Vendor Code of Conduct
Last updated: May 31, 2026
Document owner: General Counsel and Head of Procurement
Policy steward: Third-Party Risk Management (TPRM) Program
Review cadence: Semiannual and before critical vendor onboarding updates
Effective date: 2026-05-31
Applies to: All suppliers, contractors, service providers, and sub-tier vendors supporting EthicPages
Primary contact: ethicpages+contact@invictosoft.com (subject: Vendor Code of Conduct)
Purpose and applicability
EthicPages depends on a network of vendors to operate responsibly, securely, and sustainably. This Vendor Code of Conduct defines minimum ethical, legal, environmental, labor, and data protection standards that all vendors must meet as a condition of doing business with EthicPages.
This Code applies to direct suppliers and, where relevant, their subcontractors and other sub-tier providers that materially contribute to products or services delivered to EthicPages. Vendors are responsible for implementing equivalent standards in their own supply chains when supporting EthicPages commitments.
This Code should be read together with our Privacy Policy, Security Overview, Data Processing Agreement, Responsible Disclosure Policy, Modern Slavery Statement, and ESG Commitments.
Core vendor obligations
Vendors must comply with all applicable laws and regulations in each jurisdiction where they operate, including labor, anti-corruption, sanctions, environmental, tax, export, privacy, and data protection laws.
| Obligation category | Baseline expectation |
|---|---|
| Legal compliance | Operate in full compliance with applicable law and maintain necessary licenses and authorizations |
| Ethical conduct | Maintain honest, transparent, and accountable business practices |
| Human rights | Respect internationally recognized human rights standards |
| Data security and privacy | Apply appropriate technical and organizational controls for confidentiality, integrity, and availability |
| Supply chain responsibility | Flow down relevant obligations to material subcontractors |
| Incident transparency | Promptly notify EthicPages of events affecting risk posture |
Labor and human rights standards
EthicPages requires vendors to uphold fair labor and human rights protections across their operations and supply chains.
| Labor standard | Requirement |
|---|---|
| No forced labor | Prohibit slavery, servitude, debt bondage, prison labor abuses, and human trafficking |
| No child labor | Comply with legal minimum age requirements and ILO conventions |
| Fair wages and benefits | Pay at least legal minimum wages and statutory benefits |
| Working hours | Comply with maximum working hours and rest requirements under local law |
| Non-discrimination | No unlawful discrimination based on protected characteristics |
| Freedom of association | Respect lawful worker rights to organize and collective bargaining where permitted |
| Harassment-free workplace | Prohibit abuse, threats, intimidation, and retaliation |
Vendors must maintain mechanisms for employees and contractors to raise concerns confidentially and without retaliation.
Health and safety expectations
Vendors must provide safe and healthy working environments, including:
- Hazard identification and risk mitigation controls.
- Emergency preparedness procedures and incident response protocols.
- Occupational health training relevant to role-based risk exposure.
- Access to appropriate protective equipment where needed.
- Documented incident reporting and corrective action processes.
Where operations include physical facilities, vendors should maintain inspection and prevention programs suitable to operational hazards.
Anti-bribery, anti-corruption, and conflicts
EthicPages has zero tolerance for bribery, facilitation payments, kickbacks, embezzlement, and fraudulent business practices.
| Anti-corruption area | Vendor expectation |
|---|---|
| Bribery prohibition | No offering, giving, soliciting, or accepting improper benefits |
| Facilitation payments | Prohibited unless there is an imminent health/safety emergency and legally reportable |
| Gifts and hospitality | Must be infrequent, modest, and never intended to influence decisions |
| Books and records | Maintain complete, accurate records and accounting controls |
| Conflicts of interest | Disclose actual or potential conflicts related to EthicPages engagements |
| Third-party intermediaries | Conduct due diligence and monitor intermediary corruption risks |
Any attempted or suspected bribery linked to EthicPages business must be reported immediately to ethicpages+contact@invictosoft.com.
Trade compliance and sanctions
Vendors must comply with applicable sanctions, export controls, anti-money laundering regulations, and trade restrictions. Vendors may be asked to certify screening controls and provide attestation that they do not knowingly engage prohibited parties in EthicPages-related work.
Environmental responsibility
EthicPages expects vendors to operate with environmental care and to reduce adverse impacts where practical.
| Environmental area | Required baseline |
|---|---|
| Regulatory compliance | Meet all applicable environmental laws and permit requirements |
| Resource efficiency | Seek reductions in energy, water, and material waste intensity |
| Waste management | Handle, store, transport, and dispose of waste responsibly |
| Emissions awareness | Track and reduce material emissions where feasible |
| Continuous improvement | Establish goals and accountability for environmental performance |
Vendors supporting infrastructure-heavy services should provide available sustainability disclosures when requested.
Data protection and information security
When vendors process EthicPages data (including customer data), they must meet strict privacy and security expectations.
| Control domain | Minimum expectation |
|---|---|
| Access control | Role-based least privilege and secure credential management |
| Encryption | Encryption in transit and at rest for sensitive data |
| Incident response | Defined process for detection, triage, containment, and communication |
| Vulnerability management | Timely patching and risk-based remediation practices |
| Data minimization | Process only data needed for defined contractual purpose |
| Retention and deletion | Retain data only as required and securely delete when no longer needed |
| Subprocessor oversight | Written agreements and due diligence for sub-tier processors |
Where required, vendors must execute appropriate contractual terms, including data processing agreements and transfer safeguards.
AI, automation, and model usage expectations
If a vendor uses AI systems to deliver services that touch EthicPages or customer data, the vendor must:
- Disclose relevant AI use cases and processing boundaries.
- Implement safeguards against unauthorized data leakage.
- Avoid training public models on restricted or confidential data unless explicitly authorized.
- Provide transparency on data retention and deletion controls.
- Maintain incident procedures for model misuse or harmful output.
These obligations complement our AI Usage Policy and processor requirements.
Audit rights and assurance
EthicPages reserves risk-based rights to request evidence of vendor compliance with this Code and contractual obligations.
| Assurance method | Examples |
|---|---|
| Questionnaire-based due diligence | Security and compliance assessments during onboarding and renewals |
| Document review | Certifications, policy excerpts, penetration summaries, incident postmortems |
| Attestations | Executive or compliance officer attestations regarding controls |
| Targeted audits | Focused reviews where risk indicators, incidents, or material changes arise |
| Remediation plans | Corrective action deadlines for identified gaps |
Vendors must cooperate in good faith with reasonable audit and remediation requests tied to legitimate risk management needs.
Incident notification requirements
Vendors must promptly notify EthicPages of security, privacy, legal, or ethical incidents that may affect EthicPages, customer data, or service continuity.
| Incident type | Notification expectation |
|---|---|
| Security incident affecting EthicPages data | Without undue delay, ideally within 24 hours of confirmation |
| Suspected unauthorized access | Immediate preliminary alert followed by structured updates |
| Regulatory inquiry or legal order affecting service | Prompt disclosure unless prohibited by law |
| Material subcontractor breach | Prompt notice and risk impact summary |
| Business continuity disruption | Timely update with restoration timeline |
Notifications should be sent to ethicpages+contact@invictosoft.com with subject line indicating severity.
Reporting violations and non-retaliation
EthicPages expects transparent reporting of actual or suspected violations of this Code.
| Reporter | Reporting channel | Protection expectation |
|---|---|---|
| Vendor personnel | Internal vendor channel and/or EthicPages email | No retaliation for good-faith reports |
| Subcontractor personnel | Vendor escalation path and/or EthicPages email | Escalation rights preserved |
| External stakeholders | EthicPages contact channel | Concern logged and reviewed |
EthicPages prohibits retaliation against anyone raising a good-faith concern.
Consequences of non-compliance
Failure to comply with this Code may lead to corrective action requirements, increased oversight, commercial suspension, or termination.
| Non-compliance level | Potential response |
|---|---|
| Minor and remediable | Written corrective action plan with deadline |
| Repeated gaps | Enhanced monitoring, conditional renewal controls |
| Material violation | Commercial suspension, contract breach escalation |
| Severe ethical or legal breach | Immediate termination and potential legal action |
EthicPages applies proportionate responses based on risk severity, customer impact, and remediation intent.
Documentation and records
Vendors must maintain records sufficient to demonstrate adherence to this Code and related legal obligations. EthicPages may request relevant records as part of due diligence or incident response.
Training and awareness
Vendors are expected to provide role-appropriate training on:
- Anti-corruption and ethical conduct.
- Labor and human rights protections.
- Data protection and secure data handling.
- Incident reporting and escalation procedures.
Training should be refreshed periodically and aligned with operational risk.
Continuous improvement and collaboration
EthicPages recognizes that responsible vendor management is a continuous process. We encourage vendors to proactively share control improvements, certifications, and lessons learned from incidents or audits.
We prioritize collaborative remediation over punitive action when issues are disclosed transparently and corrected quickly.
Legal and policy cross-links
This Code aligns with and is supported by:
- Privacy Policy
- Security Overview
- Data Processing Agreement
- Responsible Disclosure Policy
- Modern Slavery Statement
- ESG Commitments
- Terms of Service
Contact
For questions, attestations, incident notifications, or compliance concerns, contact ethicpages+contact@invictosoft.com with an appropriate subject line:
- Vendor Code of Conduct
- Vendor Incident Notification
- Vendor Compliance Attestation
- Vendor Ethics Concern
Revision history commitment
EthicPages may update this Code to reflect legal developments, risk priorities, or operating model changes. Material updates are reflected in the "Last updated" field and may be referenced in procurement and vendor communications.
By continuing to provide services to EthicPages, vendors acknowledge and agree to uphold the standards in this Code, including supply-chain flow-down expectations and timely cooperation on audits, investigations, and corrective actions.