Managed VPN Policy - GENAccess v1.001 2026-01-29

This Managed VPN Policy (the “Policy”) sets out the operational, security, and risk management terms for GEN’s managed VPN service (the “Service”) known as GENAccess. This Policy is incorporated into, and forms an adjunct to, the Framework Agreement between GEN and the customer (“Customer”). Capitalised terms not defined here have the meaning given in the Framework Agreement. If there is any inconsistency between this Policy and the Framework Agreement, the Framework Agreement takes precedence.


Service Overview (what the Service is)

The Service provides a centrally managed, WireGuard-based, zero-trust VPN mesh using NetBird components operated by GEN, allowing GEN to issue Customer Users credentials and securely route approved traffic to one or more exit nodes. Access is controlled through identity, device association, cryptographic keys, and policy-based routing and access control.

The Service may include (without limitation):

  • Identity and device enrolment: provisioning and lifecycle management for Users and endpoints.
  • Mesh connectivity: encrypted tunnels between enrolled endpoints.
  • Exit nodes and routing: routing selected traffic to defined exit nodes and/or Customer networks, with fine-grained access control lists (ACLs) and segmentation.
  • Policy controls: group-based access, route authorisation, and deny-by-default design.
  • Operational management: monitoring, logs, key rotation/revocation, and incident response for the Service components under GEN control.

Definitions

  • Credential: any account, authentication factor, device identity, token, configuration profile, or cryptographic key material used to access the Service (including WireGuard keys and NetBird enrolment artefacts).
  • Endpoint: a device used by a User to access the Service (for example a laptop, desktop, mobile device, or server).
  • Exit node: a gateway within the Service through which approved traffic is routed to specific networks or destinations.
  • Authorised Contact: the Customer’s nominated individual(s) authorised to request changes, approve access, and manage security actions for the Customer account.

Security Model (zero trust and least privilege)

The Service is designed on a deny-by-default model: Users and Endpoints are not trusted solely because they are “on the VPN”. Access is permitted only where explicitly authorised via policy (for example by identity, group membership, route authorisation, and ACL rules). GEN may implement segmentation, restricted routing, and service-level guardrails to reduce the blast radius of any compromise.


Credential and Endpoint Responsibilities (Customer obligations)

The Customer must ensure that all Users and Endpoints accessing the Service comply with the following:

  • No sharing: Credentials must not be shared, reused across individuals, posted to ticket systems, emailed in plaintext, stored in shared folders, or embedded into scripts without appropriate secret management.
  • Endpoint security: Endpoints must be maintained to a reasonable security standard, including supported OS versions, timely security patches, disk encryption where available, and local access controls (PIN/password/biometrics).
  • Malware protection: Endpoints must run reputable anti-malware/EDR controls (where applicable) and must not be knowingly compromised.
  • Administrative access: Users must not run the VPN client with unnecessary local admin privileges; administrative rights should be restricted and monitored.
  • Physical security: The Customer must implement controls to mitigate theft or loss of devices (e.g., secure storage, lock screens, asset management).
  • Offboarding: The Customer must notify GEN promptly when Users leave or roles change, so access can be removed or modified.

Where the Customer fails to meet these responsibilities, the Customer accepts that the risk of unauthorised access increases.


Compromise Scenarios (theft, lost devices, leaked keys, account takeover)

The Customer must notify GEN via the HelpDesk immediately upon becoming aware of (or reasonably suspecting) any of the following:

  • lost or stolen Endpoint, or unauthorised physical access to an Endpoint;
  • suspected Credential compromise, phishing, malware infection, or account takeover;
  • unexpected VPN activity, anomalous routing, or unauthorised access attempts.

On notification (or where GEN reasonably suspects compromise), GEN may take proportionate protective action including (without limitation): immediate credential revocation, device removal, key rotation, route withdrawal, ACL tightening, temporary suspension of the Service for the Customer, and/or additional verification of Authorised Contacts. Such protective action may be necessary to protect the Customer, GEN, and other Customers.


Authorised Contacts and Change Control

Changes to VPN access, routing, exit node usage, ACL policy, group membership, and onboarding/offboarding may only be requested by Authorised Contacts through the approved channel (typically the HelpDesk). GEN will act on requests only where identity and authority checks are satisfied.

GEN operates a security-first change control process and may require written confirmation, a change window, or additional validation for high-risk changes. Examples of high-risk changes include (without limitation): allowing broad network routes (e.g., 0.0.0.0/0), enabling lateral movement between groups, adding privileged exit nodes, or relaxing deny-by-default rules.


Unsafe or Insecure Requests (GEN right to refuse)

The Customer may request configuration changes. However, GEN may refuse, delay, or require modification to any request that GEN reasonably considers unsafe, non-compliant, or likely to increase risk materially. Where GEN proceeds with a Customer-requested change that increases risk, GEN may require written acknowledgement of the residual risk and may impose compensating controls (for example tighter ACLs, additional verification, device restrictions, or time-bounded access).


Routing, Exit Nodes, and Scope of Access

  • Least privilege: Access will be scoped to the minimum networks, hosts, and ports required for the stated purpose.
  • Segmentation: GEN may segment access between teams, environments (e.g., production vs non-production), or functions.
  • Default deny: Unauthorised traffic is blocked by policy. Broad routes are not enabled by default.
  • Exit node constraints: Traffic may be routed only via designated exit nodes; GEN may restrict or withdraw routes where risk is identified.

Logging, Monitoring, and Audit

To operate and secure the Service, GEN may perform proportionate monitoring, logging, and auditing of Service activity. This may include (without limitation) connection metadata, device enrolment events, policy changes, route changes, authentication events, and operational logs from Service components. Content inspection is not a standard feature of the Service; however, metadata and security telemetry may be required for troubleshooting, incident response, abuse prevention, and compliance.

Any processing of personal data is carried out in accordance with the Framework Agreement and GEN’s Privacy Notice.


Customer Environment and Endpoints (Customer-managed risk)

The Service provides encrypted transport and centrally managed access controls. It does not by itself secure the Customer’s Endpoints, identity systems, applications, or internal networks. The Customer remains responsible for the security, patching, configuration, and appropriate monitoring of its own systems and Endpoints.

Where an Endpoint is compromised (e.g., malware, remote control, stolen device, weak local credentials), an attacker may be able to use the Service as that User. The Customer accepts that Endpoint compromise is a primary risk and must implement appropriate controls.


Onboarding, Offboarding, and Access Reviews

  • Provisioning: GEN provisions access based on Customer-approved scope (Users, groups, routes, and ACLs).
  • Periodic review: GEN may request periodic confirmation that Users and routes remain required, and may withdraw stale access pending confirmation.
  • Leavers and role changes: Access removal must be requested promptly; delays materially increase risk.
  • Emergency revocation: GEN may revoke access immediately where compromise is suspected.

Service Suspension, Containment, and Emergency Actions

Where GEN reasonably believes that continued operation of the Customer’s VPN access creates a material risk (for example, suspected credential leakage, confirmed malware outbreak, active intrusion, or repeated policy violations), GEN may: suspend the Service (in whole or part), restrict routes, disable exit nodes, require re-enrolment, and/or mandate key rotation. GEN will use reasonable endeavours to minimise impact, but security containment may require immediate action.


Prohibited Activities

The Service must not be used to facilitate unauthorised access, lateral movement beyond authorised scope, evasion of security controls, or any unlawful activity. The Customer and Users must comply with GEN’s Acceptable Use Policy.


Third-Party Dependencies

The Service may rely on third-party software components (including WireGuard) and may interface with Customer identity providers, device platforms, networks, and internet connectivity. GEN is not responsible for failures, outages, or security weaknesses in Customer-managed components or third-party services outside GEN’s reasonable control.


Disclaimers and Limitations

The Service is delivered using reasonable skill and care and on a best-efforts basis, subject to the Framework Agreement. No security system can eliminate all risk. The Customer acknowledges that credential compromise, Endpoint compromise, and social engineering are material risks in remote access services. To the maximum extent permitted by law, GEN’s liability is limited as set out in the Framework Agreement.


Changes to this Policy

GEN may amend this Policy from time to time. Material changes will be notified in accordance with the Framework Agreement. Changes take effect prospectively from the stated effective date or, if none, from the date of posting.