It's important to note that not all of these criteria will be applicable or be equally critical in every situation.
Each project has its own set of unique requirements and constraints, and we'll prioritise these criteria based on the specific context of our needs, industry standards, and regulatory environment. The process of supplier selection is inherently flexible and should be adapted to align with Montala's strategic objectives, operational demands and information security policies.
We may choose to apply a weighted scoring system to these considerations, specific to that particular procurement, allowing for a customised and nuanced evaluation of potential suppliers.
1. Technical and Operational Capabilities
- Modern, scalable, and resilient infrastructure.
- Ability to support required operating systems and platforms.
- Adequate compute, storage and network resources.
- Provision of monitoring capabilities, including logs for auditing and SIEM ingestion.
- Real-time dashboards for performance and usage.
- Capability to customise or tailor solutions to our needs.
- Modular architectures allowing future changes or additions.
2. Security Features and Protocols
- Enhanced access control mechanisms (e.g. SSO, MFA, RBAC).
- Regular security audits and assessments (e.g. penetration testing and vulnerability assessments, where applicable).
- Data encryption in transit and at rest.
- Secure storage of data and procedures for data retrieval.
- Incident response plan covering breach handling.
- Security training and awareness for relevant staff.
- Use of secure coding practices aligned with Montala’s own standards, at a minimum.
3. Service Levels (SLAs), Performance, and Reliability
- Clearly defined uptime guarantees (e.g. 99.9% uptime).
- Defined response and resolution times for support.
- Compensation mechanisms for SLA failures.
- Demonstrated performance benchmarks and optimisation techniques.
- Ability to handle expected loads and scale accordingly.
4. Certifications, Standards, and Compliance
- ISO 27001 for information security management.
- ISO 9001 for quality management systems.
- Other relevant certifications (e.g. ISO 22301 for business continuity, ISO/IEC 20000-1 for IT service management, SOC 2).
- Applicable software-industry accreditations or certifications.
- Compliance with relevant data protection laws (e.g. GDPR, CCPA).
- Adherence to secure coding standards and recognised software development practices (e.g. OWASP).
5. Reputation and Recommendations
- High ratings and positive reviews from credible sources.
- Testimonials and case studies from similar-sized businesses in the same industry.
- Endorsements from trusted professionals within the industry.
6. Software Development Life Cycle (SDLC) Practices
- Best practice SDLC covering planning through maintenance.
- Multiple environments (development, testing, staging, production).
- Use of static and dynamic analysis tools to detect vulnerabilities and bugs.
- Effective management of software dependencies.
- Rigorous testing (unit, integration, system, UAT).
- Automated testing procedures.
- Dedicated QA team with relevant expertise.
- Regular status reports and clear documentation (technical specifications, user guides, API docs).
7. Support and Maintenance
- Availability of support channels (email at minimum; phone/chat if provided; 24/7 where applicable).
- Response time within agreed limits (e.g. within a day).
- Escalation procedures for critical issues.
- Clear maintenance window procedures and notifications.
- Post-deployment support, bug fixes, and optional training.
8. Documentation and Transparency
- Comprehensive and accessible documentation for systems, solutions, and integrations (e.g. user manuals, technical specifications, and API documentation).
- Transparent communication protocols and collaboration tools for updates.
- Regular project updates and review meetings (for development suppliers).
- The supplier must permit audits/inspections by the controller or provide equivalent independent audit evidence.
9. Financial Stability and Business Continuity
- Evidence of sufficient financial health for long-term viability.
- Business continuity and disaster recovery plans.
10. Cost and Payment Terms
- Competitive pricing (without compromising quality) and clear billing practices.
- Flexible payment schedules (e.g. monthly, annually).
- Cost transparency for additional services or resources.
11. Data Protection and Privacy
- Compliance with relevant data protection regulations (e.g. GDPR, CCPA).
- Policies for data breach notification and response.
- Data sovereignty assurances, if applicable.
- Ability to retrieve Montala’s data when required.
- Staff with access to personal data must be bound by confidentiality obligations (NDAs).
- The processor must process personal data only on documented instructions from the controller (this applies to the entire supply chain).
- The supplier must assist the controller in meeting data subject rights requests (e.g. access, deletion, etc.).
- The supplier must assist with conducting DPIAs and security assessments, where relevant.
- The supplier must ensure secure deletion or return of all personal data at contract end (including copies).
12. Geographical and Legal Considerations
- Location of data centres and associated jurisdictional implications.
- Proximity where relevant for latency or legal considerations.
- If data is transferred outside the UK, the supplier must ensure appropriate safeguards are in place: for example, the destination countries or territories are covered by adequacy regulations, or an applicable International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's standard contractual clauses (SCCs) is in place.
13. Environmental and Social Governance
- Commitment to sustainability and environmentally friendly practices.
- Ethical labour practices and supply chain transparency.
14. Intellectual Property and Licensing
- Clear agreements on IP ownership (Montala retains IP for work it funds).
- Transparent and fair licensing terms.
15. Innovation and Roadmap
- Demonstrated investment in R&D.
- Clear technology roadmap aligning with future infrastructure or software trends.
Background and reasoning
The purpose of these criteria is to comply with UK data protection law (UK GDPR) when engaging a new sub-processor, by allowing Montala (as the data processor) to select sub-processors under general authorisation criteria.
This supports our "Information Security Policy" and "Supplier Management Policy and Procedure".
Data Controller notification triggers
Any material change to our sub-processor selection criteria must be notified to all relevant Data Controllers in advance, as it constitutes an intended change under Article 28(2) GDPR. If no objection is raised within 30 days of the notice, the change will proceed.
