Acceptable Use Policy | Soapbox Cloud EHS Software

ACCEPTABLE USE POLICY

Effective Date: April 16, 2025

Published by SoapBox Software Solutions LLP | Hyderabad, India | legal@soapbox.cloud

1. Purpose and Scope

1.1 Purpose

This Acceptable Use Policy ("AUP" or "Policy") sets out the rules and standards governing acceptable and unacceptable use of the Soapbox.Cloud Platform and all associated services, APIs, and websites (collectively, the "Platform") provided by SoapBox Software Solutions LLP ("SoapBox").

The AUP is designed to protect the integrity, security, and reliability of the Platform; safeguard the interests of all Subscribers and their End Users; ensure that the Platform is used for its intended legitimate business purposes; and ensure compliance with applicable Indian and international law.

1.2 Scope of Application

This AUP applies to:

Subscribers: all business entities and individuals that subscribe to the Platform under a Master Subscription Agreement or Order Form.
End Users: all employees, contractors, consultants, and other individuals authorised by a Subscriber to access the Platform.
Visitors: individuals who visit the Soapbox.Cloud website (www.soapbox.cloud) without a Subscriber account.
Integrations: any third-party system, application, or API that connects to or exchanges data with the Platform.

1.3 Relationship to Terms of Service

This AUP is incorporated by reference into the Terms of Service ("ToS") and forms an integral part of the agreement between SoapBox and each Subscriber. Capitalised terms not defined in this AUP have the meanings given to them in the ToS. In the event of a conflict between this AUP and the ToS, the ToS shall prevail on matters of commercial terms; this AUP shall prevail on matters of permitted and prohibited use.

1.4 Subscriber Responsibility for End Users

Subscribers are fully responsible for ensuring that all their End Users are made aware of this AUP and comply with it. A violation of this AUP by an End User shall be treated as a violation by the Subscriber. SoapBox may, at its discretion, enforce this AUP against End Users directly where their conduct poses an immediate risk to the Platform or other users.

2. Intended and Permitted Use

2.1 Platform Purpose

Soapbox.Cloud is a professional business platform designed for organisational use in the following legitimate domains:

🦺

Environment, Health & Safety (EHS)

• Incident and near-miss reporting, investigation, and root cause analysis

• Risk assessments and hazard identification

• Safety audits, inspections, and checklists

• Corrective and preventive action (CAPA) management

• EHS training records, certifications, and competency tracking

• Regulatory compliance reporting (Factories Act, Environment Protection Act, etc.)

• Emergency preparedness and response planning

• Environmental monitoring and permit management

📋	Governance, Risk & Compliance (GRC) — Future Module • Enterprise risk register management • Policy management and version control • Compliance obligation tracking and attestation • Internal audit management • Regulatory change monitoring and impact assessment

🌿	Environmental, Social & Governance (ESG) — Future Module • ESG data collection and reporting • Carbon footprint and emissions tracking • Social impact and supply chain sustainability reporting • BRSR and GRI framework alignment

2.2 Quick Reference — Permitted vs. Prohibited

✅ PERMITTED	❌ PROHIBITED
Using the Platform for EHS incident management	Using the Platform for non-EHS/GRC/ESG purposes
Managing safety audits and inspections	Storing illegal or unauthorised content
Tracking employee training and certifications	Sharing login credentials between users
Generating compliance reports for regulators	Attempting to access another Subscriber's data
Collaborating with colleagues on corrective actions	Running automated bots or scrapers
Uploading and managing EHS-related documents	Uploading malware or malicious code
Using the API for approved integrations	Impersonating SoapBox staff or other users
Accessing the Platform from authorised devices	Circumventing access controls or security
Reporting a security vulnerability responsibly	Using the Platform to harass others
Exporting your own organisation's data	Reselling or sublicensing Platform access

3. Prohibited Conduct

The following categories of use are strictly prohibited on the Platform. This list is not exhaustive — conduct that is analogous to the categories below, or that SoapBox determines in good faith to be harmful to the Platform, its users, or third parties, is also prohibited.

3.1 Illegal and Harmful Activity

Users must not use the Platform:

in violation of any applicable local, state, national, or international law, regulation, or ordinance, including Indian law (IPC, IT Act 2000, DPDP Act 2023, and their amendments);
to facilitate, promote, or engage in fraud, forgery, misrepresentation, or deceptive practices;
to transmit or store content that is defamatory, obscene, pornographic, hateful, or discriminatory on the basis of race, religion, gender, sexual orientation, disability, or any other protected characteristic;
to incite, threaten, or facilitate violence or terrorism;
to violate any court order, injunction, or legal prohibition;
to evade, defeat, or circumvent any applicable law or regulatory obligation.

⚠️ EHS Context: Deliberately falsifying EHS incident reports, near-miss records, safety audit results, or regulatory compliance data on the Platform may constitute a criminal offence under applicable Indian law (including the Factories Act, 1948, and the Environment Protection Act, 1986) and will result in immediate account termination and reporting to relevant authorities.

3.2 Data and Privacy Violations

Users must not:

upload, store, or process personal data of individuals without the required consent, legal basis, or authority required under the Digital Personal Data Protection Act, 2023 or any other applicable data protection law;
access, collect, or use personal data of other Subscribers, their employees, or third parties without authorisation;
attempt to re-identify any anonymised or de-identified data;
use the Platform to conduct surveillance, tracking, or profiling of individuals for purposes unrelated to legitimate EHS/GRC operations;
export, share, or disclose another Subscriber's data or Confidential Information without authorisation;
process Sensitive Personal Data (health, medical, or biometric information) beyond what is necessary for the stated EHS purposes and without obtaining the required explicit consent.

3.3 Security and System Integrity Violations

Users must not:

attempt to probe, scan, test, or penetrate the security of the Platform without SoapBox's prior written authorisation;
introduce, upload, or transmit any virus, trojan, worm, ransomware, spyware, adware, or any other malicious code or software;
attempt to circumvent, disable, or interfere with any security feature, access control, encryption, authentication mechanism, or audit log of the Platform;
conduct denial-of-service (DoS or DDoS) attacks, or take any action that disproportionately burdens the Platform's infrastructure;
attempt to gain unauthorised access to any account, system, or network connected to the Platform;
intercept, monitor, or capture data transmitted to or from the Platform without authorisation;
use the Platform in a manner that degrades performance or availability for other Subscribers;
attempt to access SoapBox's administrative interfaces, backend systems, or non-public APIs.

🛡️ Responsible Disclosure: If you discover a security vulnerability in the Platform, please report it responsibly to security@soapbox.cloud. Do not exploit vulnerabilities or disclose them publicly before SoapBox has had a reasonable opportunity to investigate and remediate. SoapBox will acknowledge reports within 48 hours.

3.4 Intellectual Property Violations

Users must not:

upload, post, or distribute content that infringes the copyright, trademark, patent, trade secret, or other Intellectual Property rights of any person or entity;
reproduce, reverse-engineer, decompile, disassemble, or attempt to derive the source code of the Platform or any of its components;
remove, alter, or obscure any copyright notice, trademark, or other proprietary marking on the Platform;
use SoapBox's name, logo, trademarks, or branding without prior written consent;
create derivative works based on the Platform, its documentation, or its user interface without SoapBox's prior written consent.

3.5 Access and Account Misuse

Users must not:

share, sell, transfer, or disclose login credentials, session tokens, or API keys to any unauthorised person;
use another person's account or credentials, or impersonate any person — including SoapBox employees, Subscriber administrators, or other End Users;
create accounts for automated bots, crawlers, or scraping tools without SoapBox's prior written approval;
use the Platform to send unsolicited commercial communications (spam), chain letters, or mass mailings;
access or use the Platform after the Subscriber's account has been suspended or terminated.

3.6 Commercial Misuse and Competitive Activities

Users must not:

resell, sublicense, rent, lease, or otherwise make the Platform available to third parties without SoapBox's prior written consent;
use the Platform to provide bureau services, managed services, or outsourced services to third parties, unless expressly permitted in the Order Form;
use the Platform to build, develop, or benchmark a competing product or service;
scrape, extract, or systematically download Platform data or content (other than the Subscriber's own data via authorised export functions) for commercial purposes;
use the Platform's functionality, APIs, or documentation to circumvent or replicate the Platform's core features outside of the Platform.

3.7 Content Standards

All content uploaded to or created on the Platform must comply with the following standards:

Content must be accurate and not knowingly false or misleading, particularly with respect to EHS incident data, regulatory submissions, and safety records.
Content must not contain malware, executable code, or scripts that could harm the Platform or other users.
Content must not violate any applicable law or third-party right.
Content must be relevant to the Subscriber's legitimate EHS/GRC/ESG operations; the Platform is not a general-purpose file storage or social media service.
Documents and records generated on the Platform for regulatory or compliance purposes must reflect genuine, accurate information and must not be backdated, falsified, or manipulated.

4. Responsible Use of EHS and Sensitive Data

4.1 Accuracy of EHS Records

Given the safety-critical nature of EHS data, Subscribers and End Users bear a heightened duty of care to ensure that all incident reports, hazard identifications, risk assessments, audit findings, corrective actions, and compliance records entered into the Platform are:

accurate, complete, and based on actual observations and events;
entered in a timely manner in accordance with the Subscriber's internal EHS procedures and applicable regulatory requirements;
not altered, backdated, or falsified after entry, except through the Platform's legitimate edit and version control functions with a documented reason.

4.2 Health and Medical Data

Personal health, injury, and medical data entered into the Platform as part of EHS incident management is Sensitive Personal Data under the DPDP Act, 2023. Subscribers and End Users must:

only collect and enter health/medical data that is strictly necessary for EHS compliance purposes;
ensure that the affected individuals (Data Principals) have given explicit, informed consent before their health data is entered into the Platform, unless a legal obligation mandates recording such data;
restrict access to health and medical data to authorised personnel on a need-to-know basis using the Platform's role-based access controls;
not use health/medical data entered for EHS purposes for any other purpose, including HR performance management, insurance decisions, or discrimination.

4.3 Location and GPS Data

Where the Subscriber enables location tracking or GPS features of the Platform for field workers or site inspections:

End Users must be informed clearly and in advance that their location is being tracked, and the purpose for which location data is collected;
location tracking must be limited to working hours and the geographical scope necessary for the stated EHS purpose;
location data must not be used for performance monitoring, surveillance, or any purpose unrelated to EHS operations;
End Users must have a practical and simple mechanism to disable location tracking during personal time or non-working hours.

4.4 Third-Party Data

Where Subscribers upload data relating to contractors, visitors, vendors, or other third parties who are not Subscribers' direct employees:

the Subscriber must ensure it has a lawful basis to process such third-party data on the Platform;
the Subscriber must have provided appropriate privacy notices to such third parties;
such data must only be used for the EHS purposes for which it was collected (e.g., visitor accident records, contractor safety inductions).

5. API and Integration Use

5.1 Authorised API Use

SoapBox provides APIs to allow authorised Subscribers to integrate the Platform with their own systems (such as HR systems, ERP platforms, IoT sensors, and compliance tools). Permitted API use includes:

read and write operations on the Subscriber's own data within the Platform;
automated data ingestion from the Subscriber's approved internal systems;
building internal tools and dashboards that consume Platform data for the Subscriber's own use.

5.2 API Restrictions

API users must not:

exceed API rate limits set by SoapBox (published in the API documentation);
use the API to access data belonging to other Subscribers;
use the API to probe or test the security of the Platform;
share API keys with unauthorised parties or embed API keys in publicly accessible client-side code;
use the API to build competing products or services;
reverse-engineer the API to discover undocumented endpoints.

5.3 Third-Party Integrations

When connecting third-party systems to the Platform, Subscribers must ensure that: (a) the third-party system complies with applicable data protection law; (b) the integration does not introduce security vulnerabilities; and (c) only the minimum necessary data is exchanged. SoapBox is not responsible for the security, privacy practices, or data handling of third-party systems integrated by the Subscriber.

6. Enforcement and Consequences

6.1 Monitoring

SoapBox reserves the right (but has no obligation) to monitor usage of the Platform for violations of this AUP, using automated and manual methods. Such monitoring is conducted for platform security, integrity, and compliance purposes. SoapBox will handle any personal data collected in the course of monitoring in accordance with its Privacy Policy and applicable law.

6.2 Violation Severity and Consequences

The consequences of AUP violations are proportionate to their severity. SoapBox will assess violations in context and apply the following framework as a general guide:

Severity	Examples of Violation	Typical Consequence
CRITICAL	Malware upload, data breach, illegal activity, security attacks, deliberate EHS data falsification	Immediate account suspension; termination; legal action; regulatory reporting
HIGH	Unauthorised data access, sharing credentials, circumventing access controls, reselling access	Immediate suspension; 24-hour cure notice; termination if not remedied
MEDIUM	Repeated spam, minor IP violation, API rate limit abuse, misuse of health data	Written warning; 7-day cure notice; suspension if not remedied
LOW	Accidental upload of irrelevant content, minor policy deviation, isolated technical misuse	Warning notice; remediation guidance; monitoring

6.3 Suspension and Termination

SoapBox may immediately and without notice suspend access to the Platform if it determines in good faith that a violation poses an immediate risk to: (a) the security or integrity of the Platform; (b) other Subscribers' data or operations; or (c) any person's physical safety. In all other cases, SoapBox will provide reasonable notice and an opportunity to remedy the violation before suspension or termination, as set out in Section 6.2.

6.4 Reporting Violations

If you become aware of a violation of this AUP by any Subscriber, End User, or third party, or if you wish to report suspected illegal activity on the Platform, please contact SoapBox immediately:

Report Type	Contact
Security vulnerability / breach	security@soapbox.cloud (48-hour acknowledgement)
AUP violation / abuse	abuse@soapbox.cloud
Privacy / data protection issue	privacy@soapbox.cloud
Legal / regulatory matter	legal@soapbox.cloud
General support	support@soapbox.cloud

7. Special Categories of Prohibited Content

In addition to the general prohibitions in Section 3, the following specific categories of content are absolutely prohibited on the Platform under any circumstances:

🚫	Child sexual abuse material (CSAM) or any content that sexualises, exploits, or endangers minors. Any such content will be reported immediately to law enforcement authorities and the Internet Watch Foundation.
🚫	Content that incites, glorifies, or facilitates terrorism, extremism, or mass violence, including recruitment material, propaganda, or financing information.
🚫	Weapons of mass destruction: content providing instructions for creating biological, chemical, nuclear, or radiological weapons.
🚫	Non-consensual intimate imagery (NCII) or "deepfake" content depicting real individuals in explicit or degrading situations.
🚫	Deliberate disinformation designed to mislead regulatory authorities, auditors, or courts — particularly in the context of EHS compliance or safety investigations.
🚫	Content used to facilitate human trafficking, forced labour, or exploitation — including in the context of contractor or supply chain management on the Platform.

8. Compliance with Applicable Laws

Subscribers and End Users must at all times comply with all applicable laws when using the Platform, including but not limited to:

Law / Regulation	Relevance to Platform Use
Digital Personal Data Protection Act, 2023	All processing of personal data of employees, contractors, and visitors on the Platform
Information Technology Act, 2000 & Amendments	Electronic records, cybercrime, computer misuse, data protection
Factories Act, 1948	Recording and reporting of workplace accidents, injuries, and occupational diseases
Environment Protection Act, 1986	Environmental incident reporting and regulatory compliance records
Mines Act, 1952 / PNGRB Regulations	Sector-specific EHS compliance for applicable industries
Prevention of Money Laundering Act, 2002	Anti-money laundering compliance for applicable sectors
Indian Penal Code / BNS, 2023	General criminal law applicable to fraud, forgery, and harassment
Sexual Harassment of Women at Workplace Act, 2013 (POSH)	Where the Platform is used to record POSH complaints or investigations
Applicable export control laws	Where Platform data may be exported or shared across borders

⚖️ SoapBox is not a legal compliance advisor. The Platform is a tool to support your compliance activities, but the Subscriber remains solely responsible for understanding and meeting its own legal obligations under all applicable laws. When in doubt, consult a qualified legal professional.

9. Updates to This Policy

SoapBox may update this AUP from time to time to reflect changes in law, Platform capabilities, or industry best practices. When material changes are made, SoapBox will:

update the Effective Date at the top of this Policy;
notify Subscribers via email and/or in-Platform notification at least 14 days before the changes take effect;
publish the updated AUP at www.soapbox.cloud/legal/aup.

A Subscriber's continued use of the Platform after the effective date of the updated AUP constitutes acceptance of the revised Policy. If the Subscriber does not accept the revised AUP, it may terminate its Subscription in accordance with the Terms of Service.

10. Contact and Reporting

SoapBox Software Solutions LLP

Hyderabad, Telangana, India

AUP / Abuse Reports: abuse@soapbox.cloud

Security Vulnerabilities: security@soapbox.cloud

Privacy / Data Protection: privacy@soapbox.cloud

Legal Matters: legal@soapbox.cloud

AUP published at: www.soapbox.cloud/legal/aup

This Acceptable Use Policy was last reviewed and approved by SoapBox Software Solutions LLP in April 2025.