Supplier Information & Compliance Due Diligence Questionnaire

This questionnaire is to be completed by any third parties who provide services to Sign Solutions that involve the processing or storage of personal data and other sensitive information. Please complete, sign, date and return the completed questionnaire to one of the following addresses:
Email: [email protected] and [email protected]

Contact Information
Name:
Organisation:
Address:
Email:
Contact Number:
VAT number:
Company Registration Number:
Relevant industry or professional accreditations:

Purchase Information
What is our customer account number?
Sales Contact name:
Email:
Contact Number:
What is your company's website address?
Please provide details of products/services provided:

Insurance Information
Employer Liability Cover?
Public Liability Cover?
Product Liability Cover?
Insurance expiry dates:
Do you hold cyber security insurance? Yes/No – if yes, please provide further details

Payment Information
Bank Account Details:
  Name:
  Address:
  Account Number:
  Sort Code:
Payment reference details:
Payment terms & payment options:

1. Information Security
1.1 Are you certificated to ISO 27001:2013? (If yes, please provide a copy of the certificate) Yes/No
1.2 Do you have an information security policy? Yes/No
1.3 If yes, does your information security policy comply with ISO/IEC 27001? Yes/No
1.4 Do you have arrangements for ensuring physical security of your premises and restricting access to records and equipment? Yes/No
1.5 Do you have security arrangements for handling, transport and storage of records, removable media and equipment (e.g. USB/external hard drives, laptops, mobile phones)? Yes/No
1.6 Do you use login credentials and password controls to restrict access to your computers, laptops, mobile devices, corporate networks, systems and databases? Yes/No
1.7 Do you have controls against malicious software, including firewalls and anti-virus protection? Yes/No
1.8 Do you implement a clear desk and screen policy? Yes/No
1.9 Do you have any policy/process for secure disposal of equipment, media and electronic data? Yes/No
1.10 Do you have procedures for secure disposal of paper records? Yes/No
1.11 Do you have back-up and disaster recovery systems and/or policies? Yes/No
1.12 Do you have measures to preserve security if an event occurs that could compromise business continuity? Yes/No
1.13 Do you monitor access to and use of your systems and maintain audit trail logs for inspection? Yes/No
1.14 Do you audit compliance against your information security policies and standards? Yes/No

2. Data Protection
2.1 Do you have policy and procedures for complying with the General Data Protection Regulation? Yes/No
2.2 Do you have procedures for dealing with Data Subject rights under GDPR, including the right of access, right to be forgotten, right to object and the right to rectification? Yes/No
2.3 Do you have a breach / incident management policy and established processes for managing and reporting data breaches / incidents? Yes/No
2.4 Do you have a data retention policy to manage retention and disposal of personal data? Yes/No
2.5 Do you have any retention policy to manage retention and disposal of personal data? Yes/No
2.6 Do you have any equipment capable of storing personal data that is held offsite? Yes/No
2.7 Do you transfer data outside of the European Economic Area? Yes/No
2.8 Do you audit compliance against your data protection policies and standards? Yes/No

3. Your Employees (if applicable)
3.1 Have you carried out verification checks on all current employees? Yes/No
3.2 Do you carry out verification checks on all potential employees? Yes/No
3.3 Do you have a personnel screening and vetting policy? Yes/No
3.4 Do you train staff on the care and handling of personal data and information security? Yes/No
3.5 Do your employment contracts include confidentiality clauses? Yes/No
3.6 Do your employment contracts include an obligation to comply with your information security and data protection policies? Yes/No

4. Quality Assurance Details
4.1 Name & position of person responsible for Quality:
4.2 Are you certificated to BS EN ISO 9001:2015? (If yes, please provide a copy of the certificate) Yes/No
4.3 Please list any other approvals held:

5. Health & Safety Details
5.1 Name & position of person responsible for Health & Safety:
5.2 Has your organisation or any of its Directors or Executive Officers been in receipt of enforcement/remedial orders in relation to the Health and Safety Executive (or equivalent body) in the last 3 years? Yes/No – if yes, please provide further details
5.3 Please supply a copy of your Company Health & Safety Policy.

6. Crime Prevention (please tick to confirm)
6.1 You will not engage in any activity, practice or conduct that would constitute an offence under the Modern Slavery Act 2015.
6.2 You will produce and publish a modern slavery statement if your organisation is required to do so by the Modern Slavery Act.
6.3 You will implement a due diligence process, appropriate to your business, to ensure there is no slavery and human trafficking in your supply chain (including in relation to personnel obtained via recruitment agencies).
6.4 You will not engage in activity, practice or conduct that would constitute an offence under anti-money laundering legislation or regulations (e.g. Bribery Act 2010 etc.).
6.5 You have not been convicted, and are not currently being investigated by a national law enforcement agency (e.g. NCA), for any offence involving slavery or human trafficking, money laundering, financial sanctions or bribery (neither, to your knowledge, have or are any of your employees or associated persons).
6.6 You will include in any contracts with your subcontractors and suppliers provisions that are at least as onerous as those set out in this sign-off sheet.

7. Compliance
7.1 Have you ever been the subject of a complaint or investigation by the Information Commissioner's Office? Yes/No – if yes, please provide further details
7.2 Have you ever had a security breach resulting in loss or unauthorised disclosure of personal data? Yes/No – if yes, please provide further details
7.3 Have you ever been subject to a complaint or investigation by any regulatory body (e.g. BSB, FCA, GMC etc.)? Yes/No – if yes, please provide further details

8. Declaration
By signing this document you declare that you are authorised to respond on behalf of your organisation and that the responses you have provided are accurate and true.
Completed by:
Role:
Signature:
Date:

Company Confidential (when completed)
Supplier form & Compliance Due Diligence Questionnaire v0.2 20/09/21