Staff Accountability Policy

1.1 Attorney-Client Privilege: All client data, case details, communications, and documents accessed through the platform are protected by attorney-client privilege. Staff must treat all client information as strictly confidential and must not disclose it to any unauthorized person, inside or outside the firm.

1.2 Non-Disclosure: Staff shall not, during or after their engagement with the firm, disclose any confidential information to any third party without explicit written authorization from firm management. This obligation survives termination of employment indefinitely.

1.3 Data Handling: Staff must:

• Never share login credentials with anyone
• Lock workstations when leaving desks
• Report any suspected data breach immediately to the Compliance Officer
• Not remove client data from firm systems without authorization
• Use only approved communication channels for client matters

1.4 POPIA Compliance: All staff must comply with the Protection of Personal Information Act (POPIA) when processing personal data. Staff must complete annual data protection training provided by the firm.

2.1 Legal Ozzie Usage: The AI assistant (Legal Ozzie) is a tool to augment, not replace, professional legal judgment. Staff must:

• Review all AI-generated content before use in client matters
• Not rely solely on AI outputs for legal advice or decisions
• Report any AI errors or inaccuracies to the system administrator
• Not attempt to extract confidential information about other clients via the AI

2.2 Prohibited Uses: Staff must not:

• Use firm systems for personal business or unauthorized purposes
• Install unauthorized software on firm devices
• Access systems or data beyond their authorized role
• Bypass security controls or attempt to circumvent access restrictions
• Use the platform to engage in harassment, discrimination, or illegal activities

2.3 Acceptable Use: Firm-issued technology (computers, phones, network) is to be used primarily for firm business. Limited personal use is permitted provided it does not interfere with work, consume excessive resources, or violate any policies.

3.1 Credential Security: Staff with access to the MavuyaOS admin portal must:

• Use strong passwords (minimum 8 characters, complexity required)
• Never share passwords or accounts with any other person
• Enable multi-factor authentication where available
• Change passwords immediately if a compromise is suspected
• Not store passwords in unsecured locations (post-its, unencrypted files)

3.2 Session Security: Staff must log out of all systems at the end of each work session. Automatic session timeouts will log out inactive sessions after 15 minutes by default.

3.3 Audit Logging: All actions performed in the platform are logged with timestamp, user ID, IP address, and action details. Staff acknowledge that their activities may be monitored for compliance and security purposes.

3.4 Incident Reporting: Any security incidents, suspicious activity, or policy violations must be reported to the Compliance Officer within 1 hour of discovery.

3.5 Account Recovery: Staff can reset their username and password through the admin portal. Clients may only reset their password via email as they authenticate using their email address.

4.1 Ethical Standards: All staff must adhere to the highest ethical standards in accordance with the Legal Practice Act, 2014 (Act 28 of 2014) and the firm's professional obligations.

4.2 Conflicts of Interest: Staff must immediately declare any actual or potential conflicts of interest to firm management. Staff must not use firm data or position for personal benefit.

4.3 Client Communication: All client communications must be professional, accurate, and responsive. Staff must not make promises or representations outside their authority.

4.4 Record Keeping: All client interactions, case updates, and file notes must be accurately recorded in the platform in a timely manner.

5.1 Firm IP: All work product created by staff during their engagement with the firm, including legal documents, templates, strategies, and processes, is the exclusive intellectual property of Mavuya Inc Attorneys.

5.2 NexGen Nova IP: The platform technology, AI integration, security infrastructure, and proprietary code remain the intellectual property of NexGen Nova. Staff must not copy, modify, reverse-engineer, or distribute any part of the platform.

5.3 Pre-Existing IP: Staff retain rights to pre-existing intellectual property not created using firm resources. Staff must disclose any pre-existing IP that may be used in their work.

6.1 Policy Violations: Violation of this Staff Accountability Policy may result in:

• Formal written warning
• Mandatory retraining
• Suspension of system access
• Suspension without pay
• Termination of employment or contract
• Legal action including criminal charges where applicable

6.2 Gross Misconduct: The following constitute gross misconduct and may result in immediate termination:

• Deliberate disclosure of confidential client information
• Unauthorized access to client data or systems
• Theft or misappropriation of firm or client funds
• Fraud, forgery, or falsification of records
• Harassment, discrimination, or workplace violence

6.3 Reporting: Staff may report violations confidentially to the Compliance Officer or via the whistleblower channel: whistleblower@mavuyainc.co.za. No retaliation will be taken against staff making good-faith reports.