FCA Handbook: SYSC 8.1 General Outsourcing Requirements (October 2025)
Summary
SYSC 8.1 within the Financial Conduct Authority Handbook sets out general outsourcing requirements for regulated firms.
FundApps position: Taken together, our Security Documentation, comprehensive internal Risk Management Framework and General Terms provide clients with sufficient information to address the requirements of SYSC 8.1. No additional contractual terms are required to support your compliance with SYSC 8.1.
Overview of SYSC 8.1 Outsourcing Requirements
When outsourcing a function deemed critical or important (meaning that a defect or failure in its performance would materially impair the regulated firm's continuing compliance with its regulatory obligations or the continuity of its services), the regulated firm must ensure:
That senior personnel retain responsibility for the outsourced function.
That it exercises due skill, care and diligence when selecting, entering into, managing and terminating the arrangement.
That the respective rights and obligations of the firm and the service provider are clearly set out in a written agreement.
That it retains its rights of instruction, termination, information and inspection, including access to the service provider's books and premises.
How this Applies to FundApps
FundApps’ governance and security framework aligns with the requirements set out in SYSC 8.1. The mapping below sets out, provision by provision, the controls and documentation clients may rely on when addressing those requirements:
Quality of internal control (8.1.1(2)(a)): FundApps’ service acts as a rules-based notification tool. Clients are responsible for configuring the Services (with the assistance of our Implementation team), reviewing and approving the rule logic and disclosures within their own environment, and reviewing disclosures and filings before submission. For further information, please see: https://support.fundapps.co/en/articles/240021-how-we-code-and-test-rules
Ability of FCA to monitor firm’s compliance (8.1.1(2)(b)): FundApps will fully cooperate with supervisory authorities and regulators exercising their audit, information and access rights.
Monitoring and reporting (8.1.3): Clients can monitor FundApps’ performance of the Services by checking service availability at http://status.fundapps.co/. We send NPS surveys for Client users to complete, a designated Account Manager meets with Clients at a regular cadence, and our CS support team is available for support requests. Clients can also review audit logs within their environment and stream these to their own systems. We maintain an Incident Response Policy, a key component of our Information Security Management System (ISMS) documentation, which defines the requirements for incident reporting and the expected escalation procedures. All incidents are logged, reviewed, and linked to root-cause remediation actions tracked in Shortcut.
Ability, capacity and authority to perform the Services reliably and professionally (8.1.8(1)): FundApps currently serves over 160 clients, managing over US$30tn in AUM. Our website details the growth of the company, the makeup of our teams and the partners we work with, and our Help Centre explains our coding and testing process (alongside other relevant articles). FundApps will comply with all applicable laws and regulations in the provision of the Services.
Standard of performance (8.1.8(2)): Our SLAs are included in our General Terms at Schedules A and B.
Supervision and risk management (8.1.8(3)): FundApps has designated the Head of Information Security (reporting to the CTO) to manage information security, cyber security, and business continuity risks. The CTO ensures appropriate resources for security and reports to leadership, including the Board. The Head of Legal oversees privacy and data protection matters, reporting to the CFO, who is a member of the Board. We maintain a comprehensive Risk Management Framework. Risks are identified via monthly security meetings, incident reviews, the Secure Development Lifecycle (SDLC), and ongoing operations. Risks are scored by likelihood and impact, assigned owners, tracked in a risk register, and reviewed at least annually. Mitigation strategies include avoidance, reduction, transfer, and acceptance. On the privacy side, risk assessments are also performed through Data Protection Impact Assessments (DPIAs). The ISMS Manager and implementer are required to report annually in a formal management review covering risk assessment results, audit results, control performance, and any opportunities for improvement. Following this review, the Head of Information Security and the Head of Legal report to their respective Senior Leadership Team (SLT) members, who in turn update the Board.
Notification of developments (8.1.8(6)): Information about how we notify clients of developments that materially impact our ability to perform the Services can be found in our Incident Response Policy, our Vulnerability Management Policy, and Schedules A, B and C of the General Terms.
Termination (8.1.8(7)): Clients may cease using FundApps’ Services at any time, and may terminate the Agreement in accordance with the termination rights detailed in the General Terms. Upon request, and subject to payment of the related fees, FundApps will also continue to supply the Service for a period of 3 months, or a longer period if agreed between the parties. This transition period is intended to allow the parties to implement a programme for the orderly cessation of the Service and to maintain continuity of the client’s business. Clients may retrieve their data in a structured format prior to termination and during this transition period. After the end of this period, data is securely deleted in accordance with our data retention and privacy policies.
Cooperation and effective access to data (8.1.8(8) and (9)): FundApps will fully cooperate with supervisory authorities and regulators exercising their audit, information and access rights.
Confidential information (8.1.8(10)): FundApps implements specific safeguards based on our risk assessments to protect confidential information, Client data and personal data:
Identifying and Managing Assets: FundApps maintains an Information Asset Register, an Information Systems Register covering data, systems, and owners (reviewed monthly), and a Processing Activities Register maintained in accordance with data protection laws and updated as required. Inventoried Assets include: data, systems, personnel, and devices.
Access Controls: We enforce multi-layer access control including both technical and physical controls such as: Multi-Factor Authentication (MFA), Single Sign-on (SSO), role-based authorization, IP restrictions, infrastructure-level segregation, full audit trails, secure facilities, badge access and restricted areas. See our Access Control Policy for further details.
Encryption: Data in transit is secured using HTTPS with industry-standard cipher suites over Transport Layer Security (TLS) 1.2 or higher. Data at rest is encrypted in Amazon Web Services (AWS), with key rotation and encrypted backups. Our vendor due diligence process also assesses each vendor's security posture and reviews certifications such as SOC 2 and ISO 27001 to ensure comprehensive security and compliance coverage. See our Cryptographic Policy for further detail.
Secure Development: Our SDLC practices include test-driven development (TDD), code reviews, static and dynamic security testing, Open Source Software (OSS) license scans, and automated deployment pipelines. We perform annual penetration testing and evaluate external applications as part of vendor due diligence, including assessment of their security posture and review of relevant certifications. See our Software Development Policy.
Data Disposal: We ensure the secure deletion or destruction of all client data, using methods aligned with its classification. Our Data Retention Policy provides that client data is kept only for the duration of the contractual relationship and is securely deleted within 30 days of termination. Should we receive an earlier deletion request, we will comply in accordance with our Privacy Policy. Our current disposal methods include wiping, shredding, cryptographic erasure, and pre-set retention periods with automatic deletion. See our Data Classification & Protection Standard Policy for further details.
Personnel Training: FundApps provides security awareness, data handling and incident response training to all staff, conducts phishing tests, and maintains competency assessments for ISMS roles. Knowledge requirements are tested annually. Security personnel undergo external training as needed. Additionally, we have dedicated Supplier Relationship Managers (SRMs) who are trained to securely onboard and manage suppliers.
Selection and Due Diligence Process: Our Security and Privacy teams execute a thorough due diligence process for all new vendors and data uses to mitigate risks. This involves due diligence reviews, evaluation of continuity and security controls, and utilization of a Third-Party Risk Management System. Vendors must also complete a Due Diligence Questionnaire (DDQ) to assess their security, privacy, and compliance practices. Data Processing Agreements (DPAs) are signed where applicable, and specific data protection provisions are included in vendor contracts to ensure compliance. Third-party systems are recorded in our Information Systems Register and are continuously reviewed for risk ratings and required controls.
Disaster recovery and backup (8.1.8(11)): FundApps maintains a Business Continuity Policy which is tested and updated at least annually. Our disaster recovery process is detailed within our Technical Resilience policy.
Written agreement (8.1.9): The rights and obligations of the Client and FundApps are clearly allocated and set out in our Agreement, comprised of the Order Form, General Terms and other associated documentation defined within the General Terms.
Supervisory access (8.1.11): Clients may access their data at any time and may provide their regulator or supervisory authority with access as necessary.