ZYC-OUT-001 Outsourcing & Third-Party Risk Policy

Purpose

To ensure Zeyro maintains control, resilience, and regulatory compliance when outsourcing critical or important functions and engaging other third-party providers.


Scope

Applies to all outsourcing and third-party relationships, including technology vendors (e.g. DotFile, Atlassian, Microsoft 365), professional services, and operational support providers listed in the Third-Party Register.


Policy Statement

Zeyro outsources most operational activities to specialist providers. We remain responsible for all outsourced functions and ensure each third party operates to the same regulatory and ethical standards that apply internally.

Outsourcing must not:

  • diminish our ability to meet FCA requirements;

  • impair the effectiveness of our systems and controls; or

  • reduce the FCA’s ability to supervise us.

All providers are subject to proportionate due diligence, contract management, and ongoing oversight in line with FCA SYSC 8 and the UK operational-resilience framework.


Oversight Principles

1. Due Diligence

Before engagement, operational staff assess each provider’s suitability using information on:

  • corporate identity and ownership;

  • financial stability;

  • information-security posture;

  • data-protection compliance under the UK data-protection regime; and

  • any legal or reputational risks.

Findings are logged in the Third-Party Register.

2. Contractual Controls

All agreements must include clear terms on:

  • service levels and performance metrics;

  • data-protection and confidentiality obligations (using UK-equivalent SCCs where relevant);

  • rights of audit and access; and

  • termination and exit arrangements.

3. Monitoring and Review

Operational staff perform ongoing oversight proportionate to risk:

  • Low-risk vendors: annual check-ins.

  • Medium-risk: semi-annual performance review.

  • High-risk or critical: quarterly review plus ad-hoc checks.

Monitoring covers delivery quality, data-security compliance, and service disruptions.

4. Offboarding and Exit

When a relationship ends, data and access must be revoked or destroyed securely, and evidence of data return or destruction retained. Lessons learned feed into future onboarding and risk assessment.

5. Record Keeping

All third-party information, contracts, and audit records are stored in Confluence under the Third-Party Register, in accordance with ZYC-REC-001 Record Keeping & Data Retention Policy.


Roles and Responsibilities

  • Operational Staff – Conduct due diligence, monitoring, and maintain register entries.

  • Compliance Officer (SMF 16/17) – Provides guidance on regulatory compliance and updates this policy when rules change.

  • Board – Receives periodic confirmation that critical outsourcing arrangements remain fit for purpose.


Review

This policy is reviewed annually or sooner following material regulatory, contractual, or operational change.


Document Control

Field                     | Details
--------------------------|------------------------------------------------------------------------------
Policy Code               | ZYC-OUT-001
Policy Title              | Outsourcing & Third-Party Risk Policy
Document Owner            | Gareth Malna – MLRO (SMF 16 & 17)
Responsible Reviewer(s)   | Zeyro Board
Version                   | v 1.0
Date Approved             | October 2025
Next Scheduled Review     | October 2026
Change History            | v 1.0 (Oct 2025): Initial publication of outsourcing framework aligned to FCA SYSC 8 and UK operational resilience rules.
Classification            | Internal policy – distributed to all staff; available to regulators on request.
Last updated              |