Supplier Code of Conduct
1) Overview
This Supplier Code of Conduct (“Code”) sets the minimum standards that Caribou Digital (UK) Limited and its subsidiaries and affiliates (together, “Caribou”) require from suppliers, vendors, consultants, grantees, delivery partners, agents and subcontractors (collectively, “Suppliers”). It applies globally. Where laws differ, the higher/stricter standard applies.
Compliance with this Code is a material condition of doing business with Caribou. Caribou may incorporate this Code (by URL or attachment) into contracts and purchase orders and require flow-down to all subcontractors engaged on Caribou work.
2) Ethics & compliance
- Anti-bribery & corruption: No bribes, facilitation payments, kickbacks, or improper advantages. Prohibit bribery of public officials; keep accurate books and records.
- Conflicts of interest: Disclose actual, potential, or perceived COIs before engagement and as they arise; cooperate with mitigations.
- Financial crime & sanctions: Comply with applicable anti-money laundering, counter-terrorist financing, and sanctions/export-control laws; do not deal with sanctioned parties.
- Competition & fair dealing: No collusion, bid-rigging, market allocation, or misuse of confidential information.
3) Labour & human rights
- No forced, bonded, or child labour; verify worker age and right to work.
- Fair wages, hours, and benefits meeting or exceeding legal minimums.
- Non-discrimination, dignity, and respect; zero tolerance for harassment.
- Respect freedom of association and lawful collective bargaining.
- Provide a safe and healthy workplace; manage risks and incidents.
4) Safeguarding (people we work with)
Where work involves research participants, children, or vulnerable adults, Suppliers must:
- Apply safeguarding practices (risk assessment, appropriate vetting where lawful, supervision).
- Obtain informed consent and protect participants from harm.
- Report concerns immediately to Caribou and relevant authorities where required.
5) Data protection & privacy
If a Supplier processes personal data for Caribou, it must:
- Process lawfully, fairly, and for limited purposes agreed with Caribou.
- Implement appropriate security measures (confidentiality, integrity, resilience).
- Notify Caribou without undue delay (and within 72 hours where feasible) of any suspected or actual personal-data breach affecting Caribou data.
- Comply with international transfer rules where applicable. Any additional data-protection terms will be set out in the contract.
6) Information security
Where Suppliers access Caribou systems or data, they must at minimum:
- Enforce multi-factor authentication (MFA), strong authentication, and least-privilege access.
- Encrypt data in transit and at rest where feasible.
- Patch and manage vulnerabilities; use reputable anti-malware / Endpoint Detection & Response (EDR).
- Segregate client data; prohibit shared credentials.
- Report security incidents promptly and cooperate with investigation and remediation.
7) Environmental responsibility
Operate in a manner that minimises environmental impact (efficient travel, energy, and waste practices) and comply with applicable Environment, Health & Safety (EHS) laws. Support Caribou’s sustainability goals where relevant to the engagement.
8) Business continuity
If you provide a critical service to Caribou or host data/systems, maintain a documented Business Continuity / Disaster Recovery plan, test it periodically, meet agreed Recovery Time Objective (RTO) / Recovery Point Objective (RPO), and notify Caribou of incidents that could affect service delivery.
9) Records & reporting
Maintain accurate, complete, and timely records that fairly reflect transactions; no off-book accounts. Provide information reasonably needed for due diligence, audits, or regulatory inquiries.
10) Speak Up (reporting concerns)
Anyone may report concerns confidentially (and, where lawful, anonymously) via Caribou’s EthicsPoint portal: cariboudigital.ethicspoint.com. No retaliation is permitted against good-faith reporters. Suppliers must allow their personnel to use this channel and must not retaliate.
11) Subcontracting & flow-down
Do not subcontract material obligations without Caribou’s consent. You remain responsible for your subcontractors and must flow down this Code and applicable contractual obligations.
12) Monitoring, audits & consequences
Caribou may request evidence of compliance, conduct audits on reasonable notice, or require corrective actions. Serious or repeated breaches may lead to suspension, termination for cause, removal from approved-supplier lists, and/or reporting to authorities.
Related Policies
This policy should be read in conjunction with other Caribou policies, namely: