Acceptable Use Policy
1. INTRODUCTION
This Acceptable Use Policy ("AUP") governs the use of the Offmon monitoring platform ("Platform") by authorised users within UK Law Enforcement Agencies ("LEAs") and other public sector organisations ("Customers"). The Platform is designed specifically for the lawful monitoring and management of high-risk offenders in the community as part of statutory law enforcement functions.
This AUP is incorporated into the Offmon Terms and Conditions and must be read in conjunction with all applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and Part 3 of the Data Protection Act 2018 (DPA 2018).
2. SCOPE AND PURPOSE
2.1 Permitted Uses
The Platform may only be used for the following lawful purposes:
· Monitoring individuals subject to court orders, licence conditions, or other statutory requirements for digital monitoring as part of offender management;
· Prevention, investigation, detection, or prosecution of criminal offences;
· Execution of criminal penalties and supervision of offenders in the community;
· Safeguarding the public from serious harm posed by high-risk individuals;
· Supporting rehabilitation efforts through early identification of risk escalation.
2.2 Prohibited Uses
The Platform must NOT be used for:
· Monitoring individuals who are not subject to lawful monitoring orders or statutory supervision requirements;
· Any purpose unrelated to law enforcement functions, including personal, commercial, or administrative purposes;
· Accessing, collecting, or processing data in a manner that exceeds the scope of the legal authority or court order;
· Surveillance or monitoring activities that are not proportionate, necessary, or justified under applicable law;
· Sharing Platform access credentials with unauthorised persons;
· Any activity that violates data protection laws, human rights legislation, or professional conduct standards.
3. USER RESPONSIBILITIES
3.1 Authorised Users
All Authorised Users (including Offender Managers and administrators) must:
· Only access the Platform for legitimate law enforcement purposes within their role and authority;
· Complete all mandatory training provided by the Customer organisation before using the Platform;
· Maintain the confidentiality and security of their unique access credentials (usernames and passwords);
· Not share, disclose, or transfer their account access to any other person;
· Immediately report any suspected unauthorised access, security breach, or misuse of the Platform to their line manager and the organisation's Information Security team;
· Log out of the Platform when not in active use, particularly on shared or public devices.
3.2 Account Security
Users are responsible for:
· Creating strong, unique passwords in accordance with the Customer's password policy;
· Ensuring passwords are not written down, stored insecurely, or shared with colleagues;
· Protecting devices used to access the Platform with appropriate physical and technical security measures.
3.3 Data Handling and Privacy
Authorised Users must handle all data accessed through the Platform in accordance with:
· UK GDPR and Part 3 of the Data Protection Act 2018;
· The Customer organisation's data protection policies and procedures;
· The principles of lawfulness, fairness, transparency, data minimisation, and purpose limitation;
· Professional standards and codes of conduct applicable to law enforcement personnel.
3.4 Proportionality and Necessity
Users must ensure that:
· All monitoring activities are necessary and proportionate to the legitimate law enforcement purpose;
· Data collection is limited to what is strictly required for risk assessment and compliance verification;
· Non-relevant data inadvertently captured (e.g., through screenshots) is promptly deleted;
· AI-generated alerts and risk classifications are subject to human review and professional judgment before any enforcement action is taken.
4. SYSTEM INTEGRITY AND SECURITY
4.1 Prohibited Activities
Users must NOT:
· Attempt to bypass, disable, or circumvent any security features or access controls of the Platform;
· Conduct or request penetration testing, vulnerability scanning, or load testing without prior written consent from Offmon;
· Introduce malicious software, viruses, or any code designed to damage, interfere with, or gain unauthorised access to the Platform;
· Use automated tools, scripts, or bots to access the Platform except as expressly authorised;
· Attempt to reverse engineer, decompile, or access the source code of the Platform;
· Use the Platform in any manner that could damage, disable, overburden, or impair the service.
4.2 Browser and Device Requirements
Users must:
· Use only supported and up-to-date web browsers (Google Chrome or Microsoft Edge);
· Ensure offender devices run supported mobile operating systems (latest Android and iOS versions);
· Keep all software and operating systems updated with the latest security patches.
5. DATA PROTECTION COMPLIANCE
5.1 Lawful Basis for Processing
All data processing through the Platform must be conducted under a valid lawful basis, specifically:
· Part 3, Section 31 of the DPA 2018 (processing necessary for law enforcement purposes);
· In accordance with statutory monitoring powers conferred by court orders, licence conditions, or relevant legislation.
5.2 Special Category and Criminal Offence Data
The Platform processes highly sensitive data including criminal offence data and potentially special category data. Users must:
· Recognise the sensitive nature of all data processed through the Platform;
· Handle all data with the highest standards of care and confidentiality;
· Not disclose or share data outside the secure Platform environment except as required by law or operational necessity;
· Delete alerts, images, and other data that are non-relevant or inadvertently captured as soon as practicable.
5.3 Data Retention and Deletion
Offender Managers have the ability to delete alerts and images directly through the Platform. Users must:
· Follow the Customer organisation's data retention policies and schedules;
· Delete data that is no longer necessary for the monitoring purpose;
· Ensure data is not retained indefinitely without periodic review and justification.
5.4 International Data Transfers
All data is processed and stored exclusively within UK jurisdictions. Users must not transfer data outside the UK without appropriate legal authority and safeguards in place.
6. ALERT MANAGEMENT AND AI OVERSIGHT
6.1 Alert Categories
The Platform generates the following types of alerts, each requiring appropriate professional review:
· DNS Alerts: Flagged web activity including visits to banned websites or use of prohibited applications;
· Image Alerts: Images or videos matching Internet Watch Foundation (IWF) hash lists or flagged by Large Language Model (LLM) analysis;
· Keyboard Alerts: Keywords or phrases associated with harmful content, triggering screenshots and analysis;
· Heartbeat Alerts: Indicators of application tampering or extended periods of inactivity;
· Location Alerts: Geographic location-based monitoring (to be released in version 2.0).
6.2 Human-in-the-Loop Requirement
All AI-generated alerts and risk classifications are indicative only and must undergo mandatory human review by a trained Offender Manager before any intervention or enforcement action is taken. Users must:
· Apply professional judgment and contextual knowledge when assessing alerts;
· Not rely solely on automated classifications or risk scores;
· Verify the accuracy and relevance of flagged content before taking action;
· Document the rationale for decisions based on alert data in accordance with organisational procedures.
6.3 False Positives and System Limitations
Users must recognise that AI and ML systems are not infallible and may generate false positives. Critical alerts must be investigated thoroughly, and any suspected system errors should be reported to Offmon support.
7. INCIDENT AND BREACH REPORTING
7.1 Security Incidents
Users must immediately report any of the following to their line manager and Information Security team:
· Suspected unauthorised access to the Platform or user accounts;
· Loss, theft, or compromise of access credentials;
· Suspected data breaches or unauthorised disclosure of personal data;
· System malfunctions, errors, or unusual behaviour;
· Any attempt to misuse or abuse the Platform.
7.2 Personal Data Breaches
In the event of a personal data breach, Offmon will notify the Customer within 24 hours in accordance with the Terms and Conditions. The Customer must follow their internal incident response procedures and notify the Information Commissioner's Office (ICO) where required under UK GDPR.
8. COMPLIANCE AND CONSEQUENCES OF BREACH
8.1 Monitoring and Audit
The Platform maintains comprehensive audit logs of all user activities. The Customer organisation and Offmon reserve the right to monitor and audit Platform usage to ensure compliance with this AUP and applicable laws.
8.2 Consequences of Non-Compliance
Failure to comply with this AUP may result in:
· Immediate suspension or revocation of Platform access;
· Disciplinary action in accordance with the Customer organisation's policies;
· Referral to professional standards or regulatory bodies;
· Civil or criminal liability for breaches of data protection legislation;
· Termination of the Agreement between the Customer and Offmon.
8.3 Reporting Violations
Any person who becomes aware of a violation of this AUP must report it immediately to their line manager, the organisation's Data Protection Officer, or Information Security team.
9. SUPPORT AND GUIDANCE
9.1 Technical Support
Users requiring technical support or guidance on Platform functionality can access the support portal at https://support.offmon.com or contact Offmon support during standard business hours (09:00-17:00 UK time, Monday to Friday).
9.2 Training Requirements
All Authorised Users must complete mandatory training on the Platform's functionality, data protection requirements, and this AUP before being granted access. Refresher training must be undertaken as determined by the Customer organisation.
9.3 Documentation
Comprehensive user documentation and guidance materials are available at https://support.offmon.com.
10. POLICY REVIEW AND UPDATES
This AUP may be updated from time to time to reflect changes in legislation, technology, or operational requirements. Offmon will provide not less than 30 days' written notice to the Customer of any material changes to this policy. Continued use of the Platform following such notice constitutes acceptance of the updated AUP.
The current version of this AUP is available at https://www.offmon.com/use.
11. CONTACT INFORMATION
For questions regarding this AUP, please contact:
Offmon Limited, Summit House, 4 - 5 Mitchell Street, Edinburgh, United Kingdom, EH6 7BD
Email: hello@offmon.com