# Legal & Marketing Constraints When Outsourcing Security # Legal & Marketing Constraints When Outsourcing Security **⚠️ DISCLAIMER:** This is general industry knowledge. For authoritative legal advice, consult Norwegian advokat (Wiersholm/BAHR/Schjødt security practice) before signing any MSA or sub-contract. ## Legal Requirements (White-label Model) ### 1. Master Services Agreement (MSA) with Partner Back-to-back clauses — every obligation ALAI accepts from client must flow through to partner. ### 2. Sub-Processor DPA (GDPR Art.28) Partner processes client personal data → must sign Sub-Processor Data Processing Agreement under GDPR Article 28. ### 3. NDA Chain Partner must sign client-equivalent NDA. If client requires special classification (e.g., NSM Fortrolig), partner must hold equivalent clearance. ### 4. Right-to-Audit Clause ALAI must have contractual right to audit partner's security practices. If partner refuses this clause → RED FLAG. ### 5. Cyber Liability Insurance Back-to-Back Partner must carry cyber liability insurance coverage equivalent to ALAI's policy (minimum 5-10M NOK). ALAI must verify partner's insurance certificate annually. ### 6. IP Clause - ALAI owns final report delivered to client - Partner retains methodology and tooling IP ### 7. SLA Back-to-Back If ALAI promises client "final report within 10 business days", partner must contractually promise ALAI "draft report within 7 business days". ### 8. Partner-Cert Legitimacy Clause Partner guarantees active CREST/NSM/PCI certification during engagement period. If certification lapses, ALAI has termination right. ## Norwegian Employment Law Constraint ### Arbeidsmiljøloven §14-12 / §14-13 ("Innleie") If partner sends individual testers to work under ALAI's direction (vs. partner delivering service as independent firm), Norwegian law may classify this as employment leasing. **Mitigation:** Structure contract as firm-to-firm B2B service delivery. Partner retains operational control over testers. ALAI engages partner for deliverable (pen-test report), NOT for staff augmentation. ## Marketing Do's and Don'ts ### ✅ Permitted Claims - "Delivered in partnership with \[X\]" - "Powered by \[X\]" - "ALAI coordinates security testing through certified partners" ### ❌ Prohibited Claims - "ALAI is CREST-certified" (false — partner is, ALAI is not) - "ALAI is NSM Sikkerhetsgodkjent" (false — unless ALAI itself holds clearance) - "ALAI performs pen-tests" (technically partner performs, ALAI coordinates) ### ⚠️ Special Constraints for Specific Certifications #### NSM Sikkerhetsgodkjent Work (Classified) Only certified firms can deliver classified security work. ALAI CANNOT promise this unless ALAI itself obtains NSM clearance (12-24 month process). #### PCI ASV Scan Payment Card Industry Approved Scanning Vendor (ASV) reports must be signed directly by ASV firm. ALAI cannot white-label PCI ASV scans — client must contract ASV directly (or ALAI refers under Model 1). ## What You CANNOT Promise to Client - NSM Sikkerhetsgodkjent delivery (unless ALAI holds clearance) - PCI ASV scan under ALAI name (ASV firm must sign report) - Specific tester by name (partner retains operational control) --- *Related: [Outsource Models](/books/alai-sec-service-line/page/outsource-models), [Practical First Steps](/books/alai-sec-service-line/page/practical-first-steps)* *Source: MC #10446, CEO email 2026-05-01 (Message-ID 4929b145)*