Contracted Security Providers Minimum Standards

Last updated: 11 Feb 2026

Any queries, please email: compliance@sps-global.com

DOWNLOAD PDF COPY
ANNEX A & B QUESTIONNAIRE

EXECUTIVE SUMMARY

This document sets out the Security standards and professional conduct expected by Special Projects and Services (SPS) in relation to activities undertaken by its Contracted Security Providers (CSPs). Its purpose is to establish a consistent operational framework that enables CSPs to meet a common standard, thereby fostering an environment that prioritises the safety and Security of SPS clients and third-party contracted personnel.

SPS recognises that full adherence to all requirements outlined in this document may not always be feasible, particularly in environments affected by conflict, civil unrest, or within developing economies. Notwithstanding these challenges, SPS maintains that transparency, accountability, and alignment to a common standard of safe conduct remain essential objectives and are achievable in the majority of operating contexts.

This document is structured into two components:

Additionally:

  • Annex D provides a list of vehicle and first aid kit necessities.

  • Annex E outlines the Scope of Practice for FREC.

  • Annex F sets out SPS's Data Processing Agreement, defining the data protection, privacy, and breach-notification obligations that apply to all Contracted Security Providers processing personal data on SPS's instructions.

1. INTRODUCTION

This document is provided in support of previous communications between SPS and contracted security providers.

1.1 SPS provides its clients with a range of Security services based upon its extensive industry knowledge, skills, and experience throughout the world. It is important that SPS has full visibility of all Contracted Security Providers' (CSPs) protocols in terms of professional and ethical standards and procedures. This process is designed to enable SPS to maintain effective oversight of all delivered services and, in doing so, reduce risk to its clients, staff, and reputation.

1.2 SPS requests that its CSPs comply with its Security Minimum Standard requirements (see Annex A), thereby ensuring a commonality of approach in Security-related activities. It is essential that CSPs conduct themselves in accordance with these standards to ensure visibility and accountability.

1.3 For the purpose of this document, and unless specified otherwise, the term "Contracted Security Providers" (CSPs) refers to third-party companies and partner organisations engaged by SPS for the delivery of Security services.

2. SPS ETHOS

2.1 SPS's ethos is to establish and maintain a safe and secure operating environment for its CSPs and clients alike. SPS's minimum requirements extend to all levels of services delivered by the CSP, who remains ultimately responsible for the overall conduct, safety, and welfare of its staff.

3. OUR SECURITY APPROACH

3.1 A key element of SPS's approach to Security is the requirement that CSPs operate according to the highest levels of professional and ethical standards. SPS selects its CSPs according to strict criteria, taking all reasonable measures to verify a third-party company's business credentials prior to entering a contractual relationship.

4. AIM

4.1 The aim of this document is to ensure that the highest standards of Security-related services are maintained and delivered by contracted support to SPS operations and activities.

5. CONTRACTOR OBLIGATIONS

5.1 CSPs are expected to adhere to the minimum standards set out in this document. SPS recognises that, in certain high-risk or constrained environments, pragmatic flexibility may be required. Any deviation must be proportionate, justified, and transparent. It is accepted that in certain circumstances, a degree of pragmatic flexibility may be required to deliver Security services in high-risk environments. However, the wilful failure to comply with these minimum standards will likely result in exclusion from SPS contracted support partnering.

5.2 CSPs are encouraged to achieve the minimum standards set out in this document and adhere to recognised international best practice. SPS expects and anticipates the implementation of a transparent, common-sense approach and a practical application of training and development of third-party contracted personnel.

5.3 Compliance with Annexes CSPs shall comply with all applicable requirements set out in Annexes A through F of this document. The Annexes form an integral part of these Minimum Standards and are contractually binding unless expressly stated otherwise.

6. CONDUCT

6.1 The conduct of contractors shall be consistent with the professionalism and competencies of SPS.

7. CREDENTIALS

7.1 SPS reserves the right to conduct audits, reviews, and fact-checking activities pertinent to the stated credentials of a contracted Security provider. In some cases, SPS may utilise a third-party organisation to conduct such investigations. In certain circumstances, SPS may request details of services provided elsewhere by a CSP and request evidence of services delivered in crisis situations.

7.2 Security Minimum Standards

7.2.1 Fully Licensed Security Company Where applicable, CSPs should be fully licensed and compliant within the legal framework of the country of operations.

7.2.2 Assurance and Adherence to Human Rights CSPs shall assign a responsible senior manager who, among other duties, will oversee and ensure adherence to all Human Rights assurances and compliance with anti-slavery and human trafficking regulations.

7.2.3 Ethical Policy CSPs must be able to demonstrate how they inform and advise staff on matters of bribery, corruption, and extortion in their commitment to honest, ethical, and proper business practices.

7.2.4 Pre-employment Vetting (Security Clearances and Background Checks) CSPs must demonstrate how they recruit personnel and conduct background checks and vetting of staff deployed on Security-related duties. CSPs must ensure that:

  • No employee has responsibility or association with any previous human rights violations or violations of international humanitarian law.

  • No employee has been dishonourably discharged from the police, armed forces, or any other branch of government Security service.

  • No employee has been convicted of a serious crime, including but not limited to terrorism, murder, acts of violence, sexual offences, human or drugs trafficking, organised crime, or fraud.

7.2.5 Fit to Work Criteria (Employees) CSPs must demonstrate how they determine that Security staff or those employed as subcontractors are physically, medically, and psychologically fit to work.

7.2.6 Dress Standards – Guidance for CSPs

Casual

  • A collared shirt or a professional, collarless top.

  • T-shirts, tank tops, or similar casual wear are not permitted.

  • Smart, well-presented jeans are acceptable, provided they are not faded, torn, or distressed.

Business Casual

  • A collared shirt or professional, collarless top.

  • T-shirts, tank tops, or similar casual wear are not permitted.

  • Solid-colour slacks or dress trousers.

  • Solid black or brown casual-to-dress shoes with matching-coloured socks.

  • Athletic footwear and tactical boots are not permitted.

  • This attire is to be worn when attending professional appointments such as meetings with office associates, completing administrative tasks, signing out equipment, entering shared office or café areas, or attending internal meetings.

Business Professional

  • To be worn when attending client meetings, Executive Protection (EP) events, when specifically required by a client, or at the direction of SPS operations staff.

  • A dark grey, navy, or black suit with a solid white or blue button-down dress shirt with a traditional collar.

  • Optional conservative tie, climate-dependent.

  • Black or brown belt.

  • Solid black or brown dress shoes with matching-coloured socks.

  • Athletic footwear and tactical boots are not permitted.

Cold or Inclement Weather Dress should be appropriate to prevailing weather conditions while remaining consistent with the applicable dress category and professional standards.

7.2.7 Vehicles – Minimum Standards CSPs must provide assurances that all vehicles used to support SPS requirements are mechanically sound and be able to provide (on request) details of routine maintenance plans and daily serviceability checks. CSPs must ensure that vehicles are no more than four (4) years old, are clean and presentable without visible damage, and have not exceeded 70,000 miles (112,000 km). All vehicles must carry appropriate vehicle equipment and emergency supplies, including breakdown and safety equipment, in accordance with Annex D – Vehicle and First Aid Kit List.

7.2.7a Aircraft – Minimum Standards CSPs must provide assurances that all aircraft used to support SPS requirements are airworthy, mechanically sound, and maintained in accordance with applicable aviation regulations. Details of maintenance programmes and serviceability checks must be available on request. Aircraft Operators supporting SPS operations must hold a valid Air Operator Certificate (AOC) issued by the relevant national aviation authority. Aircraft Operators must maintain valid aviation insurance, appropriate to the type and scope of operations undertaken.

Aircraft utilised for SPS-supported operations should be no more than ten (10) years old unless otherwise approved by SPS following a documented, risk-based assessment. Where aircraft are operated within Europe, or fall under European regulatory jurisdiction, the operator must hold appropriate European Union Aviation Safety Agency (EASA) certification or approval via a recognised National Aviation Authority (NAA), confirming compliance with applicable European aviation safety standards.

7.2.8 Driving Licensing and Driving Standards CSPs must ensure all drivers are licensed, trained, and qualified to drive the vehicles allocated to any SPS-derived tasks and be able to provide evidence of driver qualifications and specialist skills where relevant.

7.2.9 Weapon Management CSPs must demonstrate that any weapons carried or used are legally owned, serial-numbered, and registered with appropriate authorities. They must also:

  • Provide secure, lockable storage when weapons are not in use (stored separately from ammunition).

  • Have clear policies for access, control, and sign-out of weapons.

  • Ensure personnel are vetted, trained, tested, and licensed to carry weapons.

  • Provide Use of Force guidelines and ensure compliance.

  • Maintain training records, including last weapon discharge.

  • Ensure regular inspection of weapons by a qualified armourer.

7.2.10 Close Protection / Executive Protection Qualifications

  • CSPs are required to verify that their Close Protection / Executive Protection Officers have appropriate experience and career backgrounds, such as police, military, government service, or accredited commercial security roles.

  • CSPs must provide evidence that all CPOs/EPOs hold in-date training credentials, including course details and completion dates. Officers should be trained in close protection and accredited wherever possible.

  • CSPs are required to verify that staff directly responsible for the physical security and wellbeing of SPS-derived client personnel are physically, medically, and psychologically fit for duty.

  • CSPs must confirm that up-to-date criminal background checks have been conducted for all relevant staff.

  • CSPs must ensure that at least one Close Protection / Executive Protection staff member possesses appropriate conversational language skills relevant to the operating environment (e.g. French, English, Spanish). This is particularly important for personnel engaged directly with SPS-derived clients.

  • CSPs must ensure that all employees and subcontractors act at all times in a lawful manner.

SPS recognises that not all countries have internationally recognised or accredited training courses. In such cases, a full and detailed explanation of an operative's professional history, experience, and relevant competencies will be required to support the decision-making process.

7.2.11 Medical Qualifications CSPs must provide details of any CPO/EPO Medical qualifications and confirm contents of Medical equipment carried (see Annex D). FREC 3 is considered industry standard where applicable.

7.2.12 Incident Reporting & Escalation Protocol Incident Reporting and Escalation Requirements CSPs must maintain a formal incident reporting and escalation procedure aligned with SPS operational governance standards.

For the purposes of this framework, an "Incident" includes but is not limited to:

  • Injury or fatality involving client personnel, CSP personnel, or third parties

  • Use of force or discharge of weapons

  • Arrest or detention

  • Serious vehicle or aviation accident

  • Security breach or operational compromise

  • Allegations of misconduct, corruption, or human rights violations

  • Media exposure or reputational risk event

CSP obligations include:

Immediate Notification

  • Critical incidents must be reported to SPS Operations within one (1) hour of occurrence.

  • Serious but non-life-threatening incidents must be reported within four (4) hours.

  • All other operational incidents must be reported within twenty-four (24) hours.

Written Reporting

  • A preliminary written report must be submitted within 24 hours of notification.

  • A full incident report, including timeline, actions taken, lessons identified, and mitigation measures, must be submitted within 72 hours unless otherwise agreed.

Cooperation & Investigation

  • CSPs must cooperate fully with any SPS internal investigation.

  • Relevant documentation, body camera footage (where applicable), radio logs, and witness statements must be preserved.

  • No public statement may be made without prior consultation with SPS unless legally required.

Escalation Authority SPS reserves the right to:

  • Suspend operational activity pending review.

  • Remove personnel from tasking.

  • Conduct formal audit.

  • Terminate engagement where material breach is identified.

Failure to report incidents within required timeframes may constitute a material breach of standards.

7.2.13 Drug and Alcohol Policy CSPs must demonstrate a policy of zero tolerance regarding drugs and alcohol in the workplace, including disciplinary procedures.

7.2.14 Disciplinary and Investigation Procedure CSPs must have formal disciplinary and investigative procedures for misconduct.

7.2.15 Adherence to Local, National, and International Law CSPs must comply with all applicable laws and human rights obligations.

7.2.16 Contractor Undertaking Upon request, CSPs must provide a written undertaking that all personnel and subcontractors understand and will comply with SPS Security Minimum Standards wherever possible.

7.2.17 International Standards Organisation (ISO) CSPs are required to indicate whether they adhere to any International Standards Organisation (ISO), or recognised country equivalents, within their organisation. Where applicable, CSPs should specify the relevant standards held, for example: ISO 9001, ISO 27001, ISO 18788, and ISO 14001.

7.2.18 Data Protection and Processing All Contracted Security Providers (CSPs) engaged by SPS shall comply with SPS's Data Processing Agreement (DPA), as set out in Annex F, and with all applicable data protection and privacy laws.

CSPs shall process personal data solely on the documented instructions of SPS, implement appropriate technical and organisational measures to protect such data, and ensure the ongoing confidentiality, integrity, and availability of information. CSPs shall not engage sub-processors for the processing of personal data except in accordance with the DPA and shall notify SPS of any proposed changes to sub-processing arrangements as required under the DPA. CSPs must promptly notify SPS of any actual or suspected personal data breach in accordance with the notification requirements set out in the DPA.

CSP's are required to conform to UK GDPR (General Data Protection Regulations) and use this standard as a bench mark. In country DATA regulations may vary but UK GDPR is seen as a world wide standard. Minimum requirement for CSP's is that all Personal Identifiable Information (PII) provided by SPS or obtained during the task is deleted after every task.

7.2.19 Minimum Insurance Requirements

Insurance & Financial Assurance All Contracted Security Providers (CSPs) must maintain adequate insurance coverage appropriate to the nature, scale, and geographic scope of services provided to SPS.

At a minimum, CSPs shall maintain:

  • Public Liability (PL): Minimum limit of indemnity of not less than USD5,000,000 (or local currency equivalent) per occurrence.

  • Professional Indemnity (PI): Minimum limit of indemnity of not less than USD2,000,000 per claim, covering errors, omissions, negligence, and failure in professional services.

  • Employers' Liability (EL): In accordance with applicable national legislation, and in any event not less than USD5,000,000 per occurrence.

Where services include:

  • Armed security,

  • Aviation operations,

  • Maritime operations,

  • High-risk or hostile environment deployments,

SPS reserves the right to require enhanced indemnity limits proportionate to operational exposure.

CSPs must:

  • Provide valid certificates of insurance.

  • Notify SPS immediately of any lapse, cancellation, material amendment, or reduction in coverage.

  • Ensure policies remain active throughout the duration of engagement with SPS.

ANNEX A – SPS SECURITY MINIMUM STANDARDS QUESTIONNAIRE and ANNEX B - SPS BUSINESS PARTNERS ASSURANCE QUESTIONNAIRE

ANNEX C: SPS CODE OF CONDUCT FOR BUSINESS PARTNERS AND SUPPLIERS

SPS's Code of Conduct applies to all business partners, suppliers, and Security providers. SPS expects that they collectively share and uphold the fundamental principles expressed herein.

The purpose of SPS's social, environmental, and ethical requirements is to outline, in greater detail, the standards that SPS expects all business partners and suppliers to adhere to.

The United Nations Global Compact is the foundation of SPS's Code of Conduct. It covers areas such as human rights, labour standards, the environment, and the fight against corruption.

1. UNITED NATIONS GLOBAL COMPACT PRINCIPLES

1.1 Human Rights Businesses should support and respect the protection of internationally proclaimed human rights within their sphere of influence and ensure that they are not complicit in human rights abuses.

1.2 Labour Standards Businesses should:

  • Uphold the freedom of association and the effective recognition of the right to collective bargaining.

  • Eliminate all forms of forced and compulsory labour.

  • Effectively abolish child labour.

  • Eliminate discrimination in respect of employment and occupation.

1.3 Environment Businesses should:

  • Support a precautionary approach to environmental challenges.

  • Undertake initiatives to promote greater environmental responsibility.

  • Encourage the development and diffusion of environmentally friendly technologies.

1.4 Anti-Corruption Businesses should work against all forms of corruption, including extortion and bribery.

2. HUMAN RIGHTS

2.1 Conditions of Employment and Work SPS Ltd expects that external partners comply with the legal minimum standards or the relevant industry benchmark standards concerning minimum and overtime wages, sick leave, and other forms of compensation.

SPS Ltd expects that external partners ensure that the working week is in accordance with local regulations. Overtime shall be voluntary, infrequent, and compliant with local laws.

Employees are entitled to at least one day off per week and shall be given reasonable breaks while working, with sufficient rest periods between shifts.

2.2 Workplace Health and Safety SPS Ltd expects that external partners provide a safe and healthy working environment, including protection from accidents and injuries. Adequate health and safety standards must be established and consistently followed.

External partners shall comply with all applicable local laws and regulations to prevent accidents and injuries. Furthermore, they are expected to continuously improve working conditions and reduce workplace-related risks and hazards, including through appropriate protective equipment and training necessary to perform jobs safely.

3. MODERN SLAVERY & HUMAN TRAFFICKING ALIGNMENT

3.1 Modern Slavery and Ethical Labour Standards SPS maintains a zero-tolerance approach to modern slavery, forced labour, child labour, and human trafficking in any form.

All CSPs must:

  • Confirm compliance with all applicable Modern Slavery legislation, including (where applicable) the UK Modern Slavery Act 2015 and equivalent national regulations.

  • Provide a current Modern Slavery Statement where legally required.

  • Demonstrate due diligence processes to ensure that forced, bonded, involuntary, or trafficked labour is not present within their operations or supply chains.

  • Maintain transparent recruitment practices and ensure that no employee is required to pay recruitment fees.

  • Permit audit or verification by SPS where concerns arise.

CSPs must ensure that their subcontractors and supply chain partners adhere to equivalent standards.

Any confirmed breach of Modern Slavery obligations will result in immediate review and may lead to termination of engagement.

4. EMPLOYMENT STANDARDS

4.1 Freedom of Association and Collective Bargaining SPS Ltd expects that external partners do not prevent employees and other workers from associating freely with any lawful workers' association or trade union of their choice.

4.2 Child Employment and Young Workers External partners shall not engage in, or benefit from, the use of child labour.

The minimum age for employment shall not be less than the age of completion of compulsory schooling and, in any case, shall not be less than 15 years old (or 14 years old where permitted by national law).

External partners shall refrain from hiring young workers (below 18 years of age) to perform any work likely to jeopardise their health, safety, or morals.

If a child is found working within a company or supply chain, the external partner must act in the best interests of the child.

4.3 Forced Labour and Freedom of Movement SPS Ltd will not work with companies that engage in or support the use of forced labour.

This includes employees who have not offered their labour voluntarily or who are not free to withdraw from their employment contract.

4.4 Discrimination SPS Ltd expects that external partners do not discriminate on the basis of sex, race, colour, religion, nationality, disability, age, or any other protected characteristic.

Hiring, remuneration, benefits, training, promotion, termination, retirement, or any other employment-related decisions should be based solely on relevant professional criteria.

5. ENVIRONMENT

5.1 Environmental Legislation SPS Ltd expects that external partners comply with all relevant host-country environmental legislation and strive to minimise any damaging effects to the environment arising from their operations.

6. ANTI-CORRUPTION AND BRIBERY

6.1 External Partners SPS Ltd expects that external partners do not engage in any form of corruption, including extortion, fraud, or bribery, whether directly or indirectly.

7. MONITORING AND COMPLIANCE

7.1 Auditing SPS Ltd reserves the right to conduct audits to monitor and ensure proper compliance with this Code of Conduct.

SPS Ltd expects that suppliers ensure that their own sub-suppliers are aware of and comply with the principles expressed in this Code of Conduct.

ANNEX D: VEHICLE AND FIRST AID KIT LIST AND DEFINITIONS

Definitions

Trained Responder: A staff member formally certified to use advanced Medical equipment.

First Aid Kit: Basic equipment for non-invasive emergency care.

Trauma Kit: Advanced emergency equipment for severe injury management.

Critical Item: Equipment required for immediate life-saving intervention.

Vehicle Standard Equipment Requirements

CATEGORY REQUIRED ITEMS Vehicle Must-Haves 1 bottle (500ml) of cold water per person; Hand sanitiser; Protective mask (COVID-19); Phone chargers (iPhone and Android); Umbrella per person. Suggested: mints, nuts, dried fruit, protein bars (no chocolate) Mandatory Onboard Kits Trauma Kit; Vehicle Equipment Kit

Vehicle Equipment Kit Contents

ITEM GROUP CONTENTS Vehicle Tools Spare tyre and jack set; Jumper cables; Tow chain or rope; Basic tools (triangle, wheel spanner); Sledgehammer and crowbar; Bolt cutter; Spare wheel Safety Equipment Fire extinguisher; Flashlights and spotlight; High-visibility vest; Flares; Thermal/space blanket; Blankets Communication & Navigation Spare radios and spare batteries; Cellular phone and power bank; Area maps Other Containers of water; Umbrella; Spare sets of vehicle keys

MEDICAL KIT CONTENTS

General Medical Supplies

  • Sterile flushing solution (saline)

  • Hand soap or sanitiser

  • Eye pads (2)

  • Sterile sponges (4x4)

  • Abdominal pads (5x9)

  • Clean wipes (15)

Bandaging and Wound Care

  • Triangular bandages (minimum 2)

  • Gauze bandage (4"x4)

  • Elastic bandage (6")

  • Adhesive tape rolls (2)

  • Bandage strips (16)

  • Conforming bandage (150mm, 75mm, 50mm)

Trauma and Advanced Care (Responder-Dependent)

  • Tourniquets (2) and haemostatic dressing

  • Large and small splints

  • Chest seals (vented preferred)

  • Pressure/Israeli bandage

  • Airway set (trained responders only)

  • Haemostat (trained responders only)

  • Suture set (trained responders only)

Burns and Cold Therapy

  • Burn aid or burn shield (large and small)

  • Instant ice packs (2)

  • Sterile gauze (minimum 4)

Tools

  • EMT shears

  • Tweezers

  • Irrigation syringe

Infection Control

  • Nitrile gloves (minimum 4–6 pairs)

  • CPR face shield

  • Biohazard waste bag

  • Eye protection and face mask

  • Hand sanitiser

Medication (If Authorised)

  • Pain medication

  • Antihistamines

  • Topical antibiotic creams

Note: All medications must be recorded in a Medication Expiry Log.

INSPECTION AND MAINTENANCE REQUIREMENTS

Inspection Frequency

  • Monthly, and after every activation.

Mandatory Inspection Components

  • Inventory checklist inside each kit

  • Restock and inspection log sheet

  • Expiry date logbook for all consumables

  • Tamper indicator applied after inspection

Compliance Requirements

  • Kits must remain sealed until activated.

  • Expired or damaged items must be replaced immediately.

  • Advanced items (airways, suture sets) are only permitted in kits for trained responders.

Roles & Responsibilities

Drivers

  • Ensure kit presence and report deficiencies.

  • Assist with inspections when required.

Field Team Members

  • Maintain situational readiness.

  • Report missing or damaged items.

Medical Team

  • Approve advanced Medical items.

  • Ensure Medical compliance.

Supervisors

  • Sign off on inspections.

  • Approve replacements.

Safety and Department Heads

  • Conduct annual SOP review.

  • Undertake compliance audits.

MONTHLY INSPECTION LOG TEMPLATE

Field Entry Date Inspector Kit Condition Replacements Needed Supervisor Sign-off

MEDICATION EXPIRY TRACKING FORM

Field Entry Medication Name Quantity Expiry Date Replaced on

ANNEX E: SCOPE OF PRACTICE FOR FREC

1. Patient Assessment

  • Conduct a primary survey (DRABC).

  • Perform a secondary survey including history taking (SAMPLE) and top-to-toe examination.

  • Record and interpret basic vital signs, including: Respiration rate and quality; Pulse rate and quality; Blood pressure (manual or automatic); SpO2; Temperature; Blood glucose levels.

2. Airway Management

  • Manual airway opening (head-tilt–chin-lift, jaw thrust).

  • Suctioning using manual or electric units.

  • Use of airway adjuncts: Oropharyngeal airways (OPAs); Nasopharyngeal airways (NPAs).

  • Basic airway maintenance and monitoring.

  • Use of bag-valve-mask (BVM) for assisted ventilation with oxygen.

3. Breathing and Oxygen Therapy

  • Administration of oxygen therapy via: Nasal cannula; Simple face mask; Non-rebreather mask; Nebuliser (under Medical oversight).

  • Recognition of: Asthma; Chronic obstructive pulmonary disease (COPD); Hyperventilation; Chest injuries (simple rib fractures, flail chest signs).

  • Assisting a patient with their prescribed inhaler.

4. Circulation and Shock Management

  • Control of external bleeding using: Direct pressure; Wound dressings; Haemostatic dressings; Tourniquet application.

  • Manage shock (hypovolaemic, anaphylactic, etc.) at first responder level.

  • Recognise signs and symptoms of: Heart attack; Stroke; Hypoglycaemia or hyperglycaemia; Early indicators of sepsis.

5. Medical Emergencies

  • Provide initial care for: Anaphylaxis (including use of auto-injectors such as EpiPen); Seizures; Diabetic emergencies; Suspected meningitis; Poisoning and overdose (supportive care only).

  • Use of an automated external defibrillator (AED).

6. Trauma Management

  • Management of minor trauma.

  • Limb immobilisation using: Slings; Splints; Improvised immobilisation.

  • Suspected spinal injury management, including manual inline stabilisation and assisting with log roll.

  • Burns and scalds (cooling, dressing, recognising severity).

  • Head injury support and monitoring.

7. CPR and Resuscitation

  • Adult, child, and infant CPR.

  • AED use.

  • Management of choking (all age groups).

  • Post-resuscitation care until handover.

8. Mental Health and Behavioural Emergencies

  • Recognise and support individuals experiencing: Acute anxiety; Panic attacks; Mental health crises.

  • Apply de-escalation and communication techniques.

9. Infection Prevention and Safeguarding

  • Apply standard infection control procedures.

  • Ensure safe disposal of clinical waste.

  • Recognise and report safeguarding concerns for adults and children.

10. Scene Safety and Incident Management

  • Maintain personal safety.

  • Conduct basic triage using organisational tools.

  • Communicate effectively with control rooms and other emergency responders.

11. Legal, Ethical, and Professional Responsibilities

  • Understand the limits of the FREC 3 scope of practice.

  • Apply principles of consent, refusal, and capacity.

  • Maintain accurate documentation and patient handover.

  • Uphold duty of care and accountability.

ANNEX F: DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") is entered into between:

  • Special Products and Services (SPS), ("Controller"), and

  • Contracted Security Provider, ("Processor"), together the "Parties."

This DPA forms part of the Main Services Agreement / Statement of Work / Contract ("Principal Agreement").

The summary below highlights your key responsibilities as a Processor under this DPA:

You must process personal data only on the Controller's instructions, keep it secure, and ensure your staff maintain confidentiality. You must notify the Controller before adding or changing any sub-processors. You must report any data breach immediately, assist the Controller with privacy and security obligations, and support data subject requests. You must follow the Standard Contractual Clauses (SCCs) and UK Addendum for any international transfers. You must delete or return all data at the end of the engagement unless the law requires retention.

1. Definitions Terms such as personal data, processing, controller, processor, data subject, personal data breach, and international transfer have the meanings given in the GDPR and UK GDPR.

2. Roles of the Parties (a) Controller determines the purposes and means of processing. (b) Processor processes personal data only on documented instructions of Controller, including with regard to international transfers.

3. Subject Matter and Duration The processing, its purpose, types of data, categories of data subjects, and duration are described in Annex I (Description of Processing Activities).

4. Processor Obligations Processor shall:

  1. Process only on written instructions from Controller.

  2. Ensure confidentiality of personnel with access to personal data.

  3. Implement appropriate technical and organizational measures ("TOMs") as listed in Annex II (Security Measures).

  4. Assist Controller with data subject rights, security obligations, impact assessments, and prior consultations.

  5. Not engage sub-processors without prior written approval of Controller (general or specific).

  6. Enter into written agreements with sub-processors imposing the same data protection obligations as this DPA.

  7. Inform Controller of any personal data breach without undue delay, and no later than 24 hours after becoming aware.

  8. At termination, delete or return all personal data at Controller's choice, unless EU/Member State law requires storage.

  9. Make available to Controller all information necessary to demonstrate compliance and allow audits or inspections.

5. Sub-Processor Authorization Controller grants Processor a general authorization to engage sub-processors for the processing of personal data. Processor shall maintain an up-to-date list of all authorized sub-processors and shall provide Controller with prior written notice of any intended addition or replacement of sub-processors, including sufficient information to allow Controller to assess the proposed change. Unless otherwise agreed, Processor shall provide at least 30 days' notice before the new or replacement sub-processor begins processing personal data.

Controller may object to the engagement of a new sub-processor on reasonable data protection grounds. In such case, the Parties will work in good faith to find a commercially reasonable alternative. If the Parties are unable to reach a mutually acceptable solution within 30 days of the objection, Controller may terminate the affected portion of the Services with written notice and without penalty.

Processor shall ensure that it imposes on all sub-processors data protection obligations that are no less protective than those set out in this DPA, including as required by Article 28 GDPR and the Standard Contractual Clauses where applicable.

6. International Transfers

6.1 Transfers from the EEA For transfers of personal data from the EEA to a third country without an adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) shall apply.

The Parties agree that Module 2 (Controller to Processor) of the SCCs applies. To the extent Processor transfers personal data to a sub-processor, Module 3 (Processor to Processor) applies to that onward transfer.

The SCCs are incorporated by reference and form Annex IV of this DPA. The completed Annex I, II, and III of this DPA shall populate the corresponding Annexes of the SCCs.

6.2 Transfers from the United Kingdom For transfers of personal data that are subject to the UK GDPR and that are made to a third country without an adequacy decision under the UK Data Protection Act 2018, the Parties agree that the UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner's Office and effective 21 March 2022 ("UK Addendum"), shall apply.

The UK Addendum is incorporated by reference and forms Annex V of this DPA. The Parties agree that:

  1. The SCCs referenced in Section 6.1 constitute the "Approved EU Clauses" for purposes of the UK Addendum.

  2. The applicable SCC modules (Module 2 and Module 3) shall likewise apply to transfers subject to the UK GDPR.

  3. The tables in the UK Addendum shall be completed by reference to Annex I, Annex II, and Annex III of this DPA, except as otherwise specified in Annex V.

In the event of any conflict between the terms of the UK Addendum and the SCCs as applied under this Section 6.2, the UK Addendum shall prevail for transfers subject to the UK GDPR.

6.3 Data Privacy Framework If Processor participates in the EU-U.S. Data Privacy Framework, UK Extension, or Swiss-U.S. Framework, Processor may rely on that as a transfer mechanism to the extent permitted by applicable data protection laws. If participation lapses, is suspended, or is otherwise withdrawn, SCCs and the UK Addendum automatically apply.

7. Liability Each Party is liable under applicable data protection law. Nothing in this DPA limits the rights of data subjects or supervisory authorities.

8. Precedence If conflicting terms exist between:

  1. Principal Agreement

  2. This DPA

  3. SCCs or UK Addendum

Then the SCCs/UK Addendum prevail, followed by the DPA, and then the Principal Agreement.

9. Governing Law For Module Two of the EU SCCs, the Parties agree that the governing law shall be the law of Ireland, without regard to conflict-of-law principles. For the UK Addendum, the governing law is England and Wales unless otherwise specified.

ANNEX I — DESCRIPTION OF PROCESSING ACTIVITIES

1. Purpose(s) of processing: To provide the Services described in the Principal Agreement, including service delivery, account administration, security monitoring, incident detection and response, customer support, troubleshooting, reporting, analytics, and other activities necessary to perform the contracted services on behalf of Controller.

2. Categories of data subjects:

  • Employees, contractors, and personnel of Controller

  • End users or customers of Controller (as applicable)

  • Prospective customers or leads (if processed)

  • Any other individuals whose personal data Controller lawfully submits to Processor in connection with the Services

3. Categories of personal data:

  • Identification data (e.g., name, username, job title)

  • Contact details (e.g., email address, phone number)

  • Login, authentication, or access management data

  • Online identifiers and technical data (e.g., IP address, device identifiers, log files, metadata)

  • Usage data related to interactions with Controller's systems

  • Any additional personal data that Controller transmits to Processor within the scope of the Services, provided such data are not special categories unless expressly identified below

4. Special category data (if any): Processor does not intentionally process special category data. If Controller submits such data, it shall do so only where strictly necessary and with all required legal bases and safeguards.

5. Nature of processing:

  • Collection, recording, structuring, storage, retrieval, consultation, use, transmission, analysis, monitoring, and deletion of personal data as necessary for the provision of the Services

  • Hosting, support, troubleshooting, and security-related processing

  • Onward disclosure to approved sub-processors strictly for the purposes described above

6. Duration/retention: Processor will process personal data for the term of the Principal Agreement and will delete or return personal data upon termination, unless applicable law requires retention for a longer period.

7. Frequency of transfer: Continuous or as determined by the Controller's configuration and use of the Services.

Annex II — Technical and Organizational Measures

Include, as applicable:

  • Encryption in transit and at rest

  • Access control and least privilege

  • Multifactor Authentication (MFA) for all systems and data access

  • Network segmentation

  • Logging and monitoring

  • Vulnerability management

  • Secure development and change management

  • Incident response procedures

  • Business continuity and disaster recovery

  • Employee training and confidentiality obligations

Annex III — Approved Sub-Processors Pursuant to the general authorization granted by Controller under Section 5, Processor may engage sub-processors without a pre-approved list. Processor shall provide prior notice of any intended changes to sub-processors as required under the DPA.

Annex IV — EU Standard Contractual Clauses (2021/914) The SCCs are incorporated by reference with Annex I–III populated using this DPA.

Annex V — UK Addendum to the EU SCCs The ICO's International Data Transfer Addendum is incorporated with the following fields completed:

  • Table 1: Parties – as listed in Annex I

  • Table 2: Selected SCCs – EU 2021/914

  • Table 3: Annexes – aligned with Annex I–III

  • Table 4: Mandatory clauses – default

End of document