Supplier & Partner Code of Conduct

Reviewed: 29 January 2026


At a glance

  • We expect Suppliers to operate to high ethical, legal, human rights, privacy and security standards.
  • This Code sets minimum requirements. Where your own policies are stronger, we expect you to meet those higher standards.
  • Breaches may result in corrective action, suspension or termination of engagement, and may be reported to authorities where required.

Purpose

To define the standards of conduct, compliance and accountability that Suppliers must meet when working with UK Postbox, protecting our customers, people, data and reputation.


Scope & acceptance

This Code applies to all Supplier personnel, temporary workers and approved sub‑contractors/sub‑processors involved in delivering goods or services to UK Postbox. Acceptance of a purchase order, contract or commencement of services constitutes acceptance of this Code. We may update this Code from time to time and will publish the latest version in our Trust Centre.


Laws, regulations & standards

Suppliers must comply with all applicable laws and regulations, including (as relevant):

  • UK GDPR & Data Protection Act 2018; PECR (for electronic marketing).
  • Bribery Act 2010 (anti‑bribery & corruption).
  • Modern Slavery Act 2015 (no forced, bonded or child labour).
  • Sanctions and Anti‑Money Laundering Act 2018; MLR 2017 (as amended).
  • Equality Act 2010 (non‑discrimination).
  • Health and Safety at Work etc. Act 1974.
  • Fraud Act 2006 (fraud prevention and detection).
  • Computer Misuse Act 1990 (for suppliers with system access).
  • Any sectoral, environmental and product standards (e.g., WEEE/RoHS where applicable).
  • International equivalents where services are performed outside the UK.

Suppliers must also meet applicable industry standards (e.g., ISO 27001, SOC 2, Cyber Essentials/Plus) where contracted or reasonably expected for the service.

Ethics & integrity

  • Zero tolerance for bribery & corruption. Do not offer, promise, give, request or accept bribes or improper advantages. Maintain accurate books and records.
  • Gifts & hospitality. Must be modest (under £50) and infrequent; never to influence a business decision. Anything over £50 requires advance disclosure to procurement@ukpostbox.com.
  • Conflicts of interest. Disclose actual or potential conflicts promptly and cooperate to mitigate them.
  • Fair competition. No anti‑competitive agreements or abuse of market position.
  • Whistleblowing. Maintain safe, confidential channels; do not retaliate against whistleblowers.

Human rights, labour & inclusion

  • No forced, bonded or child labour. Minimum working age must comply with local law and ILO standards. No recruitment fees: workers shall not pay fees to obtain or retain employment (Employer Pays Principle); any fees charged must be reimbursed by the employer.
  • Fair treatment & non‑discrimination. No harassment or discrimination based on protected characteristics.
  • Wages, benefits & working hours. Meet or exceed legal minimums; provide clear terms of employment. Working hours must not exceed legal limits; overtime must be voluntary and compensated in accordance with applicable law.
  • Freedom of association. Respect lawful worker representation.
  • Accessibility & inclusion. Take reasonable steps to ensure accessible services and workplaces; support UK Postbox accessibility commitments.

Health, safety & environment (HSE)

  • Provide a safe and healthy workplace; identify and mitigate hazards; train personnel.
  • Environmental stewardship: minimise greenhouse gas emissions, waste and water use; manage chemicals responsibly; comply with permits; promote sustainable packaging/logistics.
  • Upon request, share relevant HSE policies, risk assessments and incident metrics. Report any HSE incident occurring in connection with services to UK Postbox within 24 hours of occurrence. Where UK Postbox has published environmental targets, we expect suppliers to support these through their own reduction efforts and by providing emissions data upon request.

Data protection, confidentiality & IP

  • Confidentiality: Protect all UK Postbox confidential information; use it solely to deliver contracted services; restrict access on a need‑to‑know basis; return/destroy upon request or contract end.
  • Personal data: Where Supplier acts as processor, comply with our Data Processing Agreement (DPA), Data Protection Policy, and controller instructions; implement Article 32 security; assist with DPIAs, data subject rights and incident response.
  • International transfers: Use IDTA or the UK Addendum to SCCs with a Transfer Risk Assessment where data leaves the UK; keep current records of sub‑processors.
  • Intellectual property: Respect IP rights; do not use UK Postbox’s trademarks or brand without written permission.
  • Data return & deletion: Upon contract termination or request, securely delete or return all UK Postbox data within 30 days and provide written certification of deletion.
  • Transfer Impact Assessments: Conduct and document Transfer Impact Assessments for any transfers outside the UK and make these available to UK Postbox upon request.

Information security (minimum controls)

Suppliers must implement controls proportionate to risk, including:

  • Access control: unique accounts, MFA for all access to UK Postbox systems or data, least privilege, timely revocation.
  • Encryption: TLS 1.2+ in transit; AES‑256‑equivalent at rest for sensitive data.
  • Vulnerability management: regular scanning/patching with risk‑based SLAs (Critical: remediate within 7 days, or apply mitigating controls within 48 hours; High: 14 days; Medium: 30 days); annual independent penetration testing by CREST‑accredited or CHECK‑approved testers for internet‑facing services.
  • Secure development & change: code review, dependency/SCA checks, secrets management, change control.
  • Logging & monitoring: centralised logs, retention aligned to legal/contract needs; alerting for suspicious activity.
  • Business continuity: maintain business continuity and disaster recovery plans appropriate to service criticality; test plans at least annually and provide evidence upon request.
  • Physical security: controlled facilities, visitor management, asset protection.
  • Personnel screening: at minimum, identity verification and right-to-work checks; roles with access to sensitive data should include criminal background checks where legally permitted.
  • Sub‑processors: use only with UK Postbox’s written authorisation where processing personal data; flow down equivalent obligations.
  • AI & automated systems: where AI or automated systems are used in delivering services to UK Postbox, ensure appropriate human oversight, bias monitoring, and transparency about the use of such systems.

We may request evidence such as policies, AOC/ROC, certificates (e.g., SOC 2, Cyber Essentials Plus), pen‑test summaries, or third‑party audit reports under NDA.


Financial crime, sanctions & restricted items

  • AML & KYC: Maintain a risk‑based AML programme; screen customers/transactions as relevant; keep records for the legally required period.
  • Sanctions: Screen against UK sanctions (OFSI), EU sanctions where applicable, and US OFAC where you or UK Postbox have US nexus or where carriers require OFAC compliance; do not engage in business that would cause UK Postbox to breach sanctions.
  • Fraud & misuse: Prevent account takeover, payments fraud, address misuse and reshipping/mule activity; cooperate on investigations.
  • Restricted goods/services: Comply with our Restricted Goods Policy and applicable carrier/customs rules.

Sub‑contracting & sub‑processing

  • Do not sub‑contract material obligations or engage sub‑processors for personal data without UK Postbox’s prior written consent.
  • You remain fully responsible for your sub‑contractors and must flow down obligations at least as protective as this Code and the contract.

Incident & breach notification

  • Notify without undue delay (and within 24 hours where feasible) of any security incident, personal data breach, sanctions breach, modern slavery concern, serious HSE incident, or material compliance issue impacting services to UK Postbox. For critical incidents (data breach affecting UK Postbox data, ransomware, or service unavailability), initial notification should be within 4 hours where feasible.
  • Provide timely updates, cooperate on investigations, preserve evidence, and implement corrective actions.

Audit rights & assurance

  • UK Postbox (and its auditors/regulators, where applicable) may assess compliance with this Code through questionnaires, evidence reviews, remote or on‑site audits, and penetration tests of in‑scope systems by agreement.
  • Audits will normally be conducted no more than once per year unless triggered by an incident, material change, or regulatory requirement. Reasonable notice will be given and activities will be conducted to minimise disruption. Failure to provide adequate assurance may lead to corrective action or termination.

Insurance & certifications

  • Maintain appropriate insurance (e.g., public liability, professional indemnity, cyber) in line with industry norms and contractual requirements, and provide certificates on request. Minimum insurance expectations will be communicated during onboarding; typical requirements include public liability (£1m+), professional indemnity (£1m+), and cyber insurance where processing personal data.
  • Maintain agreed certifications (e.g., Cyber Essentials Plus) and notify us promptly of any lapse.

Notifications & change management

  • Notify UK Postbox in advance of material changes that could affect delivery or risk (e.g., ownership change, key personnel loss, data‑location change, new sub‑processors, significant control changes, or major incidents at sub‑contractors). Material changes should be notified at least 30 days in advance where possible, or immediately where the change is unplanned.
  • Keep points of contact current and respond to due‑diligence requests in a timely manner.

Consequences of non‑compliance

  • We may require remedial action plans with defined timelines, suspend work, withhold payments (where permitted), or terminate the relationship for material or persistent breaches.
  • Where the law requires, we may report breaches to regulators or law enforcement. In critical situations where supplier failure threatens service continuity or data security, UK Postbox reserves the right to take reasonable steps to protect its interests, including engaging alternative suppliers.

Reporting concerns

If you believe a UK Postbox employee or any Supplier has breached this Code or the law, report it via ethics@ukpostbox.com, the confidential Speak Up channel, or anonymously where permitted by local law. We prohibit retaliation against good‑faith reporting.


Acknowledgement

By supplying goods or services to UK Postbox, you acknowledge and agree to comply with this Code and to cascade these requirements to your people and approved sub‑contractors.


UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907