Acceptable Use Policy

Product: Phishy (the “Platform”). Provider: Wolfcore Ltd, a company registered in England and Wales (company no. 16308559), registered office at 72 Newbiggin, Malton, North Yorkshire, YO17 7JF (“Wolfcore”, “we”, “us”, “our”).

This Acceptable Use Policy (“AUP”) governs access to and use of the Platform. It forms part of, and is incorporated into, the Phishy Terms & Conditions (the “Agreement”). Capitalised terms not defined here have the meaning given in the Agreement. By accessing or using the Platform, the Customer and each of its Authorised Users agree to comply with this AUP.

1. Definitions

1.1 “Customer” means the organisation that has entered into the Agreement to use the Platform.

1.2 “Authorised User” means an individual whom the Customer permits to access the Platform on its behalf.

1.3 “Simulation” means an authorised phishing-simulation exercise — by email, SMS, QR code, voice or any other channel offered through the Platform — created and run by the Customer.

1.4 “Target Recipient” means an individual to whom a Simulation is directed.

1.5 “Authorisation to Test” means the Customer’s documented confirmation that it is lawfully entitled to run Simulations against the relevant Target Recipients.

2. Authorised use

2.1 The Platform is a tool for conducting authorised security-awareness phishing simulations only. The Customer may use the Platform solely to test, train and measure the security awareness of Target Recipients that the Customer is lawfully entitled to test.

2.2 Before running any Simulation, the Customer must hold a valid Authorisation to Test and must confirm, through the Platform’s authorisation workflow, that: (a) the Target Recipients are the Customer’s own employees, workers or contractors, or other individuals for whom the Customer has obtained all necessary authorisations; and (b) the Customer has a lawful basis under applicable data-protection law to process the relevant personal data and to conduct the Simulation.

2.3 The Customer is solely responsible for ensuring that its use of the Platform complies with all laws applicable to it, including without limitation the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, the Computer Misuse Act 1990, applicable employment law, and any sector-specific or jurisdictional requirements applicable to the Target Recipients.

2.4 The Customer must retain records of its Authorisation to Test and make them available to Wolfcore on reasonable request.

3. Prohibited uses

The Customer must not, and must ensure that its Authorised Users do not, use the Platform to:

3.1 conduct any actual phishing, fraud, identity theft or social-engineering attack, or any activity intended to obtain money, data or access for any purpose other than a bona fide authorised Simulation;

3.2 target any individual the Customer is not lawfully entitled to test, including members of the public, consumers, or any third party for whom the Customer lacks a documented Authorisation to Test;

3.3 harass, intimidate, defame, discriminate against, or cause foreseeable psychological harm to any person;

3.4 impersonate — or use sender identities, sender names, domains or content that impersonate — any real third-party brand, trademark, organisation or individual that the Customer is not authorised to represent, where doing so would infringe intellectual-property rights, breach the policies of any messaging, email or telecommunications provider or carrier, or otherwise be unlawful or deceptive beyond the scope of an authorised internal Simulation;

3.5 attempt to capture, store, exfiltrate or make any use of the actual credentials or other authentication secrets of any Target Recipient. The Platform is designed not to retain submitted passwords, and the Customer must not attempt to circumvent, disable or defeat that design;

3.6 transmit unlawful, infringing, malicious or harmful content, including malware, other than the controlled, simulated artefacts provided or configured through the Platform for the purpose of the Simulation;

3.7 breach the acceptable-use, anti-spam, sender-registration or content policies of any downstream provider or carrier used to deliver Simulations (including, without limitation, email and SMS providers and mobile network operators), or send to any jurisdiction or number range for which delivery is not permitted;

3.8 resell, sublicense, rent or otherwise make the Platform available to any third party except as expressly permitted in the Agreement;

3.9 copy, modify, reverse engineer, decompile, scrape, or create derivative works of the Platform, or attempt to gain unauthorised access to the Platform or its underlying systems or data;

3.10 probe, scan, overload, disrupt or test the vulnerability of the Platform or any associated network, or circumvent any security or access controls, except with Wolfcore’s prior written consent; or

3.11 use the Platform in any way that brings, or is reasonably likely to bring, Wolfcore or any provider into disrepute, or that exposes them to legal liability.

4. Sender identity and content

4.1 The Customer is solely responsible for the sender identities, sender names, domains and message content it configures, and warrants that they comply with clause 3.4 and all applicable laws and provider policies.

4.2 The Customer acknowledges that messaging providers and carriers independently filter, block, reject or report traffic, and may suspend or terminate accounts that send deceptive, brand-impersonating or otherwise non-compliant traffic. Wolfcore does not warrant the delivery of any Simulation.

5. Customer responsibilities

5.1 The Customer is responsible for the accuracy and lawfulness of all data it uploads to the Platform, including Target Recipient contact details.

5.2 The Customer should ensure appropriate internal approvals, transparency and follow-up (such as debrief and awareness training) consistent with its own legal and ethical obligations to its personnel.

6. Suspension and enforcement

6.1 Wolfcore may investigate suspected breaches of this AUP and may suspend or restrict access, remove content, or terminate the Agreement in accordance with its terms where it reasonably believes the Platform is being used in breach of this AUP or in a manner that poses legal, security or reputational risk.

6.2 Where practicable and lawful, Wolfcore will give notice before suspending access, but may act without prior notice where it reasonably considers urgent action necessary.

7. Reporting

7.1 Suspected misuse of the Platform may be reported as appropriate to any relevant regulator.

8. Changes to this AUP

8.1 We may update this AUP from time to time. Material changes will be notified in accordance with the Agreement. Continued use of the Platform after changes take effect constitutes acceptance of the updated AUP.

9. Governing law

9.1 This AUP is governed by, and construed in accordance with, the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales, in accordance with clause 17.1 of the Terms & Conditions.