Purpose
This policy governs the secure and responsible use of information technology, communications systems, and personal devices at Kickass Online Ltd (‘KO’). As a fully remote team, all staff use their own devices to carry out company work. This policy establishes the minimum security standards required, reflects KO’s obligations under UK law, and protects the company, its employees, its clients, and the data they handle.
Scope
This policy applies to all employees, contractors, and freelancers working for KO who access company systems, data, or communications — regardless of location or device ownership. It covers all personal devices used for work purposes (BYOD), all KO-provisioned accounts, and all company data however stored.
Legal Framework
This policy is issued in compliance with and with reference to:
- UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
- Computer Misuse Act 1990
- Investigatory Powers Act 2016 and Regulation of Investigatory Powers Act 2000 (monitoring notice — see Section 7)
- Network and Information Systems (NIS) Regulations 2018
- Health and Safety (Display Screen Equipment) Regulations 1992
| PART A — IT & COMMUNICATIONS POLICY |
1. Acceptable Use
KO’s IT and communications systems — including Google Workspace, project management tools, and all company accounts — are provided primarily for business purposes. Reasonable personal use is permitted provided it does not:
- Interfere with work duties or productivity
- Consume excessive bandwidth or storage
- Involve access to illegal, offensive, or inappropriate content
- Compromise the security of company systems or data
- Bring KO into disrepute
Employees remain subject to this policy when accessing company systems outside normal working hours.
2. Google Workspace
Google Workspace is KO’s primary productivity and communications platform. All employees are issued a KO Google Workspace account (@kickassonline.com). The following rules apply:
- Company email must be used for all business communications. Personal email accounts must not be used to send, receive, or store company data.
- Google Drive is the authorised storage platform for company documents. Client data must not be stored in personal cloud storage services (e.g. personal Google Drive, Dropbox, iCloud).
- Google Meet is the preferred video conferencing tool for internal and client meetings.
- All data stored in Google Workspace remains the property of KO. Employees have no expectation of privacy in their KO Google Workspace account.
- On leaving KO, access to all Google Workspace services will be revoked immediately. Employees must not retain, copy, or transfer company data on departure.
3. Email and Communications Etiquette
- All emails sent from KO accounts must be professional, accurate, and consistent with KO’s brand and values.
- Confidential or sensitive client data must not be sent via unencrypted email. Use Google Drive sharing links with appropriate permissions instead.
- Forwarding company emails to personal accounts is prohibited.
- Phishing emails or suspicious attachments must be reported to the line manager immediately and must not be opened or clicked.
- Mass communications or bulk emails on behalf of KO must be sent via authorised tools only (e.g. approved email marketing platforms).
- Chain emails, spam, or communications of an offensive, discriminatory, or harassing nature are prohibited and may result in disciplinary action.
4. Internet Use
- Employees must not use company systems or accounts to access websites or services that are illegal, pornographic, extremist, or otherwise offensive.
- Public Wi-Fi must not be used to access company systems without a VPN or equivalent encrypted connection.
- Employees must exercise caution when clicking links or downloading files from unknown sources. Any suspected malware or security incident must be reported immediately.
5. Software and Applications
- Only authorised software may be used to access or process company data. Employees must not introduce unapproved tools to the company tech stack without prior approval from the line manager.
- All software used for work purposes must be kept up to date with the latest security patches and updates.
- The use of AI tools (e.g. ChatGPT, Gemini) to process client data or confidential company information is subject to KO’s separate AI Use Guidelines. Client data must not be entered into public AI tools.
6. Data Security and Confidentiality
- Employees must handle all company and client data in accordance with the Data Protection and Privacy Policy and UK GDPR.
- Sensitive or confidential data must not be shared via insecure channels, personal accounts, or unauthorised third-party platforms.
- Employees must not photograph, screenshot, or otherwise copy confidential information for personal use or external sharing.
- Any actual or suspected data breach must be reported to the Data Protection Lead (Pazbi — pazbi@kickassonline.com) immediately, and in any case within 1 hour of discovery, to allow KO to meet its 72-hour ICO notification obligation under UK GDPR.
7. Monitoring Notice
KO may, from time to time and in accordance with the Investigatory Powers Act 2016 and Regulation of Investigatory Powers Act 2000, monitor activity on company-provided accounts and systems (including Google Workspace, email, and any other KO-administered service). Such monitoring may include:
- Access logs and login records
- Email metadata (sender, recipient, timestamp)
- File access and sharing logs within Google Drive
- Usage data from company-licensed tools
Monitoring will only be carried out for legitimate business purposes including: security investigation, compliance with legal obligations, or where there is reasonable suspicion of a policy breach. Employees are notified of this possibility by the existence of this policy. Content monitoring of personal devices or personal accounts is not carried out.
8. Reporting
- Any IT security incidents, suspected phishing, malware, data breaches, or policy violations must be reported to the line manager and Data Protection Lead immediately.
- Employees must not attempt to investigate or remediate a security incident themselves without guidance.
- KO operates a no-blame reporting culture for good-faith security incidents. Delayed reporting due to fear of reprisal is more damaging than the original incident.
9. Training
All employees will receive IT security awareness training on induction and at least annually thereafter. This will cover phishing awareness, password hygiene, UK GDPR obligations, and safe use of company tools.
| PART B — BRING YOUR OWN DEVICE (BYOD) POLICY |
10. Overview
As a fully remote team, all KO employees use their own personal devices — laptops, desktops, tablets, and smartphones — to carry out their work. This section sets out the minimum security requirements that all personal devices used for KO work must meet.
By using a personal device to access KO systems, data, or communications, employees agree to comply with the requirements in this section. Non-compliance may result in access being suspended or withdrawn, and may lead to disciplinary action.
| Important: KO does not have remote management (MDM) software installed on personal devices. Security compliance is therefore based on trust and self-attestation, verified periodically by the line manager. |
11. Mandatory Device Requirements
The following requirements are mandatory for any personal device used to access KO systems or data:
| FULL-DISK ENCRYPTION | All devices must have full-disk (device) encryption enabled. On Windows: BitLocker. On macOS: FileVault. On iOS/Android: enabled by default when a device passcode is set. Encryption must be active at all times. |
| DEVICE PASSCODE / PASSWORD | All devices must be protected by a strong passcode, PIN, or password. Biometric unlock (fingerprint / Face ID) is permitted as a secondary method but must not be the sole means of access. Auto-lock must be set to 5 minutes or less of inactivity. |
| ANTIVIRUS / ENDPOINT SECURITY | All Windows and macOS devices must have reputable, up-to-date antivirus / endpoint protection software installed and active. Recommended: Malwarebytes, Bitdefender, or equivalent. Real-time scanning must be enabled. iOS and Android devices are exempt from this specific requirement but must meet all other requirements. |
| OPERATING SYSTEM UPDATES | Operating systems and all work-related applications must be kept up to date. Security patches must be applied within 14 days of release. Employees must not use end-of-life operating systems (e.g. Windows 10 after October 2025, older macOS versions no longer receiving security updates). |
| SCREEN LOCK | Devices must be set to lock automatically after a maximum of 5 minutes of inactivity, requiring re-authentication to resume. |
12. Password Management — LastPass
KO requires all employees to use LastPass as the company’s approved password manager for all work-related accounts.
- All employees will be provisioned with a KO-administered LastPass account. Personal LastPass vaults may be maintained separately but must not store KO credentials.
- All passwords for KO systems, client accounts, tools, and services must be stored in the KO LastPass vault.
- Passwords must be generated using LastPass’s password generator and must be a minimum of 16 characters, using a mix of upper and lower case, numbers, and symbols.
- Passwords must never be reused across different accounts or services.
- Passwords must never be shared verbally, via email, or via chat. Where temporary access is required, use LastPass’s secure sharing feature.
- The LastPass master password must be strong, unique, and must not be stored in any other application. Employees are personally responsible for their master password.
- On departure from KO, the employee’s LastPass account will be offboarded and all shared credentials will be rotated.
| Never store the LastPass master password in the vault itself, in a browser, or as a note on your device. |
13. Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is mandatory on all KO work accounts. There are no exceptions.
- MFA must be enabled on: Google Workspace (company email, Drive, Meet, and all connected services); LastPass; any project management or client-facing tools used by KO; any domain registrar, hosting, or DNS management accounts; any social media accounts managed on behalf of KO or its clients; and any financial or payment accounts.
- Preferred MFA method: an authenticator app (e.g. Google Authenticator, Authy, or the LastPass Authenticator). SMS-based MFA is permitted as a fallback only and is not recommended due to SIM-swap risks.
- MFA recovery codes must be stored securely in LastPass, not in a plain text file or email.
- Employees must not approve MFA prompts they did not initiate. An unexpected MFA prompt may indicate a compromise — report it immediately.
| Google Workspace admins: enforce MFA organisation-wide via the Google Admin Console (Admin → Security → 2-Step Verification → Enforcement). This should be set to ‘On’ for all users with no exceptions. |
14. Google Workspace Security Settings
Because Google Workspace is KO’s primary platform, the following security settings must be maintained:
- 2-Step Verification: enforced at the organisational level in Google Admin Console for all users.
- Account recovery: recovery phone and email must be set and kept up to date for each KO Google account.
- Third-party app access: employees must not grant OAuth access to third-party applications via their KO Google account without prior approval. Unapproved apps with access to KO data represent a data breach risk.
- Google Drive sharing: external sharing of Google Drive files must use the minimum necessary permissions. ‘Anyone with the link’ access should be used only where necessary and removed once no longer needed.
- Google Workspace on mobile: if accessing Google Workspace on a personal mobile device, the Google Workspace mobile app must be used rather than a generic mail client, to allow KO to remotely wipe the account (not the device) if necessary.
15. Network Security
- Employees must use a secure, password-protected Wi-Fi network for work. Default router passwords must be changed.
- Public Wi-Fi (coffee shops, hotels, co-working spaces) must not be used to access KO systems unless a reputable VPN is active for the duration of the session.
- Home network routers must use WPA2 or WPA3 encryption. WEP-encrypted networks are not acceptable.
- Employees are encouraged to use a separate guest network for work devices to isolate them from smart home devices and other household equipment.
16. Personal and Company Data Separation
- Company data (documents, client files, emails, credentials) must not be stored in personal folders, personal cloud storage (e.g. personal iCloud, personal Google Drive, OneDrive), or personal email accounts.
- All company data must be stored in Google Drive under the KO Workspace, or in another KO-approved tool.
- Employees should maintain clear separation between personal and work use on their devices, ideally using separate browser profiles (e.g. a dedicated Chrome profile logged in to the KO Google account).
| Recommended: Set up a dedicated work browser profile in Chrome signed in to your KO Google account. This keeps bookmarks, extensions, passwords (via LastPass), and history separate from personal browsing. |
17. Lost, Stolen, or Compromised Devices
- Any device used for KO work that is lost, stolen, or suspected to be compromised must be reported to the line manager and Data Protection Lead immediately — and in any case within 2 hours of discovery.
- On report, KO will initiate remote sign-out from all active Google Workspace sessions on the device.
- The employee must change all KO account passwords and regenerate MFA codes as a precaution.
- A data breach assessment will be carried out to determine whether ICO notification is required under UK GDPR.
- Employees must cooperate fully with any security investigation following a device incident.
18. Compliance, Attestation & Audits
On joining KO, and annually thereafter, employees must confirm in writing (via the HR onboarding or annual review process) that their devices meet the requirements of this policy. The compliance checklist below summarises the mandatory requirements:
| Requirement | Mandatory | Applies To |
| Full-disk encryption enabled | YES | All devices |
| Device passcode / strong password set | YES | All devices |
| Auto-lock set to 5 minutes or less | YES | All devices |
| Antivirus / endpoint protection installed and active | YES | Windows / macOS |
| Operating system up to date (patches within 14 days) | YES | All devices |
| LastPass installed and KO vault in use | YES | All staff |
| All work passwords stored in LastPass (16+ chars, unique) | YES | All staff |
| MFA enabled on Google Workspace | YES | All staff |
| MFA enabled on LastPass | YES | All staff |
| MFA enabled on all other work accounts | YES | All staff |
| MFA method: authenticator app (not SMS only) | YES | All staff |
| Separate browser profile for work (Chrome recommended) | Recommended | All staff |
| Home Wi-Fi using WPA2/WPA3 encryption | YES | All staff |
| VPN in use on public Wi-Fi | YES | All staff |
| Company data stored in Google Drive only (not personal cloud) | YES | All staff |
19. Privacy of Personal Devices
KO recognises that employees use their own devices and respects their personal privacy. Accordingly:
- KO will not install remote management (MDM) software on personal devices without the employee’s explicit written consent.
- KO’s monitoring rights (Section 7) extend only to company-administered accounts and systems (e.g. Google Workspace), not to the personal files, applications, or data on an employee’s device.
- In the event of a security incident, KO may request that the employee provide specific account access logs or allow an independent security review of relevant accounts. This will be handled sensitively and proportionately.
- Employees retain ownership of their personal devices at all times. KO will not seek to wipe a personal device; however, KO may remotely revoke access to KO accounts on that device.
20. Departures and Offboarding
When an employee leaves KO, the following steps will be completed on or before the last working day:
- All KO Google Workspace accounts revoked
- LastPass KO vault offboarded; all shared credentials rotated
- Access to all KO tools, platforms, and client accounts revoked
- Employee to confirm in writing that all company data has been deleted from personal devices and cloud storage
- Any KO-licensed software to be uninstalled
Retention of company data, client information, or KO credentials after departure may constitute a breach of the Computer Misuse Act 1990 and/or the UK GDPR, and KO reserves the right to take appropriate action.
Policy Compliance
Compliance with this policy is a condition of employment. Failure to comply may result in:
- Suspension of access to KO systems pending investigation
- Formal disciplinary action in accordance with the Disciplinary Policy
- Termination of employment in cases of serious or repeated breach
- Legal action in cases involving the Computer Misuse Act 1990, data theft, or breach of confidentiality
Employees who are uncertain about any aspect of this policy should contact their line manager before taking any action.
Policy Review
This policy will be reviewed annually or when there are material changes to KO’s technology stack, working arrangements, or applicable legislation.
Last reviewed: May 2026.
