
Third-Party Management Policy


1. PURPOSE

​

The purpose of this Third-Party Management Policy is to ensure that all vendors, contractors, and third-party providers engaged by ED4S meet high standards of ethical conduct, data protection, sustainability, and operational excellence. This policy establishes a risk-based framework for evaluating, onboarding, managing, and reassessing third parties to protect ED4S, its clients, and stakeholders while supporting sustainable business practices. 

 

2. SCOPE

​

This policy applies to all third-party providers engaged by ED4S, including but not limited to: 
 

  • Subject matter experts and trainers (online or in-person) 

  • Technology and digital service providers 

  • Consultants and subcontractors 

  • Cloud-based or AI-enabled platforms 
     

It encompasses all third-party activities, whether permanent, temporary, or project-based. 

 

3. STANDARDS AND EXPECTATIONS
 

3.1 Human Rights, Ethics, and ESG Practices 
 

Third parties must: 
 

  • Comply with international human rights and labor standards (UN Guiding Principles, ILO Conventions, OECD Guidelines). 

  • Avoid forced labor, child labor, discrimination, or exploitation. 

  • Uphold anti-corruption and anti-bribery practices (ISO 37001 aligned). 

  • Demonstrate environmental and social responsibility, including sustainable sourcing and low-impact operations where applicable or feasible. 

  • Ensure accessibility and inclusion in all deliverables, consistent with WCAG 2.1 and DEI best practices. 

ED4S reserves the right to terminate relationships with third parties that violate these standards.

​

3.2 Data Protection and Confidentiality
 

Third parties handling ED4S or client data must: 
 

  • Sign Non-Disclosure Agreements (NDAs) and, if applicable, Data Processing Agreements (DPAs). 

  • Adhere to GDPR, PIPEDA, and equivalent data protection laws. 

  • Apply appropriate security measures, including encryption, access controls, and secure storage. 

  • Report data breaches or incidents within 24–72 hours, depending on severity. 

 

Information is classified as follows (see the classification table at the end of this policy):

3.3 Legal and Regulatory Compliance

​

Third parties must comply with: 

​

  • Applicable laws and regulations in the jurisdictions where they operate 

  • Contractual obligations with ED4S 

  • Anti-corruption, sanctions, and conflict-of-interest requirements 

 

High-risk engagements or deviations from standard contracts require consultation with legal counsel. 

 

4. RISK ASSESSMENT AND DUE DILIGENCE

 

All third parties undergo a risk-based evaluation prior to engagement. 

​

4.1 Evaluation Criteria

​

Technology Providers: Security certifications (SOC 2, ISO 27001), data protection measures, market reputation. 

​

Subject Matter Experts: Experience, credentials, references, ESG alignment where available. 

​

 All Third Parties: Human rights, ethical practices, anti-corruption compliance, conflict of interest screening. 

​

Due Diligence Questions include: 

​

  1. Are there certifications or proof of compliance with relevant standards? 

  2. Can references or previous client examples be provided? 

  3. Are ESG commitments documented and verifiable? 

  4. Has the executive team demonstrated ethical business practices? 

  5. How is sensitive data protected? 

  6. Is there any association with controversial activities? 

  7. What mitigation measures exist for identified risks? 

 

4.2 Risk Tiers

​

Third parties are categorized as Low, Medium, or High Risk based on: 

​

  • Data sensitivity handled 

  • ESG and ethical impact 

  • Operational or reputational risk

​

The risk tier determines the depth of monitoring, legal review, and contractual requirements.

​

5. RESPONSIBLE PROCUREMENT 

​

Purpose

ED4S is committed to conducting its procurement activities in a responsible and sustainable manner. This approach ensures that all suppliers and third-party service providers are evaluated not only on technical and commercial criteria but also on environmental, social, and ethical considerations, consistent with our Climate Policy, Human Rights Policy, and broader Sustainability commitments. In selection, ED4S will give preference to suppliers whose practices are in line with our own values.

 

Scope

This responsible procurement approach applies to all third parties engaged by ED4S, including suppliers of software, technology, production services, office equipment, and other services essential to the company’s operations. 

​

​

Environmental Criteria

​

  • Preference is given to suppliers that minimize environmental impacts, including:

    • Use of renewable energy (e.g., cloud providers powered by renewable sources) 

    • Reduction of waste and promotion of recycling

    • Digital-first solutions to reduce paper, travel, and other physical resource consumption

​

Social and Ethical Criteria

​

  • Suppliers are expected to: 

    • Respect human rights, labor standards, and diversity, equity, and inclusion principles 

    • Uphold high ethical standards, including anti-corruption practices 

    • Demonstrate transparency in their operations and supply chains
       

Evaluation and Monitoring
 

  • Suppliers are assessed using our Third-Party Questionnaire, which includes environmental, social, and ethical criteria. 

  • Compliance with responsible procurement principles is reviewed periodically and documented. 

  • Suppliers not meeting ED4S’s standards may be excluded or subject to corrective actions.

 

Continuous Improvement

​

  • ED4S commits to continuously monitoring and improving our responsible procurement practices in line with emerging best practices and regulatory expectations. 

  • The responsible procurement approach is integrated into all onboarding, contracting, and review processes for third parties. 

​

Governance

​

  • Oversight of responsible procurement is the responsibility of the CEO/Founder in conjunction with the ED4S management team. 

  • All employees involved in supplier selection and management are trained on the responsible procurement principles and required to adhere to them. 

 

6. CONTRACTING AND LEGAL REVIEW

​

  • Standard contracts include confidentiality, data protection, ESG, and ethical conduct clauses. 

  • Legal counsel is consulted for: 

    • High-risk or sensitive engagements 

    • International contracts 

    • Deviations from standard terms 

 

7. MONITORING, REVIEW, AND REASSESSMENT
 

  • Third-party performance and compliance are reviewed periodically and if: 

    • Scope of services changes 

    • New risks emerge 

    • Client requests or audits occur 

  • Monitoring includes: 

    • ESG and ethical compliance 

    • Data security adherence 

    • Service quality and reliability 
       

8. TERMINATION AND CORRECTIVE ACTIONS

​

ED4S may terminate contracts if a third party: 
 

  • Violates this policy or contractual obligations 

  • Engages in unethical, illegal, or unsafe practices 

  • Fails to remediate identified risks within agreed timelines

​

Corrective actions are documented and may include escalation to management or legal counsel.

​

9. COMMUNICATION AND TRAINING 

 

  • This policy is communicated to all relevant ED4S employees and third parties during onboarding. 

  • Periodic refresher training ensures awareness of updates, ESG expectations, and compliance obligations. 

​

10. RECORDKEEPING

 

  • All documentation related to third-party evaluation, contracts, and monitoring is retained for a minimum of 5 years.

  • Records are securely stored and accessible for audits or client due diligence. 

 

ANNEX
 

Due Diligence Questionnaire:

​

All third-party organizations engaged by ED4S are requested to complete the following questionnaire. The information provided helps us ensure alignment with our standards for ethics, sustainability, and operational excellence, and supports informed decisions regarding contract approval, renewal, or any necessary follow-up actions, where the information is publicly available or feasible to obtain. 

​

Due Diligence Questions 

​

1.  Does the third party have certifications that demonstrate expertise or compliance with relevant standards? (e.g., SOC 2, ISO 27001) 
 

  • Yes / No (Provide examples) 
     

2. Can the third party provide references from previous clients or projects? 

 

  • Yes / No 

 

​

3. Are there documented commitments to environmental and social responsibility? 

​

  • Yes / No (Provide documentation if available) 

​

4. Does the third-party executive team have a proven track record of ethical business practices? 

​

  • Yes / No (Provide evidence if applicable) 

​

5. How does the third party ensure the security of the data they handle? 

​

  • Open response 

​

6. Has the third party ever been associated with controversial activities or organizations?

 

  • Yes / No

​

7. What mitigation measures are in place to address potential risks associated with the third party? 

​

  • Open response 

​

Results of the risk assessment are reviewed by management, and mitigation strategies are implemented as needed. 

Information classification (Section 3.2 Data Protection and Confidentiality):

| Classification | Description | Handling Requirements |
|---|---|---|
| Confidential | Client data, proprietary information | Strict access control, encryption, NDA |
| Internal | Operational documents, policies | Authorized personnel only |
| Public | Marketing materials, publicly available info | No special handling |

Last Reviewed: December 2025