Supplier Code of Conduct

SUPPLIER CODE OF CONDUCT

Purpose. This Supplier Code of Conduct (“Code”) sets minimum expectations for ethical conduct, labor and human rights, health and safety, environmental responsibility, confidentiality, information security, and privacy for any supplier, contractor, consultant, or sub-processor (collectively, “Supplier”) that provides goods or services to Pleio.

Relationship to contracts. This Code complements (and does not replace) your contractual obligations to Pleio. If your agreement with Pleio contains stricter requirements, the stricter requirements apply.

Flow-down. Supplier must ensure its employees and any approved subcontractors supporting Pleio comply with this Code.

1. Legal and Regulatory Compliance
Supplier must comply with all applicable laws and regulations, including those related to anti-corruption, competition/antitrust, labor and employment, health and safety, environmental protection, privacy and data protection, and export controls/sanctions. Where this Code and applicable law differ, Supplier should meet the stricter standard where legally permitted.

2. Business Integrity and Ethical Conduct
Supplier must conduct business with honesty and integrity and avoid even the appearance of improper influence.

  • Anti-bribery and anti-corruption: Do not offer, promise, give, request, or accept bribes, kickbacks, facilitation payments, or anything of value to obtain an improper advantage.
  • Gifts, hospitality, travel, and entertainment: Provide only modest, infrequent, and legally compliant business courtesies. Never offer cash or cash equivalents. Do not provide gifts or hospitality intended to influence decisions.
  • Conflicts of interest: Disclose any actual or potential conflict of interest involving Pleio personnel or Pleio work (e.g., family or close personal relationships, financial interests).
  • Accurate books and records: Maintain complete and accurate records for Pleio-related work, including invoices, time records, and supporting documentation.
  • Fair competition: Compete fairly and comply with antitrust and competition laws; do not engage in price fixing, bid rigging, market allocation, or improper information exchange.
  • Trade controls: Comply with applicable export controls and sanctions laws; do not provide controlled items or services without required notices and approvals.
  • Public statements and lobbying: Do not speak on Pleio’s behalf or engage in lobbying/representation relating to Pleio without written authorization.

3. Human Rights and Labor Practices
Supplier must respect internationally recognized human rights and provide a workplace free of harassment, discrimination, and abuse.

  • Freely chosen employment: No forced, bonded, indentured, or involuntary prison labor; no human trafficking.
  • No child labor: Do not employ workers under the minimum legal working age; young workers must not perform hazardous work.
  • Non-discrimination and anti-harassment: Maintain a workplace free from unlawful discrimination, harassment, and retaliation.
  • Wages, benefits, and hours: Pay workers in compliance with applicable wage and hour laws (including overtime) and provide legally required benefits.
  • Freedom of association: Respect workers’ rights to organize and bargain collectively, consistent with applicable law.

4. Health and Safety
Supplier must provide a safe and healthy work environment and take reasonable steps to prevent workplace injuries and illness.

  • Implement appropriate safety policies, training, and incident reporting.
  • Identify and mitigate hazards relevant to the work performed (physical, chemical, ergonomic, and psychosocial).
  • Maintain emergency preparedness appropriate to the workplace and services delivered.

5. Environmental Responsibility
Supplier must operate in an environmentally responsible manner and comply with applicable environmental laws and permits.

  • Manage waste, emissions, and hazardous materials safely and lawfully.
  • Use resources efficiently and, where reasonable, pursue continuous improvement in environmental performance.

6. Confidentiality and Intellectual Property
Supplier must protect Pleio confidential information and intellectual property.

  • Use Pleio confidential information only for the purpose of performing the contracted services.
  • Restrict access to those with a legitimate need-to-know and protect information from unauthorized use or disclosure.
  • Respect third-party intellectual property and use only properly licensed software and tools.
  • Return or securely destroy Pleio confidential information at the end of the engagement or upon request, subject to legal retention obligations.

7. Information Security and Privacy
If Supplier accesses, stores, processes, transmits, or otherwise handles Pleio Data (including personal data, customer data, or protected health information), Supplier must implement a risk-based information security program and comply with Pleio’s security and privacy requirements, including any Data Processing Addendum (DPA) and/or Business Associate Agreement (BAA).

7.1 Minimum security expectations (for any Supplier handling Pleio Data)

  • Access control: Use unique user IDs, least privilege, and multi-factor authentication for privileged access and remote access where technically feasible.
  • Asset/device security: Keep systems used for Pleio work patched and protected; use anti-malware where applicable; encrypt laptops and portable media.
  • Encryption: Protect Pleio Data in transit using strong encryption (e.g., TLS) and at rest using industry-standard encryption where feasible.
  • Secure development and change control (if delivering software/services): Follow secure SDLC practices, code review, and vulnerability remediation.
  • Logging and monitoring: Maintain appropriate logs for Pleio-related systems and investigate suspected security events.
  • Incident response: Maintain an incident response process and cooperate with Pleio in investigations, containment, and remediation.

7.2 Privacy expectations

  • Process personal data only on documented instructions from Pleio and only for the contracted purpose.
  • Support data minimization, retention limits, and secure disposal.
  • Do not disclose or transfer Pleio Data to third parties without Pleio approval and appropriate contractual protections.
  • Notify Pleio promptly of any unauthorized access, use, or disclosure of Pleio Data (timelines are defined in the contract/DPA/BAA).

7.3 Additional requirements for Suppliers handling PHI (HIPAA)
Where Supplier is a business associate or subcontractor business associate under HIPAA:

  • Execute and comply with a BAA before accessing PHI.
  • Use, disclose, and safeguard PHI only as permitted by the BAA and applicable law.
  • Report breaches of unsecured PHI and other security incidents to Pleio as required by the BAA and applicable regulations.
  • Ensure subcontractors that handle PHI sign equivalent written agreements and meet the same safeguards.

8. Quality, Safety, and Integrity (Pharma/Healthcare Context)
Supplier must support the quality and integrity of services delivered to regulated customers. Where relevant to Supplier’s scope:

  • Follow documented procedures, maintain appropriate training/competency, and keep accurate records supporting the services delivered.
  • Promptly notify Pleio of issues that could materially affect service quality, security, or compliance.
  • Cooperate with reasonable customer or regulatory inquiries related to Supplier’s Pleio-facing services, subject to confidentiality obligations.

9. Reporting, Cooperation, and Audits
Supplier must promptly report suspected violations of this Code and cooperate in remediation efforts.

  • Reporting: Notify Pleio of suspected or actual violations related to Pleio work, including suspected fraud, corruption, or misuse of Pleio Data.
  • Non-retaliation: Do not retaliate against individuals who raise concerns in good faith.
  • Assessments and audits: Upon reasonable notice, Supplier will provide information needed for Pleio’s vendor due diligence and may be asked to complete security/privacy questionnaires or provide relevant third-party assurance reports (e.g., SOC 2, ISO 27001, HITRUST) when applicable.
  • Corrective action: Supplier will promptly implement corrective actions for any identified gaps, and will provide a remediation plan upon request.
  • Consequences: Failure to comply with this Code may result in corrective action requirements, suspension of work, removal of personnel from Pleio work, and/or termination of the business relationship.

Last updated: February 2026

WE PUT PRIVACY FIRST. GOODSTART® IS A FULLY TESTED, HIGHLY RELIABLE, TCPA, SOC 2 TYPE 2 CERTIFIED, AND HIPAA COMPLIANT MEDICATION SUPPORT PROGRAM.

Patient data is strictly used to support patients to take medications as prescribed by their healthcare professional.

CONTACT   |   PRIVACY   |   SUPPLIER CONDUCT   |  CAREERS

© 2025 Pleio, Inc All rights reserved.