PROPRIETARY | 1 v07282022

1. Introduction

RSA is committed to responsible business practices and to high standards of ethical behavior. This includes holding our suppliers to high standards of excellence as defined in governing laws, recognized international standards and conventions, and global best practices.

2. Scope

These principles are applicable to parties working with RSA, including suppliers, supplier employees, contractors and subcontractors (“Suppliers”).

3. Statement of Principles

RSA’s Suppliers must abide by:

  • All applicable laws, regulations, and purchasing requirements, including the FAR and the DFARS
  • The RSA Code of Conduct
  • Relevant UN Conventions, including the United Nations (U.N.) Declaration of Human Rights and the U.N. Convention on the Rights of the Child
  • Relevant quality, environmental, health and safety and other management systems

RSA implements these principles by reinforcing the general requirement that Suppliers meet or exceed all applicable laws and recognized standards.

We recognize that not all Supplier engagements or activities with RSA will apply equally to all Suppliers. Therefore, we direct supplier requirements and outreach toward those suppliers who have been prioritized based on the nature of their business and holistic risk assessment.

The Suppliers declare (on their behalf and on that of their employees, agents, and consultants) that they have received and agree with these principles, and undertake to comply with them, as well as with any updates that may be made by RSA.

These principles must be observed as of the start of the activities covered under the contract executed between RSA and Supplier.

4. Compliance with Laws and International Standards

Compliance with all Laws and Regulations

It is essential to a socially and environmentally responsible supply chain that all persons, including Suppliers, behave in a legal and ethical manner. RSA and RSA’s Suppliers shall comply with all applicable laws and regulations.

Anti-Corruption

Suppliers shall adhere to the Foreign Corrupt Practices Act, the United Kingdom Bribery Act of 2010, and all applicable local laws relating to anti-corruption or anti-bribery (“Anti-Corruption Laws”).

5. RSA’s Core Policy Commitments and Supplier Requirements

RSA imposes specific requirements on its Suppliers with respect to the following issue areas:

Federal Acquisition Regulations

If RSA is providing Supplier’s products or services under a United States government prime contract or subcontract, Supplier shall comply with the following provisions of the Federal Acquisition Regulations, published in Title 48 of the United States Code of Federal Regulations (CFR) at 52.244-6: 52.203-13, Contractor Code of Business Ethics and Conduct; 52.219-8, Utilization of Small Business Concerns; 52.222-26, Equal Opportunity; 52.222-35, Equal Opportunity for Veterans; 52.222-36, Affirmative Action for Workers with Disabilities; 52.222-40, Notification of Employee Rights Under the National Labor Relations Act; 52.222-50, Combating Trafficking in Persons; 52.232-40, Providing Accelerated Payments to Small Business Subcontractors; and 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels. Supplier shall also comply with the requirements of 41 CFR §§ 60-1.4(a), 60-300.5(a) and 60-741.5(a), which prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities, and prohibit discrimination against all individuals based on their race, color, religion, sex, or national origin. Supplier also shall comply with the provisions of 48 CFR 52.204-21 and 48 CFR 252.204-7012 if: (i) Supplier’s performance involves access to “Federal contract information” or “covered defense information” (as those terms are defined in 48 CFR 52.204(a) and 48 CFR 252.204-7012(a), respectively); and (ii) Supplier is providing other than Commercial Off-The-Shelf items.

Working Conditions, Forced Labor and Human Trafficking

RSA is committed to upholding the human rights of workers at any tier of its supply chain, and to treating them with dignity and respect. Workers include direct employees, temporary workers, migrant workers, student workers, contract workers, and any other person(s) providing labor and employment services to Supplier. Forced, bonded (including debt bondage) or indentured labor, involuntary prison labor, slavery or trafficking of persons of any age shall not be used at any tier of the supply chain.

  • Employers and agents may not use misleading or fraudulent practices during the recruitment of employees.
  • Child labor may not be used in any tier of the supply chain.

RSA reserves the right to take any and all available actions against Suppliers for violations of its Vulnerable Worker Policy including without limitation the termination or reduction of business, frequent required onsite compliance auditing at Supplier’s expense, employee compensation at Supplier’s expense, and/or termination of RSA’s contract with the Supplier.

Minerals and Extractives

RSA is committed to the responsible sourcing of materials used in products, and expects our Suppliers to adhere to the same high standards.

Supplier Diversity

RSA believes an ethical, diverse supply chain is a vital part of our business. Each Supplier must meet the following diversity requirements: (1) comply with any applicable law and regulation targeted towards suppliers to governmental entities; (2) use reasonable efforts to engage minority-owned businesses, women-owned businesses, and LGBT-owned businesses if Supplier engages subcontractors to provide any deliverables or to support the Supplier’s overall business operations; (3) use commercially reasonable efforts to engage small businesses as defined by the United States Small Business Administration (including small business subcategories such as small disadvantaged businesses, small women-owned businesses, veteran-owned businesses, service disabled veteran-owned businesses and HUB zone businesses) if Supplier engages subcontractors in the United States to provide any deliverables or to support the Supplier’s general business operations; (4) maintain accurate records of Supplier’s efforts under this provision; and (5) report to RSA, on RSA’s request, Supplier’s spend with minority-owned businesses, women-owned businesses, small businesses, and LGBT-owned businesses.

Avoid Conflicts of Interest

Any circumstance in which a Supplier’s ability to act with objectivity is compromised is considered a conflict of interest. Since RSA wishes to maintain a partnership free of conflicts, we ask that, should a conflicting situation arise between RSA and a Supplier or any of its employees, the Supplier report all pertinent details to RSA. This includes, but is not limited to, close personal or family relationships with those at RSA or the giving or receiving of lavish business courtesies.

Continuous Improvement

RSA is committed to responsible sourcing. Suppliers must meet the standards specified in this section, but we encourage Suppliers to view sustainability as a journey of continuous improvement. With a focus on self-assessment, internal ownership and self-accountability, RSA Suppliers can make changes that will bring long-lasting, sustainable impact not only to their own facilities and operations, but also to those of their own providers.

6. Information Security

To establish the concepts and guidelines for information security of RSA’s information and that of RSA’s clients, Suppliers who have physical or logical access to RSA’s or RSA’s client’s information, systems or locations, must abide by the following:

  • Information, whether in hard-copy or soft-copy format, and the technological environments used by Suppliers are the exclusive property of RSA and are not for personal use.
  • Suppliers must have a unique identification (both physical and digital), which is personal and non-transferable, and which can be used to identify the party by the services they are providing.
  • Access rights must always observe the principle of least privilege, wherein users must only have the permissions necessary for the execution of their tasks.
  • Confidential information, such as passwords and any other information possessed by Suppliers over the course of their work, must always be held as top secret; sharing of this information is strictly prohibited.
  • The Suppliers undertake, and are responsible for their employees, agents, consultants, and/or representatives who have a need to access confidential information, to hold the same under confidentiality, and not to copy, sell, assign, license, commercialize, transfer, or in any other way convey, divulge, or provide such information to any third party that is not involved in the contract, nor to use the information for any purpose, except upon prior written express authorization.
  • RSA’s and its customer’s information must be treated ethically and confidentially. It must only be used for the purpose for which it was authorized.
  • All Suppliers should be aware that the use of information and information systems may be monitored without notice, and that records obtained through this means may serve as evidence for legal purposes.
  • Information must be used in a transparent manner and only for the purpose for which it was gathered and/or for statistical purposes, without identifying RSA’s customers or revealing customer-specific system characteristics.

7. Reporting Suspected Violations

Questions about specific issues that may arise in a business relationship with RSA may be referred to the following contacts:

  • RSA Ethics at ethics@rsa.com
  • File a report at www.lighthouse-services.com/rsa
    (Note that laws and procedures for reporting vary from country to country so review any guidance provided before moving forward.)
  • Suppliers are expected, consistent with applicable laws and contractual obligations, to provide reasonable assistance to any investigation by RSA of a violation of this Code or applicable laws and to allow RSA reasonable access to all facilities, records and documentation concerning their compliance with this Code and laws applicable to them or their provision of products and services to RSA.

Effective Date: July 28, 2022

©2022 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA and other trademarks are trademarks of RSA Security LLC or its affiliates. Other trademarks may be trademarks of their respective owners.