Acceptable Use Policy

1 Purpose & Scope

1.1. This Acceptable Use Policy ("AUP" or "Policy") sets forth the rules and guidelines governing the acceptable use of the BrainBit-SOMS platform ("Platform"), owned and operated by BrainBit Infotech Private Limited ("Company", "We", "Us", "Our").

1.2. This Policy applies to all individuals and entities who access or use the Platform, including but not limited to:

• Institute administrators (Principals, Vice Principals, Admin Staff)
• Teaching staff (Class Teachers, Subject Teachers)
• Non-teaching staff (Accountants, Librarians, Transport In-charges, Hostel Wardens)
• Parents and guardians accessing the Parent Portal
• Students accessing the Student Portal
• Any other authorized users granted access by a subscribing Institute

1.3. This AUP forms an integral part of our Terms of Service and should be read in conjunction with our Privacy Policy, Data Protection Policy, and all other legal documents referenced therein.

1.4. By accessing or using BrainBit-SOMS, you acknowledge that you have read, understood, and agree to comply with this Policy. Violation of this Policy may result in suspension or termination of access and/or legal action under applicable Indian laws.

2 Permitted Use

2.1. BrainBit-SOMS is designed exclusively for the management and administration of educational institutions. The Platform shall be used only for the following lawful and intended purposes:

2.1.1. Academic Administration

• Managing academic years, classes, sections, streams, and subjects
• Creating and maintaining timetables and holiday calendars
• Configuring examination types, grading systems, and marks entry
• Generating report cards and academic transcripts
• Managing student promotions and class allocations

2.1.2. Student & Staff Management

• Processing student admissions and maintaining enrollment records
• Recording and tracking student and staff attendance
• Managing leave applications and approvals
• Maintaining staff profiles, qualifications, and employment records
• Generating transfer certificates and identity cards

2.1.3. Financial Management

• Configuring fee structures, installments, and concessions
• Collecting and recording fee payments
• Processing payroll, salary components, and payslips
• Generating financial reports and fee receipts
• Facilitating online payments through the integrated Razorpay gateway

2.1.4. Communication

• Publishing notices and circulars to relevant stakeholders
• Sending SMS, email, and WhatsApp notifications for legitimate school purposes
• In-app notifications related to academic, administrative, or financial matters

2.1.5. Portal Access

• Parents viewing their ward's academic progress, attendance, fees, and notices
• Students viewing their own academic records, timetable, attendance, and fee status
• Submitting leave applications and making online fee payments through portals

3 User Account Responsibilities

3.1. Credential Security: Every user is individually responsible for maintaining the confidentiality and security of their login credentials (username and password). You shall:

• Create a strong password containing a combination of uppercase letters, lowercase letters, numbers, and special characters (minimum 8 characters)
• Never share your login credentials with any other individual, including colleagues, family members, or IT personnel
• Never write down or store passwords in plain text or in unsecured locations
• Change your password immediately if you suspect it has been compromised
• Log out of the Platform after each session, especially when using shared or public computers

3.2. Role-Based Access: The Platform implements a hierarchical role-based access control (RBAC) system. Users shall:

Responsibility	Description
Respect role boundaries	Access only the features and data permitted by your assigned role. Do not attempt to access modules or data outside your authorization level.
Accurate information	Provide truthful, accurate, and current information in all data entries, forms, and records.
Prompt reporting	Report any unauthorized access, security breach, or suspicious activity immediately to your Institute administrator and to the Company.
Account responsibility	You are solely responsible for all activities conducted through your account. Any action performed under your login credentials shall be deemed to have been performed by you.

3.3. No Account Sharing: Each user account is for the exclusive use of the individual to whom it is assigned. The following are strictly prohibited:

• Sharing login credentials with another person for any reason
• Using another person's login credentials to access the Platform
• Creating multiple accounts for the same individual
• Allowing unauthorized individuals to use your account

3.4. Institute Administrator Obligations: Institute administrators (Super Admin, Principal, Vice Principal) have additional responsibilities:

• Assign appropriate roles to users based on their actual responsibilities within the institution
• Promptly revoke access for staff or students who leave the institution or change roles
• Conduct periodic reviews of user accounts and access permissions
• Ensure all users under their Institute are aware of and comply with this Policy
• Maintain accurate records of authorized users and their assigned roles

4 Prohibited Activities

4.1. Unauthorized Access

You shall not, directly or indirectly, attempt to gain unauthorized access to:

• Any part of the Platform, servers, networks, or databases that you are not authorized to access
• Other Institutes' data, records, or account information
• Other users' accounts, credentials, or personal information
• Administrative or backend systems of the Platform
• Any system or network connected to the Platform through hacking, password mining, or any other illegitimate means

4.2. Hacking, Malware & Viruses

You shall not:

• Introduce, upload, transmit, or distribute any virus, worm, Trojan horse, ransomware, spyware, adware, or any other malicious software or code
• Attempt to probe, scan, or test the vulnerability of the Platform or any associated system or network
• Attempt to breach the Platform's authentication or security measures
• Deploy any packet sniffers, keyloggers, or similar tools to intercept data
• Install or execute any unauthorized scripts, programs, or agents on the Platform

4.3. Data Theft & Unauthorized Data Extraction

You shall not:

• Download, copy, extract, or transfer any data from the Platform for purposes other than the legitimate management of your own Institute
• Steal, misappropriate, or unlawfully obtain any data, records, or information belonging to the Company, other Institutes, or other users
• Access, view, or copy student records, staff records, financial data, or any other information that you are not authorized to access
• Sell, share, publish, or distribute any data obtained from the Platform to third parties without explicit authorization
• Retain copies of Platform data after your account has been terminated or your role has been revoked

4.4. Identity Theft & Impersonation

You shall not:

• Impersonate any other person, user, Institute, or entity while using the Platform
• Use another person's identity credentials (name, email, phone number, login details) to access the Platform
• Create fraudulent or fake user accounts
• Misrepresent your identity, role, designation, or affiliation with any Institute
• Forge any header information or manipulate identifiers to disguise the origin of any content or data

4.5. Offensive, Obscene & Unlawful Content

You shall not upload, transmit, publish, or distribute through the Platform any content that is:

• Obscene, pornographic, sexually explicit, or lascivious in nature
• Threatening, abusive, harassing, defamatory, libellous, or slanderous
• Harmful to minors or exploitative of children in any manner
• Promoting hatred, violence, or discrimination based on religion, caste, gender, race, ethnicity, language, or disability
• Violating any applicable law, regulation, or the rights of any third party

4.6. Cyber Terrorism

You shall not use the Platform or any of its infrastructure, directly or indirectly, for purposes of:

• Threatening the unity, integrity, security, or sovereignty of India
• Creating terror in the minds of any section of people
• Denying access to any person authorized to access computer resources
• Attempting to penetrate or access computer resources belonging to critical information infrastructure

4.7. Non-Educational Use

You shall not use the Platform for any purpose other than the management and administration of an educational institution, including but not limited to:

• Commercial activities unrelated to school management (e.g., selling products or services)
• Political campaigning, religious proselytizing, or propaganda
• Personal use unrelated to your role at the Institute (e.g., personal messaging, social networking)
• Running a competing business or building a competing product using Platform insights
• Storing personal files, photographs, or documents unrelated to institutional operations
• Any form of mass unsolicited communication (spam) not related to legitimate school operations

4.8. Cross-Tenant Data Access

BrainBit-SOMS operates on a multi-tenant architecture where each Institute's data is logically isolated. You shall not:

• Attempt to access, view, modify, or interact with data belonging to any other Institute
• Exploit any vulnerability or bug to bypass multi-tenant data isolation
• Attempt to discover, enumerate, or identify other Institutes registered on the Platform
• Share any technical information about the Platform's multi-tenant architecture that could be used to compromise data isolation

4.9. Automated Access & Scraping

Without prior written authorization from BrainBit Infotech Private Limited, you shall not:

• Use any automated tool, bot, spider, scraper, or similar technology to access or interact with the Platform
• Scrape, crawl, index, or mine data from the Platform
• Use automated scripts to create accounts, submit forms, or perform bulk operations
• Overload the Platform with automated requests that may degrade performance for other users
• Access the Platform through any means other than the officially provided web interface

4.10. Circumventing Security Measures

You shall not attempt to:

• Bypass, disable, interfere with, or circumvent any security feature or access control of the Platform
• Disable or circumvent CSRF protection, rate limiting, or session management controls
• Tamper with or modify HTTP headers, cookies, or URL parameters to gain unauthorized access
• Use proxy servers, VPNs, or other tools specifically to evade security controls or access restrictions imposed by the Company
• Exploit any bug, error, or design flaw in the Platform for unauthorized purposes (any such discovery must be promptly reported to the Company)

4.11. Uploading False or Misleading Records

You shall not knowingly upload, enter, or modify any data in the Platform that is:

• False, fabricated, or fictitious student records, attendance records, or examination results
• Fraudulent financial records, fee receipts, or payment entries
• Misleading staff records, qualifications, or employment details
• Forged or tampered documents (transfer certificates, mark sheets, birth certificates)
• Any data intended to deceive regulatory authorities, parents, students, or auditors

5 Content Standards

5.1. All content created, uploaded, transmitted, or published through the Platform, including notices, circulars, messages, documents, and data entries, must adhere to the following standards:

5.1.1. General Content Standards

• Content must be truthful, accurate, and relevant to the educational or administrative context
• Content must not contain obscene, vulgar, profane, or sexually suggestive language or imagery
• Content must not be defamatory, libellous, or slanderous towards any individual or entity
• Content must not promote discrimination on the basis of religion, race, caste, sex, place of birth, gender identity, sexual orientation, disability, or any other protected characteristic under the Constitution of India
• Content must not incite or promote violence, hatred, or hostility towards any group or individual

5.1.2. Child Protection Standards

Given that the Platform handles data of minors (students below 18 years of age), the following additional standards apply:

• No content shall be uploaded that is harmful to the physical, mental, or emotional well-being of children
• Student photographs and personal details shall be used solely for identification and academic record-keeping purposes
• No personal information of children shall be shared with unauthorized parties through the Platform's communication features
• All communication regarding students must be professional and in the best interest of the child

5.1.3. Intellectual Property Standards

• Content uploaded to the Platform must not infringe upon the intellectual property rights (copyright, trademark, patent) of any third party
• Users shall only upload content that they have the legal right to use and distribute
• The Institute is responsible for ensuring that all educational materials, documents, and templates uploaded to the Platform comply with copyright laws

6 System Integrity

6.1. Users shall not engage in any activity that threatens the integrity, performance, security, or availability of the BrainBit-SOMS platform or its underlying infrastructure. Specifically:

6.1.1. Reverse Engineering

• You shall not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Platform
• You shall not create derivative works based on the Platform's code, design, or architecture
• You shall not attempt to discover or reconstruct the Platform's algorithms, database schemas, or security mechanisms

6.1.2. Denial of Service

• You shall not launch or facilitate any Distributed Denial of Service (DDoS), Denial of Service (DoS), or similar attack against the Platform or its infrastructure
• You shall not generate excessive traffic, requests, or load with the intent to degrade or disrupt Platform performance
• You shall not engage in any activity that may cause the Platform to become unavailable to other users

6.1.3. Vulnerability Exploitation

• You shall not exploit any bug, vulnerability, or security flaw in the Platform for any purpose
• If you discover a vulnerability, you must report it immediately and confidentially to the Company at info@brainbitinfotech.com with the subject line "Security Vulnerability Report"
• You shall not publicly disclose any vulnerability until the Company has had reasonable time to address it
• You shall not use vulnerability scanning tools, penetration testing tools, or similar software against the Platform without prior written authorization from the Company

6.1.4. Infrastructure Integrity

• You shall not attempt to access, modify, or interfere with any server, network, storage, or database infrastructure used by the Platform
• You shall not attempt to intercept, monitor, or capture network traffic to or from the Platform
• You shall not interfere with any other user's use or enjoyment of the Platform

7 Communication Standards

7.1. BrainBit-SOMS provides integrated communication features including SMS, Email, WhatsApp messaging, notices, and circulars. All use of these features must comply with the following standards:

7.1.1. SMS Communication

• SMS shall be used only for legitimate school-related communication (attendance alerts, fee reminders, exam notifications, emergency notices)
• Bulk SMS shall not be used for promotional, commercial, or non-educational purposes
• SMS content must comply with TRAI (Telecom Regulatory Authority of India) regulations on commercial communication
• Recipients' opt-out preferences must be respected in accordance with TRAI DND (Do Not Disturb) regulations

7.1.2. Email Communication

• Emails shall be sent only to recipients who have a legitimate educational relationship with the Institute
• Mass email features shall not be used for spam, unsolicited marketing, or phishing
• Email content must be professional, relevant, and comply with all applicable anti-spam laws
• Email templates provided by the Platform shall be used for their intended purposes only

7.1.3. WhatsApp Communication

• WhatsApp messaging through the Platform shall be used only for school-related notifications and communication
• All WhatsApp communications must comply with Meta/WhatsApp Business Terms of Service and policies
• WhatsApp shall not be used to send unsolicited messages, promotional content, or content unrelated to school operations
• Users shall respect recipients' privacy and not use WhatsApp numbers obtained through the Platform for personal purposes

7.1.4. Notices & Circulars

• Notices and circulars published through the Platform must be issued by authorized personnel (Principal, Vice Principal, or Admin Staff)
• Content must be accurate, clear, and relevant to the intended audience
• Notices must not contain misleading, false, or inflammatory information
• Acknowledgment tracking features shall be used only for legitimate administrative purposes

8 Monitoring & Enforcement

8.1. Audit Logs: The Platform automatically maintains comprehensive audit logs of all user activities, including but not limited to:

• Login and logout timestamps with IP addresses and device information
• Data creation, modification, and deletion records with user identification
• Access to sensitive modules (financial data, student records, marks entry)
• Communication activities (SMS, email, WhatsApp messages sent)
• Portal activity logs for parent and student users
• Failed login attempts and suspicious access patterns
• Administrative actions (user creation, role changes, data exports)

8.2. Security Monitoring: The Company reserves the right, without obligation, to monitor, review, and analyze Platform usage to:

• Detect and prevent unauthorized access, security breaches, and policy violations
• Ensure compliance with this Policy and the Terms of Service
• Investigate complaints or reports of misuse
• Protect the rights, property, and safety of the Company, Institutes, and users
• Comply with applicable laws, regulations, and lawful requests from government authorities

8.3. Automated Security Measures: The Platform employs the following automated security measures:

Measure	Purpose
Rate Limiting	Prevents brute-force attacks and excessive automated requests
CSRF Protection	Prevents cross-site request forgery attacks on all forms
Session Management	Automatic session expiry, secure cookie handling, single-session enforcement
IP-based Blocking	Temporary blocking of IP addresses exhibiting suspicious behavior
Input Validation	Prevention of SQL injection, XSS, and other injection attacks
Login Anomaly Detection	Flagging unusual login patterns (new devices, unusual locations, off-hours access)

8.4. Cooperation with Law Enforcement: The Company shall cooperate with law enforcement agencies, regulatory authorities, and courts of competent jurisdiction in India, and shall provide access to logs, data, and records as required by law, court order, or lawful government request under the IT Act, 2000 and the Code of Criminal Procedure / Bharatiya Nagarik Suraksha Sanhita, 2023.

9 Consequences of Violation

9.1. The Company takes violations of this Policy seriously. Depending on the nature, severity, and frequency of the violation, the Company may take one or more of the following actions:

Level	Action	Applicable For
Level 1: Warning	Written warning issued to the user and the Institute administrator via email. The user is notified of the specific violation and required to take corrective action within a specified timeframe.	First-time minor violations (e.g., account sharing, inappropriate content in notices, minor policy deviations)
Level 2: Temporary Suspension	Temporary suspension of the violating user's account for a period of 7 to 30 days. During suspension, the user shall have no access to the Platform. The Institute administrator shall be notified.	Repeated minor violations, moderate violations (e.g., unauthorized data access attempts, misuse of communication features, uploading misleading records)
Level 3: Permanent Termination	Permanent termination of the violating user's account. If the violation involves the Institute administrator or is systemic, the entire Institute's subscription may be terminated.	Serious violations (e.g., data theft, hacking attempts, cross-tenant access attempts, uploading malware, repeated moderate violations)
Level 4: Legal Action	In addition to account termination, the Company shall initiate appropriate legal proceedings, including filing complaints with cyber crime cells and/or civil suits for damages. The Company shall also report the matter to CERT-In if applicable.	Criminal violations (e.g., hacking, data theft, identity theft, cyber terrorism, distributing malware, distributing obscene content involving minors)

9.2. Immediate Action: The Company reserves the right to take immediate action (including instant suspension or termination) without prior warning in cases where:

• The violation poses an immediate threat to the security or integrity of the Platform
• The violation poses an immediate risk to other users' data or privacy
• The violation constitutes a criminal offence under Indian law
• The Company is required to act by law, regulation, or court order

9.3. No Refund on Termination for Violation: If a subscription is terminated due to violation of this Policy, no refund of any paid subscription fees shall be provided. For refund terms in other circumstances, please refer to our Refund & Cancellation Policy.

9.4. Data Access Post-Termination: In case of termination due to policy violation, the Institute may request data export within 30 (thirty) days of termination, subject to the Company's verification that the exported data does not include data belonging to other users or Institutes. Data shall be retained for 90 (ninety) days post-termination, after which it shall be permanently deleted.

10 Reporting Violations

10.1. If you become aware of any violation of this Acceptable Use Policy, or any suspicious, unauthorized, or illegal activity on the Platform, you are encouraged to report it immediately.

10.1.1. How to Report

Method	Details
Email	Send a report to info@brainbitinfotech.com with subject line "AUP Violation Report"
Phone	Call +91 99343 14471 during business hours (Mon-Sat, 9:00 AM - 6:00 PM IST)
Institute Administrator	Report to your Institute's Principal or designated administrator, who shall escalate to the Company as appropriate
Grievance Officer	For formal complaints, contact our Grievance Officer as designated under the Grievance Redressal Policy

10.1.2. Information to Include in a Report

To help us investigate effectively, please include the following information in your report (to the extent available):

• Your name, Institute name, and contact details
• Description of the violation or suspicious activity
• Date, time, and duration of the observed activity
• Username or identity of the person(s) involved (if known)
• Screenshots or evidence supporting your report (if available)
• Any steps you have already taken in response to the incident

10.2. Confidentiality: All reports shall be treated as confidential. The identity of the reporting person shall not be disclosed to the accused party unless required by law or necessary for the investigation.

10.3. No Retaliation: The Company prohibits any form of retaliation against individuals who report violations in good faith. Any retaliation shall itself constitute a violation of this Policy.

10.4. Investigation Timeline: Upon receipt of a report, the Company shall:

• Acknowledge receipt of the report within 24 hours
• Initiate an investigation within 48 hours
• Provide the reporter with a preliminary update within 7 (seven) days
• Complete the investigation and communicate the outcome within 30 (thirty) days, unless the matter requires involvement of law enforcement

11 Legal Consequences under the IT Act, 2000

11.1. The following table summarizes key provisions of the Information Technology Act, 2000 (as amended) that are relevant to violations of this Policy. Users are advised to be aware of these legal consequences:

Section	Offence	Penalty
Section 43	Unauthorized access, download, introduction of virus, damage to computer system, disruption, denial of access, tampering	Compensation up to Rs. 5 crore per contravention (civil liability, adjudicated by IT Adjudicating Officer)
Section 65	Tampering with computer source documents	Imprisonment up to 3 years and/or fine up to Rs. 2 lakh
Section 66	Computer related offences (hacking with criminal intent - dishonestly or fraudulently committing acts under Section 43)	Imprisonment up to 3 years and/or fine up to Rs. 5 lakh
Section 66B	Dishonestly receiving stolen computer resource or communication device	Imprisonment up to 3 years and/or fine up to Rs. 1 lakh
Section 66C	Identity theft - fraudulent use of electronic signature, password, or unique identification feature	Imprisonment up to 3 years and fine up to Rs. 1 lakh
Section 66D	Cheating by personation using computer resource	Imprisonment up to 3 years and fine up to Rs. 1 lakh
Section 66E	Violation of privacy - capturing, publishing, or transmitting private images without consent	Imprisonment up to 3 years and/or fine up to Rs. 2 lakh
Section 66F	Cyber terrorism	Imprisonment which may extend to imprisonment for life
Section 67	Publishing or transmitting obscene material in electronic form	First conviction: imprisonment up to 3 years + fine up to Rs. 5 lakh. Subsequent: up to 5 years + fine up to Rs. 10 lakh
Section 67A	Publishing or transmitting material containing sexually explicit act in electronic form	First conviction: imprisonment up to 5 years + fine up to Rs. 10 lakh. Subsequent: up to 7 years + fine up to Rs. 10 lakh
Section 67B	Publishing or transmitting material depicting children in sexually explicit act in electronic form	First conviction: imprisonment up to 5 years + fine up to Rs. 10 lakh. Subsequent: up to 7 years + fine up to Rs. 10 lakh
Section 72	Breach of confidentiality and privacy - disclosure of information by person who has secured access to electronic record under lawful powers	Imprisonment up to 2 years and/or fine up to Rs. 1 lakh
Section 72A	Disclosure of information in breach of lawful contract - by intermediary or service provider	Imprisonment up to 3 years and/or fine up to Rs. 5 lakh

11.2. Additional Legal Provisions: In addition to the IT Act, violations may also attract penalties under:

• Digital Personal Data Protection Act, 2023 (DPDP Act): Penalties up to Rs. 250 crore for breaches of data protection obligations, including failure to protect personal data and violations of children's data provisions
• Bharatiya Nyaya Sanhita, 2023 (formerly IPC): Offences including fraud, forgery, criminal breach of trust, defamation, and criminal intimidation
• Copyright Act, 1957: Penalties for copyright infringement including imprisonment up to 3 years and/or fine up to Rs. 2 lakh
• POCSO Act, 2012: Offences involving sexual content related to children, with stringent penalties including imprisonment up to 5 years and fine

12 Contact Information

For any questions, concerns, or clarifications regarding this Acceptable Use Policy, please contact us:

For reporting violations specifically, please email info@brainbitinfotech.com with the subject line "AUP Violation Report".

For reporting security vulnerabilities, please email info@brainbitinfotech.com with the subject line "Security Vulnerability Report".