Policies

1. Quality Policy Statement

It is the policy of 3core² Certification Limited to deliver consistent, reliable, and efficient certification of management systems that meet the highest standards of quality. Our aim is to enable clients to benefit from our company's expertise, integrity, and commitment to excellence.

All enquiries and applications are handled with integrity and confidentiality, with a clear focus on enhancing customer satisfaction. We are committed to maintaining impartial, objective, and fair treatment of all clients.

The pursuit of quality is essential to the long-term growth and success of 3Core² Certification. To achieve this, we believe in working collaboratively with our clients and continually improving our services, internal processes, and management system.

We maintain an effective and continually improving management system aligned to the following international standard:

• ISO/IEC 17021-1:2015 – Requirements for bodies providing audit and certification of management systems

Our management system is defined through this Policy, our Management System Manual, and our supporting documented procedures.

3Core² Certification is fully committed to:

• Complying with all applicable legal, regulatory, and other relevant requirements.

• Periodically evaluating compliance to ensure ongoing conformance and effectiveness.

• Continual improvement of our management system, operational performance, and customer satisfaction.

• Ensuring that no part of the certification activity is outsourced to any other organisation, in alignment with our core principles and risk-based approach.

• Maintaining high levels of professional competence, confidentiality, and customer focus across all activities.

• Maintaining impartiality at all levels of the organisational processes.

Quality Objectives and Performance Monitoring

To support the implementation of this policy and drive improvement:

• Quality objectives are set by top management, in line with the strategic direction of the organisation.

• Objectives are measurable, relevant to our core services, and aligned with client expectations, accreditation requirements, and regulatory obligations.

• Performance against these objectives is monitored and reviewed regularly, with corrective and improvement actions implemented as required.

This Quality Policy is communicated, understood, and applied across all levels of the organisation. All employees are expected to support and contribute to its implementation. The policy is reviewed periodically to ensure it remains relevant and appropriate to the purpose and context of 3Core² Certification.

Donn Houldsworth

Managing Director

PL01 r05 August 2025

2. Impartiality Policy Statement

3Core² Certification Limited and its Directors, Managers, and Staff fully recognise the critical importance of impartiality in the delivery of its certification, inspection, and compliance activities. We are committed to ensuring that all dealings with clients or potential clients are conducted in a manner that upholds independence, objectivity, and fairness.

To safeguard and demonstrate impartiality, 3Core² Certification Ltd has identified and risk-assessed all relationships that may present a conflict of interest or pose a threat to impartiality. In support of this, the following principles are established and enforced:

Independent Certification Decisions:

• All certifications are granted following review by an authorised and competent member of the team who was not involved in the audit, ensuring impartiality in decision-making.

Consultancy and Internal Auditing Services:

• 3Core² Certification does not and has never provided management system consultancy or internal audit services.

• 3Core² Certification does not own or hold any financial or other interest in companies offering certification, consultancy or internal audit services for management system standards.

• 3Core² Certification will not be marketed or presented in a manner that implies association with management system consultancy.

• Any such misrepresentation identified will be addressed promptly and appropriately.

Separation from other Organisations:

• Any proposed business relationship is subject to a documented risk assessment prior to formalisation. However, 3Core² Certification will not maintain and will not enter into relationships with organisations that may affect the impartiality of our certification processes.

• Existing relationships are reviewed regularly to ensure continued impartiality.

Declaration of Interests:

• All personnel (employees or contractors) are required to declare current and past relationships with clients or related organisations. Any potential conflict of interest must be disclosed and risk assessed.

• Individuals will not be assigned to audits or be involved in decision making where it is identified that a conflict exists.

• Such restrictions will apply for a minimum of two years following the existence of the past relationship, and will always be subject to a risk assessment prior to the lifting of those restrictions.

Training Services:

• 3Core² Certification does not provide organisation-specific training for the implementation of standards.

• Any training offered is general in nature and available to all interested parties.

Auditor Independence and Pressure Prevention:

• All auditors and personnel involved in certification decisions operate free from internal or external pressure.

• No influence shall be exerted to alter the outcome of an audit.

• No member of staff or sub-contractor will perform any part of an internal audit of their own work, to ensure independence of the audit undertaken.

Donn Houldsworth

Managing Director

PL02 r04 August 2025

3. Suspension & Withdrawal of Certification Policy Statement

3Core² Certification Ltd is committed to maintaining the integrity, credibility and appropriate use of certification. Where a certified client no longer meets certification requirements, or where certification cannot be maintained with justified confidence, 3Core² will take timely and proportionate action to suspend, withdraw, and/or reduce the scope of certification.

All such decisions will be made fairly, transparently, and in accordance with our rules of registration, contractual terms and conditions, and our appeals and complaints process. The circumstances under which certification may be suspended, withdrawn, or have its scope reduced are set out below:

Suspension:

  • The client's management system persistently or seriously fails to meet certification requirements.
  • The client is no longer compliant with the certified standard(s) to the extent certification cannot be justified.
  • The client fails to address new issues/standard upgrades where the impact is serious.
  • The client does not permit surveillance or recertification audits at required frequencies.
  • The client requests voluntary suspension.
  • The client fails to meet financial obligations (e.g., non-payment).
  • The client fails to provide evidence that corrections/corrective actions are implemented within agreed timescales.

Withdrawal:

  • The client is no longer in business.
  • The client requests deregistration.
  • The client fails to complete actions required to lift a suspension within the stated timescale.
  • The client persistently or seriously fails to meet certification requirements for their scope.

Scope reduction:

  • 3Core² cannot effectively audit elements of the scope over a certification cycle (e.g., lack of relevant activity or inability to witness/assess certain activities during the cycle).

Upon suspension, withdrawal or reduction in scope of the certification for whatever reason, the client shall be notified in writing and provided with the details of the appeals procedure.

Suspensions will only be lifted following receipt of evidence that the actions needed to consider lifting the suspension have been completed within the required timescale, and which are deemed satisfactory upon review.  

Donn Houldsworth

Managing Director

PL03 r02 February 2026

4. Sanctions Compliance Policy

Introduction

3core² Certification Ltd is committed to complying with relevant economic and trade Sanctions laws ("Sanctions") in all jurisdictions in which it operates, as these may apply to its operations, through identifying, mitigating, and managing the risks of both primary and secondary Sanctions violations.

In this Sanctions Compliance Policy ("Policy"), "3core² Certification Ltd" refers to 3core² Certification Ltd (a company incorporated in the UK on 20 May 2019, registered number 12004687).

Policy Applicability

This Policy applies to:

All employees, officers, directors, and contracted personnel of 3core² Certification Ltd, and to such other persons as designated by 3core² Certification Ltd from time to time (each an "Employee", collectively "Employees"); and,

All natural and legal persons (and their respective employees, officers and directors) that perform services for or on behalf of 3core² Certification Ltd, including without limitation, supply chain business partners, suppliers, consultants, contractors, distributors, and agents (including without limitation, sales agents/representatives) (each an "Associated Person", collectively "Associated Persons").

As a condition of doing business with 3core² Certification Ltd, 3core² Certification Ltd will require each Associated Person to accept that this Policy be incorporated into the contract entered into between the Associated Person and 3core² Certification Ltd.

Contracts and agreements executed between 3core² Certification Ltd and Associated Persons may contain more specific provisions addressing some of the issues set out in this Policy. Nothing in this Policy is meant to supersede any more specific provision in a particular contract or agreement executed between 3core² Certification Ltd and an Associated Person, and to the extent there is any inconsistency between this Policy and any other provision of a particular contract or agreement, the provision in the contract or agreement will prevail.

This Policy is intended to supplement and not replace other 3core² Certification Ltd codes of conduct, policies, rules and procedures that are applicable to Employees and Associated Persons from time to time. If any Employee or Associated Person has any doubt as to the codes, policies, rules and procedures applicable in a given situation, or if any Employee or Associated Person perceives any conflict or inconsistency between this Policy and any other 3core² Certification Ltd code of conduct or any other 3core² Certification Ltd policies, rules or procedures, then he/she should raise the issue with, and seek direction from, 3core² Certification Ltd (info@3core2.co.uk). This Policy is a statement of principles and expectations for individual and business conduct. It is not intended to and does not in any way constitute a contract, an employment contract, or assurance of continued employment, and does not create any right in any Employee or Associated Person. The enforcement and interpretation of this Policy rests solely with 3core² Certification Ltd. This policy only creates rights in favour of 3core² Certification Ltd. The headings contained in this Policy are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this Policy. In the event of any conflict between this Policy and applicable mandatory law, the applicable mandatory law shall prevail.

Overview of Sanctions and Prohibited Conduct

Purpose

This Policy sets out 3core² Certification Ltd's approach to identifying and managing Sanctions-related risks, including:

Guidance about the meaning of Sanctions and how to comply.

Principles and measures that 3core² Certification Ltd follows to comply with Sanctions legislation and to identify, mitigate and manage Sanctions risk in the jurisdictions where it operates; and,

Consequences of failing to comply with this Policy.

This Policy applies to all countries and/or jurisdictions in which 3core² Certification Ltd operates and extends to any additional countries and/or jurisdictions where 3core² Certification Ltd commences operations and/or has an active registration or license.

Meaning of Sanctions and How to Comply

Sanctions are laws and regulations enacted by governments (such as the government of the United States ("U.S.")), international organisations (such as the United Nations ("U.N.")) and supranational bodies (such as the European Union ("E.U.")) to promote foreign policy and other objectives, including:

  • limiting the adverse consequences of a situation of international concern (for example, by denying access to military or paramilitary goods, or to goods, technologies or funding that enable international terrorism or the proliferation of weapons of mass destruction);
  • seeking to influence other persons or governments to modify their behaviour; and
  • penalizing other persons or entities (for example, by blocking or "freezing" their assets, or denying access to international travel or to the international financial system).

Sanctions are intended to deter a range of activities, which may include political or military aggression, providing sanctuary for criminals and terrorists, developing nuclear or other weapons programs, and abusing human rights.

Sanctions are implemented largely by prohibiting companies and individuals from doing business with persons, entities, countries and governments that are the targets of the Sanctions. Such restrictions can include:

  • export bans, import bans and prohibitions on the provision of certain specified services;
  • prohibiting certain commercial activities (such as joint ventures and other investment);
  • barring the transfer of funds to and from a sanctioned country;
  • targeted financial Sanctions, which include freezing the assets of and prohibiting any dealings with a government, country, or territory, and designated entities and individuals;
  • travel bans;
  • other financial restrictions.

One key method of imposing Sanctions is to designate a country, territory, government, individual or entity as a target of Sanctions (a "Sanctions Target"). For example, the United States publishes a list of Specially Designated Nationals (or "SDNs"), which includes individuals and entities. In general, persons subject to U.S. jurisdiction must block (or freeze) any assets of an SDN within the U.S. person's possession or control, and may not have any dealings with, or provide any services to, an SDN. The United States also imposes economic sanctions and embargoes that target geographic regions and governments; some programs are comprehensive in nature and block the government and include broad-based trade restrictions, while others target specific individuals and entities. In non-comprehensive programs, there may be broad prohibitions on dealings with countries, and also against specific named individuals and entities.

Most Sanctions regimes prohibit actions taken to circumvent applicable Sanctions or to facilitate activities by another person or entity that would violate Sanctions if undertaken directly. Employees and Associated Persons shall be careful not to inadvertently violate sanctions by facilitating or brokering a transaction that would be prohibited if conducted by 3core² Certification Ltd. Employees and Associated Persons cannot facilitate, swap, approve, finance, or broker any transaction or activity if such transaction or activity would be prohibited if performed by 3core² Certification Ltd. This prohibition also includes referrals to a foreign person of business opportunities involving any nation subject to comprehensive sanctions or any persons designated on an SDN list. Example: if an Employee or Associated Person introduces a person from a Sanctioned Country (with whom no business can be made as per applicable Sanctions) to a foreign person for the purpose of facilitating or fostering a business opportunity, then that Employee or Associated Person would be in violation of the "facilitation" clause of the Sanctions.

Moreover, some Sanctions regimes have extraterritorial applications, such that they may be extended to persons abroad who cause a domestic person to violate Sanctions, for example, by removing SDN-identifying information from funds transfers or other business records so that a domestic person cannot properly screen the transaction for Sanctions violations.

3core² Certification Ltd's principles and measures to comply with Sanctions and to identify, mitigate, and manage Sanctions risk

Key Principles

The following key principles govern 3core² Certification Ltd's approach to Sanctions and export controls. All other requirements in this document are to be read in the context of these principles. In the event of a conflict between principles and requirements, the principles will prevail.

3core² Certification Ltd maintains a Sanctions policy to meet obligations under Sanctions regimes of the jurisdictions in which it operates, is registered and/or licensed.

3core² Certification Ltd complies with the requirements of the UK, U.S., U.N. and E.U. Sanctions regimes (whenever these apply to its operations) wherever it operates, and will not undertake any business that would breach those Sanctions regimes.

In addition to complying with the requirements of the UK, U.S., U.N. and E.U. Sanctions regimes (whenever these apply to its operations), 3core² Certification Ltd complies with other Sanctions regimes whenever they apply to particular 3core² Certification Ltd operations and will not undertake any business that would breach those Sanctions regimes.

3core² Certification Ltd also considers Sanctions regimes imposed by other jurisdictions where the facts of the transaction make it appropriate to do so.

3core² Certification Ltd may decide not to provide products or services even where it is permitted by law, particularly where the circumstances present a reputational risk.

3core² Certification Ltd will not undertake any business that would breach any export laws that apply to it.

Measures to Comply with Sanctions

Before engaging in any commercial relationship or transaction, 3core² Certification Ltd ensures that these relationships and transactions comply with applicable UK, U.S., U.N., and E.U. Sanctions laws, by screening those individuals or entities against the SDN list and other relevant Sanctions lists.

3core² Certification Ltd shall also screen its transactions for potential violations of country-specific sanctions.

The level of screening and due diligence undertaken depends on the risk profile of the particular relationship or transaction, with enhanced screening and diligence undertaken where the risks are greater. For example, where a relationship or transaction is with an internationally recognised individual or business in a country or countries that are not subject to Sanctions, a lower standard of diligence may be applied. Conversely, where a relationship or transaction is with an individual or business located in a high-risk jurisdiction, enhanced due diligence must be undertaken.

In carrying out such screening, 3core² Certification Ltd may rely on information provided to it by its customers and business partners unless it is aware or suspects that those customers and business partners, or the information provided, is unreliable or dishonest, or relates to a high-risk jurisdiction.

Contracts with Associated Persons must include provisions (i) representing that the Associated Person is not itself an SDN or otherwise the subject or target of Sanctions; (ii) requiring compliance with UK, U.S., U.N. and E.U. Sanctions laws and with this Policy; (iii) requiring that its Associated Persons do not engage in or facilitate any business activity that would lead 3core² Certification Ltd to breach any applicable Sanctions obligations; and (iv) permitting 3core² Certification Ltd to exit the contract if the Associated Person violates its contract with 3core² Certification Ltd or this Policy, or becomes an SDN or otherwise the subject or target of Sanctions.

Neither 3core² Certification Ltd nor any Employee shall engage in any commercial relationship or transaction that directly or indirectly involves:

  • countries that are subjects or targets of Sanctions ("Sanctioned Countries"); or,
  • nationals of Sanctioned Countries;

unless the contemplated commercial relationship or transaction has been screened and cleared for action in accordance with the applicable 3core² Certification Ltd sanction screening systems, processes and procedures that are implemented by 3core² Certification Ltd from time to time. For clarity, the fact that a country is a Sanctioned Country or a person is a national of a Sanctioned Country does not automatically mean that 3core² Certification Ltd or an Employee cannot engage in any commercial relationship or transaction involving any such Sanctioned Country or person; however, the transaction or commercial relationship intended by 3core² Certification Ltd or the Employee would first need to be thoroughly screened by 3core² Certification Ltd to ensure that it does not breach any Sanctions-related legal obligation. If in doubt, advice should always be obtained from 3core² Certification Ltd (info@3core2.co.uk).

From time to time relevant Employees shall be informed by 3core² Certification Ltd of those countries that are Sanctioned Countries. Because Sanction programs are dynamic and constantly changing, the countries that are Sanctioned Countries can change quickly; 3core² Certification Ltd regularly reviews the UK, U.S., U.N. and E.U. Sanction regimes, and may update the list of Sanctioned Countries at any time.

Associated Persons shall also ensure that they do not engage in any commercial relationship or transaction that directly or indirectly involves countries that are subjects or targets of Sanctions and nationals of such countries unless the commercial relationship or transaction would have been screened and cleared for action in accordance with the applicable screening procedures and processes implemented by each Associated Person. Associated Persons shall at all times have in place systems, processes, policies and procedures to ensure compliance with this limitation. If in doubt as to whether any commercial relationship or transaction conducted by an Associated Person violates this policy, the Associated Person shall notify 3core² Certification Ltd as soon as practicable.

For clarity and avoidance of any doubt:

all commercial relationships and transactions, directly or indirectly, involving Sanctioned Countries and nationals of Sanctioned Countries shall be immediately cancelled and/or not pursued until screened and cleared for action in accordance with the applicable 3core² Certification Ltd sanction screening systems, processes and procedures that are implemented by 3core² Certification Ltd from time to time; and

commercial relationships and transactions with persons whose name is not on a list of Specially Designated Nationals may still be prohibited if that commercial relationship or transaction directly or indirectly, involves Sanctioned Countries and nationals of Sanctioned Countries. In such cases commercial relationships and transactions shall also be immediately cancelled and/or not pursued until screened and cleared for action in accordance with the applicable 3core² Certification Ltd sanction screening systems, processes and procedures that are implemented by 3core² Certification Ltd from time to time.

Employees and Associated Persons must not facilitate activities by any persons, including customers and passengers, that involve Sanctioned Countries or nationals of Sanctioned Countries, including by referring such business to other persons or entities.

If any Employee or Associated Person becomes aware of an actual or potential breach of a Sanctions regime, then he/she must notify 3core² Certification Ltd immediately. 3core² Certification Ltd will then assess any notification received in the light of, amongst other things, any applicable reporting legal obligations binding 3core² Certification Ltd.

Obligations of Employees and Associated Persons

Employees and Associated Persons must read and apply this Policy and must ensure compliance with this Policy.

The relevant 3core² Certification Ltd units/departments dealing with customers, suppliers and other business partners/counterparties shall screen and perform due diligence on each prospective customer, passenger, supplier and potential business partner/counterparty. If there is any doubt whether screening and due diligence has been conducted with respect to any such person or entity, the 3core² Certification Ltd Director must be contacted immediately.

Under no circumstances may an Employee or Associated Person act to avoid Sanctions obligations or detection of a relationship or transaction that would breach this Policy. 3core² Certification Ltd and Employees and Associated Persons cannot advise customers or others as to how transactions may be structured or presented to evade applicable Sanctions or this Policy. This includes, but is not limited to, advising customers and others to amend any information or documents to include false or misleading information, to omit accurate information, or changing, removing or omitting information from a transaction or any business record that would otherwise lead to detection of a Sanctions issue.

Employees and Associated Persons may be subject to the Sanctions laws not only of the country or countries in which they live and work, but also of the country or countries of which they are a citizen, permanent resident, or visa holder. In addition, mere presence in a country, even on a transitory basis, generally will make the Employee or Associated Person subject to the laws of that country while they are within or transiting through it. It is the responsibility of each Employee and Associated Person to understand and meet their Sanctions obligations as a citizen of a particular country or as a result of their presence in a particular country. Questions about particular circumstances should be directed to the 3core² Certification Ltd Compliance Director. Depending on such circumstances, 3core² Certification Ltd may require the Employee or the Associated Person to adhere to certain practices to ensure that 3core² Certification Ltd and the individual Employee or Associated Person comply with all applicable Sanctions requirements.

Consequences of Failure to Comply

Failure to comply with relevant Sanctions laws would constitute a breach of legal and/or regulatory requirements, and can expose 3core² Certification Ltd to significant reputational damage, legal and regulatory actions, and financial loss, and can expose individual Employees or Associated Persons involved in any violation to substantial fines and imprisonment.

3core² Certification Ltd has a zero-tolerance approach to intentional violation of this Policy or applicable Sanctions regimes. If an Employee fails to comply with this Policy, then he/she may be subject to disciplinary action that may include dismissal from employment. Disciplinary measures will depend on the circumstances of the violation and will be applied in a manner consistent with 3core² Certification Ltd's policies. In addition, Employees who violate the law during the course of their employment may also be subject to criminal and civil action.

3core² Certification Ltd may terminate a business relationship with any Associated Person (including terminating all contracts and agreements in force between 3core² Certification Ltd and any such Associated Person) by means of written notice to the Associated Person, with immediate effect, without need of judicial recourse, and without liability for compensation or damages (whether direct and/or indirect) of any type or nature in favour of the said Associated Person, in the event that: i. the Associated Person fails to comply with any provision in this Policy and fails to remedy (if such a failure is remediable) that failure within 10 days of the Associated Person being notified in writing of the failure; or, ii. the Associated Person becomes a Specially Designated National or the subject or target of Sanctions.

Audits

Each Associated Person shall, without expense to 3core² Certification Ltd, provide access (with appropriate prior notice from 3core² Certification Ltd) to all relevant documents, records, systems, processes, policies and procedures in order to enable 3core² Certification Ltd (or its third party professional representatives) to audit and verify compliance by the Associated Person with this Policy. If an audit shows that an Associated Person is in breach of this Policy then the Associated Person shall, without delay, implement the necessary corrective action (if the breach can be corrected) determined by 3core² Certification Ltd.

Revisions and Enquiries

3core² Certification Ltd will unilaterally review this Policy on a regular basis at its absolute discretion, and will introduce revisions where necessary or appropriate. 3core² Certification Ltd may also issue addenda, guidelines and memoranda from time to time to supplement this Policy.

For enquiries or any other matter relating to this Policy, contact 3core² Certification Ltd at info@3core2.co.uk.

Reporting of Violations

3core² Certification Ltd is fully committed to developing a "Speak up culture" – Employees and Associated Persons should not be afraid to speak up if they think that something is wrong or needs to be fixed. Employees and Associated Persons should at all times feel comfortable sharing their views, asking questions, flagging anomalies, expressing concerns, or reporting perceived violations of this Policy. If an Employee or Associated Person becomes aware of any suspected or known violations of this Policy or he/she realises that 3core² Certification Ltd or an Associated Person performed a transaction prohibited by Sanctions, then he/she has a duty to promptly report such concerns in accordance with 3core² Certification Ltd's Speak Up process for Reporting Concerns Relating to Financial Matters.

Confirmation

Employees and Associated Persons shall periodically, whenever requested by 3core² Certification Ltd (in the case of Employees, as a minimum once a year), individually confirm in writing to 3core² Certification Ltd that he/she/it has read this Policy and agrees to comply therewith.

Donn Houldsworth

Managing Director

PL06 r00 October 2022 

5. Privacy Policy

3core² is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or otherwise interact with us.

When we process your personal data we comply with all applicable data protection legislation, including the UK GDPR and the Data Protection Act 2018.

1. Information We Collect:

• The information we collect is limited to the information we need to process your request for training or certification services.

• Personal Information: We may collect personal information such as your name, email address, postal address, phone number and other contact details when you voluntarily provide it to us.

2. How We Use Your Information:

We may use the information we collect to:

• Communicate with you about your enquiries and purchases.

• Customise your experience and deliver personalised content and offers.

• Protect against fraudulent or unauthorised activity.

• Comply with legal obligations.

3. Sharing Your Information:

We may share your information with:

  • Service Providers: Third-party service providers who assist us in operating our website, conducting business, or servicing you.
  • Legal Requirements: When required by law or in response to valid legal process.
  • Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets.

4. Data Security:

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction.

5. Your Choices:

You have the right to access, correct, update, or delete your personal information. You may also opt-out of receiving marketing communications from us.

6. Children's Privacy:

Our website is not directed to children under the age of 17. We do not knowingly collect personal information from children without parental consent.

7. Changes to This Policy:

We reserve the right to update or modify this Privacy Policy at any time. Any changes will be effective immediately upon posting the revised policy on our website.

8. Contact Us:

If you have any questions or concerns about this Privacy Policy or our practices regarding your personal information, please contact us at info@3core2.co.uk

Donn Houldsworth

Managing Director

PL09 r01 March 2024

6. Artificial Intelligence (AI) Policy

1. Purpose

3core² Certification Ltd is committed to the responsible, lawful, secure and effective use of artificial intelligence (AI) in support of its business activities. This policy sets out the organisation's direction and intentions for use, governance, oversight and continual improvement of AI within the business.

The purpose of this policy is to ensure that AI is used in a manner that supports business objectives while protecting the integrity of certification activities, maintaining impartiality, safeguarding confidentiality, supporting compliance obligations, and reducing the risk of harm to clients, personnel, interested parties and society.

2. Scope

This policy applies to all employees, directors, subcontract auditors, contractors, consultants and any other persons working under the control of 3core² Certification Ltd who use, approve, manage, procure, configure, monitor or rely upon AI systems or AI-enabled tools as part of company activities.

This includes, but is not limited to, the use of AI in:

  • administration and internal operations.
  • document drafting and editing support.
  • research and information gathering.
  • data analysis and reporting.
  • marketing and communications.
  • workflow support and automation.
  • customer-facing systems and services; and
  • any third-party software or platform incorporating AI functionality.

For the avoidance of doubt, this policy also applies where AI functionality is embedded within software or online services used by the organisation.

3. Alignment with Business Purpose and Management Systems

This policy is appropriate for the purpose of 3core² Certification Ltd as a certification body and provider of related certification and assurance services. It is intended to provide a framework for setting AI objectives, managing AI-related risks and opportunities, and supporting the establishment, implementation, maintenance and continual improvement of the organisation's AI management arrangements.

This policy shall be read alongside other relevant organisational policies and controls, including those relating to impartiality, confidentiality, information security, data protection, acceptable use, document control, competence, supplier management, risk management and corrective action.

4. Policy Statement

3core² Certification Ltd recognises that AI can create opportunities to improve efficiency, consistency, accessibility, analysis and innovation. The organisation also recognises that AI can introduce risks relating to inaccuracy, bias, lack of transparency, misuse, privacy, confidentiality, intellectual property, cyber security, over-reliance and accountability.

Accordingly, 3core² Certification Ltd commits to ensuring that AI is used responsibly, proportionately and under appropriate human oversight. AI shall support competent personnel and controlled processes and shall not be used in a way that compromises professional judgement, legal compliance, certification integrity, or trust in the organisation's services.

5. Policy Commitments

5.1 General commitment

3core² Certification Ltd shall establish, implement, maintain and continually improve arrangements for the responsible use and governance of AI in line with the organisation's context, interested party requirements, business risks and operational needs.

5.2 Commitment to meet applicable requirements

The organisation shall ensure that the use of AI takes account of applicable legal, regulatory, contractual, accreditation, ethical and customer requirements. This includes, where relevant, obligations relating to certification activity, confidentiality, information security, data protection, intellectual property, human rights, equality, fairness and transparency.

5.3 Commitment to continual improvement

3core² Certification Ltd is committed to the continual improvement of its AI management arrangements, including the review of AI-related risks, controls, objectives, incidents, training, monitoring results, internal audit outcomes and management review outputs.

5.4 Responsible and proportionate use of AI

AI shall only be used for legitimate business purposes and only where its use is appropriate to the task, proportionate to the level of risk, and subject to suitable oversight. The organisation shall determine the extent of control needed according to the intended use of the AI system, the significance of the output, and the possible impact on individuals, clients, certification activities or society.

5.5 Human oversight and accountability

AI shall support, and not replace, accountable human judgement where professional assessment, decision-making, review or approval is required.

Final accountability for the use of AI, the outputs produced, and any resulting decisions remains with authorised personnel of 3core² Certification Ltd.

AI shall not be permitted to make autonomous certification decisions, final audit conclusions, or any other determinations requiring impartial professional judgement. All such matters shall remain under the control of competent authorised persons.

5.6 Impartiality, independence and integrity

As a certification body, 3core² Certification Ltd shall ensure that AI is not used in a manner that creates unacceptable threats to impartiality, independence or objectivity. AI-generated materials shall be critically reviewed before use, and no person shall rely on AI output in a way that undermines audit evidence, sound professional judgement, or the integrity of certification processes.

5.7 Transparency and appropriate disclosure

The organisation shall determine where transparency regarding the use of AI is required internally or externally. Where AI materially contributes to content, analysis, recommendations, communications or business outputs, the need for disclosure, review records or traceability shall be considered.

Interested parties shall be provided with appropriate information about AI use where this is required by contract, law, regulation, accreditation expectation, risk level or organisational policy.

5.8 AI risks and opportunities

The organisation shall identify and assess AI-related risks and opportunities, taking account of:

  • the intended purpose of the AI system or tool.
  • the context in which it is used.
  • the nature of the information processed.
  • the significance of the output.
  • potential impacts on individuals, groups, clients and society; and
  • the organisation's legal, regulatory and accreditation obligations.

AI-related risks shall be assessed, prioritised and treated using a risk-based approach. Where appropriate, the organisation shall also assess the wider impact of AI use on individuals, groups of individuals and society.

5.9 Information security, confidentiality and privacy

No person shall input confidential, personal, client-sensitive, certification-sensitive, commercially sensitive or proprietary information into an AI system unless that use has been expressly authorised and suitable contractual, technical and organisational controls are in place.

All AI use shall align with the organisation's information security, confidentiality and data protection requirements. Care shall be taken in relation to client information, audit evidence, certification records, personnel information and any information subject to contractual or statutory restrictions.

5.10 Accuracy, validation and reliability

AI-generated outputs shall not be accepted at face value. Outputs must be reviewed, validated and, where necessary, corrected by competent personnel before they are relied upon, issued externally, used in decision-making or incorporated into controlled business outputs.

Users shall remain alert to the possibility of inaccurate, incomplete, misleading, biased, fabricated or outdated AI outputs.

5.11 Fairness, bias and societal impact

The organisation shall take reasonable steps to identify and manage risks relating to unfairness, unjustified bias, discrimination or adverse societal impact arising from the use of AI.

Where AI is used in a context that could materially affect individuals, groups or business outcomes, the organisation shall consider the need for additional assessment, oversight, testing, restriction or approval before use.

5.12 Competence and awareness

3core² Certification Ltd shall ensure that people using or overseeing AI are competent on the basis of appropriate education, training, experience or guidance. Personnel shall be aware of this policy, the limitations of AI, approved and prohibited uses, and the need to protect information and exercise professional judgement.

5.13 Resources and documentation

The organisation shall identify and maintain appropriate documented information relating to AI use, as necessary for effective governance and control. This can include approved AI tools, use cases, roles, responsibilities, risk assessments, impact assessments, approvals, monitoring arrangements, records of incidents, and evidence of competence.

5.14 Third-party AI tools and suppliers

Where AI tools or AI-enabled services are provided by third parties, the organisation shall apply proportionate controls to supplier selection, approval, oversight and review. This shall include consideration of confidentiality, security, contractual terms, data handling, reliability, legal risk and business suitability.

5.15 Monitoring, reporting and continual review

The organisation shall monitor the effectiveness of its AI controls and governance arrangements as appropriate. Concerns, incidents, errors, misuse or adverse impacts involving AI shall be reported and addressed through the relevant organisational processes.

This policy shall be reviewed at planned intervals, and additionally where necessary, to ensure its continuing suitability, adequacy and effectiveness.

6. Rules for Acceptable Use

AI shall not be used to:

  • make certification decisions.
  • issue audit findings without competent human review.
  • generate audit conclusions without validation against objective evidence.
  • input confidential or client-sensitive information into unapproved public AI platforms.
  • create misleading, fabricated or unverified content presented as fact.
  • bypass document control, approval or review processes.
  • undertake activities that could compromise impartiality, confidentiality, legality or professional integrity.

Any permitted use of AI shall be undertaken in accordance with approved processes, role responsibilities, and relevant supporting controls.

7. Roles and Responsibilities

7.1 Top Management

Top Management shall:

  • approve this policy and ensure that it remains appropriate to the purpose and strategic direction of the organisation.
  • ensure that AI objectives are established and aligned to this policy.
  • ensure that AI management requirements are integrated into relevant business processes.
  • provide appropriate resources.
  • support responsible AI use and a culture of awareness and accountability; and
  • review the performance and effectiveness of AI management arrangements.

7.2 Relevant Managers and Process Owners

Relevant managers and process owners shall:

  • identify AI-related risks and opportunities within their areas of responsibility.
  • ensure that appropriate controls are implemented and maintained.
  • approve or restrict AI use according to risk and business need.
  • ensure personnel competence and awareness; and
  • escalate concerns, incidents or significant changes as appropriate.

7.3 All Personnel and Subcontractors

All personnel and subcontractors working under the control of 3core² Certification Ltd shall:

  • comply with this policy and associated procedures.
  • use only approved AI tools for approved purposes.
  • apply professional judgement and appropriate review to AI outputs.
  • protect confidential, personal and client information.
  • report concerns, incidents, misuse or weaknesses promptly; and
  • cooperate with monitoring, audit and improvement activities relating to AI.

8. Communication and Availability

This policy shall be maintained as documented information, communicated within the organisation, and made available to interested parties as appropriate.

9. Breaches

Failure to comply with this policy may result in corrective action, removal of access to AI tools, disciplinary action, contractual action or other appropriate response depending on the nature and severity of the breach.

Serious misuse of AI, particularly where it affects confidentiality, impartiality, legal compliance, accreditation obligations, client trust or certification integrity, shall be treated as a significant matter.

10. Review

This policy shall be reviewed at planned intervals and also where there are significant changes to:

  • the organisation's use of AI.
  • applicable legal, regulatory or accreditation requirements.
  • relevant risks or opportunities.
  • business processes or services.
  • third-party AI tools or providers; or
  • the wider internal or external context of the organisation.

11. Approval

Donn Houldsworth

Managing Director

PL04 r01 March 2026