# Outsource Models — Referral / White-label / Managed Service

**Context:** If ALAI outsources pen-test work to a certified partner (the partner holds the CREST/NSM accreditation; ALAI sells engagements that the partner delivers under that accreditation), there are three business models. **Recommended: Model 2 (White-label Subcontract).**

## Model 1: Referral (Easiest, Lowest Revenue)

### How It Works

ALAI refers the client to the partner. The partner contracts directly with the end-client; ALAI is not a party to the delivery contract.

### What You Need

- Referral Agreement with partner
- Finder's fee: 10-25% of contract value

### Risk

Low. ALAI is not liable for technical delivery, because the contract (and the duty of care) sits between the partner and the end-client.

### Marketing

"ALAI partners with \[X\]." You CANNOT claim partner's security work as your own.

---

## Model 2: White-label Subcontract (RECOMMENDED)

### How It Works

ALAI signs the prime contract with the end-client. The partner performs the technical work under a subcontract with ALAI. ALAI is the legal counterparty to the client and is therefore liable to the client for delivery even though the partner does the work; the back-to-back clauses below exist to pass that liability and those obligations on to the partner.

### Margin

15-30% markup on partner's cost.

### Legal Requirements

1. **Master Services Agreement (MSA)** with partner, with back-to-back clauses mirroring the client contract
2. **Sub-Processor DPA (GDPR Art. 28)**, since the partner processes client data on ALAI's behalf
3. **NDA chain**: partner signs an NDA at least as strict as the one ALAI signs with the client
4. **Right-to-audit clause** over the partner (and flow-down of any audit right the client holds over ALAI)
5. **Cyber liability insurance back-to-back**: partner must carry at least the coverage ALAI's own policy provides
6. **IP clause**: ALAI owns the report delivered to the client; partner retains its methodology IP
7. **SLA back-to-back**: whatever ALAI promises the client (response times, delivery dates, retest windows), the partner must promise ALAI
8. **Partner-cert legitimacy clause**: partner warrants active CREST/NSM/PCI status for the duration of the engagement and must notify ALAI at once if that status lapses or is suspended

### Norwegian Context

⚠️ **Arbeidsmiljøloven (Working Environment Act) §14-12 / §14-13 ("innleie", hiring-in of labour)**: if the partner supplies individual testers whom ALAI directs day-to-day, rather than delivering a firm-to-firm service, the arrangement may be classified as employment leasing. Structure it as a B2B contract for services: the partner is responsible for the result, manages its own staff, and decides how the work is done; ALAI specifies scope and acceptance criteria, not individual testers' tasks.

### Marketing

- ✅ "Delivered in partnership with \[X\]"
- ✅ "Powered by \[X\]"
- ❌ "ALAI is CREST-certified" (false — partner is, ALAI is not)

---

## Model 3: Managed Service (Most Complex, Highest Revenue)

### How It Works

Subscription model with recurring billing. ALAI owns the customer relationship and provides the customer-success layer; the partner provides technical delivery.

### What You Need

- Everything from Model 2
- Customer success team on ALAI side
- Escalation matrix between ALAI and partner

---

## What ALAI Holding Must Have (All Models)

1. ISO 27001 certification, or a documented plan to obtain it (clients ask for it in procurement)
2. Cyber liability insurance 5-10M NOK (Gjensidige/IF); see MC #9412
3. DPA template: ✅ already exists (AI Services legal pack)
4. MSA template: ⚠️ NEED to add (similar to the Retainer template)
5. Brønnøysund registration "konsulentvirksomhet sikkerhet" (security consultancy): already covered under existing NACE 62.02

---

*Related: [Legal & Marketing Constraints](/books/alai-sec-service-line/page/legal-marketing-constraints), [Practical First Steps](/books/alai-sec-service-line/page/practical-first-steps)*

*Source: MC #10446, CEO email 2026-05-01 (Message-ID 4929b145)*