Overview:
We use a limited number of third-party suppliers and specialist contractors to support the delivery and operation of our FastDraft, Academy, and ReachBack platforms, and to provide services to our customers.
All Suppliers and Individual Contractors are subject to formal onboarding, risk assessment, contractual, and security controls aligned with ISO/IEC 27001, Cyber Essentials Plus, and UK Government security expectations.
Our approach is designed to ensure that risks arising from external parties are identified, assessed, and managed appropriately, and that confidentiality, integrity, and availability of information and services are maintained.
Individual Contactors:
We engage a small number of individual contractors in specialist roles:
- Batuhan Balaban — Senior Software Engineer
- Emir Undeger — Senior Software Engineer
- Mike Ward — Senior Software Engineer
- Steve Webley — Head of Product
All Individual Contractors are subject to the same vetting, onboarding, and control processes as permanent employees, including:
- Baseline Personnel Security Standard (BPSS) checks
- Identity and right-to-work verification
- Confidentiality and data protection agreements
- Mandatory information security and data protection training
- Role-based access control and least-privilege permissions
- Use of company-managed devices and accounts where applicable
- Multi-factor authentication for administrative or privileged access
- Formal offboarding to ensure access is promptly revoked
Access to production environments and customer data is restricted, logged, monitored, and reviewed regularly. Contractors are only granted access necessary for their role and for the minimum required duration.
These controls align with ISO/IEC 27001 Annex A requirements for human resource security, access control, and supplier relationships, and with Cyber Essentials Plus technical control expectations.
Third-Party Suppliers:
We use the following third-party suppliers. Each supplier is subject to due diligence prior to onboarding and periodic review thereafter. This includes assessment of their security posture, certifications, contractual assurances, and where relevant, their data processing arrangements.
- Infrastructure and Hosting
- Microsoft Azure
- Used as our primary cloud infrastructure provider hosting core application services, data, and supporting systems.
- Provides extensive built-in security, monitoring, resilience, and compliance capabilities
- Holds multiple internationally recognised certifications including ISO/IEC 27001 and UK government-aligned standards
- Supports encryption in transit and at rest, identity and access management, logging, and auditability
- Microsoft Azure
- Platform and SaaS Providers
- Bridge (Learning Management System)
- Hosted platform used for our Academy / Learning Management System.
- Auth0
- Identity and access management platform for authentication (SSO / MFA)
- Discourse
- Hosted platform used for our Reachback / Community Q&A system.
- HubSpot
- Used for customer relationship management (CRM), customer communications, and engagement tracking.
- Zendesk
- Used for customer support ticketing, incident management, and service tracking.
- Mailgun
- Used for transactional and service email delivery (notifications, alerts, account communications).
- ReformIT
- Professional services and delivery partner providing implementation and advisory support.
- Bridge (Learning Management System)
For each SaaS or service provider, we:
- Assess publicly available security and compliance information (e.g. ISO 27001, SOC 2, CE+, or equivalent)
- Review contractual terms, including confidentiality and data protection obligations
- Ensure Data Processing Agreements (DPAs) are in place where personal data is processed
- Confirm appropriate technical and organisational security measures are implemented
- Periodically review supplier risk, criticality, and continued suitability
Where a supplier does not hold formal certification, we assess their controls against equivalent standards and risk profile before approval.
Supplier and Contractor Governance:
Our supplier and contractor management processes are aligned with ISO/IEC 27001 Annex A controls for supplier relationships and information security governance, including:
- Formal supplier onboarding and risk assessment
- Classification of suppliers based on criticality and data sensitivity
- Contractual security, confidentiality, and data protection requirements
- Periodic review of supplier security posture and performance
- Incident management, escalation, and breach notification processes
- Business continuity and exit planning for critical suppliers
- Formal termination and offboarding procedures
Access by suppliers and contractors to our systems and data is controlled, monitored, logged, and reviewed, and is removed promptly when no longer required.
Summary:
Through a combination of careful supplier selection, formal vetting, contractual controls, technical safeguards, and ongoing governance, we ensure that risks associated with third-party suppliers and contractors are managed in line with ISO/IEC 27001, Cyber Essentials Plus, and UK Government expectations.
This approach enables us to maintain strong security, resilience, and compliance across our supply chain while continuing to benefit from specialist platforms and expertise.
Supplier Register:
Spreadsheet linked below for download.
Comments
0 comments
Please sign in to leave a comment.