Last modified: Version 3.0 December 2025

oboloo Limited is actively preparing for ISO/IEC 27001 certification and has established this Supplier Security / Third-Party Risk Management Policy in alignment with the supplier-relationship controls of ISO/IEC 27001 (Annex A.15 in the 2013 edition, carried forward as controls A.5.19 to A.5.22 in ISO/IEC 27001:2022). This policy outlines how oboloo evaluates, monitors, and manages third-party suppliers to reduce information security risk and to verify supplier compliance throughout the engagement lifecycle.

This policy sets out the minimum information security requirements for third-party suppliers and partners who access, store, or process oboloo Limited’s data or systems. It ensures that supplier risks are identified, assessed, mitigated, and monitored effectively, as part of the Company’s broader Information Security Management System (ISMS).

- Supplier / Third Party – Any external entity that provides software, services, or infrastructure to oboloo Limited, or has access to Company systems or data.
- Critical Supplier – A supplier whose failure or compromise would materially impact business continuity, security, or customer obligations.
- Risk Assessment – A process used to evaluate threats and vulnerabilities related to supplier access, systems, and data.
- ISO/IEC 27001 – An international standard for information security management systems (ISMS).
- API Access – Programmatic access to Company systems or data through application programming interfaces, authenticated by API keys, tokens, or other service credentials.

Company Name: oboloo Limited
Company Number: 12420854
Trading Address: 7 Bell Yard, London, England, WC2A 2JR
Contact: oboloo.com/contact-us

By engaging with oboloo Limited, suppliers acknowledge and agree to comply with this policy and all referenced security requirements. This includes cooperation during audits, completing risk assessments, and adhering to security controls as required.

This policy is reviewed annually and updated as necessary following vendor-related incidents, contract breaches, audit findings, or changes in applicable legal or regulatory requirements. The legal department is responsible for maintaining and interpreting this policy.

This policy is to be read alongside the following Company documents:
- Information Security Policy
- Access Control Policy
- Incident Response Plan
- Risk Assessment Methodology
- Data Protection Policy

The purpose of this policy is to ensure that all third-party suppliers accessing oboloo Limited systems, services, or data are properly assessed and managed throughout the relationship lifecycle, in line with the Company's risk tolerance and ISO/IEC 27001 expectations.

This policy applies to all third parties that:
- Access, store, or process oboloo Limited’s business or customer data;
- Provide core infrastructure, SaaS applications, or other technology services;
- Integrate directly into Company systems via APIs or credentials.
Suppliers must also ensure that any subcontractors or sub-processors they use in delivering services to oboloo Limited are held to equivalent standards.

The following security controls apply to all relevant suppliers:
- Pre-engagement risk assessment for all suppliers;
- Evidence of ISO/IEC 27001 certification or a current SOC 2 attestation report for high-risk vendors (or documented progress towards one);
- Mandatory contract clauses including breach reporting, confidentiality, audit rights;
- Security questionnaires and insurance checks as required;
- Access restrictions: all supplier access is limited to what the engagement requires, logged, monitored, and revoked at contract termination.

Ongoing monitoring and review requirements:
- Annual review of contracts for critical suppliers;
- Reassessment on contract renewal or material scope changes;
- Incidents involving suppliers are logged and escalated under the Incident Response Plan.

Suppliers must not engage in any form of bribery, facilitation payments, or conflict of interest involving oboloo Limited, its employees, or partners. This includes improper influence, undisclosed relationships, or inaccurate financial records. Any offer of gifts or hospitality, or any request for them, must be reported.

Violations of this policy may result in termination of access or contract. Suppliers can report concerns confidentially via: oboloo.com/contact-us
This policy supports ISO/IEC 27001:2022, UK GDPR, and oboloo Limited’s internal governance framework by ensuring external parties are held to a defined security standard and monitored regularly.

- Supplier Onboarding (A.15.1.1; ISO/IEC 27001:2022 A.5.19) - Information security policy for supplier relationships
- Contractual Controls (A.15.1.2; ISO/IEC 27001:2022 A.5.20) - Addressing security within supplier agreements
- Monitoring and Review (A.15.2.1; ISO/IEC 27001:2022 A.5.22) - Monitoring and review of supplier services

Annual Review: This policy is reviewed annually or following vendor-related security events.
Responsibility: The Legal and Information Security teams oversee reviews and updates.

Version: 1.2
Date: April 2025
Description: Added ongoing monitoring requirements and aligned language with ISO Annex A.15
Previous Versions:
- Version 1.1 (November 2024): Initial release for supplier onboarding programme