This Acceptable Use Policy (“AUP”) sets out how the OneForce Care web platform and Worker App (the “Service”, operated by Wondertree Studios Pty Ltd, ACN 699 886 498, ABN 82 699 886 498, of Level 10, 387 George Street, Sydney NSW 2000, Australia, “Wondertree”, “we”, “us”, “our”) may and may not be used. It forms part of our Terms of Service and uses the defined terms set out there, including “Customer” (“you”, “your”), “Authorised User” and “Customer Data”. We may update this AUP as the Service evolves, in line with Section 18 of the Terms.
The goal is simple: keep the Service safe, lawful and reliable for everyone, especially the participants and workers whose information it holds.
1. Lawful use
You and your Authorised Users must not use the Service to:
- (a) breach any law, regulation, industry code, or third party’s rights, including intellectual property, privacy, or confidentiality rights;
- (b) collect, store, or share information you have no right to collect, hold, or disclose, including where you lack the consent or lawful basis required under the Privacy Act 1988 (Cth);
- (c) harass, threaten, defame, discriminate against, or otherwise harm any person, including a participant or worker whose record is held in the Service;
- (d) impersonate any person or organisation, or misrepresent your affiliation with one; or
- (e) engage in any activity that would expose Wondertree, other customers, or their participants or workers to legal liability.
2. Use of real participant and worker data
The Service is built to hold real, sensitive information about people receiving and delivering disability support. Because of that:
- (a) you must only enter real participant or worker personal information into the Service where you have the lawful basis and consent needed to do so, and only for the purpose of managing that person’s care, employment, or engagement through your organisation;
- (b) you must not enter a real person’s identifying details (name, date of birth, NDIS number, health information, or similar) purely for testing, demonstration, or training purposes; use fictitious or clearly marked test records for that instead;
- (c) you must not repurpose participant or worker information collected through the Service for a use that person has not consented to, such as marketing unrelated to their support, or sharing it with a third party outside the scope of their care or employment; and
- (d) you must keep participant and worker information in the Service accurate and current, and correct or remove it promptly once you become aware it is wrong.
3. Unauthorised access, scraping and security testing
You must not, and must not attempt to:
- (a) access, or attempt to access, any account, record, or area of the Service you are not authorised to access, including another provider’s workspace or another Authorised User’s account;
- (b) probe, scan, penetration-test, or otherwise test the security of the Service, its infrastructure, or its integrations, without our prior written permission (see our Security page for how to report a vulnerability responsibly instead);
- (c) circumvent or attempt to circumvent authentication, multi-factor authentication, rate limits, permission checks, or any other access control in the Service;
- (d) introduce malware, ransomware, or other harmful code, or otherwise interfere with, degrade, or disrupt the integrity, security, or performance of the Service or the systems of any other customer;
- (e) scrape, crawl, or bulk-extract data from the Service other than through export or reporting features we provide for that purpose; or
- (f) reverse engineer, decompile, or disassemble any part of the Service except to the extent an applicable law gives you the right to do so despite this restriction.
4. Respecting participant and worker privacy
Because the Service holds sensitive care and employment information, each of your Authorised Users must:
- (a) only access participant and worker records they are authorised to access for their role, and not browse records out of curiosity or for a purpose unrelated to their work;
- (b) keep their login credentials and multi-factor authentication method confidential, and never share an account between two individuals;
- (c) take reasonable care when exporting, downloading, printing, or sharing information from the Service, including participant notes, incident reports, and documents, so it is not disclosed to anyone who should not see it; and
- (d) report a suspected privacy or security incident involving the Service promptly, to you as their employer or engager, and, where it may involve the platform itself, to us at hello@oneforce.com.au.
5. Fair use of email, notification and signing features
The Service sends transactional email and in-app notifications on your behalf for specific purposes, including account and worker invitations, password and security change notices, shift assignment and change alerts, task notifications, and requests to electronically sign documents. You must not use these features to:
- (a) send content unrelated to the purpose the feature is provided for, including marketing, promotional, or unsolicited commercial content;
- (b) send messages to a person who has not consented to being contacted by you through the Service, or who is not a genuine participant, worker, or Authorised User of your organisation; or
- (c) send an unreasonable volume of invitations, reminders, or signing requests, whether to genuine recipients or otherwise.
We may throttle, delay, or block outgoing email or notifications where we reasonably believe this clause is being breached, without that affecting your other obligations under these Terms.
6. API access and automation
The Service does not currently offer a general-purpose public API for external integration. Where the Service provides programmatic or automated access for a specific purpose, for example our Xero and electronic signature integrations, you may only use that access for its intended purpose, in line with any documentation or configuration screens we provide, and must not exceed reasonable request volumes.
You must not write, run, or permit any script, bot, browser automation tool, or other automated process against the Service outside features we explicitly provide for that purpose (such as CSV import or export). We apply automated rate limits and throttling to protect the Service, for example on account creation, invitation, and sign-in attempts, and you must not attempt to bypass, exhaust, or abuse them.
7. Fair use of infrastructure
You must not use the Service in a way that places an unreasonable load on our infrastructure relative to your genuine business use, resells or sublicenses access to the Service without our written authorisation, or provides access to the Service, in whole or in part, to any person who is not an Authorised User engaged by your organisation.
8. Reporting misuse
If you become aware of a breach of this AUP, whether by one of your own Authorised Users or by anyone else, please tell us at hello@oneforce.com.au. If you discover a security vulnerability rather than misuse, please report it in line with the responsible disclosure process on our Security page.
9. Consequences of breach
Where we reasonably believe this AUP has been breached, we may, as described in Section 15 (Suspension and termination) of the Terms:
- (a) investigate the use in question, including reviewing relevant audit logs;
- (b) warn you and require the offending conduct to stop;
- (c) restrict, suspend, or terminate access for the Authorised User or account involved;
- (d) remove or disable access to offending content; and
- (e) where required by law, or where we reasonably believe there is a serious risk to a person’s safety or to personal information, notify the relevant authorities, which may include the NDIS Quality and Safeguards Commission, the Office of the Australian Information Commissioner, or police.
Where a breach threatens the security of the Service, the integrity of another customer’s data, or the safety of personal information, we may act immediately and without prior notice.
10. Contact
Questions about acceptable use, or a report of misuse? Email hello@oneforce.com.au.