⚠️ PLACEHOLDER — PENDING LEGAL REVIEW
This document is included as a draft for reference. It must not be executed or distributed until approved by legal counsel.
Effective Date: TBD
Document Version: 1.0
Applicability: U.S.-based Staff & Contractors
Purpose #
This policy establishes the terms and conditions under which OASIS Open deploys monitoring software, mobile device management (“MDM”) solutions, and security tools on devices used to conduct organizational business. By executing this agreement, the User acknowledges and consents to the monitoring and management practices described herein. This policy applies to all U.S.-based Staff (employees issued Organization-owned devices) and Contractors (individuals utilizing personal devices under a BYOD arrangement) who access OASIS Open systems, networks, or communication platforms.
Definitions #
- Company Device: Any laptop, desktop, mobile phone, or tablet owned, leased, or provided by OASIS Open for work purposes.
- BYOD Device: Any personally owned device on which the User installs Organization-required software or accesses Organization systems for work purposes.
- MDM Software: JumpCloud and any successor or supplementary MDM platform deployed by the Organization.
- Security Monitoring Software: Obsidian Security and any successor or supplementary security monitoring platform deployed by the Organization.
- Communication Platforms: Slack, Zoom, corporate email, and any other Organization-provisioned communication tools.
- Organization Data: Any data created, received, stored, or transmitted using Organization systems, accounts, or platforms, regardless of the device on which it resides.
Scope of Monitoring & Device Management #
JumpCloud — Mobile Device Management #
The Organization deploys JumpCloud as its MDM platform to manage device security posture, enforce compliance policies, and maintain organizational control over devices that access OASIS Open systems. JumpCloud may enforce device encryption, password complexity, screen lock, and OS update requirements; deploy, update, and remove Organization-required applications; monitor device compliance status; restrict access from non-compliant devices; remotely lock or wipe Organization data in the event of loss, theft, termination, or security incident; and inventory hardware and installed software on enrolled devices.
Obsidian Security — SaaS & Cloud Security Monitoring #
The Organization deploys Obsidian Security to monitor and protect its cloud and SaaS application environments. Obsidian Security may monitor user activity and access patterns across Organization SaaS applications; detect anomalous behavior, unauthorized access attempts, and potential security threats; audit authentication events, session activity, and permission changes; generate alerts and reports related to security incidents or policy violations; and support incident investigation and forensic analysis.
Communication Platform Monitoring #
Organization-provisioned Communication Platforms are provided for business use. The Organization reserves the right to access, review, and retain messages, files, recordings, and other content transmitted through Communication Platforms; monitor usage patterns for security, compliance, and acceptable use purposes; and preserve communications as required by legal holds, regulatory obligations, or internal investigations. Users should have no expectation of privacy with respect to any content created, transmitted, or stored using Organization Communication Platforms.
Device Classification & Enrollment #
Company Devices (Staff) #
JumpCloud MDM agent shall be installed and active on all Company Devices at all times. The Organization retains full administrative control over Company Devices, including the right to install, configure, update, and remove software. Company Devices remain the property of OASIS Open and must be returned upon termination or reassignment. The Organization may remotely access, lock, or perform a full device wipe on Company Devices at any time. Personal use of Company Devices is permitted on a limited basis but carries no expectation of privacy.
BYOD Devices (Contractors) #
JumpCloud MDM agent shall be installed on BYOD Devices used to access Organization systems. JumpCloud operates within a managed container or profile logically separated from personal data to the extent technically feasible. The Organization’s remote wipe capability on BYOD Devices is limited to Organization data and managed profiles only. Installation of Communication Platforms on personal mobile devices requires MDM enrollment. The Contractor retains ownership of the BYOD Device; Organization data remains the property of OASIS Open. Failure to maintain MDM enrollment or comply with device security requirements may result in revocation of access.
Remote Wipe Disclosure #
Company Devices #
The Organization may initiate a full device wipe under the following circumstances: loss or theft; termination of employment or contract; confirmed or suspected security breach; device non-compliance that cannot be remotely remediated; or as otherwise required to protect Organization data.
BYOD Devices #
The Organization may initiate a selective wipe (Organization data, managed profiles, and Organization-deployed applications only) under the same circumstances. The Organization will use commercially reasonable efforts to limit remote wipe actions to Organization data only. However, the User acknowledges that a remote wipe action may result in the loss of personal data on the BYOD Device. The User accepts all risk of personal data loss resulting from remote wipe actions on BYOD Devices and is solely responsible for maintaining independent backups of personal data.
Data Collection & Use #
Monitoring and management tools may collect device information (hardware model, OS version, serial number, MAC address, IP address, installed applications, encryption status, compliance state); authentication data (login times, methods, session duration, MFA status); application activity (usage of Organization SaaS platforms including access times, actions performed, files accessed, permission changes); communication metadata (timestamps, participants, channel/meeting identifiers); security events (failed logins, anomalous access, privilege changes, threat indicators); and approximate location data for security purposes (continuous GPS tracking is not performed). Data is used solely for security, compliance, IT administration, and protection of Organization assets.
User Obligations #
The User agrees to: install and maintain JumpCloud MDM on all devices used to access Organization systems; comply with all device security requirements; use Communication Platforms in accordance with the Acceptable Use Policy; report loss, theft, or compromise of any enrolled device to IT immediately; maintain independent backups of personal data on BYOD Devices; and return all Company Devices and remove Organization data from BYOD Devices upon termination.
Data Retention #
Monitoring data, logs, and communications are retained in accordance with the Organization’s data retention schedule and applicable legal requirements. Data may be retained beyond standard retention periods when subject to a legal hold, active investigation, or regulatory requirement.
Non-Compliance #
Failure to comply may result in disciplinary action up to and including termination, revocation of access to Organization systems, and such other remedies as may be available under applicable law.
Amendments #
The Organization reserves the right to amend this policy at any time. Users will be notified of material changes and may be required to re-execute this acknowledgment.
Governing Law #
This policy is governed by the laws of the State of Florida and applicable federal law, without regard to conflict of laws principles.
Acknowledgment and Consent #
By signing below, the User acknowledges that they have read, understand, and agree to be bound by the terms of this policy. The User consents to the monitoring, management, and remote wipe provisions described herein and acknowledges no expectation of privacy with respect to Organization data, platforms, or activity conducted using Organization credentials.
Classification:
- ☐ Staff (Company Device)
- ☐ Contractor (BYOD Device)
| Signature | Printed Name | Title / Role | Date | |
|---|---|---|---|---|
| User | ||||
| IT Representative |