Supply Chain and Subcontractor Policy

Scope

This policy applies to every third party engaged by NetSecGroup in the delivery of services, including subcontractors performing billable client work, cloud and software service providers supporting our operations, and professional advisors engaged by the business.

Selection criteria

Third parties are selected against the following criteria, weighted according to the nature of the engagement:

• Current, verifiable professional credentials relevant to the scope (CREST certifications, The Cyber Scheme certifications, Cyber Essentials, OSCP, and equivalent)
• Professional indemnity and public liability insurance at cover levels proportionate to the engagement
• Right to work and residency in the United Kingdom for personnel delivering client work
• Demonstrable compliance with UK Modern Slavery Act, UK GDPR, and relevant sanctions regimes
• Financial standing and business continuity arrangements appropriate to the engagement

Vetting process

Before any third party is engaged in client-facing work, NetSecGroup completes the following vetting steps:

• Identity verification and right to work confirmation
• Professional credential verification with the issuing body where practical (for example, the CREST registry or The Cyber Scheme registry)
• Reference checks covering at least two recent comparable engagements
• Written acceptance of our Supply Chain terms, data processing obligations, and confidentiality requirements
• Sanctions list screening against the UK Sanctions List

Contractual obligations

Every third-party engagement is underpinned by a written agreement that includes, at minimum:

• Non-disclosure covering client information, NetSecGroup information, and any information accessed in the course of the engagement
• Data processing terms where client personal data is accessible, aligned to UK GDPR Article 28
• Flow-down of NetSecGroup's information security, modern slavery, health and safety, and sanctions obligations
• Audit rights reserved to NetSecGroup and, by extension, to affected clients where contractually required
• Incident and breach notification obligations with defined timelines
• Termination rights for material breach of any of the above, without prejudice to damages

Client notification and consent

Where a subcontractor will access client data, systems, or credentials in the course of an engagement, the client is notified in writing before the subcontractor is introduced. Where the client contract requires explicit consent, that consent is obtained before any access is granted.

Ongoing management

Active third-party relationships are reviewed annually, including credential currency, insurance validity, and compliance standing. Changes to any of those underlying checks are captured and, where material, notified to affected clients.

Termination and transition

Termination of a third-party relationship triggers a defined off-boarding process: immediate revocation of access, return or destruction of client and NetSecGroup information, and confirmation in writing. Engagements in flight at termination are transitioned to alternative resources with client awareness.

Review

This policy is reviewed annually and upon any material change to business operations or applicable legislation.