
Supplier and Third-Party Management Policy

Effective Date: 1 April 2024. Last Updated: 19 May 2026. Owner: Tudor Brad, Managing Director

1. Scope

This policy applies to every person acting on behalf of Better Quality Assurance S.R.L. ("BetterQA," "the company"), in every country we operate in, who engages, manages, or terminates a supplier or third party. It covers any external organisation or individual we pay to provide goods, services, software, infrastructure, or labour that supports BetterQA's operations or our delivery to clients.

The policy is aligned to ISO/IEC 27001:2022 (Information Security Management - Annex A.5.19 to A.5.22 on supplier relationships), ISO 9001:2015 (clause 8.4 on control of externally provided processes), the EU GDPR (Article 28 on processors), and the operational resilience expectations in DORA where they apply to our regulated financial services clients.

2. Our Position

BetterQA depends on a small but important set of third parties: cloud infrastructure (the platforms our internal tools run on), SaaS productivity tools, AI providers, payment and banking, accounting and legal advisers, sub-contracted engineers, and office services. A failure or breach at any of them can become a failure or breach at BetterQA. We manage that risk through proportionate due diligence at onboarding, ongoing oversight, and clear exit plans.

Tiering principle. Not every supplier needs the same scrutiny. We tier suppliers as Critical, Important, or Standard based on the impact a failure or breach would have on BetterQA and our clients. Critical and Important suppliers are formally reviewed annually; Standard suppliers on a sample basis.

3. Specific Obligations

Onboarding due diligence. Before signing a contract with a new supplier, the responsible BetterQA owner must record:

  • Legal name, registration number, registered address, and country
  • What the supplier does for BetterQA and what data, if any, they will process
  • Tier (Critical / Important / Standard), based on impact of failure and sensitivity of data shared
  • Sanctions and adverse-media screening result
  • For suppliers processing personal data: confirmation of GDPR Article 28 processor obligations and a signed Data Processing Agreement
  • For suppliers handling client data or hosting BetterQA tools: evidence of an information security baseline. ISO/IEC 27001 certification is the preferred evidence; SOC 2 Type II is accepted where ISO 27001 is not available; for smaller suppliers, a completed BetterQA security questionnaire is acceptable for Standard tier
  • For suppliers in higher-risk jurisdictions or sectors: enhanced due diligence per the AML Policy and the Anti-Bribery and Corruption Policy
  • For suppliers providing labour (sub-contracted engineers, agency staff): confirmation of the Modern Slavery Statement requirements

Contracting. Supplier contracts must include, proportionate to tier:

  • Confidentiality and IP terms
  • Information security obligations aligned to ISO/IEC 27001 controls relevant to the engagement (access control, encryption, logging, incident notification)
  • Breach notification obligations: 72 hours for personal data breaches under GDPR, and contractually equivalent timing for security incidents affecting BetterQA or its clients
  • Sub-processor disclosure and prior-approval rights where personal data is processed
  • Audit rights, proportionate to tier (Critical = full audit right; Important = right to receive ISO 27001/SOC 2 reports on request; Standard = right to security questionnaire response)
  • Termination rights and a documented exit plan (see below)

Ongoing oversight.

  • Critical and Important suppliers are formally reviewed at least annually by the responsible BetterQA owner with the Managing Director. The review covers performance, security posture (renewed certifications), changes to the supplier's ownership or jurisdiction, any incidents during the year, and contract anniversary actions
  • Standard suppliers are reviewed on a sample basis at the annual policy review, and any time a triggering event occurs (incident, ownership change, sanctions hit, price change above 20%)
  • Sanctions and PEP screening is repeated annually for all Critical and Important suppliers

Exit plans. For every Critical supplier, BetterQA maintains an exit plan documenting: an alternative supplier or in-house equivalent, the estimated migration window, the data that would need to be exported, and the contract clauses we would rely on. Exit plans are reviewed annually alongside the supplier review. The plan exists so that we are never operationally hostage to a single supplier, and so that we can demonstrate operational resilience to regulated clients under DORA-equivalent expectations.

Termination. When a supplier relationship ends, the responsible owner verifies that the supplier has returned or destroyed BetterQA and client data per the contract, that access has been revoked for all BetterQA accounts, and that any joint records (test environments, tenant configurations) have been decommissioned. A short closure note is filed against the supplier record.

4. Reporting Channel

If you become aware that a BetterQA supplier has had a security incident, a sanctions hit, a regulatory action, or any other event that may affect BetterQA or its clients, report it.

  • Email: [email protected] (anonymous reporting permitted)
  • For confirmed personal data breaches at a processor, GDPR Article 33 notification timelines apply (72 hours to the supervisory authority, controllers notified without undue delay)
  • For security incidents at Critical suppliers, the Managing Director must be informed immediately by phone, not only by email
  • See the separate Whistleblowing Policy for full procedure and protections

5. Consequences

Breach of this policy by a BetterQA employee or contractor is treated as misconduct. Consequences may include:

  • Disciplinary action up to and including termination of employment or contract
  • For supplier breaches: contract suspension, termination for cause, recovery of losses, and reporting to relevant authorities where personal data, sanctions, or financial crime exposure is involved
  • Disclosure to clients whose engagements were touched by the affected supplier, per the relevant Data Processing Agreement or MSA
  • Loss of ISO 27001 / ISO 9001 certification status if supplier control failures are systemic

6. Review Cadence

This policy is reviewed at least annually by the Managing Director, alongside the annual supplier review cycle, or sooner if there is a material change in BetterQA's supplier portfolio, a major incident at a supplier, or a relevant change in applicable law or standard (ISO 27001 revision, DORA implementation milestones, EU AI Act supplier obligations).

7. Owner

Policy Owner
Tudor Brad
Managing Director (Administrator), Better Quality Assurance S.R.L.
