Information Security Group

Acceptable Usage


Get acquainted with Tech Mahindra Acceptable Usage Policies for ethical, responsible and compliant use of Tech Mahindra and its Client ICT resources.


  1. Users must not use Tech Mahindra or Customer provided assets for any personal use, such as for personal email access, personal gain, moonlighting, publication, promotion, shopping, internet surfing, entertainment, or OTT platforms.
  2. Personal emails and documents should not be stored on Tech Mahindra or Customer assets or transmitted using Customer or Tech Mahindra email.
  3. Users must not transfer data from previous employment, including but not limited to IPR such as codebase, design documents, user manuals, and such, to Tech Mahindra or Customer assets.
  4. Users should not use credentials and licenses either personal or from past employment or previous Customer accounts for Tech Mahindra business.

  1. Users shall not use personal assets and accounts such as email, drives, and tools for work related purposes unless authorized by ISG.
  2. Users are not permitted to download or store Tech Mahindra or Customer data onto their personal assets and any other device including online storage media not authorized by Tech Mahindra.
  3. Users must not use personal identity / email accounts for official purposes such as to receive tenders, register domains, or to purchase Third-party hosting Services / Cloud Services/ Digital Certificates / Software as a service (SAAS) platform or to enter into any form of agreements.
  4. Users cannot purchase any ICT or SAAS application using personal payment methods such as credit cards, vouchers, and vendor free services. All purchases must be via the authorized procurement process.
  5. Users cannot use personal accounts such as GitHub, email, or drives for company use.

  1. Users must adhere to the highest ethical standards when using Tech Mahindra and Customer assets and must not engage in activities that are offensive or inappropriate, or not authorized, such as to:
    1. harass, threaten, impersonate, or abuse others.
    2. degrade the performance of Tech Mahindra or Customer assets.
    3. deprive authorized Tech Mahindra personnel of access to Tech Mahindra or Customer assets.
    4. obtain or retain additional access and assets beyond those authorized.
    5. circumvent Tech Mahindra or Customer computer security measures.
    6. access, create, store, or transmit material which Tech Mahindra or the Customer may deem to be offensive, indecent, or obscene.
    7. go against ethical and responsible use of assets.
    8. work from non-authorized locations.
    9. utilize tools and applications via personal accounts.
    10. conduct POCs utilizing sensitive data or external personal accounts without explicit approvals.
    11. download Tech Mahindra or Customer data onto personal devices.
  2. Users must not share Customer data without authorization and must comply with Tech Mahindra and Customer confidentiality and non-disclosure agreements.
  3. Users must not share Customer credentials with anyone, including co-workers.
  4. Users must access only Customer information and assets required for their assigned job role.
  5. Users should always use secure data and communication channels while accessing Customer networks, applications, or services, such as authorized VPNs, MFA (Multi-Factor Authentication), and Hardware Tokens.
  6. Users must comply with work instruction and contractual obligations when handling and processing PII/SPII.
  7. Users must respect and follow the security, safety and access control rules established by the Customer.
  8. Users must not misuse Customer credentials when they are not working with the respective project or account.
  9. Users must not use Customer or Tech Mahindra work products such as Brand, logo, UI, designs, artwork, scripts, and code for personal use such as promoting a blog or website, resume, or treat them as personal possessions.

  1. Users must access PII/SPII data only after specific approval by Tech Mahindra or its Customers in compliance with work instructions, geographical locational access restrictions and local laws.
  2. Users must ensure adherence to the applicable Data Protection Laws including GDPR, UK GDPR, Federal Data Protection Act of Germany and so on.
  3. Users must use approved encrypted communication methods whenever sending confidential information and PII/SPII including, but not limited to, user email, contact details, mailing address, medical or financial information, etc. within and outside Tech Mahindra.
  4. Users are permitted to use only Tech Mahindra or Customer authorized services for sharing, storing, and transferring confidential information.
  5. Users may access, use, or share Personal information (PII/SPI) only to the extent it is authorized and necessary to fulfill assigned job duties.
  6. Users must ensure that printed and digital information is shared, handled, transferred, saved, and destroyed, based on the information sensitivity.
  7. Users must ensure they do not have confidential conversations in public places or open offices, common areas where they can be overheard.
  8. Users must ensure that confidential information transmitted via secure postal services or other mail services is secured in compliance with the Data Protection laws.
  9. Users must ensure that all electronic media containing confidential information is securely disposed of as per the Work Instructions for Media Handling and Asset Disposal.
  10. Users, administrators with extended privileges, must not access files and/or other information that is not specifically required to carry out designated tasks in their respective job role.
  11. Users must not collect personal data using exercises such as surveys, mass emails, or use of external agencies for internal or Customer use without the approval of ISG and compliance with our Data Protection and Privacy Policies and Procedures.
  12. Users should not place Personal Information on shared drives, multi-access folders, the Intranet, or Internet that can be accessed by any unauthorized Users.
  13. Users must also take full responsibility to ensure that hard copies of sensitive documents are properly shredded at the time of disposal as per the Work Instructions for Media Handling and Asset Disposal policy.

Associates must comply with the Data Privacy and Protection Policy: ISG-PO008 published.

  1. Users must protect and safeguard the intellectual property rights of Tech Mahindra, its Customers, and its vendors. This will include the proprietary information of Customers or vendors or associated parties, IPR related contents received or created as a part of the service provided to Customers.
  2. Users must not use, distribute, transmit, download, copy, cache, host, store (including on personal assets, personal online storage, personal email, open-source platforms, social media, personal websites and blogs, cloud repositories such as GitHub), any information, data, material, or work that infringes the intellectual property rights of others.
  3. Users must comply with and respect all legal protections provided by patents, copyrights, trademarks, and intellectual property rights for any software and/or materials viewed, used, or obtained while working with Tech Mahindra.
  4. Users must ensure compliance with software licenses.

  1. Users must adhere to Tech Mahindra’s Work from Home: Guidelines, Work from Home – BPS, and procedures while working from home offices, and responsibly handle and protect assets and information.
  2. Users working from home must connect using company-provided or Customer authorized assets only. Personal assets should not be used unless explicitly authorized by both Customer Information Security Team & ISG.
  3. Users are not permitted to work from any area outside their home or authorized work location unless they are required to travel for official purposes.
  4. Users must not record or take any photograph/video of work content on their personal devices while working from home.
  5. Users must not allow any unauthorized person including family members to access or use Tech Mahindra or Customer assets at any given point of time.

  1. Users must comply with Tech Mahindra’s Work from Home: Guidelines and Work from Home – BPS policy and applicable Customer policies while working remotely.
  2. Users must protect the screens of assets they work on from casual viewing by others, especially when working with sensitive data and lock the computer/laptop when they step away from it.
  3. Users must not record or take any photograph or video of work content on their personal devices while working remotely.

  1. Users must access secure areas only after authorization using Tech Mahindra or Customer provided access card/ID cards.
  2. Users must always display their photo ID access card while on premises. When not on premises, such as in public areas or on transport, Users are requested not to display ID cards.
  3. Users must not share access cards, passwords, or entry codes with anyone especially for gaining access or swiping attendance.
  4. Users must comply with the security and safety signage and instructions displayed in Tech Mahindra or Customer office premises.
  5. Users must ensure doors of restricted areas are always closed and report any malfunctioning doors to the location security supervisor.
  6. Photographic, video, audio, or other recording equipment, such as cameras and cameras in mobile devices, is not allowed in secure work areas.
  7. Users must keep their workstation and personal storage locked when not in use.
  8. Users must follow the instructions of security personnel and fire safety officials during drills and emergencies.
  9. Users must swipe in and out of access-controlled areas. Piggybacking, tailgating, door propping and any other activity to circumvent door access controls is strictly prohibited.
  10. Users must always accompany their visitors to all areas of the company premises.

  1. Users must log off from applications or network services when they are no longer needed.
  2. Users must log off or lock their workstations and laptops when their workspace is unattended.
  3. Users must remove or place all confidential or internal information in a locked drawer or file cabinet when their workspace is unattended.
  4. Users must not post passwords on computer screens e.g., sticky notes or in printed form in any location.

  1. Users are expected to be vigilant and to actively report potential security incidents, suspicious activities, and policy violations to the Incident Management Team as per the details provided at isgincidentmanagementgroup@techmahindra.com
  2. Users must ensure reporting of data privacy incidents within 2 hours of incident occurrence.
  3. Users must not take unilateral actions to mitigate incidents without consulting the incident response team assigned to the incident.
  4. Users must not tamper with or alter digital evidence during incident investigations, as it may compromise the integrity of the investigation.
  5. Users must collaborate effectively with the incident management team and follow containment and mitigation measures as instructed by the incident management team.
  6. In the event an actual or apparent breach of data privacy or confidentiality has occurred, the User must comply with the instructions of Tech Mahindra to help mitigate such actual or apparent breaches.

  1. Users must actively participate in asset risk identification efforts, reporting any potential risks or incidents promptly to the ISG risk management team.
  2. Users must not provide false or misleading information about identified risks, as it can hinder risk assessment efforts.
  3. Users must continuously monitor risks within their area of responsibility and report any changes or emerging threats.

  1. Users must complete assigned mandatory security awareness training within 20 days of enrollment and thereafter periodic refreshers as and when assigned within such duration as may be specified. Not completing such trainings might be viewed as a violation of Tech Mahindra's AUP and Data Privacy and Protection Policy.
  2. Upon having enabled or become a party to any security incident or breach of Data Privacy Policy, the User must undergo mandatory training, or a refresher as assigned.

  1. Users must use the Internet on company devices/locations only for business-related activities. Unapproved activities include, but are not limited to:
    1. Recreational games, gambling,
    2. Streaming media,
    3. Personal social media,
    4. Personal Email, Storage & Collaboration tools unless explicitly approved by ISG,
    5. Accessing or distributing pornographic or sexually oriented materials,
    6. Accessing sites supporting or inciting violence, hate crimes in any forms,
    7. Attempting or making unauthorized entry to any network or computer accessible from the Internet,
    8. Usage of personal Remote Assistance & Remote Support Tools,
    9. Or otherwise violate any other Tech Mahindra policies, applicable laws.
  2. Users must only use Company provided, or where applicable, Customer provided Internet services such as drives, email, file transfer sites, to communicate Tech Mahindra or Customer confidential or internal information and shall not use any third party provided Internet services without prior written approval.
  3. Users are prohibited from surfing, transmitting, or downloading material that is obscene, pornographic, threatening or sexually harassing, or in any manner prohibited by Tech Mahindra, Customer policies or by applicable laws.
  4. Users should not upload, download, or otherwise transmit commercial software or any copyrighted materials on Tech Mahindra and Customer assets except when authorized and approved to do so in writing by appropriate authority and exclusively for official purposes.
  5. Users should take reasonable care not to access known malicious sites and not to download any hacking tools or network monitoring tools.
  6. Users should not use personal email, drives, Gits, or any other file transfer or SAAS applications using personal or unapproved accounts.

  1. Tech Mahindra or Client email shall be used only for official work-related communication and never for personal use.
  2. Users shall be accountable for emails sent as these are contractual in nature. Users shall not represent personal opinions as those of Tech Mahindra in emails.
  3. Users must be responsible for the ethical use of email accounts assigned to them. Users must not use Tech Mahindra or Customer email for:
    1. Solicitation.
    2. Setting up personal accounts such as email, LinkedIn, and other such accounts.
    3. Political purposes.
    4. Uses that have the potential to harm the reputation of Tech Mahindra.
    5. Forwarding chain emails.
    6. Promoting anti-social or unethical behavior such as pornography, inappropriate comments, hate and harassment.
    7. Actions that violate local, state, federal, or international laws or regulations.
    8. Actions that result in disclosure of Tech Mahindra confidential information to unauthorized people.
    9. Actions that violate any other Tech Mahindra policies.
  4. Users should not send Customer Confidential Information or Documents from Customer Mailbox to Tech Mahindra or any other email ID without explicit Customer sanction.
  5. Users could preferably disable auto-complete to avoid impact, or otherwise check that the name and email selected from the drop-down are correct.
  6. Users should not auto forward confidential information and documents from Tech Mahindra mailbox to Personal Email or other domains unless explicitly approved.
  7. Users should not circulate any personal, spam or chain mails using Client mail ID or Client webmail.
  8. Users must ensure that the credentials of email accounts provided to them are not shared with anyone.
  9. Users shall not provide a company email ID as a contact point in personal advertisements in the press, on the internet and so on.
  10. Users must exercise care and caution while sending messages and related attachments to ensure that messages are only marked to intended recipients.
  11. All email messages should be appropriately classified as per the data classification policy.
  12. Users must not use Tech Mahindra email accounts to send or receive Tech Mahindra confidential information, except for company related documents such as Salary Slips, Tax Computation Forms, Compensation/Appraisal Documents, and relevant documents.
  13. Users must use discretion while setting up Out of Office or other automated responses to avoid disclosure of confidential and personal information.
  14. Users must use caution when responding to, clicking on embedded links, or opening attachments in emails.
  15. Users must report all suspicious emails via the “Report Message” add-in under the Message tab in Outlook or to ReportPhishing@TechMahindra.com. Users should classify it as Junk/Phishing.

  1. Users shall adhere to Tech Mahindra’s Social Media Policy, Social Media Guidelines and Social Media Playbook Guidelines and Policy.
  2. Users are responsible for the content they publish online / on the internet.
  3. Users shall not create any social media accounts intended to represent Tech Mahindra or be a lookalike of Tech Mahindra.
  4. Users are expressly prohibited from creating websites with content derived from their work with Tech Mahindra and its Customers, including text, images, graphics, logos, videos, audio, code, and any other type of content.
  5. Users must not identify themselves as being Tech Mahindra representatives and must include a disclaimer accompanying their content. An example disclaimer could be “The opinions and content are my own and do not necessarily represent Tech Mahindra’s position or opinion.”
  6. Users must ensure that content they post online should not violate any applicable laws (i.e., copyright, fair use, financial disclosure, or privacy laws).
  7. Discrimination (including age, sex, race, color, creed, religion, ethnicity, sexual orientation, gender, gender expression, national origin, citizenship, disability, or marital status or any other legally recognized protected basis under federal, state, or local laws, regulations, or ordinances) in published content that is affiliated with Tech Mahindra is strictly prohibited.
  8. Users must ensure that confidential information, internal communications, Customer logos and names, and non-public financial or operational information are not published on personal sites in any form, including but not limited to work products, personal blogs, comments and on websites.
  9. Users approved to post, review, or approve content on Tech Mahindra social media sites must comply with the Tech Mahindra Social Media Procedures and Policies.
  10. Text or picture messages (web posts, comments, SMS, or MMS) must not contain, or have attachments that contain, defamatory, offensive, or harassing language, fraudulent material, sexually explicit images or language, material that infringes copyright or other intellectual property rights of third parties, or offensive cartoons or jokes, or otherwise involve unlawful or wrongful conduct. Nor should they contain any remarks that might be potentially embarrassing to Tech Mahindra, its Customers, its employees or the public.

  1. Users must only use MS Teams, which is the approved collaboration and messaging tool within Tech Mahindra.
  2. External chat messengers including web messengers such as WhatsApp, Viber, WeChat, Telegram, Yahoo messenger, Gtalk, etc. are prohibited across Tech Mahindra. Any use of such messengers by any User without prior written approval of ISG shall not be the responsibility of Tech Mahindra.
  3. Users shall not send official information on Messenger applications such as WhatsApp or Telegram. This includes Tech Mahindra or Customer Confidential information, RFP, financial information, Contract, NDA Protected Documents, Sensitive Discussions, Snippets of Confidential Documents, Tech Mahindra, or Customer credentials, Personal or Sensitive Personal Information such as Wages Information, Background Verification Records, and Health Data.
  4. Users must ensure that folders and channels created on SharePoint and MS Teams can only be accessed by authorized individuals on a need-to-know basis.
  5. Users must create and use folders or groups on MS Teams and SharePoint in compliance with the confidentiality and security policy of the respective Customer accounts.
  6. Users must follow data handling policies while exchanging content in online meetings. Sharing inappropriate content could lead to disciplinary action.
  7. Users must access and use Zoom, Google Meet and any other collaboration tool strictly for business purposes such as Customer or vendor meetings.

  1. Users are only allowed to use Tech Mahindra Ltd. - TMBOX, which is the approved method for secure external file transfer.
  2. Users shall use only Tech Mahindra Corporate Microsoft OneDrive for Business, TMBOX and Tech Mahindra Corporate Google G-Drive for internal file storage and transfer as per applicable policy. No external sharing is permitted.
  3. Users can use Customer approved third-party Secure Cloud / Secure File Storage / Secure File Transfer services.
  4. Users must ensure that project specific file shares/folders are restricted to authorized associates from within the respective project and account, on a need-to-know basis.
  5. All Users who are owners of SharePoint and NAS folders need to ensure that they assign proper access rights and classification for their sites and information within, adhere to data deletion and retention policy and periodically audit their settings.
  6. No site or folder access can be set to “public” or “anyone” or “default.” Authorized Users need to be specifically permitted by the site owner.

  1. Users must only connect Tech Mahindra and approved Customer assets to Tech Mahindra and its Customers’ networks.
  2. Users are permitted to use only those networks, DNS names and host addresses issued to them by the ICT department (TIM) or the Customer.
  3. Users should not attempt to access any data or programs contained on Tech Mahindra or Customer systems for which they do not have authorization.
  4. Users must ensure that all remote access connections made to internal Tech Mahindra networks and/or environments are through Tech Mahindra-provided virtual private networks (VPNs) using secure and approved authentication methods, such as MFA (Multi-Factor Authentication).

  1. Users must protect and safeguard any type of credentials provided by Tech Mahindra or its Customers from disclosure or loss.
  2. Users must not share with anyone their credentials and authentication information provided for access to Tech Mahindra and its Customer assets which include:
    1. Account passwords,
    2. Personal Identification Numbers (PINs),
    3. Security Tokens (i.e., FIDO tokens, Smartcard, Hardware Tokens),
    4. Multi-factor authentication information
    5. Access cards and/or keys,
    6. Digital certificates,
    7. Similar information or devices used for identification and authentication purposes.
  3. Users must ensure that all passwords, including initial and/or temporary passwords, comply with the following Tech Mahindra rules:
    1. Must meet all requirements including minimum length, complexity, and reuse history.
    2. Must not be easily tied back to the account owner by using things like username, social security number, nickname, relative’s names, birth date, etc.
    3. Must not be the same passwords used for non-business purposes.
    4. Must immediately change initial or first set passwords.
    5. Must change their passwords as per policy.
  4. Users must ensure that unique passwords are used for each system/application, whenever possible. Generic passwords should be avoided, to the extent possible.
  5. Users must not store and send system and application passwords in emails or documents.
  6. Users must ensure that account passwords are not divulged to anyone, and for any purpose such as ICT support, and project requirements.
  7. Users must not ask for a colleague’s passwords, MFA, or PIN.
  8. Users should immediately change the password, if compromise of a password is suspected or in doubt due to suspicious activity, ISG/TIM alert, or if the password was visible to another user (e.g., during remote support).
  9. Users must not circumvent password entry with application remembering, embedded scripts, or hard coded passwords in Customer software.
  10. Users must ensure that the administrative/root passwords and SSH keys used for production environments are changed as per the mandated policy.
  11. Users must not share personal and system passwords over WhatsApp, Personal Emails, SMS, Tech Mahindra Email and MS Teams within the team, to superiors, and Tech Mahindra support staff.
  12. Users must ensure that passwords are stored in encrypted files such as a password-protected Excel file and not in sticky notes, notepad, etc.
  13. Users must ensure passwords for Tech Mahindra and Customer accounts are revoked immediately when the role has changed, or access is no longer required.
  14. Users must ensure that lost or stolen access cards, security tokens, and/or keys are reported to physical security personnel and TIM Asset (TIMAssets@TechMahindra.com) as soon as possible.
  15. Users must check for any suspicious requests for credentials via SMS or Emails as these are social engineering attacks.

  1. Users must protect Tech Mahindra or Customer provided computing assets, peripherals and data from loss or damage, either tangible or intangible.
  2. Users must not leave Tech Mahindra or Customer assets unattended where they may be stolen or accessed by an unauthorized person.
  3. Users must ensure the safety of portable assets.
  4. Users must ensure that servers and other such computing assets are in secure areas such as datacenters, locked racks, and access-controlled labs.
  5. Users must not install unauthorized software including but not limited to games, personal tools, coin mining software or freeware.
  6. Users must not store personal content such as any personal documents, offensive material such as pornography or hate, data, pictures, movies, or songs on Tech Mahindra or Customer assets.
  7. Users must not connect portable media and use it to transfer data outside Tech Mahindra and Customer environment without prior written permission and authorization by ISG.
  8. Users must keep Tech Mahindra or Customer assets ICT Hygiene up to date by accepting standard build patches, patching self-installed third-party software and tools, and reporting non-compliances identified by Tech Mahindra compliance tools and alerts.
  9. Users must not allow family members or other non-employees to access or use Tech Mahindra Assets, e.g., to play games, for study, or for any purpose whatsoever.
  10. Users must only use assets for approved business purposes with the recommended controls and precautions.
  11. Users must return assets on separation or when their use is no longer required.

  1. Users must comply with the printing restrictions and guidelines displayed within secure areas.
  2. Users must use discretion while printing documents, i.e., print only when necessary and avoid printing for personal use.
  3. Users must report any errors encountered while printing sensitive documents to the ICT Help Desk to delete unprinted files from the printer queue.
  4. Users must immediately remove documents containing confidential information from printers and fax machines and not leave them unattended.

  1. Users cannot use or procure any SAAS licenses or tools on their personal account for business use.
  2. Users must only use Tech Mahindra sanctioned and procured enterprise SAAS applications such as GITS, Email, Drives and other such business applications.
  3. Users must ensure that SAAS applications for projects or Trials or Demo need to be sanctioned by ISG and the license signed and approved by Tech Mahindra Legal function prior to use. In any event Users shall not accept any online terms and conditions or license agreements without prior written confirmation from Tech Mahindra Legal function.

  1. No personal portable media can be brought onto the Company premises except with prior permission of ISG.
  2. Users are not permitted to connect any portable media to Tech Mahindra or its Customer assets such as USB and portable drives without prior written permission and authorization to do so given by Reporting Manager and ISG.
  3. Users, when granted exceptional use of removable media, must use it exclusively for business purposes within the permitted duration and scope.
  4. Users should encrypt Confidential Tech Mahindra or Customer information stored on removable media.
  5. Users must delete all data and format the portable media after use and fulfilment of purpose.
  6. Users must protect removable media from loss and damage by ensuring a safe and secure environment.
  7. Users must report the loss or theft of a removable media device with Tech Mahindra information to TIM and ISG incident management team.

  1. Users are not allowed admin rights on Tech Mahindra assets, except for Users with designated administrative roles and granted exceptions.
  2. Users, when granted exceptional use of admin rights, must use it exclusively for business purposes and within the permitted duration and scope.
  3. Users with Administrator rights should not:
    1. Make any unauthorized system level changes or disable any standard security software.
    2. Install personal VPN (Virtual Private Networks) and browsers such as TOR for anonymous browsing.
    3. Install port and network scanning tools.
    4. Install cracked/unlicensed applications or software.
    5. Install unauthorized browser extensions.
    6. Install unauthorized remote connectivity tools.
  4. Users with admin rights must ensure strict compliance with relevant laws, regulations, and internal policies when configuring or operating the asset.
  5. Users with admin rights must enforce access control by limiting administrative access to only what is necessary for specific administrative tasks.
  6. Users with admin rights must use strong, unique passwords and multi-factor authentication for admin accounts.
  7. Users with admin rights must regularly review logs and monitor data related to administrative activities to identify and respond to potential security incidents.

  1. Users can use personal mobile phones for Multifactor authentication and for access to Tech Mahindra Email, Messaging and M-Easy Applications in compliance with Tech Mahindra’s Mobile Device Policy and Guidelines for Mobile Device Usage documents available on BMS.
  2. Users must set a six-digit PIN on Tech Mahindra workspaces on mobile phones or tablets used to access Tech Mahindra email, Teams and/or any other applications.
  3. Users must not copy or store any Tech Mahindra and Customer confidential information on the personal workspace of mobile phones or tablets.
  4. Users must report any theft or loss of any mobile device that has been used to create, store, or access confidential or internal information to TIM.
  5. Users must not carry mobile devices in mobile restricted secure areas.
  6. Users must not use any Jail-broken or rooted mobile devices to connect to Tech Mahindra Networks.

  1. Users must use personal assets such as Desktops, Laptops, MacBooks, Tablets for Tech Mahindra or Customer work only if approved by ISG.
  2. BYOD assets cannot be brought to Tech Mahindra offices and connected to Tech Mahindra office networks.
  3. BYOD assets cannot be utilized for purposes such as configuring and accessing Emails, Chat & Collaboration Tools, Corporate Storage Drives, Corporate Document Management Systems, Corporate VPN, Corporate Code Repository systems.
  4. BYOD assets cannot be utilized to access Tech Mahindra or Customer Applications & VPN Systems with Tech Mahindra or Customer - Confidential/ PII / SPI / Proprietary / IPR information etc.
  5. BYOD assets cannot be taken to Customer offices and connected to Customer office networks unless explicitly authorized by Customer Information security team.
  6. Users must use licensed software and adhere to security requirements for personal assets, including encryption, password protection, and security software.
  7. Users must not attempt to bypass access control measures or allow unauthorized individuals to use personal assets for work related tasks.
  8. Users must only use applications and software authorized by TIM or Customer on personal assets when performing work duties.
  9. Users must use secure network connections, such as VPNs, when accessing company assets.
  10. Users must not upload, download, store or transfer any Tech Mahindra or Customer data to personal assets.
  11. Users must report any security incidents related to suspicious action on the BYOD assets immediately to ISG incident management team.

Important Note: Tech Mahindra has approved limited usage of Handheld Smart Phones for configuring Corporate Emails and Teams, based on certain roles, bands, and approved exceptions.

  1. Users must obtain written approvals from authorized Tech Mahindra and Customer personnel before conducting POCs which involve the use of public tools and environments.
  2. Users must not upload live data or Customer code base to personal cloud repositories such as GitHub to conduct POCs.
  3. Users must delete data after the approved POC period is over or earlier if the POC is completed.

  1. Users should not use emerging tools such as ChatGPT and equivalents for Tech Mahindra and Customer work without approval of ISG.
  2. Users and business units in collaboration with ISG must deploy and utilize comprehensive information security/ cyber security infrastructure and incorporate safeguards in software development lifecycle while utilizing any generative AI tool.
  3. Users must use Enterprise licensed tools and not process company information or personal, confidential, proprietary, or sensitive information on external public tools such as ChatGPT, GitHub Copilot.
  4. Users and appropriate business units in collaboration with Tech Mahindra AI competency team while relying on generative AI / AI tools must periodically monitor inputs and outputs, improve organizational safeguards, construct automated checks, assess AI tool performance, and incorporate user feedback to achieve responsible and acceptable use of AI/generative AI tools.
  5. Users are strictly prohibited from inserting/processing sensitive Tech Mahindra data, Tech Mahindra IP and confidential information while using AI tools, especially information related to sensitive areas such as health, finance, government services etc.
  6. Users relying on generative AI tools must use the tools responsibly. Such tools are not a replacement for critical thinking and human oversight.
  7. Users relying on code or outputs of a generative AI tool must deploy similar or higher standard internal validation/vetting/assessment processes as used for any human generated or third party or non-AI generated code or content.
  8. Rather than relying completely or mostly on AI tool output to develop any software for Tech Mahindra, the output should be used to fill gaps in otherwise human-controlled software development.
  9. It is important that Tech Mahindra maintain records of what software is developed by Tech Mahindra’s employees and what constitutes outputs from AI/generative AI tools.
  10. Tech Mahindra should give preference to using generative AI output in its internal enterprise applications rather than in distributed applications for third parties/Customers.
  11. Users should, whenever possible, modify generative AI tool outputs or use a generative AI tool for suggestions instead of exactly copying the generative AI tool output in the final developed software.
  12. Users and business units should incorporate technological controls to filter and assess any output generated by AI tool. Technological controls could include but are not limited to software composition analysis, FTP assessment, content sensors, static code quality testing, DAST, SAST and any other third-party tools as onboarded by the applicable business competency.
  13. Wherever applicable, Tech Mahindra can opt to use the AI tool or its output for developing software at Customer’s premises and within the Customer infrastructure, subject to necessary consent from the Customer.
  14. Users must take accountability for interactions and use of content generated using such tools.
  15. Users should ensure that data used to train AI algorithms does not violate privacy laws, copyrights, applicable terms of service or third-party licenses. Collection or input of personal data in generative AI or AI or any emerging technology tool requires prior approval of the data protection officer.
  16. Users of GitHub Copilot or ChatGPT for Customer projects must ensure back-to-back transfer of liability and obligations from the license to Customer engagement.
  17. Users must not engage in practices that violate ethical principles, such as discrimination, bias, manipulation, or harm to individuals or groups.
  18. Users must maintain transparency, ethical standards, and fairness in the usage of emerging technologies, especially when they impact individuals' rights or decisions.
  19. Users must identify and mitigate bias in algorithms and models used in emerging technologies, particularly in AI and machine learning applications.
  20. Users must abide by all relevant laws and regulations governing the use of emerging technologies.
  21. Users must promptly report any incidents, security breaches, misuses, unauthorized access, vulnerabilities, or ethical concerns related to the use of emerging technologies to the TIM or ISG.
  22. Users must ensure that all AI tools/emerging tools are utilized adhering to principles of integrity and in a form that respects the rights, privacy, and dignity of individuals.
  23. Users are prohibited from using AI tools which facilitate:
    1. dangerous or illegal activities
    2. commission of crime
    3. hatred, or promotion of bullying or abuse
    4. promotion of terrorist activity, or incitement of violence or self-harm
    5. violation of law
    6. harassment of individuals
    7. tracking individuals without consent
    8. infringement of an individual’s rights
    9. abuse, harm, interference, or disruption of services
    10. distribution of malicious or harmful software or malware
    11. creation of content for fraudulent activities, misrepresentation, scams or phishing
  24. Users and necessary business units must ensure and prioritize transparency and accountability in the appropriate use of AI tools, which should include periodic training of Users to understand the risks and limitations of AI generated outputs and developments.
  25. Any misuse of AI tools will be investigated, and appropriate disciplinary action will be taken.
  26. Users should not generate or distribute content which misrepresents the nature of AI generated content as being created by a human, represents AI generated content as original works, or impersonates an individual or organization.

  1. Users must use open-source software only for its approved purpose.
  2. Users must use and download open-source software from trusted sites.
  3. Users must ensure that the license to open-source software is signed and approved by Tech Mahindra Legal function prior to use. In any event, Users shall not accept any online terms and conditions or license agreements without prior written confirmation from Tech Mahindra Legal function. Users must check and adhere to the terms and conditions of open-source licenses.
  4. Users must document the use of open-source components within Tech Mahindra projects and internal applications.
  5. Users must be responsible as a developer or contributor when using or contributing to open-source projects.
  6. Users must report any discovered vulnerabilities or license misuse related to open-source software promptly to ISG.

  1. Users must use tools and software applications after authorization and only for approved purposes.
  2. After giving adequate prior notice to Customer, Users must delete Customer provided or project specific tools after the completion of their projects. Under no conditions can the Customer provided tools be reused for any other purposes.
  3. Users with administrative access to the tools must be responsible for compliance with organizational security processes and guidelines, such as:
    1. Strong passwords and keeping software updated.
    2. Regular Patching
    3. Access Management
    4. Security Assessments
  4. Users must report any identified vulnerabilities or security concerns related to tools promptly to TIM.

  1. Users shall not provide a company telephone number as a contact point in personal advertisements in the press, on the internet and so on.
  2. Users shall not call premium rate phone numbers such as those associated with competition lines, racing lines, chat rooms etc. using Tech Mahindra telephone number.
  3. Users shall not make any offensive calls using Tech Mahindra voice network and shall not use Tech Mahindra voice network for any illegal, immoral, or unethical purposes.
  4. Users must make reasonable efforts to ensure that conversations involving confidential or personal information cannot be overheard.

Please refer to the BMS link below to view the complete Acceptable Usage Policy.


Acceptable Usage Policy
Copyright © Tech Mahindra Limited. All Rights Reserved