Code of Conduct — Behavioural Standards for All Guardian Personnel

This Code of Conduct documents the behavioural standards governing all personnel of Guardian Assessment Private Limited (India) and Guardian Assessment UK Ltd — including employees, contractors, Decision Authority personnel, Reviewers, Impartiality Committee members, and Appeals Committee members. The Code is the personnel-level operationalisation of the structural commitments documented in Guardian’s Impartiality Statement (Cl. 4.2), Confidentiality Policy (Cl. 4.5), Complaints and Appeals Procedure (Cl. 7.13), and Use of Certification Mark Policy (UAF-GEN-CAB-02). It is embedded in personnel agreements signed by every Guardian personnel role and is reviewed by UAF during annual surveillance audits. The Code’s substantive provisions — anti-bribery, gifts and hospitality discipline, technology conduct, communication standards — operationalise Guardian’s procedural integrity at the level where it succeeds or fails in practice: the daily conduct of the people who handle confidential information, conduct evaluations, and reach decisions.

ISO/IEC 17065 Accredited
UAF Accreditation No. 52605385601
Valid until 05 May 2030

Guardian’s Commitment to Personnel Conduct

Guardian Assessment Private Limited (India) and Guardian Assessment UK Ltd require all personnel to observe this Code of Conduct as the foundational behavioural standard governing their work. Where the substantive trust commitments documented in the Impartiality Statement (/impartiality), Confidentiality Policy (/confidentiality), Complaints and Appeals Procedure (/complaints-appeals), and Use of Certification Mark Policy (/marks-policy) establish what Guardian commits to as an institution, this Code documents how Guardian’s people behave in operationalising those commitments. Procedural integrity at the institutional level depends on conduct integrity at the individual level. The Code is the bridge.

The Code is embedded in the personnel agreements signed by every Guardian personnel role — employees signing employment contracts, contractors signing engagement agreements, Decision Authority personnel signing role-specific agreements, Reviewers signing engagement-specific terms, Impartiality Committee and Appeals Committee members signing committee membership agreements. The Code is a contractual commitment, not just an aspirational policy. Personnel who join Guardian commit to the Code; personnel who can no longer commit to the Code can no longer remain Guardian personnel. Conduct standards are not negotiable mid-term.

UAF reviews this Code during annual surveillance audits as part of the public-information evidence per Cl. 4.6 and as part of the personnel-competence and impartiality-discipline evidence per Cl. 6.1 (Personnel) and Cl. 4.2 (Impartiality). Material changes to the Code are versioned, dated, communicated to UAF, and incorporated into existing personnel agreements through standard amendment procedures.

Why Behavioural Conduct Matters Operationally

Procedural commitments at the institutional level — the structural separations described in /impartiality Section 3.2, the confidentiality agreements described in /confidentiality Section 3.5, the documented procedures for finding-handling and decision-making — succeed or fail in daily practice. An evaluator who decides to skim instead of test, who shares a finding with an unauthorised party, who accepts a ‘thank you’ gift outside threshold, who comments on an active engagement to the media — that personnel-level conduct is what determines whether the institutional commitments are operationally real or just documentary. The Code addresses the personnel layer directly because that is where the integrity is built or compromised.

Underlying Standards and Frameworks

This Code implements:

  • ISO/IEC 17065:2012 Cl. 4.2 (Impartiality) — at the personnel-conduct level
  • ISO/IEC 17065:2012 Cl. 4.5 (Confidentiality) — at the personnel-conduct level
  • ISO/IEC 17065:2012 Cl. 6.1 (Personnel) — covering personnel competence, impartiality declarations, and conduct
  • UAF-GEN-CAB-01 (General Accreditation Requirements) — explicitly cited in Guardian’s UAF accreditation Schedule
  • UK Bribery Act 2010 — applicable to Guardian Assessment UK Ltd personnel
  • Indian Prevention of Corruption Act 1988 (as amended) and the Indian Penal Code provisions on bribery — applicable to Guardian Assessment Private Limited personnel

Where applicable national laws or sectoral regulations impose additional personnel-conduct requirements, those requirements apply alongside this Code; the Code does not displace statutory or regulatory obligations.

Personnel Roles Bound by the Code

This Code applies in full to every personnel role that interacts with Guardian’s certification activities, the standalone Guardian VAPT service, or any other Guardian operational matter where the role’s conduct could affect institutional integrity. The applicable roles are listed below. Stakeholders sometimes assume Codes of Conduct apply only to permanent employees; this Code does not — it applies equally to contractors and committee members because their conduct affects Guardian’s integrity equally.

Personnel Role / Description / Code Application

Permanent Employees
  Description: Personnel employed directly by Guardian Assessment Private Limited or Guardian Assessment UK Ltd, including evaluators, scoping team, operations, leadership, and support functions.
  Code application: Full Code application; embedded in employment contract; reinforced through onboarding training and annual refresh.

Contracted Evaluators
  Description: Independent contractors engaged by Guardian for specific certification or VAPT engagements, typically on a Statement of Work basis.
  Code application: Full Code application as a condition of engagement; embedded in the Engagement Agreement with the contractor; the Code’s application does not vary by role type.

Decision Authority Personnel
  Description: Senior personnel — employed or contracted — designated as Decision Authority for specific engagements per ISO/IEC 17065 Cl. 7.6.
  Code application: Full Code application with additional impartiality declarations specific to each engagement; conduct standards reinforced by the role’s certification-decision authority.

Reviewers
  Description: Personnel — employed or contracted — designated as Reviewer for specific engagements per ISO/IEC 17065 Cl. 7.5.
  Code application: Full Code application with the same per-engagement impartiality declarations as Decision Authority personnel.

Impartiality Committee Members
  Description: Members of the Impartiality Committee per /impartiality Section 3.3 — independent chair, technical evaluator representative, operational management representative.
  Code application: Full Code application with additional conduct expectations specific to Committee oversight functions; the Committee itself reviews Code compliance as part of its mandate.

Appeals Committee Members
  Description: Members of Appeals Committee panels constituted for individual Appeals per /complaints-appeals Section 3.5.
  Code application: Full Code application with additional independence verification specific to each Appeal panel constitution.

Other Authorised Personnel
  Description: Other roles with material exposure to certification activities — for example, engagement-management coordinators, technical translators where engagements span languages, and internal auditors.
  Code application: Full Code application as a condition of authorisation; the relevant role agreement embeds the Code.

Each role is bound by the Code from the moment of engagement — employment start date, contractor engagement signature, or committee membership effective date — and remains bound until the surviving-obligations period expires. The Code’s application is not paused during periods between active engagements; Code obligations relating to confidentiality, anti-bribery, and external-activity disclosure apply continuously.

Daily Conduct Operationalising the Structural Commitments

The Impartiality Statement (/impartiality) and Confidentiality Policy (/confidentiality) document Guardian’s institutional structural commitments. This Section addresses how those commitments translate to personnel daily conduct — the specific behaviours expected of personnel, beyond mere absence of obvious impartiality breaches and confidentiality leaks.

Impartiality Conduct at the Individual Level

Personnel are expected to:

  • Submit accurate impartiality declarations before each engagement they participate in, disclosing any personnel, financial, ownership, prior-engagement, or other relationships that could affect or appear to affect their impartiality. Disclosed relationships trigger Impartiality Committee assessment per /impartiality Section 3.3 with reassignment where warranted.
  • Recuse themselves proactively from engagements where they identify post-declaration impartiality concerns — for example, where they discover after engagement start that they have a previously unrecognised relationship with applicant personnel. Proactive recusal is preferred over post-hoc disclosure.
  • Decline informal requests to provide preliminary opinions on certification likelihood — applicants asking ‘what do you think the decision will be?’ during evaluation, third parties asking ‘is this product going to be certified?’ before decision. Such requests are redirected to formal channels.
  • Avoid commenting publicly on engagements they participate in — through social media, professional networks, conference presentations, or other public channels — except as explicitly authorised through Guardian’s communications procedures.
  • Identify and escalate impartiality concerns about colleagues’ conduct that they observe — through the standard Complaints and Appeals procedure or directly to leadership where escalation through standard channels would be inappropriate.

Confidentiality Conduct at the Individual Level

Personnel are expected to:

  • Treat all engagement-derived information as confidential per /confidentiality, regardless of how it was received: formal documentation, scoping conversation, evaluator team discussion, or side observations during evaluation.
  • Limit discussion of engagement matters to personnel with need-to-know in the specific engagement; engagement-specific discussion in shared offices, public spaces, transport, and other contexts where overhearing is possible is itself a confidentiality breach.
  • Apply technical confidentiality discipline — workstations locked when unattended, encrypted devices, secure document handling, and no unauthorised local copies of confidential material on personal devices.
  • Continue confidentiality discipline after engagement closure and after employment or engagement termination — surviving obligations apply for the lifetime of the information’s commercial sensitivity per /confidentiality Section 3.5.
  • Use information learned during engagements only for the engagement itself — not for personal benefit, not for guidance to other parties, not for trading purposes, and not for any purpose outside the engagement scope.

Where Personal Activity and Professional Conduct Intersect

Personnel daily life intersects with their Guardian role through gifts, hospitality, and personal relationships in ways that can compromise impartiality if not handled with discipline. The provisions in this Section establish clear thresholds and disclosure expectations. They are designed to be operationally workable — personnel can attend industry events, accept token promotional items, and have personal lives — while protecting Guardian’s integrity from the most common conduct vectors for impartiality compromise.

Gifts: General Position

Personnel may not accept gifts from applicants, certified clients, or any party with a material interest in Guardian’s certification decisions, including competitors of certified clients, regulators reviewing Guardian’s accreditation, accreditation peer reviewers, and similar. The general position is non-acceptance. Specific exceptions:

  • Promotional items of nominal value — branded pens, notebooks, lanyards, water bottles distributed at trade shows or industry events. Acceptance is permitted; cumulative promotional items from a single source within a 12-month period exceeding nominal value should be disclosed to leadership for case-by-case assessment.
  • Reciprocal courtesy gifts on visits — small gifts presented on first visits to applicant offices in cultures where such gifts are customary. Acceptance is permitted; the gift is logged in Guardian’s Gift Register and may be re-gifted internally or donated.

What is not acceptable in any circumstance:

  • Cash or cash equivalents — gift cards, vouchers, prepaid cards, cryptocurrency, securities, or any form of financial instrument convertible to cash. Zero tolerance.
  • Personal benefit gifts — items for personal use of substantive value, including electronics, jewellery, or vouchers for personal services. The substantive value threshold is approximately INR 5,000 / GBP 50 / USD 60 per gift; gifts exceeding the threshold from any source are not acceptable, and gifts at or below the threshold from sources with active engagements are similarly not acceptable.
  • Gifts during active engagements — even nominal-value gifts from applicants or certified clients with current active engagements are not acceptable; the active engagement creates the impartiality concern that nominal-value framing cannot resolve.
  • Gifts after Decision Authority decision but before decision communication — the period between Decision Authority decision and communication is particularly sensitive; gifts from any party in this window are not acceptable.

Hospitality

Hospitality — meals, refreshments, transport, accommodation, entertainment — has its own discipline because it occurs in social contexts where personnel may feel pressure to accept beyond what they would otherwise accept. The provisions:

  • Routine working meals during engagements — lunch with applicant team during a multi-day on-site engagement, refreshments during meetings — are permitted at modest standard; the threshold is approximately INR 2,000 / GBP 20 / USD 25 per person per occasion.
  • Dinners, entertainment, and elevated hospitality require assessment by personnel’s leadership; acceptance only with leadership approval and only where the hospitality is not disproportionate to the engagement context.
  • Travel and accommodation related to engagements are arranged and paid for by Guardian per /process/fees Section 3.7. Personnel do not accept applicant-paid travel or accommodation; if applicants offer to pay, the offer is declined and Guardian-arranged alternatives are used.
  • Industry event attendance with applicant or certified-client speakers is professionally appropriate; conference attendance paid for by an applicant or certified client is not. Guardian or personnel pay for their own attendance.

The Gift Register

Guardian maintains a Gift Register in which personnel record gifts received and hospitality accepted that exceed routine de minimis levels. Records include the gift or hospitality, approximate value, source, date, engagement context, and disposition — kept, donated, returned, or declined. The Register is reviewed periodically by leadership and is available to UAF during accreditation surveillance. The Register itself is a behavioural-discipline mechanism; knowing that gifts and hospitality are recorded changes the discipline of accepting them, even where individual items are technically permissible.

Personal Relationships

Personnel personal lives — friendships, family relationships, romantic relationships, social affiliations — are private. Guardian is not a regulator of personal life. However, where personal relationships intersect with engagement relationships in ways that create or could create impartiality concerns, disclosure is required:

  • Personnel must disclose where applicant or certified-client personnel involved in their engagements are family members, romantic partners, close friends, or others with whom the personnel have substantive personal relationships. Disclosure triggers Impartiality Committee assessment, typically resulting in personnel reassignment from the engagement.
  • Personnel are not required to disclose every casual professional acquaintance. The threshold is a substantive personal relationship, one that would influence judgment even if colleagues did not realise the connection.
  • Personnel are not prohibited from having personal relationships with anyone; Guardian’s expectation is disclosure where relationships affect engagement work, not absence of relationships.
  • Where personnel develop personal relationships during the course of engagement work — for example, where social interaction during a multi-month engagement evolves to friendship — they disclose and are reassigned if the engagement remains active.

The integrity rule for personal-side conduct: If you would be uncomfortable having a specific gift, hospitality acceptance, or personal-relationship situation reviewed publicly by a procurement team verifying Guardian’s impartiality, that discomfort is itself the test. Decline, disclose, or recuse rather than rationalise. Most edge cases are resolved by simply not accepting or by escalating to leadership for case-by-case assessment.

Zero Tolerance for Bribery and Corruption

Guardian operates a zero-tolerance policy on bribery and corruption — both giving and receiving. The policy applies to all personnel, all engagements, and all jurisdictions where Guardian operates. It is the single most consequential conduct provision in this Code, because the consequence of a substantive bribery violation is not just personnel termination but criminal liability for the personnel involved, criminal and civil exposure for Guardian as an institution, and likely loss of UAF accreditation with corresponding loss of Guardian’s ability to operate as a certification body.

The Bribery Prohibition

Personnel must not, directly or indirectly:

  • Accept any payment, gift, hospitality, favour, employment offer, or other benefit from any party — whether or not connected to a specific engagement — where acceptance could influence or appear to influence Guardian’s certification activities or any decision Guardian takes.
  • Offer any payment, gift, hospitality, favour, employment offer, or other benefit to any party — whether applicant personnel, regulators, peer accreditation bodies, or others — where the offer could influence or appear to influence the recipient’s conduct in ways favourable to Guardian or to the personnel offering.
  • Solicit any of the above — even unsuccessful solicitation is itself a bribery offence under both UK and Indian law.
  • Authorise, condone, or fail to act against bribery by other personnel — silent acquiescence is itself a Code violation and may also be a legal violation depending on facts.

Jurisdictional Frameworks

Two principal legal frameworks govern Guardian personnel conduct on bribery, depending on which entity employs or engages the personnel:

  • Personnel of Guardian Assessment Private Limited (India) are subject to the Prevention of Corruption Act 1988 (as amended), the Indian Penal Code provisions on bribery, and the Companies Act 2013 anti-fraud provisions. Indian law criminalises both giving and receiving bribes by public servants and, since 2018 amendments, by commercial sector parties. Conviction carries imprisonment and fines.
  • Personnel of Guardian Assessment UK Ltd are subject to the UK Bribery Act 2010 — the principal modern UK anti-bribery legislation. The Act criminalises offering, promising, giving, requesting, agreeing to receive, or accepting a bribe (Sections 1–2), bribery of foreign public officials (Section 6), and the corporate offence of failing to prevent bribery (Section 7), which extends to commercial organisations regardless of where the bribery itself occurred. Convictions carry imprisonment and significant fines; corporate convictions can include unlimited fines.

Both frameworks have extraterritorial reach in some circumstances. Indian personnel offering bribes outside India can be prosecuted in India; UK Bribery Act Section 7 makes UK organisations liable for failures to prevent bribery anywhere in the world. Personnel should not assume that operating outside their entity’s home jurisdiction provides protection from that jurisdiction’s anti-bribery framework. Where engagements span jurisdictions, both frameworks may apply concurrently.

Facilitation Payments

Facilitation payments — small payments to public officials to expedite routine actions they are already obligated to perform — are culturally normalised in some operating contexts. They are nonetheless prohibited under this Code:

  • UK Bribery Act 2010 has no facilitation-payment exception; facilitation payments are unlawful regardless of size or local custom.
  • Indian Prevention of Corruption Act 1988 similarly prohibits facilitation payments to public servants.
  • Personnel encountering apparent demands for facilitation payments — for example, in customs clearance, regulatory permitting, or government office transactions — should refuse, document the demand, and escalate to leadership; legal counsel may engage to address the demand through proper channels.

Anti-Bribery Training

All personnel receive anti-bribery awareness training:

  • On joining — as part of standard onboarding for employees and as a condition of engagement for contractors and committee members.
  • Annually — refresher training covering recent regulatory updates, recent case examples in the certification industry, and reinforcement of the disciplinary expectations.
  • Engagement-specific awareness — for engagements in jurisdictions or sectors with elevated corruption risk indicators, additional engagement-specific anti-bribery briefings before engagement start.

Training records are retained as evidence of Guardian’s anti-bribery compliance posture and are reviewed during UAF surveillance and during regulatory inspections where applicable.

When Personnel Have Other Professional Roles

Many Guardian personnel — particularly contractors and committee members — have other professional roles concurrent with their Guardian engagement. The Code does not prohibit secondary employment in general; it requires disclosure and precludes specific configurations that would create impartiality concerns Guardian cannot manage.

Disclosure Requirements

Personnel must disclose all secondary employment, consulting engagements, board positions, advisory roles, and other ongoing professional activities at the time of joining Guardian and on each subsequent material change. Disclosures include the nature of the role, the entity engaged with, the time commitment, and any potential intersections with Guardian engagements that the personnel can reasonably anticipate. Disclosure is to leadership for permanent employees, to the engaging Guardian function for contractors, and to the Impartiality Committee for committee members.

Permitted External Activities

The following external activities are generally permitted, subject to disclosure and case-by-case Impartiality Committee assessment for engagement-specific concerns:

  • Academic positions — teaching, research, and university affiliations not involving applicants or certified clients.
  • Independent technical writing and publication — books, articles, or blog posts on technical topics not derived from confidential engagement information.
  • Conference speaking and panel participation — on technical topics within personnel expertise; Guardian engagement-specific content requires prior approval under Guardian’s communication discipline.
  • Open source contribution — including security research and tooling not connected to specific applicant or certified-client products.
  • Industry committee participation — standards bodies, professional associations, and peer review panels.
  • Personal investment activities — except as constrained by impartiality concerns described below.

Precluded External Activities

The following are precluded for personnel during their Guardian engagement:

  • Consulting on certified products — personnel cannot provide consulting, security advisory, remediation guidance, certification preparation, or related services on products certified by Guardian. Where personnel have prior consulting relationships with applicants who subsequently apply for Guardian certification, the prior relationship is disclosed and the personnel are recused from the certification engagement.
  • Employment by direct competitors of certified clients during active engagement — where Guardian is actively engaging with a certified client, personnel cannot concurrently be employed by a direct competitor of that client. The direct-competitor threshold is judgment-based; in cases of uncertainty, personnel disclose the role to the Impartiality Committee for case-by-case assessment.
  • Personal investment positions in applicants or certified clients — personnel must not hold personal investment positions, including shares, options, derivatives, or debt instruments, in applicants whose engagements they participate in or in certified clients during their certification cycles. Pre-existing positions discovered after engagement start trigger immediate disclosure and recusal.
  • External roles that compromise Code obligations — any external role that would require personnel to act inconsistently with this Code, for example an external role that requires disclosure of Guardian-confidential information, is precluded.

Outside Compensation Disclosure

Where secondary employment or external activities involve material compensation, personnel disclose the compensation source and approximate magnitude — specific amounts are not required — for impartiality assessment purposes. The disclosure is treated as confidential to Guardian’s leadership and the Impartiality Committee; it is not externally reported except as legally required. The discipline supports impartiality assessment without becoming intrusive into personnel personal financial matters.

How Personnel Handle the Technology and Information They Encounter

Guardian personnel — particularly evaluators conducting Stage 4 Technical Evaluation — encounter sensitive technology and information at substantial depth. Source code, architecture details, vulnerability findings, threat models, and customer data accessed in evaluation environments require disciplined handling. The Code’s technology and information conduct provisions establish the discipline that protects this exposure from misuse.

No-Exploitation Discipline

Vulnerabilities, weaknesses, and security issues identified during evaluation are findings to be documented and reported through formal evaluation channels — not to be exploited, traded, or otherwise leveraged. Specifically:

  • Personnel must not exploit identified vulnerabilities for personal benefit — accessing customer data beyond what evaluation requires, conducting unauthorised activities in applicant environments, or retaining access after engagement end.
  • Personnel must not disclose findings to third parties — security researcher communities, public vulnerability databases, security media, or other parties — except through Guardian’s formal disclosure channels, which themselves require coordination with the affected applicant.
  • Personnel must not retain post-engagement copies of evaluation evidence, applicant source code, or other engagement-derived material on personal systems beyond the standard engagement-records retention discipline per /confidentiality Section 3.6.
  • Personnel must not trade on findings — direct or indirect securities trading, sharing findings with parties who could trade, or other activities that monetise findings outside Guardian’s formal compensation structure.

Responsible Disclosure for Incidental Third-Party Findings

During evaluation, personnel may identify vulnerabilities or weaknesses in third-party products incidentally — for example, a vulnerability in an open-source library used by the certified product, or a weakness in a third-party integration. The handling of these incidental findings:

  • Findings are reported to Guardian’s evaluation lead for inclusion in the engagement record; where they affect the certified product’s security posture, they inform finding-handling for the engagement.
  • Where the incidental finding warrants third-party disclosure for the broader security community’s benefit, Guardian’s leadership reviews the finding and coordinates responsible disclosure to the affected third party with appropriate timeline, typically following industry-standard 90-day or 120-day disclosure windows. Coordination is conducted by Guardian, not by individual personnel acting independently.
  • Personnel do not independently disclose third-party findings to public databases, vulnerability disclosure programs, security media, conference presentations, or other public channels without Guardian’s coordination — even where the personnel believe the disclosure is appropriate. Independent disclosure could compromise the effectiveness of the responsibly disclosed finding and could compromise the certified client’s confidentiality interests.
  • Where personnel believe Guardian’s coordination of a third-party disclosure is inappropriate or inadequate, the matter is escalated through the standard Complaints procedure rather than resolved through unilateral personnel action.

Workstation and Device Discipline

Personnel use Guardian-provisioned workstations or workstations meeting Guardian’s technical security requirements for engagement work. Specific expectations:

  • Full-disk encryption mandatory; password and/or biometric authentication mandatory; automatic screen lock after defined inactivity.
  • Approved software only — installation of unauthorised software, particularly software with telemetry that could exfiltrate evaluation data, is precluded.
  • Removable media use only with leadership authorisation and only with controls, including encryption, audit logging, and secure disposal.
  • Personal cloud services — consumer-grade file sync and collaboration tools — are prohibited for engagement materials; Guardian-controlled secure storage is the only authorised storage.
  • Personal devices are prohibited for engagement work except in narrowly defined exceptions with leadership approval.
  • Lost or compromised devices are reported to Guardian leadership immediately for impact assessment and remediation.

How Personnel Communicate with External Parties

Personnel communications with parties outside Guardian — applicants, certified clients, regulators, peer certification bodies, media, and the public — are themselves a vector through which Guardian’s institutional integrity can be compromised or strengthened. The Code’s communication conduct provisions establish the standards. The provisions are organised by audience because each audience has different communication discipline.

Communication with Applicants and Certified Clients

Engagement-related communication with applicants and certified clients follows the engagement’s defined channels — typically the lead evaluator or designated engagement contact, with engagement-specific communication routes for technical questions, scheduling, and similar. Specific expectations:

  • Communication is professional, respectful, and substantive — applicants are not Guardian’s adversaries, even where evaluation reveals findings; the relationship is collaborative within the limits of Guardian’s evaluator role.
  • No remediation guidance — per /impartiality Section 3.6, Guardian does not advise on how to fix findings; personnel decline informal requests for remediation guidance even where the request is friendly.
  • No preliminary decision indications — personnel do not signal likely Decision Authority outcomes during evaluation, even where applicants ask.
  • Engagement-specific communication outside defined channels is escalated to the engagement lead; applicants reaching out to evaluators directly for matters that should go through formal channels are redirected without engagement on substance.

Communication with Regulators

Where Guardian engages with regulators — disclosure mandated by law, regulatory inquiries, or sectoral oversight in industries Guardian’s certifications intersect with — communication is:

  • Cooperative within the limits of Guardian’s confidentiality obligations to applicants and certified clients.
  • Coordinated through Guardian’s leadership and legal counsel; individual personnel do not respond to regulatory inquiries unilaterally.
  • Documented for record-keeping and accreditation oversight.
  • Lawful — personnel comply with regulatory orders even where compliance is operationally inconvenient; non-compliance with valid regulatory authority is precluded.

Communication with Media

Media communication is the highest-risk communication category because of its public nature and the scope for misrepresentation:

  • Personnel do not communicate with media about active engagements, specific applicants or certified clients, individual findings, or specific decisions; these communications are coordinated through Guardian’s leadership and communications function, never by individual personnel.
  • Personnel may communicate with media about general topics within their professional expertise — application security technical topics, OWASP standards, and industry trends — provided the communication does not draw on confidential engagement-derived information and does not represent Guardian’s institutional positions without authorisation.
  • Off-record communications with media are precluded. Even where media offer background-only or on-deep-background framings, personnel do not engage in off-record disclosures of certification matters; the appearance of off-record disclosure is itself damaging regardless of the actual content.
  • Personnel approached for comment on Guardian-specific matters refer the inquiry to Guardian’s communications function.

Personal Social Media and Professional Networks

Personal social media presence — LinkedIn, X, Mastodon, professional blogs, podcasts — is private to the personnel; Guardian does not regulate personal expression. However, where personal media intersects with the Guardian role:

  • Personnel may identify their Guardian role on professional profiles — LinkedIn affiliation, conference biographies, professional bios — as normal professional disclosure.
  • Personnel must not disclose engagement-specific information in personal media; even where the post seems harmless to the personnel, engagement-specific disclosures are confidentiality breaches.
  • Personnel must not represent Guardian’s institutional positions through personal media without authorisation; opinions stated on personal media should be clearly personal, not institutional.
  • Personnel commenting publicly on certification industry topics, OWASP developments, regulatory matters, and similar should ensure their comments do not contradict Guardian’s documented positions or compromise Guardian’s institutional credibility.

Enforcement and Recourse

The Code is operationally meaningful only if violations have consequences and reporting mechanisms are accessible. This Section addresses the enforcement framework: how violations are identified, how they are investigated, what corrective actions follow, and how personnel and external stakeholders can report suspected violations.

Reporting Code Violations

Code violations may be reported through multiple channels:

  • Through the Complaints and Appeals procedure at /complaints-appeals — the standard recourse mechanism for any concern about Guardian’s conduct, including personnel conduct.
  • Internally through line management — for personnel reporting concerns about colleagues’ conduct, line management is often the most appropriate first route.
  • Internally through the Impartiality Committee — for concerns implicating impartiality or where line-management routing would create conflict of interest, direct routing to the independent Committee chair is appropriate.
  • Externally through UAF — where the suspected violation implicates Guardian’s accreditation compliance, UAF accepts complaints directly at uafaccreditation.org.

Reports may be made by Guardian personnel, applicants and certified clients, third parties, and members of the public. Pseudonymous reports are accepted with the procedural adjustments described in /complaints-appeals Section 3.7.

Investigation

Reported Code violations are investigated under the Complaints procedure framework documented in /complaints-appeals — investigation by personnel independent of the matter, structured timelines, and confidentiality discipline matching /confidentiality. Investigation focuses on factual establishment: what conduct occurred, what Code provision was implicated, and what surrounding circumstances are relevant. Investigation outcomes are documented and communicated to the reporter, the personnel involved, and Guardian’s leadership with appropriate privacy adjustments.

Corrective Actions

Corrective actions for confirmed Code violations are calibrated to the severity of the violation and the surrounding circumstances.

Each severity level is listed with its typical examples and typical corrective actions.

Minor — Code awareness
  • Typical examples: acceptance of nominal-value gifts not subsequently registered; conversational disclosures in informal settings without breach impact; documentation lapses in workstation discipline.
  • Typical corrective actions: coaching by line management; refresh training; gift register backfill; documented warning. Single instances rarely escalate further.

Moderate — Repeat or judgment
  • Typical examples: repeated minor violations; failures to disclose secondary employment; informal communication outside defined channels with substantive engagement-related content.
  • Typical corrective actions: formal warning; mandatory training; engagement reassignment; performance review documentation. Continued patterns escalate.

Serious — Material breach
  • Typical examples: acceptance of substantive-value gifts; deliberate confidentiality disclosure; deliberate impartiality breach; use of evaluation-derived information for personal benefit; substantive media communication outside coordination.
  • Typical corrective actions: suspension pending investigation; potential termination; engagement disqualification across all active and pipeline engagements; UAF notification where Guardian’s accreditation compliance is implicated.

Severe — Termination-appropriate
  • Typical examples: bribery, giving or receiving; deliberate exploitation of vulnerabilities identified during evaluation; deliberate sale or trade of confidential information; pattern of serious violations.
  • Typical corrective actions: termination of employment or engagement; civil and potentially criminal referral; UAF notification; disqualification from future Guardian engagement; in some cases, restitution where Guardian or applicants have suffered loss.

Non-Retaliation

Guardian’s non-retaliation commitment — documented in /impartiality Section 3.9, /confidentiality Section 3.9, and /complaints-appeals Section 3.9 — applies fully to Code violation reports. Personnel reporting suspected violations by colleagues, by leadership, or by committee members are protected from retaliation in any form. Reports made in good faith, even where investigation finds the underlying concern not substantiated, do not result in adverse action against the reporter. Where reporters believe they are experiencing retaliation, that itself is a Code violation reportable through the same channels.

Surviving Obligations

Code obligations relating to confidentiality, anti-bribery, no-exploitation discipline, and proper handling of post-engagement disclosures survive termination of employment or engagement. Former personnel remain bound by these obligations for the lifetime of the information’s commercial sensitivity. Surviving obligations are documented in personnel agreements signed at engagement start; the Code surfaces the obligations publicly so that stakeholders can verify the framework.

Closing commitment: The Code is the personnel layer of Guardian’s trust framework. The substantive structural commitments documented in Pages 22–25 succeed or fail based on the daily conduct of personnel — and the conduct documented in this Code is what makes the structural commitments operationally real. Stakeholders relying on Guardian’s certification activities are entitled to expect that the personnel handling their information, conducting their evaluations, and reaching decisions about their products are operating to this Code. Verifying that the Code is operationally real is the purpose of the recourse mechanisms documented in /complaints-appeals; using those mechanisms to surface and address concerns is what makes the verification credible.

Common Questions, Answered

All Guardian personnel — permanent employees, contracted evaluators, Decision Authority personnel, Reviewers, Impartiality Committee members, Appeals Committee members, and other authorised personnel with material exposure to certification activities. The Code is embedded in personnel agreements signed by every role; it is contractual, not just aspirational. The Code applies equally to contractors and committee members because their conduct affects Guardian’s integrity as much as that of permanent employees.

Generally no. The position is non-acceptance, with narrow exceptions for nominal-value promotional items such as branded conference giveaways and reciprocal courtesy gifts on first visits. Specific prohibitions apply to cash or cash equivalents, personal-benefit gifts above approximately INR 5,000 / GBP 50 / USD 60, and any gifts during active engagements. Accepted gifts and material hospitality are recorded in Guardian’s Gift Register, reviewed by leadership, and accessible to UAF during accreditation surveillance.

Zero tolerance for bribery and corruption — both giving and receiving. Personnel must not accept, offer, solicit, or condone any payment, gift, hospitality, favour, or other benefit that could influence Guardian’s certification activities or any decision Guardian takes. Personnel of Guardian Assessment Private Limited (India) are subject to the Indian Prevention of Corruption Act 1988; Guardian Assessment UK Ltd personnel are subject to the UK Bribery Act 2010, including Section 7 corporate liability. Facilitation payments are prohibited regardless of cultural context.

Investigation proceeds under the Complaints procedure framework documented in /complaints-appeals — by personnel independent of the matter, with structured timelines and confidentiality discipline. Corrective actions are calibrated to severity: minor violations typically receive coaching and refresh training; moderate violations receive formal warnings and reassignment; serious violations can result in suspension, potential termination, and UAF notification; severe violations such as bribery, deliberate impartiality breach, exploitation of evaluation findings, or sale of confidential information result in termination and potential civil or criminal referral. Surviving obligations on confidentiality and anti-bribery continue post-termination.

Disclosure is required and certain configurations are precluded. Personnel disclose all secondary employment, consulting engagements, board positions, and advisory roles at the time of joining and on each subsequent material change. Consulting on Guardian-certified products is precluded. Employment by direct competitors of certified clients during active engagement is precluded. Personal investment positions in applicants or certified clients are precluded. Most other secondary employment is permitted subject to disclosure and case-by-case Impartiality Committee assessment.

Yes, on technical topics within their professional expertise. Personnel may identify their Guardian role and speak about general application security topics, OWASP standards, industry trends, and similar. Engagement-specific content referring to specific applicants, certified clients, or active matters requires prior coordination with Guardian’s communications function. Conference attendance paid for by Guardian or by personnel is permitted; attendance paid for by an applicant or certified client is not.

Personal social media presence is private to the personnel. Personnel may identify their Guardian role on professional profiles. Engagement-specific information must not be disclosed in personal media — even seemingly harmless posts can constitute confidentiality breaches. Personnel must not represent Guardian’s institutional positions through personal media without authorisation; opinions on personal media should be clearly personal, not institutional. Personnel commenting on certification industry topics, OWASP developments, or regulatory matters should ensure their comments do not contradict Guardian’s documented positions.

Multiple reporting channels are available: through the Complaints and Appeals procedure at /complaints-appeals, internally through line management, internally through the Impartiality Committee for impartiality-related concerns, or externally through UAF at uafaccreditation.org for matters implicating Guardian’s accreditation compliance. Reports may be made by Guardian personnel, applicants, certified clients, third parties, and members of the public. Pseudonymous reports are accepted. Guardian’s non-retaliation commitment fully applies to Code violation reports.

General sector investment is permitted; specific position prohibitions apply. Personnel must not hold personal investment positions — shares, options, derivatives, or debt instruments — in applicants whose engagements they participate in, or in certified clients during their certification cycles. Pre-existing positions discovered after engagement start trigger immediate disclosure and recusal. Investment in unrelated cybersecurity companies, in indices that include cybersecurity exposure, or in major public companies not currently engaged with Guardian is generally permitted subject to disclosure for impartiality assessment.

It is reported to Guardian’s evaluation lead for inclusion in the engagement record. Where the incidental finding warrants third-party disclosure, Guardian’s leadership coordinates responsible disclosure to the affected third party with industry-standard timelines, typically 90-day or 120-day disclosure windows. Personnel do not independently disclose third-party findings to public databases, security media, or conference presentations without Guardian’s coordination. The discipline protects responsible disclosure effectiveness and preserves certified clients’ confidentiality interests.

No, beyond Guardian’s standard engagement-records retention discipline. Personnel must not retain post-engagement copies of evaluation evidence, applicant source code, or other engagement-derived material on personal systems. Engagement materials are stored on Guardian-controlled secure storage during engagement and through the documented retention period, typically 3 years post-cycle per /confidentiality Section 3.6; personal copies on personal devices are precluded. Lost or compromised devices containing engagement materials must be reported to Guardian leadership immediately.

Yes. All personnel receive anti-bribery awareness training on joining, annually as refresher training, and engagement-specifically for engagements in jurisdictions or sectors with elevated corruption risk indicators. Training records are retained as evidence of Guardian’s anti-bribery compliance posture and reviewed during UAF surveillance.

No. Personnel do not communicate with media about active engagements, specific applicants or certified clients, individual findings, or specific decisions. Media communications about Guardian-specific matters are coordinated through Guardian’s leadership and communications function, never by individual personnel. Off-record communications are precluded. Personnel approached by media for comment refer the inquiry to Guardian’s communications function.

A facilitation payment is a small payment to a public official to expedite routine actions they are already obligated to perform — such as customs clearance, regulatory permitting, or government office transactions. Facilitation payments are culturally normalised in some operating contexts. They are nonetheless prohibited under this Code. The UK Bribery Act 2010 has no facilitation-payment exception; the Indian Prevention of Corruption Act 1988 similarly prohibits facilitation payments to public servants. Personnel encountering apparent demands refuse, document, and escalate to leadership.

Yes. The Code applies through your engagement agreement, which contractually incorporates the Code. The Code’s substantive provisions — confidentiality, impartiality, anti-bribery, gifts and hospitality discipline, technology conduct, and communication standards — are the same for contractors as for permanent employees. The contractual route differs, but the Code’s application is identical. Your engagement agreement should include explicit reference to this Code; if it does not, contact Guardian leadership for clarification.

Through the same Complaints procedure as violations by other personnel, but with structural adjustments to ensure investigation independence. Where line-management routing would create conflict because line management is itself implicated, routing is direct to the Impartiality Committee independent chair. Where Guardian internal handling could be inadequate, direct UAF escalation is available without requiring prior internal handling. The Code applies to leadership as it does to all other personnel; leadership-level violations have leadership-level consequences.
