Legal & Marketing Constraints When Outsourcing Security

Legal & Marketing Constraints When Outsourcing Security

⚠️ DISCLAIMER: This is general industry knowledge. For authoritative legal advice, consult Norwegian advokat (Wiersholm/BAHR/Schjødt security practice) before signing any MSA or sub-contract.

Legal Requirements (White-label Model)

1. Master Services Agreement (MSA) with Partner

Back-to-back clauses — every obligation ALAI accepts from client must flow through to partner.

2. Sub-Processor DPA (GDPR Art.28)

Partner processes client personal data → must sign Sub-Processor Data Processing Agreement under GDPR Article 28.

3. NDA Chain

Partner must sign client-equivalent NDA. If client requires special classification (e.g., NSM Fortrolig), partner must hold equivalent clearance.

4. Right-to-Audit Clause

ALAI must have contractual right to audit partner's security practices. If partner refuses this clause → RED FLAG.

5. Cyber Liability Insurance Back-to-Back

Partner must carry cyber liability insurance coverage equivalent to ALAI's policy (minimum 5-10M NOK). ALAI must verify partner's insurance certificate annually.

6. IP Clause

• ALAI owns final report delivered to client
• Partner retains methodology and tooling IP

7. SLA Back-to-Back

If ALAI promises client "final report within 10 business days", partner must contractually promise ALAI "draft report within 7 business days".

8. Partner-Cert Legitimacy Clause

Partner guarantees active CREST/NSM/PCI certification during engagement period. If certification lapses, ALAI has termination right.

Norwegian Employment Law Constraint

Arbeidsmiljøloven §14-12 / §14-13 ("Innleie")

If partner sends individual testers to work under ALAI's direction (vs. partner delivering service as independent firm), Norwegian law may classify this as employment leasing.

Mitigation: Structure contract as firm-to-firm B2B service delivery. Partner retains operational control over testers. ALAI engages partner for deliverable (pen-test report), NOT for staff augmentation.

Marketing Do's and Don'ts

✅ Permitted Claims

• "Delivered in partnership with [X]"
• "Powered by [X]"
• "ALAI coordinates security testing through certified partners"

❌ Prohibited Claims

• "ALAI is CREST-certified" (false — partner is, ALAI is not)
• "ALAI is NSM Sikkerhetsgodkjent" (false — unless ALAI itself holds clearance)
• "ALAI performs pen-tests" (technically partner performs, ALAI coordinates)

⚠️ Special Constraints for Specific Certifications

NSM Sikkerhetsgodkjent Work (Classified)

Only certified firms can deliver classified security work. ALAI CANNOT promise this unless ALAI itself obtains NSM clearance (12-24 month process).

PCI ASV Scan

Payment Card Industry Approved Scanning Vendor (ASV) reports must be signed directly by ASV firm. ALAI cannot white-label PCI ASV scans — client must contract ASV directly (or ALAI refers under Model 1).

What You CANNOT Promise to Client

• NSM Sikkerhetsgodkjent delivery (unless ALAI holds clearance)
• PCI ASV scan under ALAI name (ASV firm must sign report)
• Specific tester by name (partner retains operational control)

Related: Outsource Models, Practical First Steps

Source: MC #10446, CEO email 2026-05-01 (Message-ID 4929b145)