1. Purpose
This Acceptable Use Policy ("AUP") governs your use of the MayDay-IC incident command system (the "Service") operated by Blue Beard Solutions Inc. ("Company," "we," "us," or "our"). By accessing or using the Service, you agree to comply with this AUP. This policy is designed to protect the Service, its users, and the sensitive data processed through the platform, including Protected Health Information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA).
2. Permitted Uses
The Service is intended exclusively for the following authorized purposes:
- Emergency incident command and coordination by authorized emergency personnel
- Patient triage, tracking, and medical care coordination during emergency incidents
- Resource management, logistics, and mutual aid coordination
- Incident documentation, reporting, and after-action review
- Training exercises and scenario-based drills conducted by authorized agencies
- Communication among authorized responders during active incidents
- Equipment and vehicle tracking for emergency operations
- Administrative functions including crew management, scheduling, and compliance reporting
3. Prohibited Conduct
You may not use the Service to engage in any of the following prohibited activities:
3.1 Unauthorized Access
- Accessing or attempting to access accounts, systems, or data without proper authorization
- Using another user's credentials or impersonating another user
- Circumventing, disabling, or otherwise interfering with security-related features of the Service
- Probing, scanning, or testing the vulnerability of the Service or any related network without written authorization
3.2 Data Exfiltration
- Unauthorized extraction, copying, or transfer of data from the Service
- Scraping, harvesting, or collecting user information or incident data through automated means
- Downloading or exporting data in excess of what is reasonably necessary for your authorized role
- Transferring Service data to unauthorized third parties, personal devices, or unapproved storage systems
3.3 PHI Misuse
- Accessing PHI beyond the minimum necessary for your authorized role and purpose
- Sharing PHI with individuals or entities not authorized to receive it under HIPAA
- Using PHI for purposes unrelated to emergency medical care coordination or treatment
- Storing PHI on personal devices or in unapproved applications without encryption
- Failing to report known or suspected PHI breaches
3.4 Credential Sharing
- Sharing your login credentials (username, password, access tokens) with any other person
- Using shared or generic accounts instead of individual user accounts
- Failing to maintain the confidentiality of your authentication credentials
- Failing to log out of shared or public devices after use
3.5 Reverse Engineering
- Decompiling, disassembling, or reverse engineering the Service or any portion thereof
- Attempting to derive source code, algorithms, or data structures from the Service
- Creating derivative works based on the Service without written authorization
3.6 Denial-of-Service
- Launching or facilitating denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Deliberately overloading, flooding, or crashing the Service or its infrastructure
- Interfering with the Service's availability to other users, especially during active emergency operations
3.7 Malware and Malicious Code
- Introducing viruses, worms, trojans, ransomware, or any other malicious software
- Uploading files that contain malicious code, scripts, or exploits
- Attempting to inject malicious code through input fields, file uploads, or API calls
3.8 Other Prohibited Activities
- Using the Service for any unlawful purpose or in violation of any applicable law or regulation
- Transmitting harassing, threatening, defamatory, or discriminatory content
- Creating false incident reports, fabricating patient data, or falsifying training records
- Using the Service for commercial purposes unrelated to emergency management
- Interfering with or disrupting the integrity of elections, government operations, or public safety systems
4. Account Responsibilities
As a user of the Service, you are responsible for:
- Maintaining the security and confidentiality of your account credentials
- All activity that occurs under your account, whether authorized by you or not
- Immediately notifying your agency administrator and the Company of any unauthorized use of your account or any other security breach
- Ensuring that your account information is accurate and up to date
- Using strong, unique passwords and enabling multi-factor authentication when available
- Logging out of the Service when not in active use, particularly on shared devices
5. Data Handling Requirements for PHI
All users who access Protected Health Information through the Service must comply with the following requirements:
- Minimum Necessary Standard: Access only the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
- Encryption: Ensure that any PHI accessed through the Service remains within the encrypted environment of the application. Do not copy PHI to unencrypted locations.
- Access Controls: Use the Service's role-based access controls as intended. Do not attempt to elevate your access level beyond what has been authorized by your agency administrator.
- Audit Compliance: Understand that all access to PHI is logged and auditable. These logs are retained for 6 years in accordance with HIPAA requirements.
- Breach Reporting: Report any known or suspected breach of PHI to your agency's HIPAA Privacy Officer and to the Company at info@maydayic.com immediately upon discovery.
- Device Security: Ensure that any device used to access the Service has appropriate security measures, including a screen lock, a current operating system, and encrypted storage.
6. Reporting Violations
If you become aware of any violation of this AUP, you must report it promptly. Violations can be reported through the following channels:
Report a Violation
Email: info@maydayic.com
For PHI-related violations: info@maydayic.com
For security incidents: info@maydayic.com
Reports may be submitted anonymously. We will investigate all reports promptly and take appropriate action. Retaliation against individuals who report violations in good faith is strictly prohibited.
7. Consequences of Violations
Violations of this AUP may result in one or more of the following consequences, depending on the severity and nature of the violation:
7.1 Suspension
Temporary suspension of your access to the Service pending investigation. During active emergency operations, suspension may be deferred to ensure public safety, with enhanced monitoring in place.
7.2 Termination
Permanent termination of your account and access to the Service. Your agency administrator will be notified of the termination and the reason for it.
7.3 Legal Action
We reserve the right to pursue all available legal remedies, including but not limited to:
- Civil litigation for damages, injunctive relief, or specific performance
- Referral to law enforcement for criminal investigation and prosecution
- Reporting to relevant regulatory authorities, including the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for HIPAA violations
- Cooperation with your agency's internal affairs or compliance department
8. HIPAA-Specific Obligations for Covered Entities
If your organization is a Covered Entity or Business Associate under HIPAA, the following additional obligations apply:
- Business Associate Agreement: Your organization must have a valid Business Associate Agreement (BAA) with Blue Beard Solutions Inc. before accessing PHI through the Service.
- Workforce Training: You must ensure that all members of your workforce who use the Service have completed HIPAA privacy and security awareness training.
- Incident Response: You must maintain an incident response plan that includes procedures for reporting PHI breaches discovered through or related to your use of the Service.
- Access Management: You must promptly deactivate the accounts of workforce members who no longer require access to the Service, including upon termination of employment or change of role.
- Sanctions Policy: You must maintain and apply a sanctions policy for workforce members who violate HIPAA requirements in their use of the Service.
- Risk Assessment: You must include the Service in your organization's periodic HIPAA security risk assessments.
9. Law Enforcement Cooperation
We cooperate with law enforcement agencies in accordance with applicable law and our Law Enforcement Request Policy. If we determine that a violation of this AUP involves criminal activity, we may report the matter to appropriate law enforcement authorities and provide information necessary for investigation and prosecution. We may also preserve and disclose data as required by valid legal process, including subpoenas, court orders, and search warrants.
10. Modifications to This Policy
We reserve the right to modify this AUP at any time. We will notify users of material changes at least 30 days before the effective date by email or in-app notification. Your continued use of the Service after the effective date constitutes acceptance of the updated policy. The current version of this AUP is always available at /legal/acceptable-use.
11. Contact Information
Questions About This Policy
For questions, concerns, or to report violations:
Email: info@maydayic.com
For HIPAA-related inquiries:
Email: info@maydayic.com
Blue Beard Solutions Inc.