Acceptable Use Policy for AEC Firms
Open IT Policy Library for AEC by Sorted Solution | sortedsolution.com
Version 1.0 — March 2026
Free to use, fork, and adapt at github.com/sortedsol/Open-IT-Policy-Library
1. Purpose
This policy defines acceptable and unacceptable use of the firm's technology resources — computers, networks, software, email, cloud services, and data. It exists to protect the firm, its clients, and its employees from security incidents, data loss, and legal liability.
This is not about restricting how you work. It's about making sure the tools the firm provides are used responsibly and securely.
2. Scope
This policy applies to everyone who uses the firm's technology resources — employees, contractors, subconsultants, interns, and temporary staff. It covers:
- Firm-owned desktops, laptops, tablets, and phones
- Personal devices used for firm work (see the BYOD Policy for additional requirements)
- The firm's network, VPN, and Wi-Fi
- Firm-managed email, cloud storage, and collaboration platforms (Microsoft 365, Google Workspace, Dropbox, SharePoint, OneDrive, BIM 360, Autodesk Docs, Bluebeam Studio, BIMcloud)
- Software licensed by the firm (ArchiCAD, Revit, AutoCAD, Bluebeam, Adobe Creative Cloud, SketchUp, Rhino, Grasshopper, Dynamo, Enscape, Lumion, V-Ray, etc.)
- Any third-party service you access using firm credentials
3. Ownership
Everything stored on or transmitted through the firm's technology resources is the firm's property. This includes email, files, messages, browser history, and cloud-stored data. The firm may access, review, or monitor this data at any time without prior notice for security, compliance, or legal purposes.
Don't store personal files on firm devices or in firm cloud accounts. The firm is not responsible for personal data on its systems, and it may be deleted during maintenance, offboarding, or incident response without warning.
4. Acceptable Use
4.1 General Principles
- Use firm technology primarily for firm business. Incidental personal use is fine — checking personal email, browsing during lunch — as long as it doesn't interfere with your work, consume significant resources, or create security risks.
- Keep your workstation locked when you step away (Windows: Win+L, Mac: Ctrl+Cmd+Q).
- Log out of shared workstations and plotting stations when you're done.
- Don't share your credentials with anyone, including IT. IT will never ask for your password.
- Use the firm VPN when working from outside the office, including on project sites and at client offices.
4.2 Email and Communication
- Firm email is for firm business. Don't use it to sign up for personal accounts, newsletters, or services unrelated to work.
- Don't forward firm email to personal email accounts.
- Don't open attachments or click links in unexpected emails — if something looks suspicious, report it to IT. It's always better to ask than to click.
- Don't send confidential project data (drawings, models, specs, client financials) to personal email addresses or unauthorized external recipients.
- Be professional in all firm communications. Email, Teams messages, and Slack messages are business records and may be discoverable in legal proceedings.
4.3 Software and Licensing
- Only use software that IT has approved and licensed for the firm. Don't install software on firm devices without IT approval — this includes browser extensions, plugins, and "free" tools downloaded from the internet.
- Don't use personal licenses for firm work, and don't use firm licenses for personal work.
- AEC software licensing is complex and expensive. Don't share license credentials between employees, run concurrent sessions beyond what the firm's license allows, or install firm software on personal devices unless IT has explicitly approved it.
Firm administrators
List your specific license management rules here. Common items to address: floating vs. named licenses for ArchiCAD/Revit/AutoCAD, Adobe Creative Cloud seat assignments, Bluebeam license sharing policies, and how to request a temporary license for a subconsultant.
4.4 Cloud Storage and File Management
- Store project files in the firm's approved project file system — not on your local desktop, personal cloud storage, or USB drives.
- Follow the firm's folder structure and naming conventions for project files.
- Don't sync entire project folders to personal cloud storage (Google Drive, iCloud, personal OneDrive, personal Dropbox).
- Large BIM models, point clouds, and rendering assets should be stored according to the firm's BIM management plan — don't create duplicate copies outside the approved system.
Firm administrators
Specify your approved file storage and collaboration platforms here (e.g., "All project files must be stored in [BIM 360 / Autodesk Docs / SharePoint / firm file server]. Bluebeam Studio sessions are approved for document review. Personal cloud storage is not approved for project data.")
4.5 Printing and Plotting
- Use firm printers and plotters for firm work only. Don't print large personal jobs on firm equipment.
- Follow the firm's plotting and printing policies for large-format output (D-size and larger).
- Shred or securely dispose of printed documents containing client or project data when they're no longer needed. Don't leave drawings, redlines, or printed specifications in common areas or recycling bins.
5. Unacceptable Use
The following are never acceptable, regardless of the circumstances:
- Accessing, downloading, storing, or distributing illegal content on firm systems
- Using firm resources to harass, threaten, or discriminate against anyone
- Attempting to bypass security controls, firewalls, content filters, or access restrictions
- Connecting unauthorized devices to the firm's network (personal routers, network switches, wireless access points)
- Using firm systems for personal commercial activity, side businesses, or freelance work
- Sharing firm credentials, VPN access, or software licenses with anyone outside the firm (including family members)
- Installing unauthorized remote access tools (TeamViewer, AnyDesk, personal VPN clients) on firm devices
- Disabling, uninstalling, or interfering with endpoint protection software, device management, or security tools
- Connecting to the firm network from a device that doesn't meet the firm's security baseline (current OS, endpoint protection, encrypted storage)
- Using firm email or communication tools to impersonate another employee
- Downloading or distributing pirated software, cracked license files, or unauthorized license key generators — this exposes the firm to significant legal and financial liability
6. Data Handling
6.1 Client and Project Data
Client and project data is the firm's most sensitive asset. This includes drawings, models, specifications, correspondence, budgets, proposals, and any other project-related information.
- Never share client or project data with unauthorized parties.
- Follow the firm's data classification policy (if applicable) for handling different types of project data.
- When sharing project data with external parties (clients, consultants, contractors), use the firm's approved file sharing methods — not personal email or personal cloud storage.
- Don't store client or project data on personal devices, personal cloud storage, or removable media (USB drives, external hard drives) unless specifically authorized by IT and the project lead.
6.2 Removable Media
- USB drives and external hard drives are generally not approved for storing project data. If you need to use removable media (e.g., delivering files to a print shop, transferring large files to a client), get approval from IT first.
- Encrypt any removable media containing project data.
- Never plug in a USB drive you found or received from an unknown source.
6.3 Data Retention and Disposal
- Don't delete project data unless you're following the firm's retention policy. AEC projects often have long retention requirements — some jurisdictions require maintaining project records for the life of the building plus additional years.
- When disposing of old equipment, IT will handle secure data wiping. Don't donate, sell, or throw away firm devices without going through IT.
Firm administrators
Specify your data retention requirements here, especially for project records, stamped/sealed documents, and correspondence. Many states have specific retention requirements for architectural and engineering records.
7. Network and Internet Use
- The firm's network is monitored. IT can see what devices are connected and what traffic is flowing through the network.
- Don't use the firm's network for high-bandwidth personal activities (streaming, large personal downloads, torrenting) that degrade performance for everyone.
- Don't attempt to access the firm's network infrastructure (routers, switches, firewalls, servers) unless you're authorized IT staff.
- When working on project sites, use the firm VPN to access firm resources — don't transfer project data over the site's open network.
8. Physical Security
- Don't leave firm laptops unattended in vehicles, public spaces, or unsecured areas on project sites.
- Lock your workstation when you leave your desk — even for a few minutes.
- Report lost or stolen devices to IT immediately — within 1 hour if possible. The faster IT knows, the faster they can remotely wipe the device and secure firm data.
- Don't let unauthorized individuals tailgate into the office or access server rooms, network closets, or IT storage areas.
9. Incident Reporting
If you notice something wrong — a suspicious email, unexpected software on your machine, a possible security breach, lost or stolen equipment, or anything else that doesn't seem right — report it to IT immediately.
How to report: [INSERT IT CONTACT: email/Slack/phone]
Don't try to investigate or fix security issues on your own. Don't wait until you're "sure" something is wrong. Early reporting prevents small problems from becoming big ones.
Firm administrators
Insert your actual IT contact method and expected response time above.
10. Enforcement
- IT may audit devices, accounts, and network usage at any time to verify compliance with this policy.
- Violations will be handled through the firm's standard disciplinary process.
- Serious violations — especially those that expose client data or create legal liability — may result in immediate termination.
- This policy will be reviewed and updated annually, or sooner if the firm's technology environment changes significantly.
11. Disclaimer
This policy covers the firm's expectations for technology use. It doesn't replace project-specific contract requirements, legal advice, or your professional obligations. If a client contract imposes stricter requirements on data handling or technology use, the stricter requirement applies.
12. Acknowledgment
I have read and understand this Acceptable Use Policy. I understand that violations may result in disciplinary action, up to and including termination, and that I am responsible for using the firm's technology resources appropriately.
Name: _______________________________________________
Signature: _______________________________________________
Date: _______________________________________________
13. Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0 | March 2026 | Initial release |
This policy is part of the Open IT Policy Library for AEC by Sorted Solution. Free to use, fork, and adapt. Attribution appreciated.