Outsource Models — Referral / White-label / Managed Service

Context: If ALAI outsources pen-test work to an accredited partner (the partner holds the CREST accreditation or NSM approval, and delivery happens under it), there are three business models. Recommended: Model 2 (White-label Subcontract).

Model 1: Referral (Easiest, Lowest Revenue)

How It Works

ALAI refers client to partner. Partner contracts directly with end-client.

What You Need

  • Referral Agreement with partner
  • Finder's fee: 10-25% of contract value

Risk

Low. ALAI is not a party to the delivery contract and carries no liability for the technical work.

Marketing

"ALAI partners with [X]." You CANNOT claim partner's security work as your own.


Model 2: White-label Subcontract (RECOMMENDED)

How It Works

ALAI signs the prime contract with the end-client. The partner performs the technical work under a subcontract. ALAI is the legal counterparty to the client.

Risk

Medium. As prime contractor ALAI is liable to the client for the partner's delivery; the back-to-back clauses below pass that exposure on to the partner but do not remove it from the client contract.

Margin

15-30% markup on the partner's cost.

What You Need

  1. Master Services Agreement (MSA) with partner — back-to-back clauses
  2. Sub-Processor DPA (GDPR Art. 28): the partner processes client data on ALAI's behalf. Art. 28(2) requires the end-client's prior written authorisation (specific or general) before a sub-processor is engaged, so the client-side DPA must provide for it.
  3. NDA chain — partner signs client-equivalent NDA
  4. Right-to-audit clause over partner
  5. Cyber liability insurance back-to-back — partner must carry minimum equivalent coverage to ALAI policy
  6. IP clause — ALAI owns report to client; partner retains methodology IP
  7. SLA back-to-back — whatever ALAI promises client, partner must promise ALAI
  8. Partner-cert legitimacy clause — partner guarantees active CREST/NSM/PCI status during engagement

Norwegian Context

⚠️ Working Environment Act (Arbeidsmiljøloven) §14-12 / §14-13 (hire of labour, "innleie"): if the partner supplies individual testers rather than a firm-to-firm service, the arrangement may be classified as hire of labour. Structure it as a B2B contract for a defined deliverable, with the partner managing and instructing its own staff; the classification turns on who directs the work day-to-day, not on the contract's title.

Marketing

  • ✅ "Delivered in partnership with [X]"
  • ✅ "Powered by [X]"
  • ❌ "ALAI is CREST-certified" (false: the partner holds the accreditation, ALAI does not)

Model 3: Managed Service (Most Complex, Highest Revenue)

How It Works

Subscription model with recurring billing. ALAI provides the customer-success layer; the partner provides technical delivery.

What You Need

  • Everything from Model 2
  • Customer success team on ALAI side
  • Escalation matrix between ALAI and partner

What ALAI Holding Must Have (All Models)

  1. ISO 27001 certification, or a plan to obtain it (clients ask)
  2. Cyber liability insurance 5-10M NOK (Gjensidige/IF) — see MC #9412
  3. DPA template — ✅ already exists (AI Services legal pack)
  4. MSA template — ⚠️ NEED to add (similar to Retainer template)
  5. Brønnøysund registration "konsulentvirksomhet sikkerhet" — already covered under existing NACE 62.02

Source: MC #10446, CEO email 2026-05-01 (Message-ID 4929b145)