Movaci
Modern digital workspace with communication tools

Legal

Acceptable Use Policy

This Acceptable Use Policy (“AUP”) governs the use of all services provided by Movaci Co., Ltd. (“Movaci”), including but not limited to managed IT services, cybersecurity services, cloud and hosting services, internet and network services, communication platforms, email services, VPN services, backup services, and any related support, monitoring, advisory, or infrastructure services. This policy exists to protect Movaci infrastructure, customer environments, upstream providers, third parties, and the integrity and availability of connected systems and networks.

Effective Date

Effective Date: May 1, 2026 Last Revised: May 1, 2026

1. Purpose

This Acceptable Use Policy (“AUP”) governs the use of all services provided by Movaci Co., Ltd. (“Movaci”), including but not limited to managed IT services, cybersecurity services, cloud and hosting services, internet and network services, communication platforms, email services, VPN services, backup services, and any related support, monitoring, advisory, or infrastructure services. This policy exists to protect Movaci infrastructure, customer environments, upstream providers, third parties, and the integrity and availability of connected systems and networks.

2. Scope

This AUP applies to all customers, end users, administrators, contractors, vendors, guests, affiliates, and any other person or entity using or accessing Movaci services directly or indirectly through a customer account, network, tenant, hosted environment, or managed platform.

Customers are responsible for ensuring that their users, contractors, and third parties comply with this AUP. A violation by any user associated with a customer account may be treated as a violation by the customer.

3. General Principles

All use of Movaci services must be lawful, authorized, secure, responsible, and consistent with the intended use of the service. Customers and users must not use Movaci services in a way that creates legal exposure, security risk, operational disruption, reputational damage, resource abuse, or harm to Movaci, other customers, upstream providers, or third parties.

4. Compliance with Law and Regulation

Customers must comply with all applicable laws, regulations, and regulatory requirements, including those applicable in Thailand and in any jurisdiction in which the customer operates or stores, transmits, or processes data.

Where applicable, this includes compliance with Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), the Electronic Transactions Act, and the Computer Crime Act, as well as any lawful directives of competent authorities. The PDPC is the primary Thai regulator for personal data protection, and PDPA compliance remains the customer’s responsibility to the extent data processing, lawful basis, notices, retention, and data subject rights fall within the customer’s control. Thailand also maintains laws and decrees focused on electronic transactions and technology crime, which may affect permitted use.

5. Prohibited Activities

The following activities are prohibited, whether attempted or completed:

5.1 Illegal or Unlawful Use

  • Any activity that violates applicable law or regulation.
  • Hosting, storing, transmitting, publishing, or distributing illegal content.
  • Using Movaci services in support of fraud, scams, extortion, theft, harassment, stalking, or unlawful surveillance.
  • Using Movaci services to evade lawful regulatory or law-enforcement processes.

5.2 Unauthorized Access and Intrusion

  • Unauthorized access to any system, application, account, dataset, tenant, endpoint, or network.
  • Attempting to bypass authentication, access controls, security controls, rate limits, or usage restrictions.
  • Brute-force attacks, password spraying, credential stuffing, account takeover attempts, or credential harvesting.
  • Use of stolen, leaked, compromised, or otherwise unauthorized credentials, keys, tokens, certificates, or sessions.
  • Privilege escalation or attempts to gain unauthorized administrative access.
  • Exploitation of vulnerabilities without explicit written authorization.

5.3 Network and Infrastructure Abuse

  • Denial-of-service (DoS), distributed denial-of-service (DDoS), flooding, or resource exhaustion activity.
  • Unauthorized scanning, probing, enumeration, fingerprinting, or mapping of systems, ports, services, tenants, or networks.
  • Operation of open relays, open proxies, anonymization relays, unauthorized VPN gateways, or other services that facilitate abuse.
  • Unauthorized interception, monitoring, redirection, manipulation, spoofing, or tampering with traffic or routing.
  • Use of IP addresses, ASNs, domains, or network resources not assigned or authorized for customer use.

5.4 Malware, Malicious Code, and Abuse Infrastructure

  • Development, distribution, deployment, staging, or hosting of malware, ransomware, spyware, worms, droppers, loaders, exploit kits, or malicious scripts.
  • Operation of botnets, command-and-control infrastructure, phishing kits, credential-harvesting platforms, malware delivery systems, or similar abuse infrastructure.
  • Hosting content designed primarily to exploit, compromise, infect, or mislead users or systems.

5.5 Email, Messaging, and Communication Abuse

  • Sending unsolicited bulk email, spam, mass messaging, or abusive promotional traffic.
  • Spoofing, fraudulent messaging, impersonation, deceptive headers, or misleading sender identity.
  • Phishing, spear phishing, business email compromise, social engineering, or fraudulent communications.
  • Operation of communication services or campaigns in a way that degrades Movaci systems or harms third parties.

5.6 Identity, Token, API, and Automation Abuse

  • Abuse of authentication flows, APIs, tokens, SSO, OAuth, service principals, certificates, or automation mechanisms.
  • Unauthorized or excessive automated activity causing disruption, instability, high load, or unintended service behavior.
  • Use of scripts, bots, or automated tooling to circumvent intended service controls or to access data beyond authorized scope.

5.7 Resource Abuse and Unapproved Workloads

  • Excessive consumption of shared compute, storage, network, memory, or support resources beyond agreed use.
  • Unauthorized cryptocurrency mining, staking infrastructure, or blockchain validation workloads.
  • Use of services for workloads materially different from the purchased or approved scope.
  • Abusive test traffic, synthetic load, or misuse that degrades service for others.

5.8 Content Violations

  • Content that is illegal, harmful, abusive, defamatory, infringing, or otherwise prohibited by law.
  • Content that violates privacy rights, intellectual property rights, or confidentiality obligations.
  • Content intended primarily to deceive users, distribute malicious payloads, or facilitate fraud.

5.9 Security Testing and Offensive Activities

Security testing, penetration testing, vulnerability scanning, and similar activities against Movaci-managed systems, customer systems, or third-party systems are prohibited unless expressly authorized in writing and performed within an approved scope. Any unapproved testing may be treated as a security incident.

6. Customer Security Responsibilities

  • Maintain the confidentiality and security of usernames, passwords, API keys, tokens, certificates, and other credentials.
  • Use strong authentication practices, including MFA where supported or required.
  • Maintain supported software versions, apply patches, and remediate known vulnerabilities in a timely manner.
  • Implement appropriate access control, least privilege, and administrative separation.
  • Maintain secure endpoint and device hygiene for devices used to access Movaci services.
  • Promptly notify Movaci of known or suspected compromise, abuse, or unauthorized access.
  • Ensure data stored, processed, or transmitted through Movaci services is handled lawfully and appropriately.

7. Shared Responsibility Model

Movaci and the customer operate under a shared responsibility model. Unless otherwise expressly agreed in writing:

  • Movaci is generally responsible for security and operation of infrastructure and services under Movaci’s direct control.
  • Customers are generally responsible for their data, applications, user activity, user permissions, tenant configuration, lawful basis for processing, content, retention, and compliance obligations.
  • Movaci is not responsible for customer-side misconfiguration, negligent credential handling, insecure customer workflows, or failures to implement recommended controls.

8. Upstream Provider and Third-Party Compliance

Customers must comply not only with this AUP but also with the acceptable use requirements, service conditions, and abuse rules of any relevant upstream carriers, registrars, cloud platforms, SaaS providers, data center providers, or infrastructure partners used by Movaci to deliver services. Where an upstream provider requires urgent corrective action, Movaci may take such action immediately, including service suspension or restriction, to maintain compliance and service continuity.

9. Privacy, Personal Data, and PDPA

Customers must not use Movaci services in a way that violates privacy rights or personal data protection requirements. Where customers process personal data using Movaci services, customers remain responsible for establishing a lawful basis for processing, providing notices, respecting data subject rights, managing retention, and implementing appropriate internal governance, unless specific responsibilities are allocated differently in a written data processing agreement or service contract.

PDPA compliance in Thailand is overseen by the PDPC, and the customer must ensure its own compliance where the customer acts as controller or determines the purposes and means of processing.

10. Monitoring, Logging, and Investigation

Movaci may monitor service usage, metadata, logs, network activity, authentication events, system events, and other relevant telemetry where necessary to protect service integrity, investigate abuse, respond to incidents, comply with law, or enforce this AUP.

Movaci may retain logs, records, and other evidence for operational, security, incident response, investigative, contractual, or legal purposes. Users should not assume complete privacy in service usage where monitoring is reasonably required for security or operational integrity.

11. Incident Handling and Customer Cooperation

Customers must cooperate promptly and in good faith with abuse investigations, security investigations, regulatory inquiries, and incident response actions. This includes timely response to Movaci requests, preservation of relevant evidence where appropriate, implementation of corrective actions, credential resets, user suspension, or other containment actions as reasonably required.

Failure to cooperate may itself constitute a violation of this AUP and may result in suspension or termination of services.

12. Enforcement Rights

If Movaci reasonably believes that a violation has occurred or that action is required to protect systems, customers, upstream providers, or third parties, Movaci may take one or more of the following actions:

Movaci may act immediately and without prior notice where necessary to prevent harm, mitigate security risk, comply with upstream requirements, or preserve service integrity.

  • Issue a warning or request corrective action.
  • Restrict functionality or access.
  • Suspend affected services, accounts, routes, users, domains, tenants, IP addresses, or workloads.
  • Block traffic, isolate systems, disable credentials, or remove content.
  • Terminate services for material, repeated, or severe violations.
  • Preserve and disclose evidence where required by law or contract.
  • Cooperate with regulators, carriers, law enforcement, or competent authorities.

13. Reporting Abuse

Abuse, security incidents, or suspected violations should be reported to [email protected] or through another official Movaci reporting channel. Movaci will make commercially reasonable efforts to review and respond to abuse reports in a timely manner, but response times are not guaranteed unless separately agreed in writing.

14. No Waiver

15. Relationship to Other Agreements

This AUP supplements, and does not replace, any applicable service agreement, statement of work, managed services agreement, master services agreement, data processing agreement, or other contract between Movaci and the customer. In the event of a conflict, the applicable written contract will control to the extent of the conflict, unless the contract expressly states otherwise.

16. Changes to this Policy

Movaci may update this AUP from time to time. Continued use of services after an updated version becomes effective constitutes acceptance of the updated policy.