Ethics & Supplier Alignment
Public summary for large healthcare / defense / federal-style buyers. This page stays stable. Buyer-specific annexes, negotiation knobs (e.g. HITRUST CSF or buyer-specified equivalent, flow-down text), and onboarding instructions are issued through the access/assurance flow — not here. Operational/onboarding instructions are provided only to identified buyers.
Federal anchor: For federal work we maintain a written Code; see FAR 52.203-13. Applicability is prescribed at FAR 3.1004 (generally contracts at or above the current threshold and performance ≥ 120 days).
Why it’s public
Major buyers (including UHG-like healthcare buyers and NGC-like defense primes) publish their supplier codes openly so vendors can self-align before onboarding. We do the same: we publish the posture, and we gate the annexes.
This makes it clear to security/TPRM people that we have a written code, know how to flow requirements down, and can mirror a buyer’s public materials — without revealing the parts we actually negotiate.
Healthcare-style alignment (example: UHG)
When a healthcare buyer that publishes a Supplier Code of Conduct (for example UnitedHealth Group) is the counterparty, we align to the buyer’s publicly available supplier policies and code and we pass those requirements to our internal teams.
Public reference: UHG Supplier Policies
Not an endorsement. This is our summary; it only applies when we are actually operating under that buyer’s PO/SOW.
- Lawful, ethical business; anti-corruption; fair dealing.
- Human rights (no forced/child labor; anti-trafficking; dignity and respect).
- Safe, healthy workplaces.
- Safeguarding buyer data/systems per buyer security standards for in-scope access.
- Accurate, transparent records.
Defense / aerospace-style alignment (example: NGC)
When a defense or aerospace buyer that publishes a supplier SOBC (for example Northrop Grumman) is the counterparty, we align to that public material and make sure our people and subs follow it.
Public reference: NGC Supplier SOBC
Again: our summary, not their endorsement. Active only when we are working under that buyer.
- Lawful, ethical business; anti-corruption and fair dealing.
- Human rights; no forced/child labor; anti-trafficking.
- Protection of buyer/USG data and assets.
- Accurate books and records.
Speak up / reporting
EchoClone internal: email the compliance owner at ops@echoclonelabs.com.
When operating under a buyer program we follow that buyer’s own reporting / hotline / portal instructions exactly as published by the buyer. Because those instructions are public at the source, we point to them — we do not republish the phone numbers here.
If you’re already in that buyer’s portal: use their channel. If not, email us and we will direct you to the right buyer channel.
Data & healthcare posture (public)
Our assurance/evidence work is buyer-hosted and non-PHI by default. If a buyer needs PHI or other regulated data in scope, we do that under the buyer’s BAA and buyer security standards. Detailed security / certification statements (including “HITRUST CSF or buyer-specified equivalent” language) are provided in the gated assurance/onboarding kit.
Document control & integrity
- Canonical PDF: /docs/echo-supplier-code.pdf • v1.1 • Effective 2025-10-17 • Reviewed annually • Policy owner: ops@echoclonelabs.com
- Buyer-aligned annexes (healthcare / defense) are sent after access approval.
- Integrity: /docs/SHA256SUMS.txt. Verify with sha256sum <file> (Linux) or shasum -a 256 <file> (macOS).
- Contracts control. If a contract, PO, TO, or buyer portal specifies different or stricter language, that document prevails over this public summary.
- Buyer names and titles are referenced neutrally to their public materials; this page is not an endorsement by any buyer.
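The integrity line above names the tools but not the fail-closed way to use them. The script below is an added example (not EchoClone's own tooling): it verifies a downloaded document against a sums file in the published SHA256SUMS.txt format using the tool's check mode, picks sha256sum or shasum automatically, and returns non-zero on any mismatch. The file name, contents, and temporary paths it creates are constructed for the demo; the real sums file is /docs/SHA256SUMS.txt.

```shell
#!/bin/sh
# Added example, not part of the EchoClone page: fail-closed verification of a
# downloaded document against a SHA256SUMS.txt-style file.

# Print the SHA-256 command available on this platform:
# sha256sum on Linux, shasum -a 256 on macOS. Fails if neither exists.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then
    echo "sha256sum"
  elif command -v shasum >/dev/null 2>&1; then
    echo "shasum -a 256"
  else
    return 1
  fi
}

# verify_sums <sums-file>
# Runs the tool in check mode from the directory holding the sums file, so the
# relative names inside it resolve. Returns 0 only if every listed file matches;
# any missing or altered file makes the check fail.
verify_sums() {
  sums="$1"
  tool=$(sha256_tool) || { echo "no SHA-256 tool found" >&2; return 2; }
  dir=$(dirname "$sums")
  base=$(basename "$sums")
  (cd "$dir" && $tool -c "$base" >/dev/null 2>&1)
}

# Demo with constructed data: publish a hash for a sample document, verify it,
# then append a byte to simulate a modified download and verify again.
demo() {
  tmp=$(mktemp -d)
  printf 'Supplier Code v1.1 (constructed sample)\n' > "$tmp/echo-supplier-code.pdf"
  tool=$(sha256_tool)
  (cd "$tmp" && $tool echo-supplier-code.pdf > SHA256SUMS.txt)
  if verify_sums "$tmp/SHA256SUMS.txt"; then
    echo "intact download: verified"
  else
    echo "intact download: verification FAILED"
  fi
  printf 'x' >> "$tmp/echo-supplier-code.pdf"   # simulate tampering in transit
  if verify_sums "$tmp/SHA256SUMS.txt"; then
    echo "tampered download: verified (this should not happen)"
  else
    echo "tampered download: mismatch detected, refusing file"
  fi
  rm -rf "$tmp"
}

demo
```

Using check mode (`-c`) rather than comparing a printed hash by eye means the script, not the reader, decides; wire `verify_sums` into the download step so an altered or truncated PDF is never opened.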