Human Resources

Under construction

This page is still under construction. Please check back later as we continue to work on it.

1 - Code of Conduct

To provide the best possible service to our clients and the public, and to foster a positive work environment, Vaxa expects all employees to follow these rules of conduct. These guidelines are designed to protect the interests and safety of our clients, the public, your colleagues, and the company.

General Expectations

Always treat fellow employees, clients, and suppliers with the utmost respect and courtesy. Interactions should be friendly, professional, and focused on excellent service.

Unacceptable Behaviors

Engaging in any of the following actions may result in disciplinary measures, including reprimand, warning, suspension, or dismissal.

1. Disobeying the Law and Instructions

Examples of things you should consider to remain compliant with the law and Vaxa’s policies include:

  • Compliance with Professional Codes: Follow all Professional Codes of Conduct or Ethics relevant to your work.
  • Legal compliance: Adhere to all laws related to Vaxa’s operations.
  • Company policies: Comply with all Vaxa policies and procedures in this handbook.
  • Instructions from management: Carry out any reasonable and lawful instructions from your manager.
  • Health and safety: Follow health and safety regulations and do not encourage others to violate them.
  • Prohibited items: Do not possess firearms, weapons, illegal drugs, or drug paraphernalia on company property.

2. Respect for Others

  • Professional conduct: Treat clients and colleagues with respect. Avoid using threatening, obscene, profane, or abusive language, gestures, or behaviour.
  • Violence: Do not engage in physical or verbal violence.
  • Disorderly conduct: Refrain from horseplay or disruptive behaviour.
  • Discrimination: Do not unlawfully discriminate against anyone.
  • Harassment and bullying: Avoid harassing or bullying clients or employees.
  • Victimisation: Do not victimise anyone who reports a breach of this code or any other policy.
  • Dress code: Wear uniforms if provided, or dress according to Vaxa’s standards if uniforms are not supplied.

3. Integrity

  • Conflict of interest: Declare any real or perceived conflicts of interest promptly; see the Conflict of Interest section below.
  • Bribery: Report any attempted bribery immediately.
  • Confidentiality: Do not disclose any confidential or official information without authorisation.

Reporting of any breaches or concerns, in any form, is encouraged. Refer to our Responsible Disclosure Policy for more information.

4. Diligence

  • Smoking policy: Do not smoke in areas where it is prohibited.
  • Punctuality: Be at your workplace and ready to work at your scheduled start time.
  • Timekeeping: Personally clock in and out at the beginning and end of your shift.
  • Work ethic: Focus on your duties and avoid wasting time during working hours.
  • Substance use: Do not come to work under the influence of alcohol or illegal drugs. Do not bring alcohol or illegal substances onto Vaxa property.
  • Internet and technology use: Do not access or share pornography, hate speech, or illegal content using company equipment or personal devices used for work. See the Acceptable Use of Technology Policy for more information.
  • Online conduct: Avoid posting offensive, defamatory, threatening, discriminatory, bullying, inappropriate, false, sexist, derogatory, or malicious comments or materials online or on social media.
  • Communication: Inform your manager promptly upon completing tasks or if there are any delays.
  • Attitude: Maintain a cooperative and positive attitude.
  • Personal devices: Do not use personal electronic devices like smartphones, music headsets, wearables, or handheld games during work hours unless authorised.

5. Economy and Efficiency

  • Care for company property: Take proper care of Vaxa equipment and tools. Do not neglect or abuse them.
  • Theft and damage: Do not wilfully damage, destroy, or steal property belonging to colleagues or Vaxa.
  • Honesty: Provide truthful information when requesting leave or other accommodations.
  • Attendance: Avoid unexcused absences from work.
  • Use of resources: Do not use Vaxa equipment, property, or supplies for personal purposes without prior authorisation.

Conflict of Interest

Avoid any interests, influences, or relationships that might conflict—or appear to conflict—with the best interests of Vaxa or our clients. If your loyalty could be divided, disclose the situation promptly to your manager and remove yourself from any related decision-making processes.

Refer to the Conflict of Interest Policy for more information.

2 - Conflict of Interest Policy

This policy outlines the guidelines and procedures for managing conflicts of interest to ensure that Vaxa employees act in the best interests of the company and our clients.

Purpose

The purpose of this Conflict of Interest Policy is to ensure that all employees of Vaxa act in the best interests of both the company and our clients. This policy aims to prevent situations where personal interests could interfere with professional duties and responsibilities, thereby providing assurance to our clients that we diligently and transparently manage potential conflicts on their behalf.

Scope

This policy applies to all employees, contractors, consultants, officers, and directors of Vaxa, covering all interactions with clients, suppliers, competitors, and other stakeholders.

Roles & Responsibilities

  • Employees: Disclose any actual or potential conflicts of interest promptly. Avoid participating in decisions related to the conflict. Ensure client interests are not compromised.
  • Managers: Receive conflict disclosures, provide guidance, and implement measures to mitigate conflicts. Communicate with clients as necessary to assure them that conflicts are managed appropriately.
  • HR: Maintain records of disclosures, monitor compliance, provide training on conflict of interest matters, and support transparency with clients.
  • Senior Management: Ensure systems are in place to manage conflicts effectively and provide clients with assurance regarding our conflict management practices.

Policy Statements, Standard, or Procedure

All employees must avoid any interests, activities, or relationships that conflict—or appear to conflict—with the best interests of Vaxa and its clients. The following guidelines must be followed to ensure our clients can trust in our integrity and the impartiality of our services:

  • Disclosure of conflicts:

    • Employees must promptly inform their manager or the HR Department of any actual or potential conflicts of interest, especially those that could affect client interests.
    • Disclosures should be made in writing, detailing the nature of the conflict and any potential impact on clients.
  • Avoidance of participation:

    • Employees with a conflict must remove themselves from any decision-making processes related to the conflict, particularly those affecting clients.
    • They may provide information or expertise if it benefits Vaxa and the client but should not influence decisions.
  • Client interests:

    • Employees must prioritize the interests of clients above themselves or Vaxa in all business dealings.
    • Any conflicts that could adversely affect a client must be managed promptly and effectively to prevent negative impacts.
    • Confidentiality of client information must be maintained at all times.
  • Examples of potential conflicts:

    • Financial interests:
      • Owning a significant financial stake in a company that does business with Vaxa or its clients.
      • Engaging in business transactions with Vaxa or clients for personal gain.
    • Personal relationships:
      • Supervising or influencing employment decisions about a close friend or family member involved in client-related work.
      • Being in a position to affect client projects involving someone with whom you have a close personal relationship.
    • External affiliations:
      • Holding a position (e.g., advisor, consultant, employee) with a competitor, customer, or supplier that could affect client interests.
      • Accepting secondary employment that affects your ability to serve clients effectively.
    • Gifts and benefits:
      • Accepting gifts, entertainment, or other benefits of more than nominal value from any competitor, customer, supplier, or client.
      • Offering or receiving bribes or kickbacks that could influence client-related decisions.
    • Acting upon confidential information:
      • Using confidential client information for personal gain or to benefit others.
      • Disclosing confidential client information to unauthorized parties.
  • Guidelines for Gifts and Entertainment:

    • Gifts of nominal value (e.g., promotional items, modest meals) may be accepted if they do not influence, and could not reasonably be perceived to influence, business decisions or compromise client interests.
    • Any gift or benefit exceeding a nominal value must be reported to the HR Department.
    • Cash gifts of any amount are strictly prohibited.
  • Conflict resolution:

    • Upon disclosure, management will assess the situation and determine appropriate actions to protect client interests.
    • Possible actions include restructuring job duties, reassigning projects, or other measures to eliminate the conflict. Employees will not be penalized for disclosing conflicts of interest appropriately.
    • Clients will be informed as necessary to maintain transparency and trust.
  • Client communication:

    • When appropriate, clients will be informed of any conflicts of interest that could affect them and the steps taken to manage these conflicts.
    • Vaxa commits to maintaining open communication with clients regarding our conflict management practices.

Exceptions

Any exceptions to this policy must be approved in writing by the Managing Director. Requests for exceptions should include a full explanation of the circumstances, justification, and an assessment of potential impacts on clients.

Compliance & Monitoring

  • Monitoring:

    • The HR Department should maintain a register of all disclosed conflicts of interest, including those related to client engagements.
    • Regular reviews shall be conducted to ensure compliance with this policy and verify that client interests are protected.
  • Non-Compliance:

    • Violations of this policy may result in disciplinary action, up to and including termination of employment.
    • Legal action may be taken if the conflict results in unlawful activities or breaches of client contracts.
  • Reporting Violations:

    • Employees are encouraged to report any suspected violations of this policy, especially those that could affect clients.
    • Reports can be made confidentially to the Compliance Officer or through the whistleblower disclosure process detailed here.
  • Client audits:

    • Vaxa may allow clients to audit our conflict of interest management processes as part of contractual agreements or regulatory requirements.
    • Audit findings will be addressed promptly to improve our conflict management practices.

3 - Anti-Slavery Policy

A commitment to prevent modern slavery within our operations and supply chain.

Purpose

This policy outlines Vaxa’s commitment to ensuring, to the best of our ability, that there is no modern slavery in any part of our business operations or supply chain. We are dedicated to acting ethically and with integrity in all business dealings and relationships, in compliance with the Modern Slavery Act 2018 (Cth).

Scope

This policy applies to all employees, contractors, suppliers, service providers, and any other parties working on behalf of Vaxa.

Roles & Responsibilities

  • Management: Implement anti-slavery measures and ensure legislative compliance. Include anti-slavery clauses in contracts and assess supplier compliance.
  • Employees: Report any concerns or suspicions regarding modern slavery practices.

Policy Statement

We are committed to:

  • Prohibiting Modern Slavery: Including specific prohibitions against the use of forced, compulsory, or trafficked labour, or anyone held in slavery or servitude, in all our contracts.
  • Ethical Expectations: Expecting our service providers, suppliers, and contractors to share our commitment to act lawfully and ethically, ensuring modern slavery does not occur within their organizations or supply chains.
  • Due Diligence: Conducting due diligence on suppliers to assess their compliance with anti-slavery measures.
  • Training: Providing training to employees on modern slavery risks and indicators.
  • Reporting Mechanisms: Encouraging the reporting of any concerns related to modern slavery.

Under the Modern Slavery Act 2018 (Cth) (the ‘Act’), we are not required to publish a Modern Slavery Statement as we have an annual consolidated revenue of less than $100 million. However, we are committed to ensuring that modern slavery does not occur within our operations or supply chain.

Definitions

The term ‘modern slavery’ describes situations where coercion, threats or deception are used to exploit victims and undermine their freedom. Coercion, threats and deception can be explicit or implicit.

The Act defines modern slavery as including eight types of serious exploitation: trafficking in persons, slavery, servitude, forced labour, forced marriage, debt bondage, the worst forms of child labour, and deceptive recruiting for labour or services.

The worst forms of child labour means extreme forms of child labour that involve the serious exploitation of children, including through enslavement or exposure to dangerous work. The worst forms of child labour does not mean all child work.

Under Australian law, modern slavery is defined in the Act. In the event of any inconsistency between this policy and the Act, the Act will prevail.

Exceptions

No exceptions to this policy are permitted.

Compliance & Monitoring

We will ensure compliance by:

  • Regular Audits: Conducting regular audits of our operations and supply chain.
  • Supplier Assessments: Performing supplier assessments and due diligence processes.
  • Policy Review: Reviewing and updating the policy annually.
  • Reporting: Monitoring reports of any concerns related to modern slavery.

4 - Environmental and Cultural Heritage Policy

A commitment to environmental excellence and preservation of cultural heritage, including active Indigenous participation.

Purpose

This policy outlines Vaxa’s commitment to clearly communicate environmental and cultural heritage expectations, meet legal requirements, and progress beyond compliance towards innovation and excellence. It aims to drive continual improvement in managing matters affecting the environment and cultural heritage.

Scope

This policy applies to Vaxa, its officers, employees, contractors (where applicable), and any other personnel notified that this policy applies to them.

Roles & Responsibilities

  • Management: Implement and uphold the policy, allocate resources, and set objectives and targets.
  • Employees: Adhere to policies, understand and manage environmental and cultural heritage risks.
  • Contractors: Comply with Vaxa’s environmental and cultural heritage policies and procedures.

Policy Statement

Vaxa is committed to:

  • Developing policies and systems: Establishing, maintaining, and communicating policies, processes, and systems to drive continual improvement in environmental and cultural heritage management.
  • Setting objectives and allocating resources: Setting challenging objectives and targets, and allocating resources to achieve our organisational goals related to the environment and cultural heritage.
  • Empowering employees: Sustaining a high level of performance by empowering employees to take ownership of environmental and cultural heritage outcomes.
  • Partnering with stakeholders: Collaborating with regulators, traditional owners, Indigenous communities, and other stakeholders as appropriate.
  • Community engagement: Responding appropriately to community expectations on environmental and heritage matters.
  • Environmental protection: Protecting the environment by prioritizing pollution prevention, biodiversity preservation, and sustainable natural resource management.
  • Cultural heritage respect: Respecting and protecting Indigenous and non-Indigenous heritage, including active participation and consultation with Indigenous communities.
  • Sustainable future: Building a sustainable future through safe, efficient, and sustainable energy solutions.

Vaxa personnel should:

  • Adhere to policies: Follow all relevant policies, processes, and systems for environmental and cultural heritage management.
  • Risk management: Understand and manage environmental and cultural heritage risks during all phases of their work.
  • Lead by example: Demonstrate commitment through actions and dedication to environmental and cultural heritage performance.
  • Take action: Address any acts or situations that may result in harm to the environment or cultural heritage.
  • Collaborate and communicate: Engage collaboratively to effectively communicate and improve Vaxa’s environmental and cultural heritage performance.
  • Support Indigenous participation: Encourage and facilitate Indigenous participation in projects and decision-making processes.

Exceptions

Any exceptions to this policy must be approved by senior management and properly documented.

Compliance & Monitoring

Compliance with this policy will be ensured by:

  • Regular audits: Conducting regular audits and assessments of environmental and cultural heritage practices.
  • Reporting: Recording and reporting any breaches in accordance with applicable policies and procedures.
  • Training: Providing training to employees and contractors on environmental and cultural heritage responsibilities.
  • Performance reviews: Reviewing environmental and cultural heritage performance against set objectives and targets.
  • Legal compliance: Ensuring all activities comply with relevant legislation, regulations, codes of practice, and guidelines.

References

  • Vaxa’s Code of Conduct
  • Environmental Protection and Biodiversity Conservation Act 1999 (Cth)
  • Aboriginal and Torres Strait Islander Heritage Protection Act 1984 (Cth)
  • Native Title Act 1993 (Cth)

5 - Offboarding of a Contractor Procedure

This sets out the steps to offboard a contractor from Vaxa.

Purpose

The purpose of this procedure is to outline the steps to be followed when offboarding a contractor from Vaxa’s systems and applications. It ensures that the offboarding process is conducted securely, efficiently, and in compliance with Vaxa’s policies and legal requirements.

Scope

This procedure applies to all contractors engaged by Vaxa, including temporary staff, consultants, and third-party vendors. It covers the steps to be taken by the IT team and the Onboarding Lead (or designated manager) to remove access to Vaxa’s systems and applications when a contractor’s engagement ends.

Roles & Responsibilities

  • Contractor: Cooperate with the offboarding process and return any Vaxa-owned assets.
  • HR or Legal: Inform the IT team and Onboarding Lead of the contractor’s end date and provide any necessary documentation.
  • Onboarding Lead: Initiate the offboarding process and ensure all steps are completed.
  • IT: Disable access to M365, revoke session tokens, and remove access from other systems.

Procedure

Important: Offboarding must be initiated as soon as the contractor’s engagement ends, or as directed by HR or Legal. The Onboarding Lead (or designated manager) is responsible for initiating this process and ensuring all offboarding steps are completed, but will be supported by the IT team.

1. Initiation of Offboarding Process

  • Trigger: Offboarding should begin immediately once the contractor’s term is concluded, or upon receipt of a termination request from HR or Legal.
  • Responsibility: HR or Legal to inform the IT team and Onboarding Lead of the end date.
  • Documentation: Capture the final date of access and reason for offboarding in the contractor’s personnel record.

2. Disable and Remove Access from Microsoft Entra / M365

  • Action: Disable the contractor’s M365 account as soon as possible (preferably within 24 hours of termination notice).
    • Log in to the Microsoft 365 Admin Center using an admin account (admin.microsoft.com).
    • Navigate to Users > Active Users.
    • Locate the contractor’s account and select Block sign-in. This will prevent any further access to M365 services.
  • Remove from Groups:
    • Open the user’s profile in the Admin portal.
    • Under Groups, select Manage groups.
    • Remove the contractor from OS_x_Contractors and any other groups granting access to resources.
  • Licence Removal:
    • While still in the user’s profile, navigate to Licences and Apps.
    • Unassign all Microsoft 365 licences, including Business Basic, Business Premium, or any other assigned licence.
    • Navigate to Licenses and reduce the number of purchased licenses to reduce costs.

3. Revoke Session Tokens and Invalidate Access

  • Action:
    • Visit entra.microsoft.com and log in with an admin account.
    • In the Entra/Azure AD portal, under the user’s profile, select Authentication methods and ensure no active sessions remain.
    • Use the “Revoke Sessions” option to invalidate all existing refresh tokens, blocking any chance of re-entry.

4. Removal of Access from Other Systems

  • Cloudflare Access Portal:

  • Productive (Project Management Tool):

    • The contractor’s account in Productive is tied to their M365 identity.
    • With M365 access removed, they will no longer be able to log in.
    • Confirm that no direct, non-SSO logins exist.
    • Reassign any of the contractor’s tasks, projects, or responsibilities to internal staff. This step is usually performed by the Project Manager or Onboarding Lead.
    • Remove the license from the contractor’s account to reduce costs, if required.
  • Client Sites and Third-Party Services:

    • Remove the contractor from any client SharePoint sites, Teams channels, or external portals.
    • Revoke permissions from Bitwarden, production IT environments (e.g. Google Cloud, AWS), scheduling software (e.g. Cal.com), LMS platforms, or any other services the contractor was granted access to.
    • Ensure no residual accounts or API keys tied to the contractor’s identity remain active.

5. Data Retrieval and Handover

  • Mailbox and Data:
    • If required, preserve the contractor’s mailbox content by placing it on eDiscovery hold (if applicable) or exporting mailbox data for legal and compliance purposes.
    • Transfer ownership of any SharePoint documents, Teams files, or OneDrive data to a designated internal staff member. This is usually best done by converting to a Shared Mailbox and assigning access to the relevant person.
  • Productive Project Handover:
    • Verify that all time entries and expense records are finalised.
    • Ensure that any non-completed tasks are reassigned to another user.

6. Hardware and Physical Asset Recovery

  • Action:
    • If the contractor was issued any Vaxa-owned devices (e.g. laptops, phones, security tokens), arrange for their immediate return.
    • Perform a factory reset or secure wipe of returned hardware to remove any residual data.

7. Notification and Confirmation

  • Communications:
    • HR or Legal to confirm with IT once all steps have been completed.
    • Notify the Onboarding Lead that the contractor’s offboarding is finalised.
  • Record Keeping:
    • Document the completion of offboarding steps in the contractor’s personnel file.
    • Retain any necessary access logs or audit reports in line with compliance requirements.

The contractor may be notified with an email to their personal email, similar to the following:


Subject: Vaxa Offboarding Notification

Dear [Contractor Name],

This email is to confirm that your access to Vaxa’s systems and applications has been disabled in line with the conclusion of your engagement. If you have any questions or require further information, please contact [Onboarding Lead’s Name] at [Onboarding Lead’s Email Address].

Thank you for your cooperation.

Best regards, [Onboarding Lead’s Name]


Compliance and Monitoring

The Onboarding Lead or IT Manager should periodically review the offboarding process to ensure all steps are followed consistently. Identify any gaps or risks and update this procedure as needed.
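
A sketch of the periodic review described above, as an added example (not Vaxa's own tooling): it checks one contractor's record for access left behind after steps 2 to 4 and honours documented partial-offboarding exceptions. The record layout, the `accessEnd`, `noticeReceived`, `memberOf`, `otherAccounts` and `approvedExceptions` fields and all sample values are assumptions constructed for illustration; the fields under `user` follow the Microsoft Graph user resource.

```python
"""Residual-access check after contractor offboarding (added example)."""
from datetime import datetime, timedelta

DISABLE_DEADLINE = timedelta(hours=24)  # step 2: "preferably within 24 hours"


def ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_offboarding(rec, now):
    """Return (code, detail) findings for one contractor record."""
    findings = []
    user = rec["user"]
    end = ts(rec["accessEnd"])
    # Partial offboarding approved by HR or Legal (see Exceptions).
    allowed = set(rec.get("approvedExceptions", []))

    # Step 2: Block sign-in. Anything but an explicit False is a finding.
    if user.get("accountEnabled") is not False:
        overdue = now - ts(rec["noticeReceived"]) > DISABLE_DEADLINE
        findings.append(("SIGNIN_NOT_BLOCKED",
                         "overdue" if overdue else "inside 24h window"))

    # Step 2: removed from OS_x_Contractors and any other access group.
    for group in rec.get("memberOf", []):
        if group not in allowed:
            findings.append(("GROUP_MEMBERSHIP", group))

    # Step 2: every licence unassigned.
    for lic in user.get("assignedLicenses", []):
        findings.append(("LICENCE_ASSIGNED", lic["skuId"]))

    # Step 3: sessions revoked at or after the end of access.
    valid_from = user.get("signInSessionsValidFromDateTime")
    if valid_from is None or ts(valid_from) < end:
        findings.append(("SESSIONS_NOT_REVOKED", str(valid_from)))

    # A sign-in recorded after the end date means access was still live.
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    if last and ts(last) > end:
        findings.append(("SIGNIN_AFTER_END", last))

    # Step 4: no direct (non-SSO) logins or API keys left active.
    for acct in rec.get("otherAccounts", []):
        if (acct["active"] and acct["kind"] != "sso"
                and acct["system"] not in allowed):
            findings.append(("RESIDUAL_CREDENTIAL",
                             f'{acct["system"]} ({acct["kind"]})'))
    return findings


# Constructed sample data; names, dates and SKU id are placeholders.
NOW = ts("2025-03-05T00:00:00Z")

CLEAN = {
    "accessEnd": "2025-03-01T07:00:00Z",
    "noticeReceived": "2025-02-28T23:00:00Z",
    "user": {
        "userPrincipalName": "sam.sample@vaxagroup.com",
        "accountEnabled": False,
        "assignedLicenses": [],
        "signInSessionsValidFromDateTime": "2025-03-01T07:12:00Z",
        "signInActivity": {"lastSignInDateTime": "2025-02-28T05:30:00Z"},
    },
    "memberOf": [],
    "otherAccounts": [{"system": "Productive", "kind": "sso", "active": True}],
}

RESIDUAL = {
    "accessEnd": "2025-03-01T07:00:00Z",
    "noticeReceived": "2025-02-28T23:00:00Z",
    "user": {
        "userPrincipalName": "alex.example@vaxagroup.com",
        "accountEnabled": True,
        "assignedLicenses": [
            {"skuId": "00000000-0000-0000-0000-000000000001"}],
        "signInSessionsValidFromDateTime": "2025-01-10T02:00:00Z",
        "signInActivity": {"lastSignInDateTime": "2025-03-03T09:15:00Z"},
    },
    "memberOf": ["OS_x_Contractors", "Client-Site-A"],
    "approvedExceptions": ["Client-Site-A"],  # documented partial offboarding
    "otherAccounts": [
        {"system": "AWS", "kind": "api_key", "active": True},
        {"system": "Productive", "kind": "sso", "active": True},
    ],
}

if __name__ == "__main__":
    for rec in (CLEAN, RESIDUAL):
        upn = rec["user"]["userPrincipalName"]
        results = audit_offboarding(rec, NOW)
        print(upn, "OK" if not results else "")
        for code, detail in results:
            print(f"  {code}: {detail}")
```

Revoke Sessions resets `signInSessionsValidFromDateTime`, so a value earlier than the end of access means tokens issued in the final days of the engagement were never invalidated.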

Exceptions

If a contractor requires partial offboarding (e.g. retaining access to certain systems for a defined period), ensure it is documented by the Onboarding Lead. Any deviation from this process must be approved by HR or Legal and recorded for audit purposes.

6 - Onboarding of a Contractor Procedure

This sets out the steps to onboard a contractor at Vaxa, including the documentation required and the process for setting up access to systems and facilities.

Purpose

Contractors may be engaged by Vaxa to provide services that are not part of the core business. This procedure sets out the steps to onboard a contractor at Vaxa, including the documentation required and the process for setting up access to systems and facilities. This is important to ensure we’re consistently implementing requirements/controls placed upon contractors e.g. under our Security Policy.

Scope

The scope of this procedure is limited to contractors engaged by Vaxa, usually on a day-rate or similar arrangement. It doesn’t include employees or vendors providing a product. It also doesn’t include the accounting or payment process for contractors e.g. setup in Productive/Xero etc.

Roles & Responsibilities

  • Contractor: Provide the required documentation to complete the onboarding process, and adopt the required controls placed upon them by Vaxa.
  • Onboarding Lead: Ensure the contractor provides all required information and provide this information to IT for setup.
  • IT: Set up the contractor in the required systems and provide access to the required facilities.
  • Legal: Issue the contract to the contractor and ensure it is signed and returned in accordance with the organisational requirements, and requirements provided by the Onboarding Lead.

Procedure

Contractor Engagement

A suitable contractor must be found; the process for finding and engaging a contractor is outside the scope of this procedure. However, in selecting a suitable contractor, one must consider:

  1. The contractor’s experience and qualifications
  2. The contractor’s availability
  3. The contractor’s reputation
  4. The contractor’s cost
  5. The contractor’s ability to meet the requirements of the role

Consider whether an NDA is required prior to sharing any sensitive information with the contractor regarding the job.

You should get verbal approval from the contractor on these matters before proceeding to the next step.

Screening

Under our Personnel Security Policy, we are implementing requirements for screening of contractors. Generally, most contractors we engage are classified as Level 1, and so have limited screening requirements.

At the time of writing this procedure, we haven’t implemented checks for Level 2 and above contractors. We endeavour to make this change soon.

Document Exchange

Contract

The first step here is to sign contracts. To do so, we require the following information:

  • Contractor details
    • If a sole trader:
      • Full name
      • Phone number
      • Email
    • If a company:
      • Company name
      • Signatory and witness details for the contract
        • Name
        • Position
        • Email
        • If no witness is available, then we require a mobile phone number of the signatory
  • Contract specifics
    • Proposed job title for use in Vaxa systems
    • Fees, including specification on structure e.g. fixed fee, daily/hourly rate, and GST inclusive/exclusive
    • Scope of Works
    • Start and end date
    • Any required insurances, otherwise standard insurances will be required
    • Optionally, a custom restraint period otherwise 3 months will be applied
    • Optionally, place of work otherwise we’ll assume their office/as directed by Vaxa
    • Optionally, key personnel / designated personnel
    • Optionally, headshot photo for use in Vaxa systems
  • Internal signatory/witness details
    • In line with Vaxa policy, signatories must be a Director; specify the Director who will sign the contract
    • Any client SharePoint sites the contractor will be working on
    • Any project budgets the client will need access to in Productive (usually to track time/expenses against)
    • Who the contractor will report to, i.e. who is the Manager

Provide this information to the Legal team, who will issue the contract. The contract shall be sent to Vaxa’s internal signatory/witness first for vetting, and only once signed will it be sent to the contractor for signing.

To do

Is there a structured form we could create for this information, to make it easier for all the information to be provided at once?

Remember, signed contracts are automatically filed away into the Contract Register via the Vaxa Link integration.

Insurances

The contractor must provide evidence of the required insurances.

If this was customised in the contract, then defer to the contract. Otherwise, the standard insurances required are:

  • Public liability insurance @ $10m
  • Professional indemnity insurance @ $2m
  • Workers compensation for the contractor’s employees (if applicable)

Vaxa requires copies of these insurances to be provided before the contractor can commence work.

To do

Where should we store copies of these insurances?

IT Setup

IT setup cannot commence until contracts are signed, per our Security Policy.

Once the contract is signed, Legal shall notify the IT team to set up the contractor in the required systems. The IT team will reference the contract and onboarding information when doing so.

Entra / M365 accounts

The first step is to create a new user in M365/Entra. This will take the format of:

  • Name: as defined in contract/onboarding information
  • Position: as specified in contract
  • Phone number: as specified in contract
  • Email: first.last@vaxagroup.com
  • License: M365 Business Basic
    • This provides basic access to email, Teams, SharePoint, and online Office apps (but not desktop apps).
    • This is sufficient for most contractors, but if they require more access, then the IT team will need to be informed.
    • By default, we won’t issue access to any Client Sites, so if the contractor requires access to a Client Site, then the IT team will need to be informed.

We first create the account within the Admin portal:

  1. Visit admin.microsoft.com and log in with an admin account
  2. In the left-hand menu, click on Users, then Active Users
  3. In the toolbar, click Templates and select Contractor (Business Basic) or Contractor (Business Premium) depending on the level of licensing required
  4. Fill in the details like first name, email, etc, then at the bottom of the pane, click Add user
    • This will automatically issue a license to the user, but you may need to double check we have enough licenses purchased.
  5. Find the newly created user in the list of Active users, and select it.
  6. Assign the contractor’s manager (usually the Onboarding Lead).
  7. In the pane that appears, under Groups click Manage groups
  8. Use the Assign memberships button to assign access to OS_x_Contractors group at a minimum, and any other required groups.

We then need to set up authentication for the contractor within Entra:

  1. Visit entra.microsoft.com and log in with an admin account
  2. In the left-hand menu, click on Users, then All Users, and click on the newly created contractor user
  3. Click on Authentication methods in the left-hand menu, then Add authentication method
  4. In the pane that appears, select the Temporary access pass method and configure it as follows:
    • TAPs are limited to up to 24 hours. You should make it as short as possible, but long enough for the contractor to receive the email and set up their account.
    • You can delay the start time if the contract isn’t due to start for a while but make sure you communicate this to the contractor.
    • One-time use is OK, but generally not required; usually we leave it set to No.
  5. Click Add to finalise the TAP creation.
  6. Save the TAP code into a Bitwarden Send and copy the link.

We then need to inform the contractor of their new account and how to set it up. To do so:

  1. Fetch the contractor’s personal email address (not the Vaxa one) and draft a new email to them using the below template.
  2. Send the following email to the contractor, and CC the Onboarding Lead and IT team.

Subject: Setting up your Vaxa account

Hi [Contractor Name], welcome aboard.

Your Vaxa account has been set up and just requires a few final setup steps from you, stepped out in these instructions. Please note this is a time-sensitive process, so please complete it as soon as possible.

Your Temporary Access Pass is available here: [Bitwarden Send Link]

Once you’ve set up your account, you can access Productive (our time tracking and project management tool) via Cloudflare Access here: vaxagroup.cloudflareaccess.com. Simply sign in with your new Vaxa account, then click the tile called Productive.

We’ve also provided you access to:

  • [List any other systems the contractor has access to e.g. client site]

If you have any issues, please reach out to me directly.

Warm regards,


The contractor will receive an email with the onboarding instructions, temporary access pass, and IT’s contact details. The temporary access pass cannot be issued for more than 24 hours.

IT will assign the contractor to the OS_x_Contractors group in M365. This provides basic levels of access to SSO-linked systems, and some SharePoint sites etc.

Productive

By being assigned to the OS_x_Contractors group, the contractor will automatically be given access to Productive. This is our project management tool, and the contractor will be able to log their time and expenses here. IT will provide instructions on how to use Productive.

Accounts in Productive are only issued upon first sign-in, so the contractor must sign in, then IT will be able to assign them to the correct projects. These instructions will be provided in the onboarding email.

Other systems

The contractor will be advised of our Cloudflare Access portal for apps at vaxagroup.cloudflareaccess.com. This is where they can access other systems including Productive.

Noted limitations

By default, the contractor will not have access to:

  • Client SharePoint sites (except those specified)
  • Bitwarden
  • Production IT environments (e.g. Google Cloud, AWS)
  • Scheduling software (e.g. Cal.com)
  • LMS

Exceptions

Some contractors may require different onboarding procedures. If this is the case, the Onboarding Lead should work with the contractor to determine the best course of action. This should be documented in the onboarding documentation.

Compliance & Monitoring

The Onboarding Lead is responsible for ensuring this procedure is followed for each relevant contractor.

We don’t yet have artifacts in place to monitor compliance with this procedure. This is a gap we need to address.

To do

What artifacts could we put in place to monitor compliance with this procedure?
