Acceptable Use Policy

1. Introduction

This Acceptable Use Policy ("AUP") establishes the rules and guidelines for using the Namibia Regulatory Sandbox platform ("Lancr"). It is designed to protect our users, maintain platform integrity, and ensure compliance with regulatory requirements.

By accessing or using Lancr, you agree to comply with this AUP in addition to ourTerms of Service andPrivacy Policy.

Violations of this AUP may result in immediate suspension or termination of your access, legal action, and referral to regulatory authorities.

2. Scope of This Policy

This AUP applies to:

• All users of the Lancr platform
• All content, data, and information transmitted through the platform
• All testing activities in the Digital and Regulatory Sandboxes
• All interactions with platform APIs, tools, and services
• All communications with Lancr staff, regulators, and other users

3. Prohibited Activities

The following activities are strictly prohibited when using the Lancr platform:

3.1 Illegal Activities

• Use the platform for any illegal purpose or to facilitate illegal activities
• Money laundering or terrorist financing
• Fraud, embezzlement, or financial crimes
• Violate sanctions, export controls, or trade restrictions
• Infringe intellectual property rights
• Engage in market manipulation or insider trading
• Facilitate pyramid schemes or Ponzi schemes
• Process stolen financial information or credentials

3.2 Security Violations

You must not:

• Attempt to gain unauthorized access to systems, accounts, or data
• Circumvent, disable, or interfere with security features
• Introduce viruses, malware, or any malicious code
• Conduct port scanning, network reconnaissance, or vulnerability probing without authorization
• Launch denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
• Engage in password cracking or credential stuffing
• Exploit security vulnerabilities for unauthorized purposes
• Share, sell, or redistribute access credentials

3.3 Data Misuse

You must not:

• Access, collect, or use data beyond your authorized scope
• Attempt to identify real individuals from synthetic datasets
• Extract, scrape, or systematically download platform data
• Share synthetic datasets with unauthorized third parties
• Use platform data for purposes other than approved testing
• Reverse engineer data generation algorithms
• Combine synthetic data with real data to re-identify individuals
• Sell, license, or commercialize synthetic data

3.4 Platform Abuse

You must not:

• Overload platform infrastructure with excessive requests
• Create multiple accounts to circumvent usage limits
• Use automated scripts or bots without authorization
• Interfere with other users' access or testing activities
• Manipulate, alter, or forge platform logs or reports
• Bypass rate limits, quotas, or access controls
• Resell or sublicense platform access

3.5 Misrepresentation and Fraud

You must not:

• Provide false, misleading, or fraudulent information in applications
• Impersonate another person, entity, or regulator
• Misrepresent your relationship with the sandbox or regulatory authorities
• Falsify testing results or compliance reports
• Make misleading claims about sandbox participation or approval
• Use sandbox credentials or status to deceive consumers

3.6 Consumer Harm

Regulatory Sandbox participants must not:

• Test without adequate consumer safeguards
• Exceed approved consumer limits or testing parameters
• Engage in unfair, deceptive, or abusive practices
• Fail to disclose material risks to consumers
• Operate without appropriate insurance or financial backing
• Continue testing after being instructed to stop
• Withhold or delay refunds as required by the testing agreement

3.7 Regulatory Non-Compliance

You must not:

• Violate financial services laws or regulations
• Test products or services outside your approved scope
• Fail to report material incidents or breaches
• Refuse to cooperate with regulatory oversight
• Obstruct inspections or audits
• Make material changes without regulatory approval
• Continue operations after sandbox exit without proper licensing

3.8 Content Violations

You must not post, transmit, or share content that:

• Is defamatory, abusive, harassing, or threatening
• Contains hate speech or promotes discrimination
• Includes graphic violence or pornography
• Violates third-party privacy or data protection rights
• Contains spam or unsolicited commercial communications
• Infringes copyrights, trademarks, or other intellectual property

4. Security Requirements

All users must implement and maintain appropriate security measures:

4.1 Account Security

• Use strong, unique passwords (minimum 12 characters)
• Enable multi-factor authentication (MFA) where available
• Keep login credentials confidential
• Report suspected account compromise immediately
• Log out when leaving devices unattended
• Regularly review account activity for anomalies

4.2 Data Protection

• Encrypt sensitive data in transit and at rest
• Implement access controls and least-privilege principles
• Maintain audit logs of data access and usage
• Securely delete data when no longer needed
• Follow data protection best practices (GDPR, POPIA)

4.3 Infrastructure Security

Regulatory Sandbox participants must:

• Maintain secure development and testing environments
• Apply security patches and updates promptly
• Conduct regular security assessments
• Implement intrusion detection and monitoring
• Have an incident response plan
• Maintain appropriate cybersecurity insurance

4.4 Vulnerability Disclosure

• Report security vulnerabilities to security@sandbox.lancr.org
• Allow reasonable time for remediation before public disclosure
• Do not exploit vulnerabilities for unauthorized purposes
• Do not publicly disclose vulnerabilities without coordination

5. Data Usage Restrictions

5.1 Synthetic Data

When using synthetic data from the Digital Sandbox:

• Permitted Use: Testing, development, proof-of-concept, algorithm training
• Prohibited Use: Production deployment, real customer decisions, sale to third parties
• Attribution: Acknowledge Lancr as the data source in research publications
• Confidentiality: Do not share datasets outside your organization
• No Re-identification: Do not attempt to identify real individuals

5.2 Real Consumer Data (Regulatory Sandbox Only)

When testing with real consumers:

• Use data only for approved testing purposes
• Comply with all data protection laws (GDPR, POPIA, etc.)
• Obtain proper consent before collecting data
• Implement appropriate security measures
• Delete data according to retention schedules
• Honor consumer rights (access, erasure, portability)
• Report data breaches within 72 hours

5.3 Platform Data

• Platform usage data may be collected for analytics and improvement
• Aggregated, anonymized data may be used for research and policy
• You retain ownership of your submitted business information
• Confidential information will be protected per our Privacy Policy

6. Testing Conduct Standards

6.1 Digital Sandbox

Users of the Digital Sandbox must:

• Use the environment for legitimate testing purposes
• Respect infrastructure limits and fair use guidelines
• Not attempt to access other users' sandboxes or data
• Clean up resources when testing is complete
• Report bugs or technical issues

6.2 Regulatory Sandbox

Approved participants must:

• Test only the innovation described in your application
• Stay within agreed testing parameters:
  • Consumer limits
  • Transaction volumes
  • Geographic scope
  • Testing duration
• Submit progress reports on schedule
• Cooperate with monitoring and oversight
• Notify regulators of material changes or incidents
• Implement consumer protection measures
• Maintain required capital and insurance
• Follow the exit strategy if testing is unsuccessful

6.3 Fair Use

To ensure platform availability for all users:

• Do not monopolize shared resources
• Respect API rate limits
• Optimize code for efficiency
• Schedule resource-intensive tasks during off-peak hours

7. Reporting Violations

We encourage reporting of any violations of this AUP or suspicious activities:

7.1 How to Report

7.2 What to Include

When reporting violations, provide:

• Description of the violation
• Date, time, and location (if applicable)
• Evidence (screenshots, logs, URLs)
• Impact or potential harm
• Your contact information (for follow-up)

7.3 Whistleblower Protection

We protect individuals who report violations in good faith. Retaliation against whistleblowers is prohibited and will result in severe consequences.

8. Consequences of Violations

Violations of this AUP may result in one or more of the following actions:

8.1 Factors Considered

When determining appropriate consequences, we consider:

• Severity and nature of the violation
• Intent (accidental vs. deliberate)
• Actual or potential harm caused
• History of previous violations
• Cooperation with investigation
• Remedial actions taken

8.2 Appeals Process

If you believe a decision was made in error, you may appeal by contacting appeals@sandbox.lancr.org within 30 days. Include:

• Your account details
• Description of the decision
• Reasons for appeal
• Supporting evidence

9. Enforcement

9.1 Monitoring

We monitor platform usage to ensure compliance with this AUP and detect violations. Monitoring may include:

• Automated security scanning
• Log analysis
• User-reported incidents
• Regulatory oversight

9.2 Investigation

When a potential violation is detected, we may:

• Collect evidence and interview involved parties
• Suspend access pending investigation
• Cooperate with law enforcement or regulators
• Preserve relevant data for legal proceedings

9.3 Regulatory Coordination

Violations involving financial regulations, consumer harm, or financial crime will be reported to BON, NAMFISA, or other relevant authorities as required by law.

10. Updates to This Policy

We may update this AUP to reflect changes in our services, legal requirements, or enforcement practices. Updates will be communicated through:

• Email notification
• Platform announcement
• Updated "Last Updated" date

Continued use of the platform after changes take effect constitutes acceptance of the updated AUP.

11. Contact Information

For questions about this Acceptable Use Policy: