-
Better Buying Institute is committed to protecting supplier anonymity and securely storing information related to buyer ratings. Better Buying Institute has prepared this document to ensure that suppliers are fully informed when making the decision to rate their buyers. This document outlines benefits suppliers may receive as a result of rating their buyers and describes how we protect the information suppliers share when rating buyers.
-
What is Better Buying™ and how does it benefit a supplier?
Better Buying Institute reimagines supply chain sustainability, leveraging data to strengthen supplier-buyer relationships and improve purchasing practices that drive profitability while protecting workers and the environment. Better Buying’s programs provide retailers, brands, suppliers, and industry with data-driven insights to help drive lasting improvements in global purchasing practices. Our activities fall into three main areas: conducting independent research; operating a ratings and evaluation platform that provides buyers and the public with information about buyer purchasing practices; and conducting projects and training on supply chain industry practices to support innovation and promote change. Through extensive research, Better Buying™ has determined that improved purchasing practices can support supplier business success and allow suppliers to improve factory working conditions and environmental performance. Retailer and brand purchasing practices and workplace conditions are highly and significantly correlated.
The Better Buying™ secure cloud-based platform gives suppliers the ability to safely and anonymously rate their customers (e.g., brands, retailers, and intermediaries) on seven aspects of purchasing practices – planning and forecasting, design and development, cost and cost negotiation, sourcing and order placement, management of the purchasing process, payment and terms, and win-win sustainable partnership. A series of required questions allows suppliers to fully and fairly assess key measures across the full business relationship with their customers. Additionally, suppliers are given an opportunity to provide descriptive feedback and suggestions for ways the rated retailer or brand can improve, as well as to share their customer’s best practices. Ratings and descriptive feedback provide a holistic understanding of current practices and facilitate guidance to resolve issues and share best practices within the industry.
Better Buying™ ratings cycles are conducted annually. At the close of a ratings cycle, all ratings are aggregated and used to develop an industry benchmark and reports about purchasing practices used globally. Ratings for a single brand/retailer or other type of customer are aggregated and turned into an overall Better Buying™ score in addition to scores for each of the seven categories. A minimum of five supplier ratings of a single brand/retailer are required for Better Buying™ to analyze the data for a brand/retailer and develop scores. The scores are then made available to the brands/retailers that have been rated. Brands and retailers subscribing to Better Buying™ (subscribers) receive a question-by-question report with charts and figures highlighting their aggregated performance compared against the industry benchmark. Better Buying™ provides targeted recommendations so subscribers can improve their practices and partner with suppliers to make progress toward achieving financial, social, and environmental sustainability for the entire supply chain.
There is no fee for suppliers to use the rating platform. Information required to answer the rating questions is already typically maintained by suppliers.
There are several benefits for suppliers who rate their buyers using the Better Buying™ system.
An effective way to communicate about problematic purchasing practices. Independent external evaluation revealed that Better Buying™ is a more effective tool for communicating problems with purchasing practices than anything else currently available, including supplier forums and surveys initiated by buyers. Suppliers can safely and honestly report information since anonymity is protected.
Measures the effectiveness of buyer efforts to improve over time. Rating information provided by suppliers helps retailers and brands understand which purchasing practices are working well and which will require further examination and efforts to improve. Given that poor purchasing practices impact buyer-supplier relationships, as well as the business and sustainability goals of both parties, retailers and brands will be compelled to improve their ratings and adopt best practices. Better Buying™ has already received positive feedback from brands and retailers who previously engaged with the platform. Based on Better Buying™ reports, these brands and retailers conduct internal discussions involving top management to develop plans for reforming their purchasing practices toward supply chain sustainability. Many of our recent reports demonstrate the year-over-year improvements in purchasing practices of brands and retailers who have engaged with Better Buying™ over multiple cycles. However, continuous engagement with Better Buying™ is critical for both buyers and suppliers to ensure ongoing efforts toward improvement. Without supplier-driven ratings, buyers may avoid accountability and continue business as usual. Alternatively, buyers may implement solutions that simply do not work.
Contribute suggestions for how retailers and brands can improve. Increasingly, suppliers are making constructive suggestions for how their customers can address poor purchasing practices. This opportunity is available in the open-ended comment sections for each of the seven categories of purchasing practices. Brands and retailers are very interested in receiving this type of feedback; thus, suppliers are given a “seat at the table” in shaping how purchasing practices are changed for mutual benefit.
-
What do suppliers need to do to participate in Better Buying™?
The first step is to register as a supplier on the Better Buying™ platform. The registration process asks a few basic questions about the supplier’s business that are used by Better Buying™ to describe the suppliers who have rated buyers. The profiles of suppliers who have rated will always be based on aggregate data from a minimum of five ratings so as not to reveal the identity of any single supplier.
As part of the registration process, each company will identify a “Super Admin” who maintains records with Better Buying™ and who submits the annual ratings of brands and retailers. Suppliers will also be able to identify three additional users with varying levels of responsibility and access to the ratings platform.
As part of the registration process, the Super Admin will be asked to acknowledge receipt of this Better Buying Institute Privacy and Data Protection Policy.
After completing the registration form, users are emailed log-in credentials and can begin rating buyers. Once registered into the Better Buying™ platform, the supplier can use the same credentials to access their account and rate their buyers every time a new ratings cycle begins.
When creating a new rating, suppliers are required to upload a document that demonstrates they had a business relationship during the last 12 months with the buyer that is being rated. Select Better Buying™ staff review these documents and the data from each rating, and may contact suppliers through the Better Buying™ platform to verify certain responses if questions arise about the accuracy of the information provided.
-
What does Better Buying™ do (and not do) with the information provided by suppliers?
All the information a supplier provides to Better Buying™ is considered confidential. Only information that helps facilitate buyers’ efforts toward improvements of purchasing practices is shared and only anonymously. Better Buying™ uses the information suppliers provide to educate the industry and subscribing companies and encourage broad transformation of buyer purchasing practices so that relationships between buyers and suppliers support financial, social, and environmental sustainability.
Analytical reports and presentations using the data are made publicly available in various forums aimed at industry, academics, civil society, investors, the public, and other interested parties. Reporting utilizes a sufficient level of aggregation to mask the identity of any individual supplier company that has submitted a rating and every brand/retailer that is rated.
Company-specific reports made available to buyers subscribing with us use combined data from all suppliers submitting ratings and provide recommendations for improvement. Subscribing brands and retailers rated by a minimum of five suppliers will be able to access their suppliers’ descriptive comments, including information on best practices and suggestions for how to improve. Brands and retailers will not be able to identify which suppliers made the comments unless you reveal this in your comments. As a result, Better Buying™ advises suppliers not to provide any identifying information in the open-ended comments sections to maintain anonymity.
Please note that while select Better Buying™ staff have access to the names of supplier companies that participate, company names are never shared with any external audience, including buyers.
-
How does Better Buying™ protect the information suppliers provide?
Better Buying™ takes a range of special precautions to maintain supplier privacy and protect the information that is provided on the ratings platform. These include hardware and software security provided by our platform host, Fair Factories Clearinghouse (FFC), and standard operating procedures that limit access to sensitive data. As a result, the ratings platform and the data contained in it are secure.
Additional steps that may be possible to take to avoid security breaches are under regular review.
-
Hardware Security
Datacenter security: The Better Buying™ application is housed in an FFC technical infrastructure managed by SunGard Availability Services (SunGard) and hosted in an Amazon Web Services (AWS) data center located in the European Union (Ireland). SunGard and AWS certifications can be shared upon request. All the AWS Datacenters are secured facilities equipped with redundant power supplies and backup generators. The on-site staff is available to manage any hardware issues that might arise. More information regarding SunGard and AWS can be obtained at www.SunGardas.com and aws.amazon.com respectively.
● Server hardware is managed and monitored 24/7 by the AWS team and all of the servers are configured for high availability and maximum redundancy. They inform the SunGard and FFC teams if there is an issue and when it will be fixed.
● This service provides > 99% uptime.
● The production web servers are load balanced and are always available. Users are given a minimum of one week’s notice for scheduled network downtime for upgrades, maintenance, etc. All scheduled maintenance is performed on Saturdays in the Eastern Time Zone.
Firewall security: FFC servers are behind redundant firewalls which have very strict rules about allowing only selected connections into the servers. Some of the servers are completely unreachable from the internet without a secure VPN (Virtual Private Network) connection. This VPN access is given only to selected senior FFC employees.
Monitoring: SunGard manages and monitors the FFC network. FFC and SunGard use several tools provided by AWS for performance monitoring, event monitoring, bandwidth use/bottlenecks, alerts, logs etc. Details can be provided if requested.
Server and Database Backups: All database transaction logs are backed up every 2 hours. All databases are backed up daily. In the case of accidental data loss, data can be successfully recovered for up to a month from any day. FFC can provide the formal database backup schedule if requested.
Threat Management: The FFC infrastructure is continuously monitored (24/7) by AWS and SunGard utilizing a threat detection service (GuardDuty) that uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. This includes but is not limited to the detection of compromised credentials behavior, unusual and unauthorized data access attempts, and calls from malicious IPs. The SunGard / AWS team will take immediate action to respond to the threats and will alert the FFC Team as to any further actions required.
-
Software Security
Secure Sockets Layer (SSL) Protocol: The Better Buying™ Web application is accessed via HTTPS, a combination of the HTTP and SSL/TLS protocols, which encrypts communication between the end user’s computer and the Better Buying™ application on the FFC server, thus preventing hacking of this communication channel.
Roles Manager: The entire Better Buying™ application is based on a role-based security system which allows the Better Buying™ Super User Administrators (SUAs) to create roles according to tasks and detailed permissions. SUAs can assign roles to logins/users, thus allowing users to perform their tasks with ease and with only the necessary access to functions/pages in the application. Supplier names have been substituted with a Supplier ID number in most pages of the application, and only select Better Buying™ staff can access information about which supplier submitted a rating.
URL spoof prevention: FFC is a web-based application. Sometimes, if someone obtains valid login credentials, robots are used to spoof (change) URLs to access parts of web applications where the user does not have rights, and thus to download or upload data where the user is not allowed to. FFC has blocked such capability on the server, and the user will encounter a “No access” page.
Captcha image: To prevent invalid users from accessing the platform, if a user enters a wrong username and password combination 3 times in a row, the user is asked to enter a valid response from a Captcha image to make sure a robot/automated application is not trying to hack into the application. Sophisticated hacking tools include automated applications (bots) to access applications. These applications guess a user’s passwords until they are successful. The Captcha image helps eliminate this threat too.
Password security: Better Buying™ requires each user to use complicated passwords (a combination of upper case, lower case, number, and symbol to make it as difficult as possible for others to guess passwords).
-
Standard Operating Procedures
In addition to the restricted access to supplier company names and ratings discussed under the Roles Manager portion of software security, the rating a specific supplier gives to a buyer is only visible to the supplier submitting the rating (and without the supplier company name shown on those pages) and select Better Buying™ staff.
Multiple supplier ratings are averaged so that buyers cannot identify which specific suppliers rated them. Only buyers who have five or more ratings will receive a Better Buying™ rating and related reports that draw on aggregated data. All FFC staff with access to the Better Buying™ website and all Better Buying™ staff have signed confidentiality agreements that preclude sharing any confidential information.
-
What are the risks of rating buyers with Better Buying™?
There may be situations where contractual nondisclosure agreements buyers have with suppliers would prohibit disclosure of certain information that is necessary to submit a Better Buying™ rating. However, Better Buying™ will not disclose any information about suppliers that have rated unless required to by legal action. Suppliers are encouraged to weigh the benefits and risks associated with rating buyers and seek legal counsel if appropriate.
April 2021
-
BETTER BUYING LEGAL DISCLAIMER (TERMS AND CONDITIONS)
-
RULES OF CONDUCT
Any individual given access (“User”) to the Better Buying Institute (“BBI”)’s Software and/or Database (collectively the “BBI Platform”) must abide by the following Rules of Conduct (“Rules”).
BBI generally does not pre-screen, monitor or edit the content posted by Users of the BBI Platform. However, BBI and its representatives or agents have the right, at their sole discretion, to remove any content that, in BBI’s sole judgment, does not comply with the Rules or is otherwise harmful, objectionable or inaccurate. BBI is not responsible for any failure or delay in removing such content. Moreover, if any User violates the Rules, to be determined by BBI at its sole discretion, BBI will terminate their account and right to use the BBI Platform. The Rules are:
1. Purpose of Access. User will have access to the BBI Platform for the sole purpose of safely and anonymously rating their customers.
2. Restrictions on Use.
2.1. User may not input, upload, post, transmit or otherwise distribute via the BBI Platform any content or data that is obscene, defamatory, libelous, slanderous, violative of any person’s rights of privacy, publicity or personality, or that otherwise causes or results in any tort, injury, damage or harm to any person.
2.2. User will use the BBI Platform only for lawful purposes, and may not violate any local, state, national or international law or regulation, including but not limited to those related to obscenity, privacy, information security, antitrust and export control.
2.3. User will not use the messaging functionality to send unsolicited, unauthorized commercial or illegal advertising or other material.
3. Use of Information Accessed on BBI Platform.
3.1. User will use information accessed in the BBI Platform solely and exclusively to rate their customers as related to purchasing practices.
3.2. User will treat all information in the BBI Platform as business confidential and will not disclose it to unauthorized parties.
3.3. User will, individually and independently assess the information gathered in the BBI Platform and will decide, in his/her sole discretion, how he/she will use the data, including what action, if any, he/she will take with respect to the information. User shall manage, maintain and take action regarding any relationships with its customers as he/she deems fit, in his/her sole discretion.
4. Security.
4.1. User will not disclose to others his/her user IDs or personal passwords that give access to the BBI Platform.
4.2. User will not enable or permit unauthorized third-party access to the BBI Platform.
4.3. User will not knowingly introduce viruses or other harmful programs or files and will exercise reasonable care to avoid doing so.
4.4. User will not, directly or indirectly, reverse engineer, decompile, disassemble or otherwise attempt to discover the source code or underlying ideas or algorithms of the BBI Platform.
5. Sharing on the BBI Platform.
5.1. User shall use his/her best efforts to ensure that content posted in the sharing module of the BBI Platform is accurate and current as of the stated date of the content. User agrees that, where making any redactions or other changes in documents prior to posting on the platform, it has also taken reasonable efforts to ensure redaction of information does not materially distort or misrepresent findings from an audit or corrective action plan.
5.2. User acknowledges that access to any content through the shared section of the BBI Platform is granted on condition that the BBI member providing the content shall have no liability for unintended inaccuracies, errors or omissions.
5.3. Sharing content on the BBI Platform is voluntary, i.e., User has the sole discretion whether to share content, such as its audit or corrective action information, on the BBI Platform. User is encouraged to share audit and remediation information with others only via the platform.
5.4. User acknowledges that all BBI members must access all shared information on the platform equally. Where joint audit or remedial activity is actively underway, members may only share their audit or CAPs for this purpose with the member participating in this joint activity.
5.5. Prior to transmitting or posting content on the sharing module of the BBI Platform, User has ensured he/she has redacted any information that is considered company confidential, potentially harmful to workers, or subject to legal restrictions such as antitrust-competition laws.
5.6. As with all areas and content on the BBI Platform, User agrees that his/her use of information in the sharing module of the BBI Platform is in accordance with the Rules and is solely focused on the oversight of factory code of conduct efforts as related to workplace standards. User agrees that he/she will, in his/her sole discretion, decide how he/she will use the information posted in the sharing module of the BBI Platform, including any action, if any, he/she will take with respect to any findings and the member’s relationship with its manufacturing partners.
5.7. User will not delete, amend or otherwise corrupt the data of other users without their explicit permission.
5.8. User will use the message functionality in the sharing module of the BBI Platform to notify the owner of any document should he/she identify any information that is shared that could be considered confidential, potentially harmful to workers, or subject to legal restrictions. Owner shall take immediate action to consult with legal counsel regarding the removal of such information from the platform and immediately remove such information where necessary.
-
ANTITRUST POLICY STATEMENT
-
The Better Buying Institute (BBI) is a Delaware not-for-profit corporation, with headquarters in Texas, organized to promote the improvement of buyer purchasing practices, supply chain management, worker conditions and the natural environment through (i) independent research, (ii) the operation and management of a ratings and evaluation platform on which suppliers provide information about their buyer customers relating to various aspects of purchasing practices and (iii) projects and training on supply chain industry practices to support innovation and promote change.
BBI acknowledges and understands that its activities must at all times be undertaken in compliance with all applicable laws and regulations, including but not limited to laws and regulations relating to antitrust. Therefore, in carrying out its activities, it is the policy of BBI to act at all times in accordance with, and strictly adhere to, the letter and the spirit of all applicable national and international antitrust laws and regulations (Antitrust Laws).
-
HANDLING OF PERSONAL DATA
-
Each person that uses the BBI platform is required to provide the following data when creating a user account: first name, last name, email address, phone number, parent account (company name), and parent account (company name) address. The personal data provided by each user are saved and used by BBI solely for purposes of administration of the user accounts and provision of the BBI services. The personal data are not forwarded or disclosed to any third party or used for any other purpose. By accessing the BBI Platform, each user agrees to the aforementioned use of its personal data and confirms that the data provided are correct.