Acceptable Use Policy
This policy defines what Bella employees and contractors are responsible for when they handle customer data, use Bella systems, or operate devices that can reach production. It complements the Access Control Policy with personal-conduct expectations.
1. Devices used to access customer data
- Full-disk encryption is enabled on any laptop or desktop used for Bella work.
- Automatic operating system security updates are enabled and patches are installed within seven days of release.
- A device password or biometric lock is configured. The lock screen activates automatically after a short idle period.
- Production credentials, customer data exports, and restricted-classification material are not stored on the device outside the controlled application environment.
- Lost or stolen devices that had any access to customer data must be reported to [email protected] immediately so that credentials and sessions can be rotated.
- A formal mobile device management (MDM) program is planned as part of the SOC 2 readiness program. Until then, the controls above are enforced on an honor-system basis, backed by documented self-attestation.
2. Account hygiene
- Multi-factor authentication is required on every account that can reach Bella systems or customer data, including email, code repository, and cloud provider consoles.
- Passwords are unique per service and are managed in a reputable password manager. Shared passwords are not used between staff members.
- Production credentials and customer data are not transmitted over chat, SMS, or unencrypted email except where strictly necessary for an active incident and only via the dedicated security channels.
- Personal accounts are not used to access Bella systems or customer data.
3. Customer data handling
- Access to customer data is limited to a job-required reason and is logged. Curiosity browsing is prohibited.
- Exporting customer data to a local device requires a documented support reason, and the exported data is deleted within the support engagement window.
- Customer data is not shared outside the production environment except where contractually permitted (e.g., delivering an offboarding export to the customer).
- AI tools that retain prompts for model training are not permitted for prompts containing customer data unless the provider's no-training option is in use and documented.
4. Use of AI development tools
Bella uses AI-assisted code generation as a productivity tool. When AI tools are used to produce or review code:
- Code suggested by AI is reviewed by a human engineer before merge, on the same change-management track as any other code.
- Production credentials and customer data are never pasted into AI prompts.
- AI-generated code that introduces a new dependency or external call is reviewed for the security posture of the dependency or service.
5. Reporting concerns
Any employee or contractor who suspects a violation of this policy, an account compromise, or a security incident reports it to [email protected] immediately. Good-faith reports are protected; retaliation against reporters is prohibited.
6. Annual acknowledgement
Each Bella employee and contractor reviews and acknowledges this policy at least once per calendar year. New hires acknowledge during onboarding.