Novaworks, Inc. | Total Workforce Management
Acceptable Use Policy
Effective Date: June 9, 2025
Version: 2.0 v070226
Applies To: All Customers, Authorized Users, Administrators, API Integrators
Incorporated Into: Novaworks Terms of Service, Section 6
Contact: security@novaworks.ai | www.novaworks.ai/legal/aup
1. Purpose and Scope
This Acceptable Use Policy (“AUP”) defines permissible and prohibited uses of the Novaworks Total Workforce Management platform, APIs, AI agent services, and associated infrastructure (the “Services”). This AUP is incorporated by reference into the Novaworks Terms of Service and forms part of the binding agreement between Novaworks, Inc. and every Customer and Authorized User.
Customers are responsible for ensuring all Authorized Users within their organization comply with this AUP. Violations by Authorized Users are attributed to the Customer.
2. Permitted Use
The Services are licensed for lawful, good-faith workforce management operations aligned with your organization’s HR and operational purposes.
Managing full-time, part-time, and contingent worker lifecycles including Nova Core HR, Nova Policy Advisor, Nova Worker Activation, Nova Document Management, time and attendance, Nova Payroll Interface, and Nova Offboarding
Configuring and running AI agent workflows to automate HR processes within your ServiceNow tenant
Using the REST API and ServiceNow integration layer to connect approved enterprise systems (payroll, benefits, identity management)
Generating workforce analytics and compliance reports for internal business use
Using AI agent outputs as advisory recommendations, with appropriate human review applied before employment decisions
Configuring role-based access controls, ACLs, and scoped application permissions to manage workforce data
3. Prohibited Use
Zero tolerance
The following activities are strictly prohibited and may result in immediate suspension, termination, and referral to law enforcement.
3.1 Illegal and harmful activities
Illegal use: Using the Services in violation of any applicable local, state, national, or international law or regulation
Discrimination: Using the platform or AI outputs to make employment decisions that discriminate based on race, color, national origin, sex, age, disability, religion, or any other protected characteristic under applicable law
Harassment: Using the Services to harass, stalk, threaten, defame, or harm any individual
Fraud: Submitting false or misleading information, impersonating another person or organization, or falsifying workforce records
Privacy violations: Infringing the privacy rights of employees, contractors, or any third party
Export violations: Processing or transmitting data subject to export control restrictions without required authorizations
3.2 Platform security violations
Unauthorized access: Attempting to access data, accounts, or system components beyond your authorization
Cross-tenant attacks: Attempting to access, view, modify, or exfiltrate data from any customer tenant other than your own, through any means including crafted API requests, URL manipulation, or prompt injection
Credential abuse: Sharing, selling, or transferring login credentials; using automated credential-stuffing tools; or attempting to bypass multi-factor authentication
Vulnerability exploitation: Probing, scanning, or exploiting security vulnerabilities without Novaworks’ prior written authorization through the responsible disclosure program
Denial of service: Sending excessive automated requests or otherwise degrading platform performance for other customers
Malware: Uploading or transmitting viruses, ransomware, spyware, or any malicious code
Interference: Disrupting or interfering with the integrity or performance of the Services or any connected systems
3.3 AI and agent misuse
Given the AI-native architecture of the platform, the following AI-specific prohibitions apply:
Prompt injection: Crafting prompts or inputs designed to manipulate AI agents into bypassing access controls, revealing other tenants’ data, or performing actions outside their authorized scope
Jailbreaking: Attempting to override, circumvent, or manipulate AI agent instructions, safety guardrails, or system prompts
Automated employment decisions: Using AI agent outputs to make fully automated employment decisions (hire, fire, discipline, deny promotion) affecting individuals without human review, in violation of applicable employment or AI regulation
Deceptive AI attribution: Representing AI-generated outputs as authenticated human decisions in official employment records
Model extraction: Attempting to reverse-engineer, extract, or replicate the logic of Novaworks AI agents or underlying AWS Bedrock foundation models
Synthetic data abuse in production: Submitting fabricated personal data to test AI behaviors in production environments without Novaworks’ prior written consent
3.4 Data misuse
Unauthorized disclosure: Exporting, sharing, or transmitting Customer Content to unauthorized third parties or outside approved integration channels
Purpose limitation violation: Using workforce data for purposes other than workforce management without additional consent
Re-identification: Attempting to re-identify individuals from anonymized or aggregated analytics data produced by the platform
Removable media: Exporting sensitive workforce data to removable media (USB drives, portable storage) without Customer’s documented authorization and encryption controls
3.5 Intellectual property
Reverse engineering: Decompiling, disassembling, or otherwise attempting to derive source code of the platform, AI models, or ServiceNow application scopes
Competitive misuse: Using the Services to build or assist in building a competing product or service
Unauthorized scraping: Using automated tools to scrape, copy, or bulk-index the platform interface, APIs, or documentation
Misrepresentation: Misrepresenting your identity, affiliation, or authorization level to Novaworks or other users
4. API and Integration Standards
Customers and developers using the Novaworks REST API must:
Authenticate all API calls using authorized credentials and respect published rate limits
Process API responses only for their intended workforce management purpose
Not store API keys or tokens in source code repositories, shared documents, or insecure locations
Report API vulnerabilities through the responsible disclosure program at security@novaworks.ai
Comply with applicable ServiceNow platform terms governing Scoped application development
API calls that generate excessive load, probe unauthorized endpoints, or attempt cross-tenant data access will result in immediate API key revocation.
5. AI Agent Interaction Standards
When interacting with Novaworks AI agents, all Authorized Users agree to:
Submit prompts and inputs that reflect genuine, good-faith workforce management queries
Apply human judgment and review before acting on AI-generated recommendations in employment decisions
Report unexpected, harmful, inaccurate, or potentially biased AI outputs to support@novaworks.ai
Not attempt to extract information about AI system architecture, system prompts, or safety mechanisms through adversarial inputs
Novaworks maintains audit logs of all AI agent transactions within each Customer’s ServiceNow tenant. These logs may be reviewed for AUP compliance, security investigation, and customer audit purposes.
6. Reporting Violations
Report promptly
Early reporting of security incidents and policy violations helps protect all customers on the platform. Good-faith security researchers who follow responsible disclosure will not face legal action from Novaworks.
Security incidents: security@novaworks.ai
AI misuse or unexpected outputs: support@novaworks.ai
Vulnerability disclosure: security@novaworks.ai (responsible disclosure program)
Urgent / production-impacting: support@novaworks.ai
Legal violations: legal@novaworks.ai
7. Enforcement
Novaworks reserves the right to investigate suspected AUP violations. Enforcement actions, depending on severity, may include:
Warning: Written notice to Customer with required remediation steps and timeline.
Feature suspension: Temporary suspension of specific features (e.g., AI agent access, API access) pending remediation.
Account suspension: Full platform access suspended pending investigation. Customer retains data export capability.
Termination: Agreement terminated for material or repeated violations per the Terms of Service, Section 12.
Legal referral: Severe violations (cross-tenant data access, malicious code, illegal activity) may be referred to law enforcement.
Novaworks will provide reasonable notice before suspension or termination, except where immediate action is required to protect platform security or other customers, or to comply with law.
8. Amendments
Novaworks may update this AUP at any time by posting the revised version at www.novaworks.ai/legal/aup. Customers will receive 30 days’ advance notice of material changes. Continued use of the Services after the effective date constitutes acceptance.
9. Contact
Policy owner: CTO, Novaworks, Inc.
Email: security@novaworks.ai
Address: 218 Tourney Loop, Los Gatos, California 95030
Website: www.novaworks.ai/legal/aup
Review cycle: Annual, or following significant platform changes or security incidents