Legal & Marketing Constraints When Outsourcing Security

⚠️ DISCLAIMER: This is general industry knowledge. For authoritative legal advice, consult Norwegian advokat (Wiersholm/BAHR/Schjødt security practice) before signing any MSA or sub-contract.

Legal Requirements (White-label Model)

1. Master Services Agreement (MSA) with Partner

Back-to-back clauses — every obligation ALAI accepts from client must flow through to partner.

2. Sub-Processor DPA (GDPR Art.28)

Partner processes client personal data → must sign Sub-Processor Data Processing Agreement under GDPR Article 28.

3. NDA Chain

Partner must sign client-equivalent NDA. If client requires special classification (e.g., NSM Fortrolig), partner must hold equivalent clearance.

4. Right-to-Audit Clause

ALAI must have contractual right to audit partner's security practices. If partner refuses this clause → RED FLAG.

5. Cyber Liability Insurance Back-to-Back

Partner must carry cyber liability insurance coverage equivalent to ALAI's policy (minimum 5-10M NOK). ALAI must verify partner's insurance certificate annually.

6. IP Clause

ALAI owns final report delivered to client
Partner retains methodology and tooling IP

7. SLA Back-to-Back

If ALAI promises client "final report within 10 business days", partner must contractually promise ALAI "draft report within 7 business days".

8. Partner-Cert Legitimacy Clause

Partner guarantees active CREST/NSM/PCI certification during engagement period. If certification lapses, ALAI has termination right.

Norwegian Employment Law Constraint

Arbeidsmiljøloven §14-12 / §14-13 ("Innleie")

If partner sends individual testers to work under ALAI's direction (vs. partner delivering service as independent firm), Norwegian law may classify this as employment leasing.

Mitigation: Structure contract as firm-to-firm B2B service delivery. Partner retains operational control over testers. ALAI engages partner for deliverable (pen-test report), NOT for staff augmentation.

Marketing Do's and Don'ts

✅ Permitted Claims

"Delivered in partnership with [X]"
"Powered by [X]"
"ALAI coordinates security testing through certified partners"

❌ Prohibited Claims

"ALAI is CREST-certified" (false — partner is, ALAI is not)
"ALAI is NSM Sikkerhetsgodkjent" (false — unless ALAI itself holds clearance)
"ALAI performs pen-tests" (technically partner performs, ALAI coordinates)

⚠️ Special Constraints for Specific Certifications

NSM Sikkerhetsgodkjent Work (Classified)

Only certified firms can deliver classified security work. ALAI CANNOT promise this unless ALAI itself obtains NSM clearance (12-24 month process).

PCI ASV Scan

Payment Card Industry Approved Scanning Vendor (ASV) reports must be signed directly by ASV firm. ALAI cannot white-label PCI ASV scans — client must contract ASV directly (or ALAI refers under Model 1).

What You CANNOT Promise to Client

NSM Sikkerhetsgodkjent delivery (unless ALAI holds clearance)
PCI ASV scan under ALAI name (ASV firm must sign report)
Specific tester by name (partner retains operational control)

Source: MC #10446, CEO email 2026-05-01 (Message-ID 4929b145)