Aegix Global, LLC
Effective Date: April 2, 2026
1. PURPOSE AND SCOPE
This Acceptable Use Policy (AUP) defines acceptable and prohibited uses of Aegix Global, LLC's information systems, networks, data, and infrastructure. This policy applies to all persons who have access to Aegix systems, including:
Full-time employees
Contractors and consultants
Temporary workers and interns
Board members and advisors
This policy covers company-issued devices, company-issued or managed software, company networks, and personal devices used to access company systems or data (BYOD).
2. GENERAL USE PRINCIPLES
Aegix provides information systems, networks, and data access to enable employees to perform their job duties. The following principles govern all use:
All company systems are provided for business purposes. Personal use must be incidental and must not interfere with work responsibilities, system security, or performance.
Users have no expectation of privacy on company systems. Aegix reserves the right to monitor, access, and disclose all electronic communications and files on company systems at any time without advance notice.
All use must comply with federal, state, and local laws, regulations, and Aegix policies.
All data created, transmitted, or stored on Aegix systems is the property of Aegix Global, LLC.
3. ACCEPTABLE USE
Users may use Aegix systems for the following purposes:
Performing assigned job duties and authorized business activities
Accessing company email, collaboration tools, and approved SaaS applications
Professional development and research directly related to job function
Communication with Authorized Customers (K-12 LEAs, colleges and universities, government agencies, healthcare organizations, corporate / religious / venue site operators, and others) through approved channels
Incidental personal use that does not interfere with work or system security
4. PROHIBITED USE
The following uses are strictly prohibited:
Accessing, storing, or transmitting Customer Data (including student data, healthcare PHI under executed BAA, government records, employee records, and any other regulated data) outside of Aegix-approved systems
Sharing student Personally Identifiable Information (PII) through personal email, SMS, messaging applications, or unauthorized cloud storage services
Installing, downloading, or executing unauthorized software on systems that access Customer Data
Using company systems for illegal, unethical, or harassing activities
Attempting to bypass, circumvent, or disable security controls, firewalls, or access restrictions
Accessing systems or data for which you lack authorization
Sharing user credentials, passwords, API keys, or authentication tokens
Connecting to Aegix production systems from unsecured or public networks without an active VPN connection
Using Customer Data for any purpose outside the scope of the executed agreement with the relevant Authorized Customer (Master Subscription Agreement, Student Data Privacy Agreement for K-12, Business Associate Agreement for healthcare, government addendum, etc.)
Downloading, exporting, or copying Customer Data to personal devices without authorization
Taking screenshots, photographs, or unauthorized copies of Customer Data
Inputting Customer Data or other sensitive information into AI/ML tools (e.g., ChatGPT, Claude, LLMs)
5. CUSTOMER DATA HANDLING
Aegix handles Personally Identifiable Information (PII) and other regulated data from a range of Authorized Customers across multiple sectors — K-12 school districts and charter networks; colleges and universities; federal, state, local, tribal, and military government agencies; healthcare organizations; corporate, religious, summer-camp, sports, and entertainment-venue site operators. Each sector triggers different regulatory obligations. All employees must understand and comply with the following.
Data Classification
Customer Data is classified per the Aegix Data Classification Policy. The most sensitive tiers (Restricted-PII, Restricted-Student-Record-PII, and PHI under executed BAAs) require strict access and handling controls.
Sector-Specific Regulatory Compliance
K-12 Authorized Customers — FERPA (Family Educational Rights and Privacy Act): Access student records only when you have a documented legitimate educational interest as defined in the executed Student Data Privacy Agreement (SDPA) with the K-12 Authorized Customer.
K-12 Authorized Customers — COPPA (Children's Online Privacy Protection Act): Enhanced privacy protections apply to data from users under 13 years old. Do not collect, share, or use such data outside the scope of the SDPA.
K-12 Authorized Customers — State Student Data Privacy Laws: Aegix operates under SDPC v3 16-state Data Privacy Agreements (NY § 2-d, IL SOPPA, NJ SOPA, NH RSA 189, and analogous laws). Comply with all applicable state laws.
Higher-Education Authorized Customers — FERPA: Applies to higher-education student records. Same school-official-with-legitimate-interest standard.
Government Authorized Customers — FedRAMP / FISMA / CJIS / FOIA: Aegix infrastructure operates within FedRAMP Moderate-authorized AWS environments; additional agency-specific controls may apply per the executed contract. Where Customer Data is part of a CJIS-regulated workflow, follow CJIS-driven access controls.
Healthcare Authorized Customers — HIPAA / PHI: PHI is permitted only after a Business Associate Agreement (BAA) is executed with the Authorized Customer. Without a BAA, PHI must not be transmitted through Aegix systems. Once a BAA is in effect, follow HIPAA Security Rule requirements (administrative, physical, and technical safeguards).
All Authorized Customers — Universal privacy laws: CPRA, VCDPA, CPA, CTDPA, TDPSA, OCPA, and analogous state comprehensive privacy laws apply to Customer Data regardless of sector. Honor data-subject rights (access, correction, deletion, opt-out of sale/sharing) through the documented DSAR procedure.
Access and Processing
Access Customer Data only through approved Aegix systems: AWS console, Aegix platform application interfaces, and approved administrative dashboards.
Never transfer Customer Data to personal devices, personal email accounts, personal cloud storage (Google Drive, Dropbox, OneDrive), or non-approved systems.
Apply data minimization: access only the minimum Customer Data required to perform your job function.
Report any suspected unauthorized access, data exposure, or security incident immediately to the Chief Product & Technology Officer (CPTO) or Security team.
6. EMAIL AND COMMUNICATIONS
Use company email (firstname.lastname@aegixglobal.com) for all business communications.
Do not transmit RESTRICTED data via email without encryption. Contact IT for encrypted email assistance.
Be vigilant with email attachments and links. Verify sender identity before opening attachments or clicking links. Report suspected phishing emails to IT.
When communicating with Authorized Customers (K-12 districts, universities, government agencies, healthcare organizations, corporate / venue site operators, and others), use professional tone and approved communication channels. Do not share sensitive information via unsecured methods.
7. PASSWORD AND AUTHENTICATION
Create unique passwords that meet Aegix complexity requirements: minimum 12 characters, including uppercase, lowercase, numbers, and special characters.
Multi-Factor Authentication (MFA) is required for all systems that access Customer Data (including student data, healthcare PHI under executed BAA, government records, and other regulated data) or sensitive company information.
Never share your password, MFA codes, or authentication tokens with anyone, including IT staff or managers.
Use the company-approved password manager (1Password/Dashlane) to securely store credentials.
Report compromised credentials or suspected unauthorized access immediately to IT and your manager.
8. REMOTE ACCESS
A company-provided or approved VPN connection is required when accessing Aegix internal systems from outside the office.
Always lock your screen (Windows+L or Control+Q) when you step away from your device, even for short periods.
Endpoint protection (antivirus, anti-malware) must be active and up-to-date on all devices accessing company systems.
Do not connect to Aegix systems from unsecured or public Wi-Fi networks (coffee shops, airports, hotels) without an active VPN.
Keep your device operating system, software, and security patches current. Enable automatic updates when available.
9. INCIDENT REPORTING
Security incidents and suspected policy violations must be reported immediately:
Suspected data breach or unauthorized data access: Contact CPTO/Security immediately
Compromised credentials: Contact IT and reset password immediately
Policy violations: Contact your manager or HR
Anonymous reporting: Use the company ethics hotline if you are uncomfortable reporting directly
Aegix prohibits retaliation against employees who report suspected policy violations or security incidents in good faith. Failure to report known incidents is itself a policy violation and may result in disciplinary action.
10. CONSEQUENCES OF VIOLATION
Violations of this policy may result in disciplinary action, up to and including immediate termination of employment:
First minor violation: Written warning and mandatory security training
Second violation: Suspension and security retraining
Serious violations (e.g., unauthorized access, data theft, Customer Data exposure): Immediate termination
Legal consequences: Violations involving Customer Data may trigger breach notification obligations under (depending on sector) FERPA, COPPA, state student-data-privacy laws, the HIPAA Breach Notification Rule and executed BAAs, FedRAMP / FISMA incident-reporting requirements, CPRA / VCDPA / CPA / CTDPA / TDPSA / OCPA, and the executed Master Subscription Agreement. Aegix may pursue legal action to recover damages, and employees may face personal liability.
11. NIST 800-53 CONTROL MAPPING
This policy supports the following NIST SP 800-53 Rev 5 security controls:
| Control ID | Control Title |
| --- | --- |
| PL-4 | Rules of Behavior |
| AC-20 | Use of External Systems |
| AT-2 | Literacy Training and Awareness |
| PS-6 | Access Agreements |
| PS-8 | Personnel Sanctions |
12. COMPLIANCE FRAMEWORK
This policy aligns with the following regulatory frameworks and standards:
FERPA (Family Educational Rights and Privacy Act) — Federal law protecting student educational records
COPPA (Children's Online Privacy Protection Act) — Federal law protecting data of children under 13
NY Education Law § 2-d — State law governing student data privacy
NIST SP 800-53 Revision 5 — Security and privacy control recommendations
SOC 2 CC1.4 — Service Organization Control - COSO Principle 4 (Commitment to Competence)
Student Data Privacy Consortium (SDPC) DPA — Standard data processing agreement covering 16-state jurisdictions
13. ACKNOWLEDGMENT
By signing below, you acknowledge that you have read, understood, and agree to comply with this Acceptable Use Policy. Failure to comply with this policy may result in disciplinary action up to and including termination of employment.
Employee Name (Printed) _____________________________
Employee Title _____________________________
Employee Signature _____________________________
Date _____________________________
Aegix Global, LLC
94 Lone Hollow Dr.
Sandy, UT 84092
Appendix: Vendor Compliance Documentation References
The following vendor documentation provides supporting evidence for the compliance claims and technical controls referenced in this document. These resources should be reviewed periodically to ensure alignment with current vendor certifications and capabilities.
Amazon Web Services (AWS)
AWS Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/
AWS Compliance Programs: https://aws.amazon.com/compliance/programs/
AWS FERPA Compliance: https://aws.amazon.com/compliance/ferpa/
Note: AWS compliance reports (SOC 2 Type II, ISO 27001) are available for download through AWS Artifact in the AWS Management Console. Contact the CPTO for access credentials.