Supplier Code of Conduct

Suppliers must comply with all applicable laws and regulations in the jurisdictions where they operate, as a minimum baseline. Where this Code sets a higher standard than local law, this Code prevails.

• No forced, bonded, indentured, prison or child labour. Workers must be free to leave their employment with reasonable notice.
• Workers must not be required to lodge identity documents or pay recruitment fees as a condition of employment.
• Working hours, wages and benefits must meet or exceed the applicable legal minimum and the ILO core conventions.
• Freedom of association and the right to collective bargaining are respected.
• Zero tolerance for discrimination on the basis of race, colour, sex, religion, age, disability, sexual orientation, gender identity, nationality or political opinion.
• Zero tolerance for physical, verbal, sexual or psychological harassment.

Suppliers must provide a safe and healthy workplace, monitor and reduce environmental impact (energy, water, waste, emissions, hazardous substances) and hold all required environmental permits. Tier-1 hardware suppliers must report Scope 1 and 2 emissions on request.

• Zero tolerance for bribery, kickbacks, facilitation payments and corruption in any form.
• Gifts and hospitality must be modest, transparent and never given to influence a decision. A €75 / £75 ceiling applies to gifts to DFA Machine staff.
• Conflicts of interest must be disclosed promptly.
• Suppliers must comply with applicable trade-control and sanctions regimes (UK, EU, US OFAC, UN).

Suppliers handling DFA Machine or customer data must operate an information-security programme aligned with ISO/IEC 27001, NIST CSF or SOC 2; encrypt data in transit (TLS 1.2+) and at rest (AES-256); restrict access on a least-privilege basis; and notify us of any actual or suspected security incident affecting our data within 24 hours. Personal data must be processed under a written Article 28 DPA.

Suppliers must comply with UK GDPR, EU GDPR and equivalent privacy laws. Personal data must only be processed on documented instructions, kept no longer than necessary and transferred internationally only under an approved mechanism (UK IDTA, EU SCCs, adequacy decision).

Suppliers must flow down the substance of this Code to their own suppliers and subcontractors where the work performed touches DFA Machine or its customers.

Any supplier, employee of a supplier or third party may report a concern about a breach of this Code via our anonymous Speak-Up channel or by email to contact@dfamachine.com. We do not tolerate retaliation against anyone who raises a concern in good faith.

We reserve the right to verify compliance with this Code through self-assessment questionnaires, document review and, for higher-risk suppliers, on-site audits with reasonable notice. Material breaches must be remediated within an agreed timeline; persistent or egregious breaches will result in termination of the business relationship.

Acceptance of a DFA Machine purchase order, master service agreement or framework contract is deemed acceptance of this Supplier Code of Conduct as in force on the date of acceptance.