Acceptable Use Policy (AUP) for Awakeness.ai

1. Purpose

The Platform provides cybersecurity awareness training, simulated phishing and social engineering exercises, learning management capabilities, and related human risk management tools. Because these capabilities involve techniques that could cause harm if misused, this Policy defines the boundaries of acceptable use. Its purpose is to protect the Users, their employees, third parties, and the integrity of the Platform.

2. Scope and Acceptance

This Policy applies to all Users of the Platform, including administrators, learners, and any person accessing the Platform through a User's account or organization. Organizations are responsible for ensuring that their personnel comply with this Policy. If you do not agree with this Policy, you must immediately stop using the Platform.

3. Authorized Use

You may use the Platform solely for legitimate, internal security awareness, training, and human risk management purposes within your own organization, in accordance with the EULA, this Policy, and all applicable laws. Authorized use includes:

• Delivering security awareness training, microlearning modules, and assessments to your own personnel.
• Conducting authorized simulated phishing, Quishing (QR phishing), attachment-based, and social engineering exercises targeting members of your own organization.
• Uploading and managing your own training content through the Learning Management System (LMS).
• Monitoring training completion, simulation results, breach exposure, and awareness metrics (including the "Awakeness Score") for your organization.

4. Rules for Phishing Simulations and Social Engineering Exercises

4.1 Internal Targeting Only: You may only target users within your own organization. Targeting external individuals or organizations is prohibited unless you have obtained both (a) explicit written permission from Awakeness.ai and (b) documented, lawful authorization from the targeted organization.

4.2 Organizational Authorization: Before launching simulation campaigns, you must ensure that the exercises are duly authorized within your organization (e.g., by management, security, HR, or legal functions, as applicable) and that you comply with local labor law and employee consultation requirements, including works council or employee representative obligations where they apply.

4.3 Training Purposes Only: The simulation engine, templates, landing pages, and related tooling may be used exclusively for awareness and training purposes. You shall not use them to deceive individuals for any other purpose, to obtain or exploit credentials or personal data, to gain unauthorized access to systems or accounts, or to harass, intimidate, discipline unfairly, or entrap employees.

4.4 Simulation Data: Any data captured in connection with simulations (e.g., click events, reporting actions, submitted form interactions) may be used only for measuring awareness and delivering training. You shall not collect, store, or reuse real passwords or other authentication secrets submitted during simulations, and you shall not use simulation results as the sole basis for punitive employment actions.

4.5 Templates and Brand References: Simulation templates that reference or imitate third-party brands are provided strictly for closed, internal training exercises. You shall not publish, redistribute, or use such templates outside the Platform, and you remain responsible for ensuring your use of any custom templates does not infringe third-party rights or violate applicable law.

4.6 Sensitive Content: You shall not create or send simulation content that is discriminatory, defamatory, sexually explicit, or that exploits genuinely distressing subjects (e.g., false death notices or medical emergencies) in a manner that a reasonable employer would consider abusive.

5. Email Breach Monitor

The Email Breach Monitor feature may be used only to check email addresses and domains that you own or that you are explicitly authorized to monitor on behalf of your organization. In addition, each individual user may optionally add one (1) personal email address to be monitored; such address may be added only by its owner, voluntarily and for their own benefit. Using this feature to investigate third parties, private individuals outside your organization, email addresses you do not own, or domains you do not control is prohibited.

6. Learning Materials and User Content

6.1 Platform Learning Materials: All learning materials made available through the Platform — including training modules, courses, videos, articles, quizzes, simulation templates, and related documentation (collectively, "Learning Materials") — are and remain the intellectual property of Awakeness.ai or its licensors. You shall not distribute, copy, reproduce, download, publish, or use the Learning Materials outside the Platform unless you have received prior written permission from Awakeness.ai. This restriction does not apply to your own content uploaded to the LMS.

6.2 User Content and LMS Uploads: You are solely responsible for content you create, upload, or distribute through the Platform, including custom training materials uploaded to the LMS. You represent that such content is lawful, accurate, free of malicious code, and does not infringe intellectual property, privacy, or other rights of any third party. Awakeness.ai may remove content that violates this Policy.

7. Prohibited Activities

In addition to the restrictions set out in the EULA, you shall not:

• Use the Platform to conduct actual (non-simulated) phishing, fraud, social engineering, or any other deceptive or criminal activity.
• Send unsolicited bulk email (spam) or any communication unrelated to authorized training and simulation purposes.
• Upload, transmit, or distribute malware, ransomware, or any other harmful code.
• Harass, abuse, threaten, or defame any person, or distribute content that is illegal, hateful, or discriminatory.
• Probe, scan, penetration-test, stress-test, or otherwise attempt to compromise the security or availability of the Platform without prior written authorization from Awakeness.ai.
• Circumvent or disable any security, rate-limiting, or authentication mechanism of the Platform.
• Access the Platform through unauthorized automated means (bots, scrapers, scripts), or harvest data from the Platform.
• Distribute, copy, or use the Learning Materials outside the Platform without prior written permission from Awakeness.ai.
• Share, sell, sublicense, or transfer access credentials, or allow access by unauthorized parties.
• Resell, white-label, or provide the Platform to third parties as a service without a written agreement with Awakeness.ai.
• Use the Platform to build, train, or benchmark a competing product or service.
• Misrepresent your identity or affiliation when communicating with Awakeness.ai or when configuring sending identities, except as inherently required by authorized internal simulations.

8. Fair Usage and System Integrity

You agree to use the Platform's resources (including email sending volumes, API requests, storage, and reporting) reasonably and in line with Awakeness.ai's Fair Usage Policy referenced in the EULA. Usage that degrades service quality for other customers, or that materially exceeds volumes consistent with your subscription, may result in throttling, restricted access, or additional fees.

9. Data Protection and Privacy

9.1 Compliance: You must use the Platform in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other applicable data protection and privacy laws. As between the parties, you act as the data controller for personal data of your personnel processed through your campaigns and training programs, and Awakeness.ai processes such data on your behalf as described in the EULA and Privacy Policy.

9.2 Transparency: You are responsible for providing your personnel with any legally required information regarding the processing of their personal data in connection with training and simulations, and for establishing a lawful basis for such processing.

9.3 Minimization: You shall only input personal data into the Platform that is necessary for training and simulation purposes, and you shall not upload special categories of personal data unless strictly necessary and lawful.

10. Monitoring and Enforcement

Awakeness.ai may, but is not obligated to, monitor use of the Platform to verify compliance with this Policy, investigate suspected violations, and protect the Platform, its customers, and third parties. Awakeness.ai may suspend or terminate access, remove content, withhold campaign delivery, and/or notify competent authorities where it reasonably believes this Policy or applicable law has been violated, in accordance with the EULA.

11. Reporting Violations

If you become aware of any actual or suspected violation of this Policy, or of any misuse of the Platform's simulation capabilities, you must promptly notify Awakeness.ai through the contact channels published at www.awakeness.ai/contact. You agree to reasonably cooperate with Awakeness.ai in investigating and remedying violations.

12. Consequences of Violation

Violations of this Policy constitute a material breach of the EULA and may result in warning, suspension, or termination of access without notice, removal of content, forfeiture of fees, and liability for damages. You remain responsible for all activities conducted under your account, and you shall indemnify Awakeness.ai for claims arising from your violation of this Policy as set out in the EULA.

13. Amendments and Updates

Awakeness.ai reserves the right to update or modify this Policy at any time. You will be notified of significant changes through the Platform or via email. Continued use of the Platform after such updates constitutes your acceptance of the revised Policy.

14. Governing Law

This Policy is governed by the laws of Romania, without regard to its conflict of laws principles. Any disputes arising under this Policy shall be resolved as set out in the EULA, through binding arbitration in accordance with the rules of the Romanian Chamber of Commerce and Industry, with the venue located in Bucharest.