Policy - External Contractors
Applicability
This policy applies to all Recurity Labs’ contractors and suppliers engaged in the delivery of Recurity Labs’ core process.
Introduction
External contractors include all freelancers and external companies engaged to perform assessments or parts of assessments in cooperation with and/or on behalf of Recurity Labs. These contractors support Recurity Labs in delivering specialized consulting services to clients, and are subject to the security and quality standards defined in this policy.
The key terms “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.
Mandatory NDA
A Non-Disclosure Agreement (NDA) is mandatory for all collaborations with external contractors.
Whether a full framework contract or additional contractual documentation is required is subject to the discretion of Recurity Labs’ CEO. The CEO may choose to accept the risks associated with the contractor’s work without additional contractual provisions (additional to an NDA), provided that:
- The nature of the collaboration is well understood by both parties.
- The absence of further contractual terms does not create undue legal or operational risk.
For consistency, the term Contract in this policy refers to and includes the NDA, whether in place as a separate agreement (e.g., solely an NDA) or as part of a contract (e.g., a framework contract), together with any additional contractual agreements that may be established.
Contractors MUST NOT commence work until a valid Contract is in place.
Collaboration Types and Communication Protocols
Short-Term Collaboration (No Infrastructure Access)
For short-term engagements, for which contractors do not require access to Recurity Labs’ infrastructure, the following protocols apply:
- PGP-Encrypted Email
PGP-encrypted email is the primary communication method to ensure secure exchanges.
- Encrypted Exchange of Requirements and Results
Assessment requirements, deliverables, and results MUST be encrypted before transmission via email to protect sensitive information.
Long-Term Collaboration (Potential Infrastructure Access)
For long-term collaborations, contractors MAY be granted limited access to Recurity Labs’ infrastructure to facilitate deeper integration into assessment processes. In such cases:
- Full alignment with the organization’s standard hardware/software setup is not mandatory and is subject to case-by-case approval. However, at a minimum, contractors MUST use the YubiKey issued by Recurity Labs for two-factor authentication (2FA) when accessing Recurity Labs’ organizational resources. Personal accounts or infrastructure access in/to Recurity Labs’ environment MUST NOT be shared and MUST only be used by the assigned person.
- End of Contract Obligations:
- Upon contract expiration or upon request, all assets provided by Recurity Labs MUST be returned.
- Reporting Personnel Changes:
- Contractors MUST report all staff changes related to the collaboration without undue delay.
Quality Assurance and Review Process
External contractors MUST review their own work for accuracy and completeness before submission. Additionally, all deliverables MUST undergo review according to Recurity Labs’ internal quality assurance:
- Technical and Editorial Review
- All assessment results produced by external contractors MUST be reviewed both technically (TR) and editorially (ER) by Recurity Labs’ internal staff. Therefore, external core process contractors MUST contact the associated project manager to initiate the review process. Feedback from reviews MUST be incorporated by the contractor. After the ER, the project is considered complete, but follow-up work or customer communication may be necessary for which the contractor MUST remain available.
- This process ensures consistent quality and compliance with Recurity Labs’ internal standards.
Confidentiality of Information
All information shared with external contractors during collaboration is classified as highly confidential. Contractors MUST:
- Handle, store, and transmit all data securely. Project data MUST be stored encrypted and only stored unencrypted if the nature of the assessment requires it (e.g., on or for transmission to test devices).
- Comply with all confidentiality clauses outlined in contracts and/or NDAs.
- Prevent unauthorized access or disclosure of sensitive information.
- Immediately report any suspected data breaches or unauthorized disclosures to Recurity Labs.
- Communication with clients SHOULD be conducted via PGP-encrypted email, but this MAY be overridden by clients’ requirements (e.g., client-initiated chats).
- Delivery of data and information
- Project related communication to Recurity Labs MUST be conducted via Recurity Labs’ internal infrastructure or PGP-encrypted email.
- Commits to project repositories MUST be signed with the PGP-key used in email communication.
Handling of Client Assets
External contractors may receive client assets (e.g., hardware, software, data) either directly from the client or through Recurity Labs as an intermediary. Regardless of how assets are delivered or received:
- Secure Handling and Use
- Contractors MUST handle client assets securely, i.e., securely store and share information assets only with approved contractors, and ensure that they are used only for their intended purpose.
- Return of Client Assets
- All client-provided assets MUST be returned after finalization of a project and/or upon request.
- Contractors SHOULD ensure that assets remain in their original condition and are not retained beyond the agreed period.
- If asset disposal is required, contractors MUST obtain explicit written approval from Recurity Labs before doing so, and provide proper proof of performed disposals upon request.
Data Deletion and Data Retention
Upon collaboration termination (e.g., when the NDA or contract expires or is terminated), contractors MUST NOT retain any Recurity Labs or client-related data unless a legal requirement or obligation mandates retention. In such cases, the contractor MUST:
- Inform Recurity Labs of the specific legal requirement.
- Ensure that retained data is securely stored and protected from unauthorized access.
- Delete the data as soon as legally permissible.
During collaboration periods, the retention period for project-related data is determined by the project’s runtime and by directives communicated by the Project Manager (PM) or other authorized persons. If no specific retention period is stated, the following defaults apply:
- All project-related data stored on contractors’ devices MUST be deleted no later than 365 days after the last editorial review within the project was completed.
- Project repositories stored on contractors’ devices MUST be deleted when instructed by Recurity Labs.
- Before deletion, the contractor MUST ensure that all relevant information has been shared with Recurity Labs, e.g., committed to the project repository.
- Should a project repository (or access to it) no longer be available to the contractor, the contractor MUST inform Recurity Labs thereof. Recurity Labs MUST provide access or other means to enable submission.
Compliance and Review
This policy is subject to regular reviews to ensure alignment with industry best practices and organizational security requirements. Contractors MUST be informed of any updates and ensure continued compliance.
- Policy Review Cycle: Annually or after significant changes to the contractor management framework.
- Policy Owner: The CISO is responsible for ensuring compliance and updating this policy as needed.
- Effective Date: April 01, 2025
- Contact: https://recurity-labs.com/.well-known/security.txt