Epic Chat

Epic Supplier Policy

Download Epic Supplier Policy

Epic Communications Limited (C 10865), hereinafter referred to as “Epic”, is a leading electronic communications company established in Malta. At Epic we act with honesty, integrity and fairness in our dealings both internally and externally to ensure we are trusted by our customers, colleagues, business partners and the communities in which we work. We have adopted business principles and policies to govern our activities and interactions across our operations, to ensure that trust and that we behave to the highest standards of integrity. Epic expects any Supplier to reflect such principles and policies as set out in this Epic Supplier Policy.

The phrase “Supplier” in this Supplier Policy shall, where relevant, also include all officers, employees, contractors, subcontractors and agents of Supplier. All references to “Epic” include Epic and any of its affiliated companies that benefit from the goods and services being provided by the Supplier.


Supplier Business Principles & Ethical Purchasing

Supplier shall act with honesty, integrity and fairness in its dealings both internally and externally. Also, it shall pursue mutually beneficial relationships and seek to promote the application of Epic Supplier Policy with relevant business partners and suppliers.

Supplier recognises that Epic will:

  • base its investment decisions, acquisitions and business relationships on economic criteria but will also take into account social and environmental considerations;
  • voice its opinions on government proposals and other matters that may affect Epic and its stakeholders;
  • not make gifts or donations to political parties or intervene in party political matters;
  • communicate openly and transparently with all its stakeholders within the bounds of commercial confidentiality;
  • protect confidential information from improper disclosure;
  • value the trust its customers place in it and will safeguard the information provided to it.

Supplier shall ensure that any authorised communication of confidential information should be duly protected and limited to individuals who need it to carry out their work.

Compliance with the law

Supplier shall comply with the provisions of all applicable domestic and international laws and appropriate standards and principles.

Health and safety

Supplier shall protect the health, safety and wellbeing of Epic and its customers, employees, partners and the communities in which Epic and it operate and disclose to Epic any information that comes to its knowledge that clearly demonstrates that any of Epic or its products or services breach internationally accepted safety standards or guidelines.

Supplier shall provide a healthy and safe working environment for employees, contractors, partners or others who may be affected by Supplier’s activities, in accordance with international standards and national laws.

Supplier shall ensure it meets general principles of health and safety risk prevention which include identifying, minimising and preventing hazards, using competent and trained people, providing and maintaining safe equipment and tools, including personal protective equipment as required.

Supplier shall have mechanisms and shall implement them to ensure that all its employees are competent to carry out the health and safety aspects of their responsibilities and duties. This shall include the nomination and training of persons at an appropriate level (and in particular executives), who are responsible for discharging Supplier’s health and safety obligations.

Supplier shall ensure facilities and amenities, including employee accommodation where provided by Supplier, shall be hygienic, safe and meet the basic needs of employees.

Supplier shall have systems and training to prepare for and respond to accidents, health problems and foreseeable emergency situations. Supplier shall have means and procedures in place for recording, investigating and implementing learning points from accidents and emergency situations.


Supplier shall base relationships with and between employees on respect for individuals and their human rights and treat them with respect and dignity. Supplier shall not accept any form of discrimination, harassment, threats or other forms of intimidation or bullying in hiring, employment terms, remuneration, access to training, promotion, termination, retirement procedures or decisions. Supplier shall pursue equality of opportunity and inclusion of all employees through its employment policies and practices.

Supplier shall ensure its employees understand their employment conditions, are provided with leave entitlements, fair and reasonable pay, including overtime, as well as any legally entitled or agreed benefits. Supplier’s employees shall be entitled to leave work or terminate their employment with reasonable notice which shall be included in employment contracts. Employees shall be free to leave work after such reasonable notice period expires.

Child Labour: Supplier shall strictly prohibit child labour[1]. No person shall be employed who is below the minimum legal age for employment.

In the event Supplier discovers a child is employed, the best interests of the child shall be the primary consideration. Supplier shall contribute, support and/or develop policies and programmes that assist any child found to be performing child labour.

Forced Labour: Supplier shall not use any form of forced, bonded, compulsory labour, slavery or human trafficking.

Freedom of Association & Right to Collective Bargaining: Supplier shall respect the rights of employees to join or not to join trade unions or similar representative bodies and the rights of employees to collective bargaining to the extent permitted by applicable law. Supplier shall allow open communication and direct engagement between its employees and management in building employee relations and for the resolution of any issues.

Anti-bribery, Corruption and Individual Conduct

Supplier shall not tolerate or enter into any bribery, including improper offers or payments to or from employees, customers, suppliers, organisations or individuals. Supplier shall avoid any contracts that might lead to, or suggest, a conflict of interest between personal activities and the business. Supplier shall neither give nor accept hospitality or gifts that might appear to incur an obligation. Furthermore, Supplier shall:

  • have an anti-bribery policy that sets out the principle of zero tolerance to any form of bribery or corruption within their organisation, including facilitation payments;
  • not give, promise, receive or request any bribes (financial or other advantage), including but not limited to in relation to any public official;
  • ensure its employees, contractors and sub-contractors are aware of its anti- bribery policy and how to comply with its requirements.

Fraud and money laundering

Supplier shall:

  • act in accordance with all applicable international standards and laws on fraud and money laundering;
  • not do or omit to do anything likely to cause any party to be in breach of any of such international standards and laws;
  • maintain an effective anti-fraud and (where appropriate) an anti-money laundering compliance programme, designed to ensure compliance with the law including the monitoring of compliance and detection of violations.


Supplier shall comply with relevant legislation and international standards[2], and in countries where environmental legislation is not evident or enforced, ensure reasonable practices for managing environmental impacts are in place. Supplier shall implement an internal environmental management system to the extent applicable to Supplier’s business.

Supplier shall commit to protecting the environment. Supplier shall minimise its use of finite resources (such as energy, water and raw materials) and the release of harmful emissions to the environment (including waste, air emissions and discharges to water). Supplier shall seek to improve the environmental performance of the products and services it provides, as well as support those that offer environmental and social benefits to Epic’s customers.

Supplier shall obtain, maintain and keep current all necessary environmental permits (e.g. waste management, transportation), approvals and registrations.


Working with Epic

Business Continuity

Supplier shall have its own business continuity management system, based on an accepted standard (e.g., ISO22301) and appoint a person with responsibility to coordinate Supplier’s support to business continuity strategies.

  • promptly and accurately complete and return any c questionnaire whenever requested by Epic;
  • provide Epic with a copy of Supplier’s top level Business Continuity policy within four (4) weeks after commencing work if so requested by Epic;
  • establish and maintain Business Continuity strategies and plans which ensure that Supplier can continue to deliver its services to Epic in the event of any major incident, and which are compliant with the agreed Business Continuity requirements and objectives of Epic within three (3) months after commencing work;
  • review Business Continuity strategies and plans in the event Epic identifies a weakness or non- compliance and implement the agreed improvements within three (3) months;
  • directly support Epic’s Crisis Management Team if requested by Epic;
  • provide Epic, if requested, with a copy of Business Continuity strategies, Business Continuity exercise or Business Continuity audit reports;
  • participate in Epic’s managed Business Continuity exercises or Business Continuity audits as requested by Epic (up to a maximum of once per year);
  • notify Epic in any case of invoking Supplier’s Business Continuity plan for Epic.
  • If Supplier breaches the obligations in this policy or Epic identifies a weakness in Supplier’s Business Continuity management system, Epic has the right to audit Supplier (up to a maximum of once per year).

Expenses and Travel

Supplier shall keep expenses to a minimum, taking a responsible approach to travel and the environment and to plan any travel so as to find an appropriate balance between business need, environmental impact, financial cost and health and wellbeing. Supplier shall undertake travel only when absolutely necessary, when the use of video/web conferencing is not an appropriate option. When travel is required it shall:

  • conclude business efficiently to limit the need for overnight accommodation;
  • arrange meetings at a convenient hub location having regard to numbers attending and the locations that they need to travel from;
  • avoid the use of external venues;
  • only claim expenses if a specific Purchase Order is in place to cover them; and
  • always submit expenses within 1 month of incurring them, and provide original receipts.
  • put appropriate travel and medical insurance in place, at its own cost, prior to travel;
  • book the lowest cost tickets available in economy (standard) class, including non-flexible tickets (unless there is a significant possibility that the arrangement may need to change), regardless of carrier and considering non-direct routes;
  • book standard business class hotel accommodation (i.e. not executive, luxury class or suites
  • not claim for travel by taxi except where no form of public transport is available;
  • not claim for parking or motoring related fines or penalties;
  • not claim for sundry expenses (e.g. laundry, internet charges, clothing, toiletries, personal grooming, newspapers, publications, client/business entertainment, hotel videos/pay to view movies, gym etc.)

Supplier shall not be entitled to claim for:

  • purchases of any capital equipment e.g. laptops, mobile phones or data cards;
  • passports, visas, work permits or anything relating to entry/ entitlement to work in a country;
  • personal taxation;
  • expenses incurred on behalf of Epic employees (all Epic employees should make their own expenses claim);
  • printing costs;
  • communication costs of any kind (e.g. phone/ videoconferencing calls, internet connection); and
  • other expenses prohibited by Epic from time to time

Law Enforcement Assistance

As a communication network and service provider, Epic may be subject to local statutory and regulatory obligations to provide assistance to local government, law enforcement and national security agencies. These obligations fall into the following categories:

  • Lawful interception of communications in real time;
  • Retention of specific categories of communication data; and
  • Disclosure of communication data on receipt of a lawful request.

Where Supplier provides a service or services to Epic that involve(s) or relate(s) to the provision of communication network or services, the following will apply:

  • Epic will notify Supplier of any regulatory or statutory obligations that apply and will provide details of what those obligations require of Supplier (“notified assistance”).
  • Such notified assistance may include but not be limited to:
    • implementing and maintaining interception capability;
    • retaining the required communication and network data on the use of the services by customers;
    • implementing and maintaining customer identification procedures; and
    • providing such other assistance as is necessary to deliver compliance with the notified statutory or regulatory obligations.


  • When providing the notified assistance, Supplier will enter into a data processing agreement with Epic to address any legal, regulatory and/or data protection obligations that are imposed on the Epic local market.
  • When providing the notified assistance, Supplier will make appropriate technical and organisational security arrangements to ensure that any data generated are protected against compromise.
  • Those security measures will be commensurate with the privacy sensitive and confidential nature of the required notified assistance.
  • Those security measures will include but not be limited to:
    • Ensuring the integrity of employees who are to deliver the services by:
      • appointing nominated individuals who are permanent employees of Supplier and who are notified and agreed in advance with Epic;
      • providing appropriate training and awareness to ensure that those nominated individuals are aware of the privacy sensitive and confidential nature of the services that are being provided, and the information being generated and stored;
      • requiring those nominated individuals to sign and be legally bound by, and notified of, confidentiality and secrecy obligations in respect of all information concerning law enforcement assistance, including surveillance targets, frequency of requests or the details of any information provided.
  • Complying with legal minimum security requirements that form part of the data processing agreement.
  • In respect of any data generated and/or retained as a result of providing the required and notified assistance, Supplier shall treat that data as the confidential  and  proprietary information of Epic and shall ensure that that data are only processed in accordance with  the instructions of Epic and the contractual obligations set out in the data processing agreement.
  • Where Supplier receives a direct request for assistance from a government, law enforcement or national security agency, Supplier shall immediately inform the relevant Epic operating company, unless prohibited by law from doing so.

Information Security

Supplier shall:

  • Promptly and accurately complete and return any Epic Information Security Questionnaire whenever requested by Epic;
  • safeguard the security of all Epic Confidential Information (such phrase in this policy shall have the meaning given in NDA, Framework Agreement, PO Terms or other agreement as may be applicable), using appropriate technical and organisational security systems and processes reasonably acceptable to Epic;
  • perform regular and full testing procedures on such security systems and processes;
  • permit Epic, upon reasonable notice to Supplier, to conduct security audits against such security systems and processes (including the right to test the security of any hardware and software used by Supplier in the performance of its obligations under the Agreement);
  • take all appropriate steps, including technical and organizational steps, to mitigate identified security weakness;
  • not reduce the security levels associated with such security systems and processes as defined within the Information Security Questionnaire without Epic’s prior written consent;
  • advise Epic of changes to the security implementation via an update to the Information Security Questionnaire on an annual basis; and
  • notify Epic’s ‘Cyber Security Team’ by email at cybersecurity@epic.com.mt immediately after becoming aware of an incident where any Epic Confidential Information is at risk of unauthorised or unlawful disclosure, loss or damag
  • Provide such assistance as Epic may reasonably require to all security and fraud investigations in connection with the services provided.


Quality Assurance

Quality System: Supplier shall operate a quality management system which conforms as a minimum to the requirements of ISO9000 (or ISO20000 where applicable) or equivalent standard and is certified by an independent accredited third party. Supplier shall upon Epic request:

  • provide Epic with the name of a management representative responsible for quality assurance;
  • identify Supplier facilities associated with the Epic related work;
  • identify all third party suppliers upon which the supply of products and services to Epic is materially dependent;
  • permit access to Supplier’s facilities to assess their suitability and procure access also to the facilities of Supplier’s major third party suppliers for the same purpose;
  • permit Epic (on reasonable notice) to conduct a review of relevant aspects of Supplier’s operations  and  systems  including  design,  development,  manufacture,
  • production, performance, deployment, testing and servicing processes, regardless of whether these items are in-house or subcontracted;
  • make available appropriate personnel and facilities to enable Epic to conduct review or audits;
  • make available, during audits, all documentation sufficient to demonstrate compliance with (i) the requirements of the relevant Epic Procurement Agreement and; (ii) Supplier’s own process requirements;
  • identify the quality assurance and project management activities necessary for the performance of obligations under the relevant Epic Procurement Agreement through the use of quality plans and/or project plans, as appropriate;
  • provide to Epic (prior to shipment) (i) the results of any regulatory and/or compliance testing necessary for inspection and review and; (ii) certification relating to such regulatory compliance (e.g. CE/Radio and Telecommunications Terminal Equipment Directive/ Specific Absorption Rate); and
  • bear the costs associated with any quality audit (including any revisits).

Supplier shall provide Epic, upon request, with a report detailing corrective actions and measures taken to prevent recurrence in relation to any product and/or documentation repaired, corrected or replaced.

Identification and Traceability: Supplier shall provide a “tracking and tracing” system for all items in transit from the point of origin and provide both the location and relevant data, upon request. Such a system shall provide the following as a minimum:

  • all transit information as is necessary for compliance with Applicable Laws;
  • due delivery date;
  • country of origin;
  • country of shipment;
  • part numbers; and
  • quantity.


Export and Sanctions

Epic is committed to complying with all host nation laws and regulations applicable to the exporting/importing of Suppliers’ products and technologies. Epic maintains an internal compliance program that is dependent upon the continued cooperation of its Suppliers. This collaborative effort will ensure that compliance of the export/import laws and regulations are properly applied by Epic.

Epic may wish to import, export, re-export, transfer, re-transfer, use or enjoy the subject matter of the procurement activities in any part of the world (if Epic is entitled to do so under the respective Agreement).

Supplier shall, in connection with Epic’s procurement activities with Supplier not do anything which may cause Epic to breach to all export control laws and regulations in the Relevant States (i.e. countries of the European Union, the United States of America and any other countries with jurisdiction over Epic or the Supplier in connection with the procurement activity), hereinafter referred to as Export Control Laws and Sanctions.


Supplier shall:

  • comply with all Export Control Laws and Sanctions, including clearly indicating on all delivery notices the relevant export control classification and export licence numbers.
  • not carry out any activities from as from time to time appear on restricted lists published by Relevant States or sub-contract to any entity from a list;
  • keep Epic appraised at all times of such information as Epic may need in order to comply with Export Control Laws and Sanctions, including details and copies of applicable restrictions and export classification numbers (such as under the U.S. licensing jurisdiction of the U.S. State Department ITAR), export licences or equivalent documentation, exemptions or exception and conditions relating to export, transfer or use, and provide Epic with such assistance as Epic may reasonably request in this respect; and
  • keep Epic appraised at all times (as soon as reasonably practicable in the given circumstances) of all relevant information on: (a) any changes in circumstances relevant to compliance with Export Control Laws and Sanctions; (b) actual or potential breaches of Supplier’s obligations in relation to Export Control and Sanctions; (c) loss, suspension or invalidation of any relevant licence, authorisation, approval or export control privileges, including by being placed on a Restricted Party List; or (d) it becoming aware that any relevant authority has initiated or will initiate any investigation or proceedings against Supplier relating to an actual or potential breach of any Export Control Laws or Sanctions.



Monitoring, Corrective Action and Reporting

Supplier is expected to identify, correct and monitor the continued compliance of any activities that fall below the standards of this Supplier Policy.

Supplier shall immediately report to Epic any serious breaches of this Supplier Policy and together with Epic agree a schedule for corrective action.

A breach of this Supplier Policy may be considered to be a material breach of contract with Epic, and Epic accordingly reserves all its legal rights and remedies in respect of any such breach.

Supplier shall provide Epic with reasonable access to all relevant information and premises for the purposes of assessing performance against this Supplier Policy, and use reasonable endeavours to ensure that sub-tier suppliers do the same. Audits may be conducted by an independent third party on behalf of Epic. Audits may also be conducted jointly between Epic and Supplier, and include the assistance of an industry representative, or relevant non-governmental organisation.



[1] The minimum age for employment shall be the age for completing compulsory education in the relevant country or not less than 15 years of age (or not less than 14 years, in countries where educational facilities are insufficiently developed, in accordance with international principles), whichever is higher. Children (persons under the age of 18) shall not be employed for any hazardous or night work, or work that is inconsistent with the child’s personal development.

[2] Supplier shall respect all applicable laws, regulations and customer requirements regarding prohibition or restriction of specific substances. Hazardous chemicals and other materials included in products, especially those included in the substances of Very High Concern list of the REACH regulation, must be identified and managed by Supplier to ensure their safe use, recycling or re-use and disposal. The use of such chemicals and materials by Supplier must be avoided (and if not possible to avoid, minimised). Where required, Supplier must deliver electrical or electronic equipment in line with all relevant European Union regulations such as but not limited to RoHS and REACH.