IT Acceptable Use Policy Template for Indian Companies (2026)

An IT Acceptable Use Policy (AUP) is the legal anchor for everything else — monitoring, DLP, incident discipline, asset return. Without a clear AUP signed by every employee, monitoring data has reduced admissibility in disciplinary proceedings and Indian labour-court matters.

This post is a complete, paste-ready AUP template for Indian companies in 2026. Section-by-section, with the rationale for each clause.

The 9-section structure

1. Purpose and scope
2. Acceptable use
3. Prohibited use
4. Monitoring and privacy
5. Data handling and confidentiality
6. AI assistants and generative tools
7. BYOD and personal device use
8. Incident reporting
9. Enforcement and acknowledgement

The template (paste-ready)

[Company Name] — IT Acceptable Use Policy
Effective: [date]. Version: 1.0. Owner: [CISO or Head of IT].

1. Purpose and scope. This policy governs the acceptable use of all information-technology resources owned, leased, or operated by [Company]. It applies to all employees, contractors, consultants, interns, and any other person granted access to Company IT resources.

2. Acceptable use. Company IT resources are provided for the conduct of Company business. Limited personal use is permitted during break time provided it does not (a) consume excessive bandwidth or storage, (b) interfere with work duties, (c) violate any provision of this policy, or (d) breach applicable law.

3. Prohibited use. Employees shall not:

• Use Company IT resources for unlawful activity, including but not limited to copyright infringement, harassment, fraud, or breaches of the Information Technology Act 2000
• Access, store, or transmit content that is obscene, hateful, defamatory, or harassing
• Attempt to bypass security controls (firewalls, monitoring agents, access restrictions) or use unauthorised privilege-escalation methods
• Install software that has not been approved by IT, including remote-access tools, peer-to-peer file-sharing applications, or unsanctioned monitoring software
• Share account credentials with any other person, including colleagues, family members, or external parties
• Use Company resources for personal commercial activity, secondary employment, or political campaigning
• Transfer Company data to personal cloud storage, personal email accounts, or unsanctioned third-party services
• Connect unauthorised devices (USB drives, mobile hotspots, personal laptops) to the Company network without prior IT approval

4. Monitoring and privacy. The Company monitors IT resource usage for legitimate business purposes including productivity assessment, data-leakage prevention, security incident investigation, and compliance with applicable laws and client contractual obligations. Monitoring is conducted using [tool name, e.g., Headx Monitor]. The system displays a tray-icon indicator when monitoring is active.

The Company captures: applications used during work sessions, websites visited, periodic screenshots, USB activity, file transfers, clipboard content from Company applications, and print job metadata. The Company does not deliberately capture: content of personal email accounts, banking application content, content of healthcare applications, password fields, or any activity from personal devices.

Captured data is retained for [30] days for activity logs and screenshots; for [3] years for security incident records and DLP alerts; and for the duration of statutory requirements (RBI / IRDAI / SEBI cyber-security frameworks where applicable). Access to captured data is restricted to the Information Security team, Human Resources team, and the employee's direct manager on a need-to-know basis, with every access logged for audit.

Employees have the right to request a copy of their own monitoring data by writing to the Grievance Officer at [privacy@company.com]. Requests are fulfilled within 30 days as required by the IT Rules 2011 and DPDP Act 2023.

5. Data handling and confidentiality. Company data is classified into four tiers: Public, Internal, Confidential, and Restricted. Employees are responsible for handling each tier according to the published Data Handling Standard. Restricted-tier data (including but not limited to customer PAN/Aadhaar in bulk, payment data, and personally identifiable health information) requires explicit business justification for each access.

Employees shall not transfer Company data to any personal device, personal cloud-storage account, or unsanctioned third-party service. Data exports for legitimate purposes (e.g., reports for clients, regulator submissions) follow the approved Export Workflow.

6. AI assistants and generative tools. Employees may use only the AI assistants explicitly sanctioned by the Company (currently: [list approved tools, e.g., ChatGPT Enterprise, Microsoft Copilot, Google Gemini for Workspace]). Use of free-tier or consumer AI services that train on submitted content is prohibited for any work-related activity.

Employees shall not submit to any AI assistant: Company source code from production repositories, customer personally identifiable information, payment data, internal strategy documents marked Confidential or Restricted, or any data subject to non-disclosure obligations. The Code-Assistance AI sanctioned for engineering use is [tool name]; engineering teams shall use only this tool for code-completion or code-explanation queries.

7. BYOD and personal device use. Personal devices may be used to access Company email and limited Company applications via the [Microsoft Intune / equivalent MDM] managed work container only. Personal devices shall not store Company data outside the managed container. Loss or theft of any personal device used for work shall be reported to IT immediately so that the work container can be remotely wiped.

The Company does not monitor activity on personal devices outside the managed work container. The Company does not access personal email, photos, location data, or other personal content on BYOD devices.

8. Incident reporting. Employees shall report any of the following to the Information Security team at [security@company.com] without delay:

• Suspected phishing attempts or other social-engineering attempts
• Lost or stolen Company devices
• Suspected unauthorised access to accounts or systems
• Inadvertent data disclosure to unauthorised parties
• Suspected violation of this policy by any colleague (anonymous reporting available via [ethics line])

No retaliation will be taken against any employee who reports a suspected incident in good faith.

9. Enforcement and acknowledgement. Violations of this policy may result in disciplinary action including warnings, performance improvement plans, termination of employment, civil liability, and criminal prosecution where applicable. Severity of action is proportionate to the violation and prior history.

Every employee shall acknowledge receipt and understanding of this policy at the time of joining and re-acknowledge annually thereafter. This policy is subject to review every 12 months or upon material change in regulator requirements, business circumstances, or technology stack.

Acknowledgement. I, ____________________, Employee ID ________, have read and understood this Acceptable Use Policy. I agree to abide by its provisions and understand that violations may result in disciplinary or legal action.

Signature: ______________    Date: ___________    Witness: ______________

The three additions most 2024-era policies miss

Addition 1: AI assistants section

Most policies written before 2023 don't mention AI. In 2026 this is a gap big enough to drive a truck through. Section 6 above is the minimum viable AI clause.

Addition 2: Personal-cloud explicit prohibition

Older policies say "don't transfer data to unauthorised systems." Be specific: name personal Gmail, personal Dropbox, personal Google Drive, personal OneDrive, WeTransfer, MEGA. Specificity wins on enforceability.

Addition 3: DPDP Act references

The monitoring + data-handling sections must reference the Indian IT Act 2000, IT Rules 2011, and DPDP Act 2023 explicitly. This anchors the policy in current law and makes it future-proof against the DPDP Act's full enforcement.

Annual re-acknowledgement workflow

Most Indian companies sign the AUP at joining and never again. This weakens enforceability — a court can ask "did the employee understand the policy as it stood at the time of the incident, given it was last acknowledged 4 years ago?" Run a low-effort annual re-acknowledgement:

• April each year, send the AUP via your HRMS with a click-wrap acknowledgement
• Highlight any sections changed since the last version
• Track non-acknowledgement and follow up with a manager-led conversation
• Store the acknowledgement record in the HR file with timestamp and IP

FAQ

Does the AUP need to be signed in physical paper?

No. Click-wrap acknowledgement with captured user identity, IP, and timestamp counts as "writing" under the IT Act 2000's electronic-records definition. Most Indian HRMS platforms support this natively.

Should the AUP be in regional languages?

Legally not required. Practically yes, especially for workforces with significant non-English-literate staff. A reasonable-understanding test applies to consent.

How does the AUP interact with the monitoring consent form?

The AUP references monitoring in general; the consent form is the specific authorisation for monitoring particulars. Both should be signed; the consent form should be granular (per-capability) and the AUP should be the overarching policy.

Does this template work for foreign-incorporated companies with Indian operations?

The principles transfer, but the statutory references (IT Act, DPDP Act, IT Rules 2011) need to be combined with the parent company's frameworks (often US-style at-will employment language, EU GDPR processing notices). Have parent-jurisdiction counsel and Indian counsel both review.

What about contractors and consultants?

Same AUP, with adapted language. The monitoring consent is critical for contractors — clients often demand that contractors handling regulated data are subject to the same controls as employees.