Supplier Relationships and Procurement
- Article
- Fri Nov 10 2023
- 5 minutes to read
- 1 contributor
Hornbill chooses its suppliers carefully to ensure that our service delivery is not impacted or jeopardized and that they, at the very least, care about data security in the same way Hornbill does. Below are details of how we choose and monitor suppliers.
A risk assessment is carried out to identify the specific controls that must be implemented before access is granted to third parties or customers.
Identification of the risk related to external-party access takes account of the following: the level of physical access, the level of logical access, the external parties' legal and regulatory requirements, and any other contractual obligations relevant to the external parties. To protect the confidentiality of the information accessed by third parties or customers, Non-Disclosure Agreements (NDAs) are signed.
Access to information and information processing facilities by third parties or customers is not provided unless an NDA is in force.
It is ensured that the external party is aware of these obligations and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing information and information processing facilities.
Hornbill Technologies agrees with the external party on the controls that the external party is required to implement and documents them in the contract or agreement, which is a legally binding document that the third party signs. The obligations of the external party include ensuring that all of its personnel are aware of their obligations where necessary.
The agreements between the organization and external parties (whether suppliers or customers) are intended to be legally binding and must specifically include (or provide documented reasons for excluding any of) the items on the checklist below, the requirement for which may have been identified through the risk assessment:
- the Information Security Policy
- the controls identified as required through the risk assessment process, which may include procedures and technical controls
- a clear definition and/or description of the product or service to be provided, and a description of the information (including its classification) to be made available
- requirements for user and administrator education, training, and awareness
- provisions for personnel transfer
- a description of responsibilities regarding software and hardware installation, maintenance, and decommissioning
- a clearly defined reporting process, reporting structure, reporting formats, escalation procedures, and the requirement for the external party to adequately resource the compliance, monitoring, and reporting activities
- a specified change management process
- controls against malware
- the access control policy
- information security incident management
- the target level for service and security, unacceptable service and security levels, the definition of verifiable performance and security criteria, and monitoring and reporting
- the right to monitor and audit performance (including the third party's processes for change management, vulnerability identification, and information security incident management), to revoke activities, and to use external auditors
- continuity requirements
- liabilities on both sides, legal responsibilities, and how legal responsibilities (including data protection and privacy) are to be met
- the protection of IPR and copyright
- controls over any allowed sub-contractors
- conditions for termination/re-negotiation of agreements, including contingency plans
We are also committed to ensuring that there is no modern slavery or human trafficking in our supply chains or in any part of our business. We have zero tolerance for slavery and human trafficking. To ensure that all those in our supply chain and our contractors comply with our values, we have a supply chain compliance program in place.
All suppliers, when reviewed (either annually, on a new contract, or at the prospective stage), are engaged to ensure that they achieve the same ethical standards as ourselves. To ensure a high level of understanding of the risks of modern slavery and human trafficking in our supply chains and our business, we provide training on our Supplier Management Policy to all staff covered by the policy.
Monitoring of Service Delivery
Supplier Monitoring
All incidents relating to a given supplier are logged in Hornbill Service Manager. Each report is reviewed post-incident to ensure that actions are taken to prevent a recurrence, that any affected controls are reviewed, and that, where necessary, documentation and policies are updated. The incident review also ensures that no contractual SLA/OLA was broken (note that this is separate from, and in addition to, the ongoing standard supplier review process detailed below), that our SLA/uptime commitment to the customer was not jeopardized, and that any legal obligations for data protection have been met. Any incident in which SLA/OLA/uptime was jeopardized results in a review of the supplier where appropriate. All incidents are reviewed during the annual management meeting to ensure that management is aware of the incident and to establish whether they wish to proceed with the given supplier.
The external party agreement includes reporting structures, defines acceptable levels of performance, and provides monitoring, inspection, and audit rights. The relationship owner monitors performance against the service and security criteria contained in the agreement, ensures that reports required under the agreement are delivered as required and reviews them, and conducts regular progress meetings as required.
The relationship owner ensures that information security incidents experienced by the third party are reviewed jointly and that relevant information security incidents experienced internally are communicated to the third party so that appropriate steps can be taken. The relationship owner identifies any problems of any sort (including operational problems, failures, faults and fault tracing, and disruptions) on either side of the relationship and ensures that they are resolved, using the agreed escalation procedure where necessary.
Modern Slavery
Hornbill has a zero-tolerance approach to modern slavery, and we are committed to conducting business ethically and with integrity, and to implementing and enforcing effective systems and controls to ensure modern slavery is not taking place anywhere in our own business or in any of our supply chains. The Board of Directors and all employees are reminded annually of their obligations regarding this policy, and training is provided as required.
To ensure compliance with our values from those in our supply chain and contractors, we have implemented a supply chain compliance program. All suppliers are reviewed annually, upon contract renewal, or at the prospective stage, and are engaged to ensure they meet the same ethical standards as us.