
Acceptable Use Policy for SaaS: Template and Guide

An acceptable use policy defines which SaaS tools employees can use and how. Get a practical template and guide for SaaS-first organizations.

Coax Team · January 23, 2026 · 10 min read

The Policy Most Companies Are Missing

Every company has rules about how employees should use company resources. Most have an acceptable use policy (AUP) somewhere in the employee handbook. The problem: those policies were written for a world of company-owned computers, corporate email, and on-premises software.

In a SaaS-first organization, the most significant "company resource" is data — and that data lives in 200+ cloud applications, many adopted by employees without IT involvement. The traditional AUP that says "don't install unauthorized software on company devices" is irrelevant when employees access unauthorized tools through a browser with no installation required.

A modern acceptable use policy needs to address SaaS specifically: which applications employees can use, what data they can put into cloud tools, how they should manage their accounts, and what happens when they need a tool that isn't on the approved list.

Why SaaS Needs Its Own AUP

The Old Policy Doesn't Fit

Traditional AUPs focus on:

  • Don't install unauthorized software on company hardware
  • Don't use company email for personal purposes
  • Don't access inappropriate websites
  • Don't share your password

These rules don't address:

  • Signing up for a SaaS tool with your corporate email
  • Pasting customer data into an AI assistant
  • Granting a third-party app OAuth access to your Google Workspace
  • Using a personal Dropbox to store work files
  • Sharing company documents via a link "anyone with the link" can access

The Enforcement Gap

Traditional AUPs relied on technical controls: endpoint management, network filters, software inventories. In a SaaS world, employees can adopt tools entirely through a browser — from any device, any network, any location. Technical enforcement alone can't prevent shadow IT. Policy must set clear expectations, backed by monitoring and proportionate consequences.

Building a SaaS Acceptable Use Policy

Section 1: Purpose and Scope

Define what the policy covers and why it exists:

This policy defines acceptable use of SaaS applications and cloud services accessed for business purposes. It applies to all employees, contractors, and temporary workers who use SaaS applications to access, process, or store company data.

The purpose of this policy is to protect company data, ensure regulatory compliance, and maintain a secure, efficient technology environment while supporting employee productivity.

Key principle: Frame the AUP as protective, not punitive. Employees should understand that the policy exists to protect the organization and their own data — not to restrict their ability to work effectively.

Section 2: Approved and Unapproved Applications

Approved applications: Applications that have been vetted by IT and security, meet company security standards, and are available for employee use.

Employees should use applications from the approved software catalog for all business activities. The catalog is available at [internal link] and is organized by function (project management, communication, file storage, etc.).

If you need a tool that isn't in the catalog, submit a request through [request process]. Requests are reviewed within [SLA — e.g., 48 hours for low-risk, 1 week for standard].

Unapproved applications: Applications that have not been vetted.

Do not sign up for SaaS applications using your corporate email without checking the approved catalog first. If you have already signed up for an unapproved application, notify IT so it can be assessed.

Using unapproved applications that process personal data, customer data, or confidential business information is prohibited until the application has been reviewed and approved.

Section 3: Data Handling in SaaS Applications

This is the most critical section — it addresses what data employees can put into cloud tools:

Restricted data (customer financial data, health records, authentication credentials, trade secrets):

  • May only be stored in Tier 1 approved applications (the catalog's highest-assurance tier, with full security controls)
  • Must never be entered into unapproved applications, AI tools, or personal accounts
  • Must not be shared externally without explicit authorization

Confidential data (customer PII, employee data, financial reports, contracts):

  • May only be stored in approved applications with appropriate data classification controls
  • Requires a Data Processing Agreement with the vendor
  • External sharing requires manager approval

Internal data (project documentation, meeting notes, general correspondence):

  • Should be stored in approved applications
  • May be shared internally without restriction
  • External sharing requires appropriate access controls (no "anyone with the link")

Section 4: AI Tool Usage

AI tools deserve specific policy guidance given their rapid adoption and unique data risks:

Approved AI tools: [List your sanctioned AI tools and their approved use cases]

Rules for AI tool usage:

  • Do not paste customer data, personal data, source code, financial data, or confidential documents into AI tools unless the tool has been approved for that data type
  • Do not use AI-generated content without review for accuracy and appropriateness
  • Do not use AI tools to process data that would violate our data classification policy
  • Report any AI tools you're using to IT so they can be assessed

For detailed guidance, see our Shadow AI policy.

Section 5: Account and Access Management

Account creation:

  • Use your corporate email for all business SaaS accounts
  • Never use personal email for business applications
  • Use SSO (single sign-on) wherever available, so authentication and MFA are enforced centrally by the identity provider
  • For applications that don't support SSO, enable the application's own MFA

Password management:

  • Use the company password manager for all SaaS credentials
  • Never reuse passwords across applications
  • Never share credentials with colleagues (request separate accounts instead)

OAuth and integrations:

  • Do not authorize third-party applications to access corporate Google Workspace or Microsoft 365 without IT approval
  • Review and revoke OAuth permissions for applications you no longer use (through your Google or Microsoft account security settings); a grant outlives the project it was created for
  • Report any suspicious OAuth authorization requests to IT security

Section 6: File Sharing and Collaboration

  • Use approved file storage applications for all work documents
  • Do not use personal cloud storage (personal Google Drive, Dropbox, iCloud) for company files
  • Set sharing permissions to "specific people" by default, not "anyone with the link"
  • Revoke sharing access when collaboration is complete
  • Do not email sensitive documents as attachments when a secure sharing link from an approved platform is available: a link can be revoked and its access audited, an attachment cannot

Section 7: Departures and Transitions

  • When leaving the organization or transferring to a new role, cooperate with IT to identify all SaaS applications you use
  • Do not download, export, or transfer company data to personal accounts or devices
  • All SaaS accounts created for business purposes remain company property

For IT teams: follow the SaaS offboarding checklist to ensure complete access revocation.

Section 8: Reporting and Non-Compliance

Reporting:

  • If you discover a security issue with a SaaS application, report it to IT security immediately
  • If you're unsure whether an application is approved, check the catalog or ask IT
  • If you've been using an unapproved application, proactively notify IT — this is not a disciplinary matter when reported voluntarily

Non-compliance:

  • Violations of this policy will be addressed proportionally based on the risk and intent
  • Accidental use of an unapproved low-risk tool is handled through education
  • Deliberate use of unapproved tools for processing sensitive data after being informed of the policy may result in disciplinary action

Implementing the Policy

Step 1: Audit Current State

Before publishing the policy, understand reality:

  • Discover all SaaS applications currently in use
  • Identify which are sanctioned vs. shadow IT
  • Assess which shadow IT applications should be sanctioned (added to the catalog) vs. eliminated
  • Understand why employees adopted unauthorized tools — the policy should address the root cause, not just the symptom

Step 2: Build the Software Catalog

The AUP is only effective if employees have a clear alternative to shadow IT:

  • Create an approved software catalog organized by function
  • Include clear instructions for accessing each approved tool
  • Document the request process for new tools
  • Make the catalog easily searchable and accessible

Step 3: Communicate and Train

  • Announce the policy through multiple channels (email, all-hands, team leads)
  • Include AUP training in employee onboarding
  • Provide practical examples relevant to each department
  • Emphasize the "why" — protecting the company and its data
  • Position IT as a partner, not a blocker

Step 4: Monitor and Enforce

  • Implement continuous SaaS discovery (identity-provider sign-in logs, OAuth consent records, expense data) to detect policy violations
  • Address violations through education first, escalation second
  • Track shadow IT adoption rates as a measure of policy effectiveness
  • Review and update the policy annually
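The audit in Step 1 and the monitoring in Step 4 come down to the same job: take whatever your identity provider exports about sign-ups and OAuth consents, match it against the approved catalog, and rank what falls outside. The script below is an added example, not code from the article or from Coax. The event records are constructed to resemble Google Workspace OAuth token-authorization audit entries; the field names ("type", "app", "scopes") and the catalog contents are assumptions, while the scope URIs are real Google scopes. Unapproved apps holding a broad scope (full Drive or Gmail access) land at the top, approved apps with broad scopes are flagged for a scope review, and unapproved low-privilege apps become catalog requests rather than incidents, which matches the proportionate response Section 8 calls for.

```python
"""Triage OAuth grants against an approved SaaS catalog.

Added example, not code from the article. The event records below are
constructed to resemble Google Workspace OAuth token-authorization audit
entries; the field names ("type", "app", "scopes") are assumptions, so
map them to whatever your identity provider actually exports.
"""
import json
from dataclasses import dataclass

# Hypothetical approved catalog (keys are lower-cased app names).
APPROVED_CATALOG = {
    "notion": {"tier": 2, "owner": "it"},
    "slack": {"tier": 1, "owner": "it"},
    "figma": {"tier": 3, "owner": "design"},
}

# Real Google OAuth scope URIs that grant broad access to all mail, all
# Drive files, or the user directory. Narrow scopes such as drive.file
# (only files the app created or was handed) are deliberately not listed.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_EVENTS = """
{"ts": "2026-01-20T09:14:02Z", "type": "oauth_authorize", "user": "ana@example.com", "app": "Notion", "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]}
{"ts": "2026-01-20T10:02:11Z", "type": "oauth_authorize", "user": "ben@example.com", "app": "PDF Magic Converter", "scopes": ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/userinfo.email"]}
{"ts": "2026-01-21T08:30:45Z", "type": "oauth_authorize", "user": "cai@example.com", "app": "Figma", "scopes": ["openid", "https://www.googleapis.com/auth/drive.file"]}
{"ts": "2026-01-21T13:05:00Z", "type": "oauth_authorize", "user": "ana@example.com", "app": "Mail Merge Pro", "scopes": ["https://mail.google.com/"]}
{"ts": "2026-01-21T15:12:09Z", "type": "login", "user": "dee@example.com", "app": "Slack"}
{"ts": "2026-01-22T09:41:33Z", "type": "oauth_authorize", "user": "eve@example.com", "app": "Slack", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}
{"ts": "2026-01-22T11:20:50Z", "type": "oauth_authorize", "user": "dee@example.com", "app": "Lunch Poll", "scopes": ["openid"]}
{"ts": "2026-01-22T16:44:19Z", "type": "oauth_authorize", "user": "ben@example.com", "app": "pdf magic converter", "scopes": ["https://www.googleapis.com/auth/drive"]}
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class Finding:
    app: str
    users: set
    grants: int
    approved: bool
    risky_scopes: set
    severity: str


def severity_for(approved: bool, risky_scopes: set) -> str:
    """Unapproved app plus a broad scope is the case the AUP forbids outright."""
    if risky_scopes and not approved:
        return "high"
    if risky_scopes:
        return "medium"   # approved app, broad access: confirm IT reviewed the scope
    if not approved:
        return "low"      # unapproved but low-privilege: catalog request, education
    return "info"


def triage(raw_events: str, catalog=APPROVED_CATALOG) -> list:
    """Aggregate consent events per app (case-insensitive) and rank them for review."""
    per_app = {}
    for line in raw_events.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("type") != "oauth_authorize":   # logins etc. are not consents
            continue
        agg = per_app.setdefault(ev["app"].strip().lower(),
                                 {"users": set(), "scopes": set(), "grants": 0})
        agg["users"].add(ev["user"])
        agg["scopes"].update(ev.get("scopes", []))
        agg["grants"] += 1

    findings = []
    for app, agg in per_app.items():
        approved = app in catalog
        risky = agg["scopes"] & HIGH_RISK_SCOPES
        findings.append(Finding(app, agg["users"], agg["grants"], approved,
                                risky, severity_for(approved, risky)))
    # Highest severity first, then the apps touching the most users.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], -len(f.users), f.app))
    return findings


def summarize(findings: list) -> dict:
    """Counts that feed the shadow IT discovery metric in the article's table."""
    return {
        "apps": len(findings),
        "unapproved": sum(1 for f in findings if not f.approved),
        "high": sum(1 for f in findings if f.severity == "high"),
    }


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.severity:<6} {f.app:<22} approved={f.approved!s:<5} users={len(f.users)} "
              f"grants={f.grants} risky_scopes={sorted(f.risky_scopes)}")
    print(summarize(results))
```

Run it on a real export by replacing SAMPLE_EVENTS with the exported lines and APPROVED_CATALOG with the catalog from Step 2. Tracking the "unapproved" count per week gives the declining-trend signal the metrics table asks for; the "high" bucket is the list to act on first, because those grants already expose mail or Drive contents regardless of what the policy says.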

Step 5: Iterate

A policy that's too restrictive drives shadow IT underground. A policy that's too permissive provides no protection. Monitor adoption and feedback:

  • If shadow IT rates remain high, the policy or the approved catalog may not meet employee needs
  • If employees frequently request the same type of tool, consider adding one to the catalog
  • If a specific department consistently bypasses the policy, investigate their workflow needs

AUP Metrics

Metric                    | Target                 | What It Tells You
Shadow IT discovery rate  | Declining trend        | Policy awareness is working
Software catalog usage    | Increasing             | Employees are checking before adopting
Tool request volume       | Steady or increasing   | Employees are using the approved process
Time to fulfill requests  | < 48 hours (low-risk)  | Process isn't driving shadow IT
Policy acknowledgment rate| 100% annually          | All employees have read the policy

The Bottom Line

An acceptable use policy for SaaS isn't about control — it's about clarity. Employees want to do the right thing, but they need to know what "the right thing" is in a world of 200+ cloud applications and frictionless signups.

A good AUP gives employees three things: a clear catalog of approved tools, a fast process for requesting new ones, and straightforward rules about what data goes where. Combined with continuous monitoring that catches gaps early, it creates a governance framework that protects the organization without blocking productivity.

Write the policy. Build the catalog. Train the team. Monitor the results. And keep iterating — because the SaaS landscape changes faster than any policy document.

