Supplier Assessment Service Policy

1. Scope of the Service

The Supplier Assessment Service (the “Service”) is a structured professional due diligence and risk evaluation service provided to the Client in respect of one or more third-party suppliers.

The Service may include, depending on the selected service level:

• supplier outreach and questionnaire distribution;
• reminder communications;
• analysis of supplier-provided information;
• open-source intelligence (OSINT) and desk-based research;
• review of publicly available policies, certifications, reports and disclosures;
• independent public corroboration;
• use of approved commercial third-party intelligence sources;
• analytical evaluation and reporting.

The Service constitutes an expert assessment process and does not guarantee supplier participation, completeness of available information, or any particular assessment outcome.

2. Service Levels

The Service is provided at different levels (e.g. L1, L2, L3, L4 or custom), each defining scope, depth, and deliverables.

Higher levels include the elements of lower levels with increased depth, validation and analytical coverage.

Specific scope, timelines and deliverables are defined in the applicable order, proposal, or agreement.

3. Commencement of the Service

The Service shall commence when:

• the Client has placed an order or otherwise engaged the Provider;
• any required payment or billing arrangement is in place;
• the Client has provided the minimum required information for execution, including supplier identification and scope.

The Provider shall not be responsible for delays resulting from missing or incomplete Client inputs.

4. Timelines

Unless otherwise agreed in writing, indicative turnaround times are as follows:

• L1: up to 5 business days;
• L2: up to 10 business days;
• L3: up to 15 business days;
• custom levels: as agreed.

Timelines are measured in business days and are subject to pause where progress depends on Client input, approvals, or other factors outside the Provider’s control.

5. Supplier Outreach

Where applicable, the Provider will perform a structured supplier outreach process, including initial contact and follow-up reminders.

The Provider shall use commercially reasonable efforts to engage the supplier but does not guarantee supplier response or cooperation.

6. Evidence Sources

The Provider may rely on a combination of the following sources:

• supplier-provided information;
• publicly available information, including policies, certifications, reports and disclosures;
• independent public corroboration, including registries and public records;
• commercial third-party intelligence sources, where included in the Service or approved by the Client.

The Provider may determine, in its professional judgment, the appropriate mix of evidence sources for each assessment.

7. Use of Public Information and OSINT

The Service includes the use of open-source intelligence and publicly available information as part of the assessment methodology.

Publicly available information may, where appropriate, constitute a sufficient basis for assessment conclusions, subject to limitations regarding completeness, currency, and verifiability.

8. Use of Commercial Third-Party Intelligence

The Provider may use commercial third-party intelligence sources where:

• such sources are included in the selected service level; or
• the Client has approved their use.

Unless expressly included in the agreed scope, the cost of such sources shall be borne by the Client.

9. Supplier Non-Response

In the event that a supplier does not respond within the applicable timeframe, the Provider may complete the assessment using other available evidence sources, including OSINT, publicly available information, public records, and approved third-party intelligence.

The Provider may issue one of the following outcomes:

• supplier-verified assessment;
• desk-based assessment;
• limited-confidence assessment;
• inconclusive assessment.

Supplier non-response shall not, by itself, be deemed a failure of the Service.

10. Deliverables and Completion

The Service shall be deemed completed when the Provider has:

• performed the agreed service steps; and
• delivered the applicable assessment package for the selected service level.

Completion does not require that the supplier has responded or that all assessment criteria have been fully verified.

11. Revisions

The Service may include a limited number of revision cycles, as specified in the applicable service level.

Revisions are limited to:

• correction of factual inaccuracies;
• clarification of conclusions;
• limited incorporation of additional information within the original scope.

Any request that materially expands the scope of work shall be treated as a change request.

12. Expedited Delivery

Expedited or accelerated delivery may be offered at the Provider’s discretion and subject to additional fees.

Expedited delivery accelerates the Provider’s internal handling but does not guarantee supplier responsiveness or availability of external data sources.

13. Recurring Assessments

Where the Client requests reassessment of the same supplier on a recurring basis, the Provider may offer:

• full reassessment;
• delta reassessment focusing on changes since the prior assessment; or
• limited refresh assessments.

The applicable scope, fees, and timelines shall be agreed separately.

14. Additional and Non-Standard Services

Services falling outside the standard Supplier Assessment scope, including but not limited to:

• advisory consulting;
• participation in meetings or audits;
• representation of the Client;
• bespoke deliverables;
• extended workshops or briefings;

shall be treated as separate professional services and may be subject to additional fees and terms.

15. White-Label Delivery

White-label or client-branded deliverables may be offered where agreed.

White-labeling affects presentation only and does not alter the Provider’s methodology, limitations, or liability framework.

16. Fees and Refunds

Fees are payable for the performance of the agreed Service and delivery of the agreed outputs.

No refund shall be due solely on the basis that:

• a supplier fails to respond;
• a supplier provides incomplete information;
• available evidence supports only a qualified or limited-confidence assessment.

Refunds or service credits may be considered where the Provider fails to perform the agreed scope of work.

17. Limitations

The Provider does not warrant:

• the accuracy or completeness of supplier-provided information;
• the availability of public or third-party information;
• that all risks or deficiencies will be identified;
• that the Service constitutes a legal opinion, audit, or certification.

18. Reliance and Use

Unless otherwise agreed in writing, the assessment is provided for the Client’s use only.

The Provider does not accept responsibility to third parties unless expressly agreed.

19. Change Requests

Any Client request that materially modifies the agreed scope, timeline, methodology, or deliverables may be treated as a change request and may require revised fees and terms.

20. Governing Principle

The Provider’s obligation is to perform the agreed assessment methodology with commercially reasonable care and to deliver the agreed outputs.

The Provider is not responsible for securing supplier cooperation, and the absence of supplier response does not invalidate completion of the Service.