Novaworks, Inc. | Total Workforce Management

Acceptable Use Policy

Effective Date: June 9, 2025

Version: 2.0 v070226

Applies To: All Customers, Authorized Users, Administrators, API Integrators

Incorporated Into: Novaworks Terms of Service, Section 6

Contact: security@novaworks.ai | www.novaworks.ai/legal/aup

1. Purpose and Scope

This Acceptable Use Policy (“AUP”) defines permissible and prohibited uses of the Novaworks Total Workforce Management platform, APIs, AI agent services, and associated infrastructure (the “Services”). This AUP is incorporated by reference into the Novaworks Terms of Service and forms part of the binding agreement between Novaworks, Inc. and every Customer and Authorized User.

Customers are responsible for ensuring all Authorized Users within their organization comply with this AUP. Violations by Authorized Users are attributed to the Customer.

2. Permitted Use

The Services are licensed for lawful, good-faith workforce management operations aligned with your organization’s HR and operational purposes.

  • Managing full-time, part-time, and contingent worker lifecycles including Nova Core HR, Nova Policy Advisor, Nova Worker Activation, Nova Document Management, time and attendance, Nova Payroll Interface, and Nova Offboarding

  • Configuring and running AI agent workflows to automate HR processes within your ServiceNow tenant

  • Using the REST API and ServiceNow integration layer to connect approved enterprise systems (payroll, benefits, identity management)

  • Generating workforce analytics and compliance reports for internal business use

  • Using AI agent outputs as advisory recommendations, with appropriate human review applied before employment decisions

  • Configuring role-based access controls, ACLs, and scoped application permissions to manage workforce data

3. Prohibited Use

Zero tolerance

The following activities are strictly prohibited and may result in immediate suspension, termination, and referral to law enforcement.

3.1 Illegal and harmful activities

  • Illegal use: Using the Services in violation of any applicable local, state, national, or international law or regulation

  • Discrimination: Using the platform or AI outputs to make employment decisions that discriminate based on race, color, national origin, sex, age, disability, religion, or any other protected characteristic under applicable law

  • Harassment: Using the Services to harass, stalk, threaten, defame, or harm any individual

  • Fraud: Submitting false or misleading information, impersonating another person or organization, or falsifying workforce records

  • Privacy violations: Infringing the privacy rights of employees, contractors, or any third party

  • Export violations: Processing or transmitting data subject to export control restrictions without required authorizations

3.2 Platform security violations

  • Unauthorized access: Attempting to access data, accounts, or system components beyond your authorization

  • Cross-tenant attacks: Attempting to access, view, modify, or exfiltrate data from any customer tenant other than your own, through any means including crafted API requests, URL manipulation, or prompt injection

  • Credential abuse: Sharing, selling, or transferring login credentials; using automated credential-stuffing tools; or attempting to bypass multi-factor authentication

  • Vulnerability exploitation: Probing, scanning, or exploiting security vulnerabilities without Novaworks’ prior written authorization through the responsible disclosure program

  • Denial of service: Sending excessive automated requests or otherwise degrading platform performance for other customers

  • Malware: Uploading or transmitting viruses, ransomware, spyware, or any malicious code

  • Interference: Disrupting or interfering with the integrity or performance of the Services or any connected systems

3.3 AI and agent misuse

Given the AI-native architecture of the platform, the following AI-specific prohibitions apply:

  • Prompt injection: Crafting prompts or inputs designed to manipulate AI agents into bypassing access controls, revealing other tenants’ data, or performing actions outside their authorized scope

  • Jailbreaking: Attempting to override, circumvent, or manipulate AI agent instructions, safety guardrails, or system prompts

  • Automated employment decisions: Using AI agent outputs to make fully automated employment decisions (hire, fire, discipline, deny promotion) affecting individuals without human review, in violation of applicable employment or AI regulation

  • Deceptive AI attribution: Representing AI-generated outputs as authenticated human decisions in official employment records

  • Model extraction: Attempting to reverse-engineer, extract, or replicate the logic of Novaworks AI agents or underlying AWS Bedrock foundation models

  • Synthetic data abuse in production: Submitting fabricated personal data to test AI behaviors in production environments without Novaworks’ prior written consent

3.4 Data misuse

  • Unauthorized disclosure: Exporting, sharing, or transmitting Customer Content to unauthorized third parties or outside approved integration channels

  • Purpose limitation violation: Using workforce data for purposes other than workforce management without additional consent

  • Re-identification: Attempting to re-identify individuals from anonymized or aggregated analytics data produced by the platform

  • Removable media: Exporting sensitive workforce data to removable media (USB drives, portable storage) without Customer’s documented authorization and encryption controls

3.5 Intellectual property

  • Reverse engineering: Decompiling, disassembling, or otherwise attempting to derive source code of the platform, AI models, or ServiceNow application scopes

  • Competitive misuse: Using the Services to build or assist in building a competing product or service

  • Unauthorized scraping: Using automated tools to scrape, copy, or bulk-index the platform interface, APIs, or documentation

  • Misrepresentation: Misrepresenting your identity, affiliation, or authorization level to Novaworks or other users

4. API and Integration Standards

Customers and developers using the Novaworks REST API must:

  • Authenticate all API calls using authorized credentials and respect published rate limits

  • Process API responses only for their intended workforce management purpose

  • Not store API keys or tokens in source code repositories, shared documents, or insecure locations

  • Report API vulnerabilities through the responsible disclosure program at security@novaworks.ai

  • Comply with applicable ServiceNow platform terms governing Scoped application development

API calls that generate excessive load, probe unauthorized endpoints, or attempt cross-tenant data access will result in immediate API key revocation.

5. AI Agent Interaction Standards

When interacting with Novaworks AI agents, all Authorized Users agree to:

  • Submit prompts and inputs that reflect genuine, good-faith workforce management queries

  • Apply human judgment and review before acting on AI-generated recommendations in employment decisions

  • Report unexpected, harmful, inaccurate, or potentially biased AI outputs to support@novaworks.ai

  • Not attempt to extract information about AI system architecture, system prompts, or safety mechanisms through adversarial inputs

Novaworks maintains audit logs of all AI agent transactions within each Customer’s ServiceNow tenant. These logs may be reviewed for AUP compliance, security investigation, and customer audit purposes.

6. Reporting Violations

Report promptly

Early reporting of security incidents and policy violations helps protect all customers on the platform. Good-faith security researchers who follow responsible disclosure will not face legal action from Novaworks.

  • Security incidents: security@novaworks.ai

  • AI misuse or unexpected outputs: support@novaworks.ai

  • Vulnerability disclosure: security@novaworks.ai (responsible disclosure program)

  • Urgent / production-impacting: support@novaworks.ai

  • Legal violations: legal@novaworks.ai

7. Enforcement

Novaworks reserves the right to investigate suspected AUP violations. Enforcement actions, depending on severity, may include:

  • Warning: Written notice to Customer with required remediation steps and timeline.

  • Feature suspension: Temporary suspension of specific features (e.g., AI agent access, API access) pending remediation.

  • Account suspension: Full platform access suspended pending investigation. Customer retains data export capability.

  • Termination: Agreement terminated for material or repeated violations per the Terms of Service, Section 12.

  • Legal referral: Severe violations (cross-tenant data access, malicious code, illegal activity) may be referred to law enforcement.

Novaworks will provide reasonable notice before suspension or termination except where immediate action is required to protect platform security, other customers, or comply with law.

8. Amendments

Novaworks may update this AUP at any time by posting the revised version at www.novaworks.ai/legal/aup. Customers will receive 30 days’ advance notice of material changes. Continued use of the Services after the effective date constitutes acceptance.

9. Contact

  • Policy owner: CTO, Novaworks, Inc.

  • Email: security@novaworks.ai

  • Address: 218 Tourney Loop, Los Gatos, California 95030

  • Website: www.novaworks.ai/legal/aup

  • Review cycle: Annual, or following significant platform changes or security incidents