Acceptable Use Policy

Updated: February 9, 2026

1.   Security and Confidentiality Overview and Acceptance

  • Security and Confidentiality Overview

The document and its related appendices and references constitute the formal Acceptable Use and Confidentiality Policy of Buxton Company, LLC  with its subsidiaries Elevar, LLC and Audiense, LTD (together and separately “Audiense”). This policy is a formal agreement between Audiense and its employees, contractors, and vendors (collectively, ’Users’). As it applies to Audiense employees, this document supplements the Audiense Employee Handbook. As applies to vendors, contractors, and other third parties that have access to Audiense’s network or proprietary information, this document shall supplement any contractual agreements for services rendered. Procedures are in place to ensure compliance with privacy laws relating to confidentiality and the safeguarding of personal data. All information herein is current and accurate as of the most recent revision date.

1.2   User Acceptance

All current Users must formally accept the terms of this document at least annually. A digital signature or email verification constitutes acceptance. Upon acceptance, the user agrees to adhere to all items listed in this policy. Failure to adhere to this policy may subject you to disciplinary action, up to and including termination of employment or termination of the contract.

1.3   Acceptance of Changes

Provided the User is notified of changes made to this document, the User’s initial formal acceptance described in 1.2 shall remain valid. Upon significant changes to this document, and at the discretion of the document owner, a new confirmation of acceptance may be requested in order to express consent.

  1. Access

    • Physical Access 
  • Physical Access to Equipment

All Users may physically access any IT equipment that is readily available and has been deemed suitable for their use. Only Users to whom physical access has been explicitly granted shall access equipment with restricted physical access, including but not limited to the computers behind locked doors. Users shall not attempt to bypass physical security measures intended to prevent access to IT equipment. Users should lock their computers when the computers are unattended.

2.1.2   Identification of Equipment

Equipment may be marked with adhesive labels or engravings to indicate Audiense ownership. Users shall not obscure or remove these identifying marks. The use of cases or covers for mobile devices is permitted to protect the mobile devices from damage, provided the case or cover can be easily removed to reveal the identifying marks.

2.1.3   Relocation of Equipment

Mobile devices and mobile computers assigned to the employee may be relocated or taken off-site at will. No other equipment shall be moved without the formal consent of a member of the IT department. Examples of this equipment include but are not limited to desktop computers, monitors, printers, networking devices, and large (non-mobile) projectors.

2.1.4   Access Controls of Audiense Locations

There are a variety of controls in place to help ensure the safety and security of all Audiense employees and related company resources. Those include but are not limited to the following:

  • Facility remains locked utilizing a door access control software with access history logging in place.
  • Surveillance cameras throughout Audiense’s operational areas and the building
  • Motion detectors/sensors throughout the facility trigger the alarm in the event of unapproved access.
  • Alarm system is deployed and monitored by a third

2.2   Logical Access

  • Logical Credential Standards

Users must not disclose their passwords, PINs, or other digital credentials to anyone. Due to the open physical access policy outlined in section 2.1.1, users are prohibited from recording passwords on paper or any other physical medium. Instead, users are encouraged to use the password management tools provided by IT whenever possible.

2.2.2   Password Management

These password standards are the minimum recommendations to be used within Audiense.

  • Passwords are required to be changed at initial
  • Passwords must contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example: !, $, #, %)
  • Passwords are entered into a non-display
  • The password minimum length is set to 15
  • Passwords expire after 365
  • Passwords cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.
  • User passwords may not be

IT will never request a user’s password for testing purposes. If IT must login as a user, IT will temporarily change the password while testing. Once completed, IT will generate a new random password and set the password to change upon first login.

2.2.3   User Access Controls

User access is controlled by a formal profile-based authorization process. Each account is unique to every user except for system or service accounts. An account will be locked out after three (3) failed login attempts. In the event a user’s account is locked, the user should submit a ticket to IT. Users are required to log in with their own credentials and an administrator is always required to grant elevated access when necessary.

2.2.4   Shared Credentials

Certain credentials may be considered shared when a common credential that is not related to a specific user is used for general access or for the administration of an IT service. Shared credentials may only be used to conduct specific tasks for which they were designed. These credentials may be shared between users but should be stored and protected as described in section 2.2.1. Where possible, credentials should be shared via the password management tool, which allows sharing access securely without revealing the actual password.

2.2.5   Impersonation

Users shall use their credentials as the primary means to access a system. Users may not access or attempt to access any Audiense information resources with other Users’ credentials. Other than IT support staff, Users may not access a computer while another user is actively logged in, without the express permission of that user or an administrator. Users must receive approval before sending digital communications from another user’s account.

2.2.6   VPN Access

Users may utilize Audiense’s VPN to securely access Audiense’s resources remotely. This requires the user’s assigned Active Directory credentials as well as a multifactor authentication mechanism.

3.   Acceptable Use of Audiense Resources

  • Normal Business Operations

Audiense’s information resources are provided for the express purpose of conducting the business and mission of Audiense. Users shall not utilize Audiense’s equipment in a manner that interferes with this purpose. This includes but is not limited to activities that support another organization, or that place personal gain over that of Audiense.

3.2   Illegal and Illicit Activity

Users shall not utilize Audiense’s equipment to intentionally conduct illegal or illicit activity, whether in the office or away.

3.3   Obscenity

Users shall not use Audiense’s equipment to intentionally access, create, store, or transmit obscene materials.

3.4   Information System Security

Users shall not attempt to compromise, disable, or “hack” any Audiense information systems, unless expressly tasked with doing so. Users shall immediately report by submitting an IT ticket any suspicious behavior or evidence of attempted attacks.

3.5   Endpoint Security

Users should not attempt to disable or impede the operation of any security software intended to scan for or prevent execution of malicious code. This includes but is not limited to dedicated endpoint software and built-in Windows or Mac security features.

3.6   Unauthorized Software, Cloud Storage and SaaS Usage

Users shall not download, install, or attempt to run any software that is not provided by Audiense without prior express consent from a member of the IT department. The software should go through a third-party risk assessment review prior to usage

Use of unauthorized cloud storage and SaaS tools is prohibited. Only Audiense approved file sharing platforms (e.g., OneDrive, MFT) may be used for data transfer or collaboration.

3.7   Removeable Media

Audiense does restrict the use of personal storage media, which includes but is not limited to: USB or flash drives, external hard drives, and CD/DVD writers, on Audiense deployed devices. Use of removable media by personnel is strictly limited. If data must be added to removable media, then a Service Desk ticket must be submitted. In cases where Audiense provided removable media is utilized, the User must take reasonable precautions to ensure viruses, trojans, worms, malware, spyware, and other undesirable security risks are not introduced onto the Audiense network.

4.   Acceptable Use of Computer, E-mail, and Internet Resources

  • Email Guidelines

Audiense provides e-mail and online services for valid business purposes. Employees, together with management, are responsible for ensuring Audiense’s e-mail and online services systems are used in accordance with this policy.

No client Personally Identifiable Information (PII) data, including Personal Health Information (PHI) shall be transmitted via email. It should be transmitted via the MFT or an approved API.

If Personally Identifiable Information (PII) data is transmitted internally at Audiense via email, it should be either password protected in a file or the email should be encrypted.

E-mail, online real-time communication resources (e.g. Slack, etc.) and other services are intended to be used by employees for business purposes only (including employee-related activities and events which are supported by Audiense); however, reasonable personal use will be permitted, subject to the following:

  • Employees must exercise sound judgment and ethical conduct when using company systems for personal purposes.
  • Personal use must never interfere with the employee’s job performance or otherwise conflict with Audiense’s Personal use should be kept to an absolute minimum.
  • Personal use of resources is loosely defined as those activities not directly associated with Audiense approved projects or tasks.
  • Use of company email addresses for personal business purposes, including managing or promoting your personal business, is strictly prohibited.

Audiense owns and logs all electronic communications and data that is transmitted and/or stored on Audiense resources. Management and other authorized personnel have the right to access, review, modify, or delete any electronic material or communications transmitted and/or stored at any time. No employee should therefore consider or expect any electronic communication or data to be private.

  • The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid This list is not exhaustive but is included to provide a frame of reference for types of activities that are prohibited.
  • Unless authorized by a member of the Executive Security Committee, Users are prohibited from forging email header information or attempting to impersonate another person. Marketing campaigns are an example of the media that has been approved to be sent on behalf of another team member.
  • All company emails should be sent via company operated or approved email
  • It is a company guideline not to open email attachments from unknown senders, or when such attachments are unexpected.
  • Only approved applications on the Master Vendor List should be used for internal or external transfer of large and/or sensitive data files.

4.2   File Sharing and Streaming Media

File sharing programs (P2P, BitTorrent, and various internet sites) are not allowed on the corporate network under any circumstance. Excessive use of company bandwidth or other computer resources is not permitted. Large file downloads or other bandwidth-intensive tasks that may degrade network capacity or performance must be performed during times of low company-wide usage.

5.   Confidentiality

The protection of confidential business data and trade secrets is vital to the interests and success of Audiense. Audiense and each employee are obliged to preserve the confidentiality and non-disclosure of Client and Audiense proprietary information.

5.1   Internal Confidential Data

Audiense has and will develop, compile, own and/or acquire certain proprietary techniques and confidential information that have great value in its business. Confidential information is to be broadly defined and includes all information that has or could have commercial value or other utility in Audiense’s business and that is not made available by Audiense to competitors or the public. Examples of confidential information include but are not limited to the following:

  • Audiense trade secrets (e.g., data modeling, software techniques and approaches)
  • Audiense designs and specifications
  • Audiense marketing plan or techniques
  • Audiense strategies and tactics
  • Audiense advertising plans
  • Audiense business plans
  • Audiense internal financial information (e.g., budgets, sales figures, projections)
  • Audiense sales and operating methods and procedures of Audiense or our clients
  • Audiense customer-related information (e.g., contact and pricing information)
  • Audiense customer prospect databases
  • Audiense vendor and supplier information (e.g., contact and pricing information)
  • Audiense computer and internet login IDs and passwords
  • Audiense information regarding consumer market data
  • Audiense employee data

5.2   Client Confidential Data

All information provided by clients shall be treated, at a minimum, like a Audiense resource. Additional restrictions will be applied to this information including data destruction techniques, retention period agreements, Audiense user access, and others. Examples of confidential client information include but are not limited to the following:

  • Client provided data (e.g., locations, household related data, sales information)
  • Client created customer
  • Client provided

5.3   Global Data Protection Laws

Regional Data Restrictions: Employees must comply with local and international data protection regulations when handling client or consumer data.

International Transfers: Personal data must not be transferred cross-border without ensuring legal mechanisms (e.g., SCCs, BCRs).

5.4   Handling Confidential Data

All data, including but not limited to client data, confidential business data and Audiense personnel records must be evaluated as part of the asset classification process to ensure that appropriate measures are implemented to protect data at a level appropriate to value or risk.

Employees acknowledge that this confidential information can be in written, graphic, or electronic form, or otherwise made known to an employee. Employee acknowledges that he/she may receive, or process said confidential information at or after signing of this Agreement and that such confidential information is valuable to both Audiense and our clients. This information is considered a special and unique property of Audiense and is vital to the interests and success of our organization.

Only authorized personnel may access, modify, or transfer data. These activities are considered highly sensitive in nature, so they must be justifiable by a compelling business or operational requirement. Access to data elements is, at a minimum, controlled through Active Directory credentials and may be modified at any time, without notice. Data is not to be transferred outside of our environment unless it is deemed necessary and it’s through a secure channel.

The utmost care shall be taken when transmitting all confidential information. When possible, confidential information shall be encrypted during external transmission over the internet as well as over email. When personal healthcare information or personally identifiable information is exchanged between Audiense and our clients, the MFT or an approved API are the only approved methods of transfer. If any confidential information, in hardcopy form, needs to be destroyed, we recommend shredding the document accordingly prior to disposal.

While web conferencing has become more common for organizations, communication often still occurs over a phone. Sensitive information should not be shared over these lines unless there is a need to know. When sharing information employees can simply ask if they are on speakerphone so confidential or sensitive information is not revealed to the wrong party.

5.5 Consumer Health Data Laws

Certain Audiense products and clients require the use of geofencing. Washington state now restricts how businesses may collect and use “consumer health data,” a term defined broadly under the law to include precise geolocation that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies. Audiense does not permit its employees or customers to infer consumer health data from the use of Audiense products. Audiense employees acknowledge that they will not geofence around a healthcare facility in Washington state or wherever else is prohibited by law for either internal use, or customer-facing purposes.

In addition to the Washington law, additional states have created certain obligations related to “consumer health data,” which is generally defined to include data of a resident of that state that is reasonably capable of being linked to a person acting in a consumer capacity and that is used to identify the person’s past, present, or future physical or mental health status. These laws could require consent for collecting and sharing data and/or prohibit the sale of consumer health data without consent and establish certain geofencing obligations.

Many other states are currently developing similar laws. Legal should always be contacted if there are any questions.

5.6 AI Tools and Automation

AI tools are increasingly used for productivity, but they can introduce data privacy risks. Users must not input sensitive or proprietary data into generative AI tools unless explicitly authorized. All AI tools must be approved by the IT department via a vendor risk review before use.

6. Bring Your Own Device (BYOD)

Audiense employees may choose to use their personal electronic devices for work by enrolling in the BYOD (Bring Your Own Device) program. Participation is completely optional; Audiense does not require employees to use personal mobile devices for work-related activities. This policy outlines requirements for BYOD usage.

6.1   Devices and Support

  • It is the responsibility of the employee to maintain software updates on a regular basis for any personal device connected to Audiense resources.
    • A device may be temporally blocked from connecting to Audiense resources, until the device in question can be updated to a current secure version.
  • Personal devices that have reached end-of-life pose a significant risk as these devices no longer receive regular security These devices will not be allowed to connect to Audiense resources.
  • Not all devices are compatible in all If a device cannot be configured to work within the Audiense environment, IT will make the best effort to support it.
  • IT may document details about the personal device, including but not limited to make, model, serial, IMEI and MAC address, and memorialize them in a Service Desk
    • No personal information will be

6.2   Security

  • Devices must be password or pin protected, using the native features of the
  • Devices must be
  • Devices must automatically lock if idle within 3 minutes or less and require a password or PIN to unlock.
  • Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the
  • In most scenarios, devices that are not on the approved list of supported devices may not connect to the network.
    • Devices not on the list can be reviewed as an exception on a case-by-case basis if the device can meet the security and support requirements.
  • Employees’ access is limited based on the individual’s role and follows a least privileged
  • Personal devices connecting to Audiense resources will be monitored from a centralized management system.

We cannot see:

  • Calling and web browsing history
  • Email and text messages
  • Contacts
  • Calendar
  • Passwords
  • Pictures, including what’s in the photo’s app or camera roll
  • Files

We can see:

  • Device model, like Google Pixel
  • Device manufacturer, like Microsoft
  • Operating system and version, like iOS 0.1
  • App inventory and app names, like Microsoft
  • Device owner
  • Device name
  • Device serial number
  • IMEI

 

  • While rare, and under the direst circumstances, IT may need to perform a targeted remote wipe of Audiense data on an employee’s device when:
    • The device is lost or stolen
    • Employment separation with extenuating circumstances
    • Detection of an incident or breach, virus, or similar threat to Audiense

6.3   Risks, Liabilities and Disclaimers:

  • All data and information contained within Audiense utilized systems is the property of Audiense or its customers.
  • The IT department will take every precaution to prevent the employee’s personal data from being lost in the event a targeted remote wipe is initiated.
    • It is the employee’s responsibility to take additional precautions, for protecting personal data such as photos, messages, or other personal files.
  • Audiense reserves the right to disconnect devices or disable services to Audiense resources without notification if a security of privacy concern arises.
  • Lost or stolen devices must be reported to the IT department as soon as possible through the Employees are responsible for notifying their mobile carrier immediately upon loss of a device.
  • The employee is expected to use his or her device(s) in an ethical manner, always and adhere to the Audiense’s Code of Conduct in the Employee Handbook.
  • The employee is personally liable for all costs associated with his or her

7.   Clean Desk/Work Area

Authorized users will ensure that all sensitive/confidential materials, hardcopy or electronic, are removed from their desk or workstation and secured when the items are not in use or an employee leaves his/her workstation. This applies to remote and in office work.

  • Employees are required to ensure that all sensitive/confidential information, hardcopy or electronic form, is secure in their work area at the end of the day and when they are expected to be gone for an extended period.
    • File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended to.
    • Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.
    • Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.
    • Printouts containing Restricted or Sensitive information should be immediately removed from the printer.
    • Upon disposal, Restricted and/or Sensitive documents should be shredded in or placed in the locked confidential disposal bins.
    • Whiteboards containing Restricted and/or Sensitive information should be

8.   Phishing Simulation and Security Training

Training Compliance: Users are enrolled in and required to complete regular cybersecurity awareness and phishing simulation training. Additional training may be provided based on interaction with the simulated phishing attempts.

Reporting Obligation: Suspected phishing attempts must be reported immediately via designated incident response channels. If you believe that you have participated in an actual phishing activity, report it immediately.

8. Enforcement

Implementation and enforcement of this policy is ultimately the responsibility of all employees at Audiense. Information Technology may conduct random assessments to ensure compliance with policy without notice. Any system found in violation of this policy requires immediate corrective action. Violations shall be noted in the ServiceDesk tracking system and support teams shall be dispatched to remediate the issue. Repeated failures to follow policy may lead to disciplinary action up to and including immediate termination.