Vendor Code of Conduct
Last updated: January 15, 2026
Document owner: General Counsel, with VP Procurement as operational co-owner
Effective date: January 1, 2026
Review cadence: Annual
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103
This Vendor Code of Conduct ("Code") sets forth the minimum standards Acme Cloud, Inc. expects of its suppliers, vendors, contractors, consultants, and other third parties ("Vendors") who provide goods or services to Acme Cloud. This Code is incorporated by reference into Vendor agreements and supports our Third-Party Risk Management, Modern Slavery Statement, and ESG Report commitments.
Applicability
This Code applies to all Vendors regardless of location. Vendors must ensure their employees, subcontractors, and agents comply with these standards. Vendors doing business with Acme Cloud acknowledge they have read, understood, and agree to comply with this Code.
Ethical Business Practices
Vendors shall conduct business with integrity and in compliance with all applicable laws and regulations:
| Requirement | Standard |
|---|---|
| Anti-bribery & corruption | Zero tolerance; comply with FCPA, UK Bribery Act, and local laws |
| Antitrust & fair competition | No collusion, price fixing, or abuse of market position |
| Conflicts of interest | Disclose any financial or personal relationship with Acme Cloud employees |
| Gifts & entertainment | No gifts exceeding $100 per employee per year without prior approval |
| Accurate records | Maintain accurate books and records; no off-book accounts |
| Insider information | Do not use or share Acme Cloud confidential information improperly |
| Export controls | Comply with US and applicable export control laws |
Violations may be reported through Acme Cloud's Whistleblower Policy channels.
Labor & Human Rights
Vendors shall uphold human rights and fair labor practices consistent with ILO core conventions and our Modern Slavery Statement:
| Requirement | Standard |
|---|---|
| Forced labor | Prohibited — no involuntary, prison, indentured, or trafficked labor |
| Child labor | Prohibited — no employment below minimum legal age; no hazardous work for minors |
| Wages & benefits | Pay at least applicable minimum wage; provide legally mandated benefits |
| Working hours | Comply with local limits; overtime voluntary and compensated |
| Freedom of association | Respect workers' rights to organize and bargain collectively where lawful |
| Discrimination | Prohibited — equal opportunity regardless of protected characteristics |
| Harassment | Prohibited — maintain respectful workplace free from harassment |
| Health & safety | Provide safe working conditions; comply with OSHA or equivalent standards |
Vendors shall not retain employee identity documents, charge recruitment fees to workers, or restrict freedom of movement.
Environmental Responsibility
Vendors shall minimize environmental impact and support Acme Cloud's sustainability goals outlined in our ESG Report:
- Comply with applicable environmental laws and regulations
- Implement waste reduction, recycling, and responsible disposal practices
- Report environmental incidents affecting Acme Cloud goods or services within 48 hours
- Prefer sustainable materials and packaging where commercially reasonable
- Support Acme Cloud's carbon reduction initiatives for relevant service categories
Information Security & Data Protection
Vendors processing Acme Cloud data, customer data, or personal information must meet security requirements aligned with our Security Overview:
| Requirement | Standard |
|---|---|
| Data classification | Handle data per Acme Cloud classification guidelines |
| Encryption | AES-256 at rest, TLS 1.2+ in transit for confidential data |
| Access control | Least privilege, MFA for remote access, unique user IDs |
| Incident notification | Report security incidents within 24 hours to security@acmecloud.com |
| Subprocessors | Notify Acme Cloud 30 days before engaging subprocessors processing our data |
| Data return/deletion | Delete or return data upon contract termination per Data Retention Policy |
| Compliance evidence | Provide SOC 2, ISO 27001, or equivalent upon request |
| Background checks | Conduct for personnel with access to Acme Cloud systems or data |
| Vulnerability management | Patch critical vulnerabilities within 72 hours |
Vendors with access to production systems must comply with our Access Control Policy requirements as specified in the Vendor agreement.
Privacy & Confidentiality
Vendors shall protect confidential information received from Acme Cloud and comply with applicable privacy laws (GDPR, CCPA, etc.) when processing personal data. Data processing terms are specified in Vendor agreements and our Data Processing Agreement where applicable.
Vendors must not use Acme Cloud confidential information except to perform contracted services. Confidentiality obligations survive contract termination.
Quality & Business Continuity
Vendors providing critical services shall maintain business continuity capabilities:
- Maintain disaster recovery and backup procedures appropriate to service criticality
- Notify Acme Cloud of material service disruptions within 2 hours
- Provide business continuity documentation upon request
- Maintain service levels specified in Vendor agreements
Critical Vendors are identified through our Third-Party Risk Management tiering process.
Monitoring & Audit
Acme Cloud reserves the right to:
- Assess Vendor compliance through questionnaires, certifications, and audits
- Request corrective action plans for identified deficiencies
- Conduct or commission on-site audits for Tier 1 Vendors with 30 days' notice
- Monitor Vendor performance and compliance continuously
Vendors shall cooperate with reasonable compliance assessments and provide accurate information.
Non-Compliance & Consequences
Failure to comply with this Code may result in:
| Severity | Consequence |
|---|---|
| Minor deficiency | Corrective action plan with 30-day remediation |
| Material violation | Suspension of new work; enhanced monitoring |
| Critical violation | Contract termination; legal action as appropriate |
| Legal violation | Referral to authorities; immediate termination |
Acme Cloud may terminate Vendor relationships for Code violations without penalty where permitted by contract.
Reporting Violations
Vendors and their employees may report suspected Acme Cloud Code violations or request clarification at:
- Email: vendor-compliance@acmecloud.com
- Ethics hotline: +1-800-555-0199 (anonymous option available)
Acme Cloud will not retaliate against good-faith reporters.
Related Documents
- Third-Party Risk Management
- Modern Slavery Statement
- Subprocessor List
- Security Overview
- Data Retention Policy
- Whistleblower Policy
Acknowledgment & Flow-Down Requirements
Tier 1 and Tier 2 vendors must acknowledge this Code annually. Vendors must flow down Code requirements to subcontractors performing work for Acme Cloud. Flow-down verification is included in annual reassessment.
Training Requirements
Vendors with access to Acme Cloud systems or customer data must ensure their personnel complete security awareness training annually. Training may be vendor-provided if covering equivalent topics: phishing, data handling, incident reporting, and acceptable use.
Sustainability Expectations
Vendors are encouraged to: measure and reduce greenhouse gas emissions; minimize packaging waste; use recycled materials where feasible; and report environmental metrics upon request for contracts exceeding $100,000 annually. Acme Cloud considers environmental practices in vendor selection for comparable bids.
Vendor Assessment Questionnaire Topics
The standard vendor security questionnaire covers: information security policy, access controls, encryption, incident response, business continuity, privacy compliance, subprocessors, penetration testing, certifications, and insurance. Questionnaires are mapped to SIG Lite control families for efficiency.
Vendor Performance & Conduct Reviews
Annual vendor business reviews include a Code of Conduct compliance assessment for Tier 1 and Tier 2 vendors. The review covers: audit findings, incident history, questionnaire updates, and business performance. Vendors with conduct concerns enter enhanced monitoring with a 90-day improvement plan before potential termination.
Vendor Acknowledgment Tracking
The GRC platform tracks vendor Code acknowledgment status. Tier 1 vendors: 100% acknowledged in FY2025. Tier 2 vendors: 97% acknowledged. Non-acknowledged vendors receive a 14-day reminder, then a procurement hold on new purchase orders until acknowledgment is received.
Code Updates
Material Code updates are communicated to vendors 30 days before the effective date. Vendors must re-acknowledge within 30 days of an update. The current version is effective January 1, 2026.
Procurement integrates Code compliance into vendor scorecards, which affect renewal decisions and preferred vendor status. Vendors with Code violations receive a reduced scorecard rating until remediation is verified.
Contact
Acme Cloud, Inc.
1200 Market Street, Suite 400, San Francisco, CA 94103
vendor-compliance@acmecloud.com | trust@acmecloud.com | legal@acmecloud.com
Vendor Contact for Code Questions
Vendors with questions about this Code: vendor-compliance@acmecloud.com. Report Acme Cloud employee violations through ethics@acmecloud.com or +1-800-555-0199.
Vendor Code version 2.0, effective January 2026, adds explicit modern slavery prohibitions and environmental expectations aligned with the ESG Report.
Supplier Diversity Integration
Vendor Code compliance is considered alongside supplier diversity goals per the DEI Report. Diverse suppliers demonstrating Code compliance receive preferred vendor consideration in competitive bids.
Annual Vendor Acknowledgment Statistics
| Tier | Vendors | Acknowledged FY2025 | Target FY2026 |
|---|---|---|---|
| Tier 1 | 12 | 100% | 100% |
| Tier 2 | 34 | 97% | 100% |
| Tier 3+ | 140 | 89% | 95% |
Vendors failing to acknowledge the Code within 30 days of a renewal notice are placed on procurement hold until compliance is confirmed by the Vendor Compliance team.
The Procurement team receives annual training on Vendor Code requirements, red flags for labor and ethics violations, and escalation procedures for non-compliance discovered during vendor relationships. Training completion is tracked in the LMS, with 100% procurement team completion in FY2025.