life-critical outcomes, without human review and appropriate safeguards;
7. any data category that, by applicable law, requires infrastructure-grade security controls that Eddy Works has not expressly agreed to provide.

Tier 2 — Permitted with safeguards (Customer is responsible):

The following data categories may be processed via Eddy where you have a lawful basis, have taken appropriate safeguards, and have confirmed your obligations as data controller:

• workplace health and safety incident data;
• equality, diversity, and inclusion survey data;
• trauma-informed training records;
• employment-related process data (performance reviews, disciplinary records);
• educational records (grades, conduct, welfare) where the educational institution is the data controller;
• sector-specific compliance data for which the Customer (not Eddy Works) holds the relevant regulatory permission.

Eddy Works does not certify that use in any specific regulated sector is lawful. You remain responsible for your own compliance obligations.

Always prohibited:

1. content that is illegal under applicable law;
2. child sexual abuse material (CSAM) or any content that sexualises minors;
3. content that constitutes unlawful harassment, defamation, or discrimination;
4. content designed to facilitate physical violence against a specific individual or group.

Surveillance and coercion:

1. designing a Map for the covert monitoring of employees or individuals beyond what is lawful and disclosed;
2. using the Service to coerce, intimidate, or unduly pressure Participants — for example, structuring a Map so that a participant cannot decline or exit without consequences not disclosed at the point of invitation;
3. using the Service to conduct surveillance of Participants' behaviour beyond what is necessary for the stated Process purpose.

Misleading invitations:

1. inviting Participants to a Session under a false or misleading description of the Process purpose — for example, framing a data-collection Process as something unrelated;
2. impersonating another Organisation or person in a start link, invitation, or Session screen;
3. sending electronic transmissions through the Service that do not correctly identify the sender.

Discriminatory Maps:

1. designing Maps with screening criteria, routing logic, or outcomes that unlawfully discriminate on the basis of a protected characteristic (race, gender, age, disability, religion, sexual orientation, or other characteristics protected under applicable law).

Template publishing:

1. publishing another Organisation's Private Template or Partner Template to the public commons without authorisation;
2. publishing a Template that embeds confidential information, personal data, or proprietary content belonging to a third party;
3. publishing a Template that is designed to facilitate a prohibited activity listed in this AUP.

Governance bypass:

1. using the Service to circumvent or obscure a legally required governance or approval process that the Map was designed to replace or represent.

If you become aware of a violation of this AUP, please report it to abuse@eddy.works.

We reserve the right to investigate suspected violations and, where appropriate, to:

1. remove or disable access to content that violates this AUP;
2. suspend or terminate access for the violating account or Organisation;
3. notify relevant authorities.

We will exercise these rights for defined purposes: support (at Customer request), security incidents, abuse reports, legal obligations, and integrity of the Service. We will act proportionately and will notify the Customer where it is lawful and safe to do so.

We will not use AUP enforcement rights as a pretext for accessing Customer Content for commercial purposes.

If your access is suspended or terminated for an AUP violation, you may appeal to legal@eddy.works within 14 days. We will review and respond within a reasonable time.