Compliance & Ordering Policy 

Sales & Compliance Terms (B2B, English Law)

These terms apply to sales of vessels, subsystems, software, and technical data.

1) Scope & Classification

1. Products and technical data may be strategic (military or dual-use). Classification and licensing will be undertaken against the UK Strategic Export Control Lists. You will cooperate fully with information requests.

2) Licensing Condition

1. All performance is conditional on applicable UK export/trade licences (including OGEL, SIEL, OIEL) and compliance with licence conditions.
2. If a required licence is refused, suspended, or revoked, we may suspend or terminate without liability for delay or non-performance arising from that licensing outcome.

3) End-User, End-Use & Diversion

1. You will provide accurate end-user and end-use undertakings.
2. No diversion: you must not re-export, transfer, lend, lease, or provide technical assistance to any third party or new destination without our prior written consent and, where applicable, fresh licensing.

4) Sanctions

1. You warrant that you (and any beneficial owner, director, consignee, end-user, or financier) are not subject to UK asset-freeze or other sanctions.
2. We will screen counterparties and may refuse or cancel where sanctions risk exists. You acknowledge UK civil penalties may be imposed on a strict-liability basis for sanctions breaches.

5) Contracting Formalities

1. Governing law/jurisdiction: English law; courts of England & Wales (exclusive).
2. Execution: Electronic signatures are valid unless a wet-ink/witnessed execution is legally required for a particular instrument.

6) Payments

1. Payments must be made via UK-regulated banks from your own account. No cash, cryptoassets, or third-party settlement. We may request proof of funds. No goods/software/technical data are released until cleared value.

7) Technology & Remote Support Controls

1. Access to firmware, source/object code, CAD, manuals and diagnostic portals is limited to the licensed scope and destination and may be geofenced or feature-locked.
2. Transfers by electronic means (email, cloud, remote access) are treated as controlled transfers where applicable.

8) Compliance Cooperation & Audit

1. You will keep and produce records necessary to evidence compliance and licence use. Minimum retention is four (4) years unless a licence sets a longer period.
2. For OGELs, you agree to the record-keeping and inspection conditions attached to that licence class.

9) Privacy & Disclosures

1. We process KYC, end-use, and screening data to meet legal obligations (export control/sanctions) and our legitimate interests (fraud/diversion prevention). Where legally required or permitted, we may disclose data to UK authorities. See our Privacy Notice.

10) Termination for Risk

1. We may refuse, suspend, or terminate if provided information is false/incomplete, risk is unacceptable (export, sanctions, AML), or if performance could breach law or licence conditions.

11) Force Majeure & Regulatory Change

1. We are not liable for licensing, sanctions, or regulatory delays beyond our reasonable control.
2. We may update these terms to reflect changes in UK law and regulator guidance.

Internal Compliance SOP (For Staff)

Operational steps to ensure compliance with UK export controls, sanctions, and data-protection rules.

Roles

• Export Control Lead (ECL) – classification, licensing, ECJU liaison.
• Compliance Officer (CO) – sanctions/KYC screening, policies, training, audits.
• Sales PM – collects end-user pack; blocks progress until ECL/CO green-lights.
• Engineering & IT – access control, geofencing, feature locks, logging.
• Legal – clauses, privacy, transfer mechanisms, escalations.

Stage 1 – Initial Screen (Pre-Quote)

1. Identify all parties: customer, consignee, end-user, and beneficial owners (obtain corporate registry extracts where available).
2. Sanctions screening against HMT consolidated list; assess ownership/control. Record evidence and analyst notes. Escalate any positive/uncertain match.
3. Check destination and end-use risk; flag embargoed or sensitive use-cases.

Stage 2 – Item Classification

1. Classify hull, subsystems (comms, GNSS/INS, radar/EO/IR, autonomy, encryption), spares, and “technology” (drawings, firmware, manuals) against the UK Consolidated Lists. Record control entries.
2. If unlisted but high-risk end-use is suspected, apply catch-all controls and consult ECJU.

Stage 3 – Licence Strategy

1. Determine route: OGEL (if applicable) vs SIEL/OIEL. Register for OGELs before use; document conditions.
2. Prepare End-User Undertaking (EUU) and end-use narrative; obtain signatures.

Stage 4 – Classified/Defence Security (If Applicable)

1. Where UK-classified or partner-nation controlled data/equipment is involved, initiate MOD Form 680 and any facility security steps before disclosure.

Stage 5 – Contracting Gate

1. Insert mandatory clauses: export/sanctions compliance, no-diversion, audit, technology-control, data-protection, licence-dependency/termination, UK-bank payments.
2. Execution: e-signature permitted unless law requires a specific formality.

Stage 6 – Technology & Access Control

1. Restrict repository and portal access to cleared personnel and licensed locations; implement geofencing and feature-locks; log every remote action.
2. Treat electronic transfers (email/cloud/remote access) as controlled where applicable.

Stage 7 – Pre-Shipment / Pre-Enablement Check

1. Verify licence conditions (quantities, values, end-user, destination), rescreen parties, confirm shipping paperwork accuracy. Hold until all checks pass.

Stage 8 – Records & Reporting

1. Maintain complete classification, screening, licence and shipping records for at least four (4) years or longer if required by a licence.
2. Keep files inspection-ready for ECJU compliance visits.

Stage 9 – Incidents & Escalations

1. On suspected breach, freeze activity, notify Legal/CO, consider self-report to OFSI/ECJU, and preserve evidence. Note: UK civil sanctions penalties can be strict-liability.

Stage 10 – Training & Audits

1. Annual staff training for Sales, Engineering, Ops and IT. Quarterly file reviews; spot-check recent cases for completeness and accuracy.

Privacy Notice (UK GDPR)

How we collect, use and share personal data for compliance and contract performance.

Controller & Contact

Controller: [Company legal name], [Company number], [Registered office].
Contact: [privacy@yourdomain.com]  |  [postal address].
DPO (if appointed): [Name / contact].

Data We Collect

• Identification and business contact data (names, roles, emails, telephone, business address).
• Organisation and beneficial-ownership details; intended end-user and end-use; deployment destination.
• Screening outputs (sanctions screening results, analyst notes), licence documentation (EUU, applications, decisions).
• Technical support logs (limited to safety and compliance needs).
• Payment and invoicing identifiers (payer identity, bank details). We do not store payment card data.

Why We Use Your Data (Purposes)

• Classify products/technology and determine export-control licensing.
• Conduct sanctions screening and risk assessments.
• Prepare, conclude and perform contracts; deliver, commission and support products.
• Prevent diversion, fraud and abuse; protect our people and systems.
• Maintain regulatory records and respond to regulator enquiries.

Our Legal Bases (Article 6 UK GDPR)

• Legal obligation: compliance with UK export-control and sanctions laws, including disclosures in licensing or lawful requests.
• Contract: steps at your request before entering a contract and performance of that contract.
• Legitimate interests: risk management, fraud prevention, and diversion prevention (balanced against your rights; you may object to this processing).

Who We Share With

• UK authorities where legally required or permitted (e.g., ECJU for licensing; OFSI for sanctions matters; law-enforcement on lawful request).
• Professional advisers (law firms, auditors) and vetted vendors (screening tools, secure hosting, logistics) under contract.
• MOD/ISAC where MOD Form 680 or defence-security processes apply to classified releases.

International Transfers

Where we use providers or counterparties outside the UK, we apply appropriate safeguards for restricted transfers, typically the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by transfer risk assessments.

Retention

We keep business-relationship and compliance records for the life of the contract plus a minimum of four (4) years, or longer where a licence or law requires. Screening logs are retained no longer than necessary for audit and legal-defence purposes.

Your Rights

You have rights of access, rectification, erasure, restriction, portability and objection (subject to legal exemptions where disclosure would prejudice regulatory or law-enforcement functions). You can complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we process your data.

Updates

We will update this notice to reflect changes in law and regulator guidance. The most current version will always be published on this page.