Our policies
-
Policy Statement
It is our policy to conduct all of our business honestly, straightforwardly, and ethically. We take a zero-tolerance approach to bribery and corruption. We are committed to acting with integrity in all our business dealings and relationships, wherever we operate worldwide, and implementing and enforcing effective systems to counter bribery and corruption.
This policy sets out our responsibilities and the responsibilities of those working for us and on our behalf to observe and uphold our position on bribery and corruption.
This policy applies to all individuals working at all levels within Stack For Business (“Stack”) and individuals and organisations working on our behalf, including contractors, consultants, suppliers, distributors, agents, franchisees, and licensees.
Bribery
Bribery is giving someone a financial or other advantage to encourage that person to perform their function improperly.
It is not acceptable for you to:
Offer a payment, gift or hospitality with the expectation that a business advantage will be received in return (or to reward a business advantage already given);
Offer a payment, gift or hospitality to a public employee or official to facilitate or expedite a routine procedure;
Accept a payment, gift or hospitality from a third party that you know or suspect is offered with the expectation that you will give them a business advantage in return; or
Threaten or retaliate against another worker who has refused to commit a bribery offence or has raised concerns about bribery or corruption under this policy.
Gifts and Hospitality
This policy does not prohibit you from giving or receiving normal and appropriate gifts and hospitality within the following limits:
Gifts or hospitality with a value of [£50-100] or less (not cash or cash equivalent) and not intended to influence decision-making; and
Compliant with local law and
Not being offered to public employees, officials, or anyone whose company policies may be violated.
Employees may give or receive gifts or hospitality valued at [£50-100] or more with the co-founder's permission. All such cases must be advised to [the company secretary] for recording on the central register.
Donations
All donations to political parties and charities must be lawful and approved strictly in accordance with the Stack Delegated Authority Model.
Employee responsibilities
Employees must read, understand, and comply with this policy and avoid any activity that might breach it.
Employees are encouraged to raise concerns about any issue or suspicion of malpractice at the earliest possible stage. If Employees are unsure whether a particular act constitutes bribery or corruption, or if they have any other queries, these should be raised with the co-founders.
Employees who breach this policy may face disciplinary action, which could result in dismissal for gross misconduct. We reserve the right to terminate our contractual relationship with other employees or partners who breach this policy.
Review date: 02.01.2024
-
This statement sets out Stack’s actions to understand all potential modern slavery risks related to its business and to put in place steps that are aimed at ensuring that there is no slavery or human trafficking in its own business and its supply chains. This statement relates to actions and activities during the financial year ending December 2023.
Stack is committed to improving its practices to combat and ensure that its supply chains are free from slavery and human trafficking.
Our business
Stack is a provider of marketing services in the B2B sector. We are a stand-alone UK-registered company.
Our supply chains
We are a marketing business that provides services to businesses worldwide. Due to the technical nature of our offering, our workforce is highly skilled, and we have a relatively small supply chain. Stack operates with strategic and critical suppliers. Our supply chain primarily comprises purchasing research services, software licences, communications, and professional services.
We have undertaken a proportionate risk assessment in line with the requirements of the Modern Slavery Act 2015. Due to the nature of our business and the skill levels required from our people and business partners, we believe that our business and supply chains are at a ‘low risk’ of potential for slavery or trafficking.
Our policies on slavery and human trafficking
We are committed to ensuring that there is no modern slavery or human trafficking in our supply chains or any part of our business. Our Anti-Slavery and Human Trafficking Policy reflects our commitment to acting ethically and with integrity in all our business relationships and to implementing and enforcing effective systems and controls to ensure slavery and human trafficking are not taking place anywhere in our supply chains. We undertake training to ensure a high level of understanding of the risks of modern slavery and human trafficking in our supply chains and our business.
Stack encourages all its customers, and other business partners to report concerns about the organisation's direct activities or supply chains. The organisation's whistleblowing procedure is designed to make it easy for everyone to make disclosures without fear of retaliation.
Due diligence processes for slavery and human trafficking
Internally, we have several processes in place to verify our workforce's identity to ensure we know exactly who is working for us. We carry out appropriate checks on all our people, including reference, qualification and licence checks, depending on their role.
As part of our initiative to identify and mitigate risk, our due diligence and reviews include:
mapping the supply chain broadly to assess particular product or geographical risks of modern slavery and human trafficking;
evaluating the modern slavery and human trafficking risks of each new supplier, and protecting whistleblowers.
Our effectiveness in combating slavery and human trafficking
Following a review of the effectiveness of the steps we have taken in 2023 to ensure that there is no slavery or human trafficking in our supply chains, Stack commits to:
Continuously assess and review exposure to slavery and trafficking risks across the Group’s supply chain and take the necessary steps to mitigate any identified risks.
Annually publish progress and developments within the company’s practices in relation to the objectives of the Modern Slavery Act 2015.
This statement is made pursuant to section 54(1) of the Modern Slavery Act 2015 and constitutes our slavery and human trafficking statement for the financial year ending December 2023.
Approved and signed on behalf of the Board of Stack for Business Ltd, Rachael Evans Co-Founder, 01.11.2023.
-
We understand that unexpected events can impact our business. We’ve developed this Business Continuity Plan to ensure we can continue providing our services with minimal disruption, no matter what challenges arise.
Objectives
To maintain our operations and deliver services without interruption in case of unexpected events.
To protect our client relationships and business reputation.
To provide a clear, actionable plan for handling emergencies.
Risk Assessment
Potential Risks
Technical Issues: Problems with our cloud-based tools or internet connectivity.
Health Emergencies: Illness or personal emergencies affecting either co-founder.
Data Loss: Risks related to data breaches or loss.
Impact Analysis
Service Disruption: We assess how each risk might affect our ability to deliver client projects on time.
Client Impact: Consider how disruptions could impact our clients and their expectations.
Continuity Strategies
Technical Issues
Cloud-Based Solutions: We rely on cloud-based tools for all our operations. This means our work is accessible from anywhere, so we can continue working even if technical issues arise at one location.
Backup Systems: Regularly back up all important files and data to ensure we can recover them quickly.
Health Emergencies
Flexible Work Arrangement: Since we operate remotely, either co-founder can cover urgent tasks if the other is unavailable due to health issues.
Emergency Contacts: Keep a list of trusted freelancers or contractors who can assist with urgent tasks on a short-term basis.
Data Loss
Security Measures: Use strong cybersecurity practices and secure, encrypted storage solutions to protect client data.
Incident Response: Have a clear plan for responding to data breaches, including notifying affected clients and taking corrective actions.
Communication Plan
Client Notifications: If any disruption affects our service, we will inform our clients promptly and provide updates on how we address the issue.
Internal Communication: Maintain open communication between co-founders to coordinate responses and manage tasks effectively.
Recovery Plan
Prioritisation: Focus on the most critical tasks and projects first to minimise client impact.
Review and Adjust: After any disruption, review the incident and update our continuity plan to improve our response to future challenges.
Plan Review
Regular Updates: We will review this Business Continuity Plan annually or after any significant event to ensure it remains effective and relevant.
Feedback: Encourage feedback from clients and other stakeholders to continually refine our approach.
Responsibilities
Co-Founders: Both of us are responsible for implementing and maintaining this plan. We will handle emergencies together, ensuring clear roles and responsibilities.
Review date: 02.01.2024
-
We are dedicated to protecting the personal data of our clients and partners. Despite our best efforts to secure data, breaches can occur. This Data Breach Response Plan outlines the steps to respond promptly and effectively to any data breach incidents.
Objectives
To contain and control the data breach
To assess the severity and impact of the breach
To notify affected individuals and relevant authorities as required
To mitigate any harm caused by the breach
To prevent future breaches by addressing the root cause
Incident Identification and Reporting
Detection: Monitor systems continuously for signs of a data breach, such as unusual activity or alerts from security software.
Reporting: Immediately report any suspected data breach to both co-founders.
Containment and Assessment
Immediate Actions:
Isolate the affected systems to prevent further unauthorised access.
Disable compromised accounts or access points.
Secure any physical locations involved.
Assessment:
Determine the type and scope of the breach.
Identify the data that has been accessed, compromised, or lost.
Evaluate the potential impact on affected individuals and our consultancy.
Notification and Communication
Internal Communication:
Both co-founders will be immediately informed and involved in the response process.
External Notification:
Data Subjects: Notify individuals whose personal data has been affected by the breach. Include details about the nature of the breach, the data involved, the potential impact, and steps they can take to protect themselves.
Authorities: If required by law, notify relevant data protection authorities within the stipulated timeframe (e.g., within 72 hours for GDPR).
Mitigation and Recovery
Immediate Measures:
Change all passwords and access credentials that may have been compromised.
Apply patches and updates to affected systems to close security vulnerabilities.
Long-Term Measures:
Review and update security protocols and measures.
Provide additional training to both co-founders on data protection and security.
Conduct a thorough review of the breach incident to identify lessons learned and prevent future occurrences.
Documentation and Reporting
Incident Log: Maintain a detailed log of the breach incident, including:
Date and time of detection
Nature and scope of the breach
Actions taken to contain and mitigate the breach
Communications with affected individuals and authorities
Follow-up actions and improvements made
Post-Incident Report: Prepare a comprehensive report on the breach, its impact, and the steps taken to resolve it. This report should be reviewed continually to improve our data protection measures.
Review and Updates
Regular Review: This Data Breach Response Plan will be reviewed annually or after any significant data breach incident to ensure its effectiveness and relevance.
Updates: Any changes to our business operations, data processing activities, or legal requirements will prompt an immediate review and update of this plan.
Contact Information
For any questions or concerns regarding this Data Breach Response Plan, please contact:
Rachael Evans
Stack for Business
Rachael.evans@stackforbusiness.com
Review date: 31.08.2024
-
Ensuring the privacy and security of personal data is fundamental to the trust our clients place in us. We recognise the importance of safeguarding personal information and adhere to the highest data protection standards. This policy outlines our approach to handling personal data, ensuring transparency and compliance with all relevant data protection laws, including the General Data Protection Regulation (GDPR).
Purpose
This Data Protection Policy outlines how we collect, use, store, and protect personal data. It ensures that we handle data responsibly and transparently, maintaining the trust of our clients and partners.
Scope
This policy applies to all personal data processed by Stack for Business, including data related to clients, prospective clients, partners, and any other individuals whose personal data we handle.
Data Collection and Use
Data Collection: We only collect personal data necessary for the provision of our services. This includes but is not limited to, names, contact information, and any other relevant details provided by our clients.
Purpose of Data Use: Personal data is used solely to deliver our marketing consultancy services, communicate with clients, and improve our service offerings.
Legal Basis for Processing
We process personal data based on the following legal grounds:
Contractual Necessity: To fulfil our contractual obligations with clients.
Legitimate Interests: To pursue our legitimate business interests, such as improving our services, provided these interests do not override the rights and freedoms of data subjects.
Consent: Where required, we obtain explicit consent from data subjects before processing their data.
Data Storage and Security
Data Storage: Personal data is stored securely using cloud-based solutions with strong encryption and access controls. We ensure that only authorised individuals have access to personal data.
Data Security: We implement robust security measures, including password protection, encryption, and regular security updates, to safeguard personal data from unauthorised access, alteration, or destruction.
Data Sharing and Transfers
Third-Party Sharing: We may share personal data with trusted third-party service providers who assist us in delivering our services. All third parties are required to comply with our data protection standards and relevant legal requirements.
International Transfers: If personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards, such as standard contractual clauses or other approved mechanisms, are in place.
Data Retention and Disposal
Data Retention: Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations.
Data Disposal: When personal data is no longer needed, we securely delete or destroy it to prevent unauthorised access or use.
Data Subject Rights
Data subjects have the following rights regarding their personal data:
Access: The right to request access to their personal data and obtain information about how it is processed.
Rectification: The right to request correction of inaccurate or incomplete data.
Erasure: The right to request deletion of their personal data under certain circumstances.
Restriction: The right to request restriction of processing under certain conditions.
Portability: The right to receive their personal data in a structured, commonly used format and transmit it to another controller.
Objection: The right to object to processing their personal data in certain situations.
Data Breach Response
In the event of a data breach, we will:
Identify and Contain: Immediately identify and contain the breach to prevent further unauthorised access.
Assessment and Notification: Assess the severity of the breach and notify affected individuals and relevant authorities if required by law.
Review and Mitigation: Review the breach incident to understand its cause and implement measures to prevent future breaches.
Review and Updates
This Data Protection Policy is reviewed annually to ensure its effectiveness and compliance with legal requirements. Updates are made as necessary to reflect changes in our data processing activities or regulatory changes.
Contact Information
For any questions or concerns regarding this policy or data protection practices, please contact:
Rachael Evans
Stack for Business
Rachael.evans@stackforbusiness.com
Review date: 31.08.2024
-
We recognise the importance of managing personal data responsibly. This Data Retention and Disposal Policy outlines how we handle data retention and disposal to ensure that personal data is kept only for as long as necessary and is securely disposed of when no longer needed.
Purpose
The purpose of this policy is to establish clear guidelines for retaining and disposing of personal data in a way that complies with legal requirements and protects the privacy and security of our clients and partners.
Scope
This policy applies to all personal data processed by Stack for Business, including data related to clients, prospective clients, partners, and any other individuals whose data we handle.
Data Retention
Retention Periods: Personal data will be retained for no longer than necessary to fulfil the purposes for which it was collected. Typical retention periods include:
Client Data: Retained for the duration of the client relationship and for a period of up to 6 years following the end of the relationship to comply with legal and contractual obligations.
Financial Records: Retained for 7 years to comply with tax and accounting regulations.
Marketing Data: Retained for 2 years if there is ongoing consent for marketing communications.
Project Data: Retained for 3 years after the completion of a project, unless otherwise agreed upon with the client.
Contractual Agreements: Retained for the duration of the contract and for up to 6 years after its expiration to handle any potential legal claims.
Review and Update: Regularly review data retention periods to ensure they align with current legal requirements and business needs.
Data Disposal
Methods of Disposal:
Electronic Data: When personal data is no longer needed, it will be securely deleted using industry-standard methods to ensure that it cannot be recovered. This includes wiping hard drives and deleting files from cloud storage systems.
Physical Records: Paper records containing personal data will be shredded or otherwise securely destroyed to prevent unauthorised access.
Disposal Procedures:
Verification: Ensure that all data is completely removed from storage systems and is unrecoverable.
Documentation: Maintain records of data disposal activities, including the type of data disposed of, the method of disposal, and the date of disposal.
Data Subject Requests
Requests for Data Deletion: Respond promptly to requests from data subjects to delete their personal data, unless there is a legal or contractual reason to retain it.
Verification: Verify the identity of the requester to ensure that data is only deleted at the request of the data subject or their authorised representative.
Compliance and Review
Compliance: Adhere to relevant data protection laws and regulations regarding data retention and disposal.
Policy Review: This policy will be reviewed annually and updated as necessary to reflect changes in legal requirements, business practices, or technological advancements.
Responsibilities
Co-Founders: Both co-founders are responsible for ensuring that this policy is implemented and adhered to. Regular training will be provided to ensure understanding and compliance.
Contact Information
For any questions or concerns regarding this Data Retention and Disposal Policy, please contact:
Rachael Evans
Stack for Business
Rachael.evans@stackforbusiness.com
Review date: 31.08.2024
-
We are committed to fostering an inclusive and diverse environment. As a women-led business, we understand the importance of creating a supportive and flexible culture where anyone can thrive. As co-founders and directors who are also mothers, we value the need for balance and inclusivity in all aspects of our work.
Scope
This policy applies to all aspects of our operations, including our interactions with third-party providers, clients, and any future employees or partners.
Our Commitment
We are committed to:
Promoting a culture of respect and inclusion.
Ensuring equal opportunities for all, regardless of race, gender, age, disability, sexual orientation, religion, or any other characteristic.
Addressing and eliminating discrimination and harassment in all forms.
Encouraging diverse perspectives in decision-making processes.
Continuously learning and improving our practices to foster inclusion and diversity.
Supporting flexible working arrangements to accommodate personal and family needs.
Key Principles
Respect and Fairness: We treat everyone respectfully and strive to provide fair treatment in all interactions. We recognise the value of diverse perspectives and work to create an environment where everyone feels empowered to contribute.
Equal Opportunity: We ensure that everyone has access to opportunities for collaboration, growth, and advancement without bias. We evaluate third-party providers based on their qualifications and the quality of their work, ensuring that our selection processes are fair and transparent.
Anti-Discrimination and Anti-Harassment: Discrimination or harassment will not be tolerated. We are committed to providing a safe and supportive environment for everyone. Any concerns or complaints will be taken seriously and addressed promptly.
Flexibility and Support: As working mothers, we understand the importance of flexibility. We are committed to supporting a work-life balance that allows everyone to thrive personally and professionally. We believe a flexible culture fosters creativity, productivity, and well-being.
Implementation
Leadership and Accountability: As co-founders and directors, we are responsible for implementing and overseeing this policy. We will lead by example, demonstrating our commitment to inclusion and diversity in all our actions.
Training and Awareness: We will educate ourselves and our third-party providers about the importance of inclusion and diversity. We will share best practices and resources to help everyone understand and uphold our policy.
Monitoring and Evaluation: We regularly review our practices to ensure they align with our commitment to inclusion and diversity. Feedback from clients, partners, and third-party providers will be used to make continuous improvements.
Reporting and Resolution: Any concerns or incidents related to discrimination or harassment should be reported to either co-founder. We will investigate all reports confidentially and take appropriate action to resolve any issues.
Continuous Improvement: We recognise that fostering an inclusive and diverse environment is ongoing. We are committed to continuously improving our policies and practices, seeking input from diverse sources and staying informed about best practices in inclusion and diversity.
Communication of Policy: This policy will be communicated to all third-party providers, clients, and future employees or partners. It will also be available on our company website and in any relevant documentation.
Review of Policy: This policy will be reviewed annually to ensure it remains relevant and effective. Any necessary updates will be made to reflect our ongoing commitment to inclusion and diversity.
Review date: 02.01.2024
-
Stack takes information security and protecting our clients' data seriously. This Acceptable Use Policy outlines the guidelines for using our technology and data resources to ensure their security and integrity.
Purpose
This policy is designed to ensure that all technology and data resources are used responsibly, securely, and compliantly. It applies to co-founders and any third-party contractors who have access to our systems and data.
Scope
This policy covers the use of all technology resources, including computers, mobile devices, cloud services, and any other systems used to handle personal and sensitive data.
Acceptable Use Guidelines
Data Security
Access Control: Use strong, unique passwords and enable two-factor authentication where possible. Only access data that is necessary for your role.
Confidentiality: Maintain the confidentiality of all data, and do not share or disclose sensitive information to unauthorised individuals.
Encryption: Ensure that any sensitive data transmitted or stored is encrypted using approved methods.
Technology Use
Authorised Use: Only authorised software and systems may be used for business purposes. Avoid installing or using unapproved applications that may pose security risks.
Device Security: Keep all devices secure with up-to-date antivirus software and apply security patches promptly.
Network Access: Use secure connections (such as VPNs) when accessing company resources outside the office or over public networks.
Data Handling
Data Storage: Store data in secure, encrypted locations. Avoid storing sensitive data on personal devices or unprotected areas.
Data Sharing: Share data only with authorised individuals and use secure methods for transmission. Avoid sending sensitive information via unsecured channels like email unless encrypted.
Data Disposal: Properly delete or securely erase data when it is no longer needed.
Compliance and Reporting
Policy Compliance: Adhere to this Acceptable Use Policy and related data protection regulations. Familiarise yourself with relevant guidelines and procedures.
Incident Reporting: Report any security incidents, breaches, or suspicious activities immediately to the other co-founder. Follow established procedures for handling such incidents.
Monitoring and Enforcement
Monitoring: We may monitor technology usage to ensure compliance with this policy and protect against potential security threats.
Consequences: Failure to comply with this policy may result in restricted access to technology resources and could impact business operations.
Review and Updates
Regular Review: This policy will be reviewed periodically and updated as necessary to reflect changes in technology, business practices, or regulatory requirements.
Feedback: We welcome feedback on this policy to ensure it remains effective and relevant.
Responsibilities
Co-Founders: Both co-founders are responsible for ensuring compliance with this policy and maintaining a secure work environment.
Review date: 31.08.2024
-
Effective risk management is essential to our success and the quality of our services. We proactively identify, assess, and mitigate risks to ensure smooth operations and continuous improvement.
Objectives
To identify potential risks that could impact our business.
To assess the likelihood and impact of identified risks.
To implement effective risk mitigation strategies.
To continuously monitor and review risks to ensure timely response and adjustment.
Scope
This risk management strategy applies to all aspects of our consultancy, including client interactions, third-party providers, and any future partnerships. It covers operational, financial, technological, and reputational risks.
Risk Management Process
Risk Identification
Regular Assessments: Conduct regular discussions to identify potential threats to our operations.
Client Feedback: Actively seek feedback from clients to spot emerging risks.
Industry Monitoring: Monitor industry trends and external factors that could pose risks.
Risk Assessment
Likelihood and Impact Analysis: Evaluate how likely each risk is to occur and its potential impact on our consultancy.
Risk Prioritisation: Focus on the most significant risks, prioritising those with the greatest impact.
Risk Mitigation
Preventive Measures: Implement robust cybersecurity practices, regular data backups, and compliance with industry standards to reduce the likelihood of risks.
Contingency Planning: Develop simple, effective plans for high-priority risks, detailing steps to take if a risk materialises.
Google Sprint Methodology: Use iterative testing and feedback loops to identify and address potential issues early, ensuring swift action and resolution.
Business Insurance: Maintain appropriate business insurance to cover key risks such as professional liability and data breaches, providing additional protection.
Risk Monitoring and Review
Continuous Monitoring: Regularly check on identified risks and any changes in their status.
Feedback Loops: Use client feedback and observations to continuously refine our risk management practices.
Annual Review: Conduct an annual review of our risk management strategy, updating it as needed to reflect new risks and changes in our business environment.
Roles and Responsibilities
Co-Founders: Both co-founders oversee the implementation and effectiveness of the risk management strategy.
Third-Party Providers: Ensure that third-party providers know and adhere to our risk management practices.
Communication and Reporting
Risk Discussions: Regularly discuss potential risks and their management between the co-founders.
Client Transparency: Maintain open communication with clients about potential risks and how we manage them.
Review date: 02.01.2024
-
Purpose
This policy establishes a framework for vetting and selecting suppliers to ensure they meet Stack for Business’s quality, security, and ethical conduct standards. This policy outlines the procedures and requirements for supplier evaluation, ongoing monitoring, and compliance with specific standards and codes of conduct.
Scope
This policy applies to all suppliers, vendors, and third-party service providers who engage in business with our organisation. It covers the initial assessment, ongoing monitoring, and contractual obligations of suppliers to maintain compliance with our standards.
Policy Statement
Stack for Business is committed to maintaining high quality, security, and ethical standards in all our business dealings. We will thoroughly vet all suppliers and require them to adhere to specific standards and codes of conduct to ensure alignment with our values and regulatory requirements.
Procedures
Supplier Assessment:
Due Diligence: All potential suppliers must undergo a comprehensive due diligence process. This includes an evaluation of their financial stability, industry reputation, performance history, and adherence to security and compliance standards.
Security and Compliance Evaluation: Suppliers must demonstrate robust security measures, including data encryption, access controls, and regular security audits. Compliance with relevant regulations such as GDPR is mandatory.
Standards and Codes of Conduct:
Security Standards: Suppliers are required to comply with any relevant industry-standard security measures. Evidence of certifications and regular security audits must be provided.
Ethical Conduct: Suppliers must adhere to ethical business practices, including fair labour practices, non-discrimination, and environmental responsibility. Suppliers are expected to operate in accordance with our ethical code of conduct.
Service Level Agreements (SLAs): Suppliers must agree to clear SLAs that outline expected service levels, response times, and penalties for non-compliance. These SLAs ensure reliability and performance.
Ongoing Monitoring and Review:
Regular Audits: We will conduct regular audits and reviews of supplier performance and compliance with our standards. This includes periodic security assessments, performance evaluations, and compliance checks.
Performance Monitoring: Suppliers' performance will be continuously monitored using key performance indicators (KPIs) and feedback mechanisms. This ensures timely identification and resolution of any issues.
Contractual Obligations:
Data Processing Agreements: Suppliers that process personal or otherwise sensitive data on our behalf must enter into a data processing agreement (DPA) setting out their data protection and security responsibilities. These agreements ensure compliance with our data protection policies and with applicable legal requirements such as GDPR.
Confidentiality Clauses: All supplier contracts must include confidentiality clauses to protect our proprietary information and client data. Suppliers are legally obligated to maintain data confidentiality and integrity.
Training and Collaboration:
Supplier Training: We provide training and resources to suppliers to help them understand our standards and expectations. This includes guidance on security best practices and regulatory compliance.
Collaboration and Support: We communicate openly with our suppliers and work collaboratively to address challenges. This partnership approach promotes continuous improvement and alignment with our standards.
Review date: 02.01.2024
-
We understand that collaborating with third-party vendors is essential to delivering high-quality services to our clients. This Third-Party Vendor Management Policy establishes the framework for selecting, managing, and monitoring third-party vendors to ensure they meet our security, privacy, and performance standards.
Purpose
This policy ensures that third-party vendors who have access to our clients' data or our internal systems adhere to our standards and legal requirements. It also aims to protect the integrity and confidentiality of the data we handle and ensure that our business operations remain secure and effective.
Scope
This policy applies to all third-party vendors that provide services to Stack for Business, including but not limited to market research agencies, cloud service providers, IT support, and any other external service providers.
Vendor Selection and Due Diligence
Vendor Selection Criteria: When selecting third-party vendors, we will consider:
Reputation and reliability
Security practices and compliance with data protection laws
Ability to meet our business and technical requirements
Financial stability and viability
Experience and expertise in the relevant field
Due Diligence: Before engaging with a vendor, we will conduct a thorough due diligence process, which includes:
Reviewing vendor security policies and procedures
Assessing the vendor’s compliance with relevant regulations and industry standards
Evaluating the vendor’s performance history and references
Conducting risk assessments to identify potential risks associated with the vendor relationship
Contractual Agreements
Contract Requirements: All engagements with third-party vendors will be formalised through written contracts that include:
Clear definitions of services to be provided
Confidentiality and data protection clauses
Security requirements and responsibilities
Performance metrics and reporting obligations
Terms for breach of contract and termination
Compliance Clauses: Contracts will include clauses requiring vendors to comply with applicable data protection laws, such as GDPR, and to notify us of any data breaches or security incidents immediately.
Vendor Management and Monitoring
Ongoing Monitoring: We will regularly monitor and review vendor performance and compliance, which includes:
Conducting periodic security assessments and audits
Reviewing vendor performance reports and metrics
Monitoring compliance with contractual obligations and security requirements
Communication: We will maintain regular communication with vendors to address any issues or concerns and to stay informed about changes in their services or security practices.
Risk Management
Risk Assessment: We will conduct risk assessments for all vendors to identify and mitigate potential risks associated with their services.
High-risk vendors, especially those with access to sensitive data, will be subject to more stringent controls and frequent assessments.
Incident Response: We will establish and maintain a process for managing vendor-related security incidents, including:
Immediate notification of any data breaches or security incidents by the vendor
Joint investigation and resolution of incidents
Documentation of incidents and lessons learned to prevent future occurrences
Termination of Vendor Relationships
Termination Criteria: We reserve the right to terminate vendor relationships if they fail to meet our standards or contractual obligations or pose an unacceptable risk to our operations or data security.
Data Return and Deletion: Upon terminating a vendor relationship, we will ensure that all data shared with the vendor is returned or securely deleted in accordance with our Data Retention and Disposal Policy, and that the vendor's access to our systems is revoked.
Policy Review and Updates
Regular Review: This Third-Party Vendor Management Policy will be reviewed annually and updated as necessary to reflect changes in legal requirements, industry standards, or our business operations.
Continuous Improvement: We will incorporate feedback from assessments and incidents to continuously improve our vendor management practices.
Contact Information
For any questions or concerns regarding this Third-Party Vendor Management Policy, please contact:
Rachael Evans
Stack for Business
Rachael.evans@stackforbusiness.com
Review date: 31.08.2024