Whistleblowing Policy

Purpose

At Xpand IT, we are committed to the highest levels of ethics and integrity, both internally and externally in our interactions with customers, partners and other stakeholders.

Our values, principles and policies guide our daily conduct. Our responsibility is to report unethical behaviour. Xpand IT’s Whistleblower policy is an important part of regulating the reporting of corrupt, illegal or other undesirable conduct.

Audience

This policy applies to everyone who is considered a whistleblower.

Enforcement

In order to comply with all the requirements of independence, impartiality and absence of conflicts of interest, Xpand IT has defined a team responsible for handling reports and enforcing the policy.

Update and Review

This document must be reviewed at least once a year or when the management of Xpand IT recognizes significant (organizational, regulatory or other) changes. Quality Improvement Team has the ownership and responsibility for reviewing this document.

The CTO is responsible for approving the document.

General Principles

The General Regime for the Protection of Whistleblowers of Infraction and our Report Management Process is based on the following set of principles:

Confidentiality

All those involved in the report management process have a confidentiality obligation, including in situations where information disclosure is required in other legal areas. The whistleblower’s identity will only be disclosed in the case of a legal obligation or a court decision. Where anonymity is not requested, the identity of the whistleblower and any third parties remains confidential during the process and is known only to a strictly necessary few.

The whistleblower communication and management platform is segregated from internal channels, ensuring the integrity and confidentiality of the identity of the whistleblower and other concerned parties, as is all information concerning the report, preventing access to unauthorised persons. This confidentiality over identity does not prevent the whistleblower from being contacted through the platform to obtain information relevant to the investigation of the facts.

Anonymity

The whistleblower may request anonymity while initially reporting a breach. This anonymity does not obstruct the submission of documentation supporting the reported facts. Neither does it prevent the whistleblower from being contacted for relevant information. A documentary record will be kept in the whistleblower channel of all interactions.

Data that could contribute to recognising the whistleblower will not be mentioned. Anonymity will be guaranteed through message encryption and other security routines ensured by the system, and all communications are carried out exclusively within the whistleblower channel.

Independency and Autonomy

The procedures for receiving, processing, investigating, taking action on and documenting reported breaches ensure that they are handled independently, autonomously, impartially and confidentially.

All persons in whom there is a conflict of interest regarding the performance of their duties will be excluded from the process.

No retaliation

Xpand IT will not be able to take any retaliatory action against anyone who legally reports a breach or provides any information or assistance in the context of the investigation of the reported breaches.

Communications made by the whistleblower cannot serve as a basis for any procedure initiation that constitutes a detriment to the reporting person unless they are deliberate and manifestly unfounded.

Good faith

Anyone who makes a report in bad faith, frivolously or without any basis in facts may be subject to disciplinary, civil and criminal liability under the terms of applicable laws.

Personal Data Protection

The process management does not prejudice full compliance with applicable legislation on personal data protection.

Whistleblower

A “whistleblower” is a natural person who denounces or discloses a breach based on information obtained through the course of their professional activities.

Whisteblower are:

  • Employees with an employment affiliation, regardless of the modality (permanent, fixed term, full time, or part time);
  • Volunteers and interns, paid or unpaid;
  • Former employees;
  • Recruitment process candidates or those in the pre-contractual negotiation phases of a professional relationship, whether constituter or not;
  • Service providers, contractors, subcontractors, and suppliers, as well as any persons acting under their supervision and direction;
  • Shareholders and people belonging to legal administrative, management, tax or supervisory bodies, including non-executive members.

Breaches covered by the Whistleblower Channel

The whistleblower channel must be used exclusively to make breach reports in good faith and with a foundation.

Using the whistleblower channel, report situations into the following one can:

  • Abuses of power;
  • Acts of retaliation following a report;
  • Competition or Fiscal obligations;
  • Consumer rights violation;
  • Corruption or Trafficking of influences;
  • Discrimination;
  • Hygiene, Health and Safety at Work;
  • Labour or corporate obligation violations;
  • Money laudering and Terrorist financing;
  • Potential Theft, Robbery, Fraud or Conflict of Interest;
  • Privacy, Protection of Personal Data and Information Security Violations;
  • Product safety and compliance;
  • Public contracting and Tender procedures:
  • Serious violations of Human Rights, Health, Safety or Environmental;
  • Sexual, Moral or Labour Harassment;
  • Violations of organisational policies, internal rules or code of conduct;
  • Other infractions.

Internal Report Management

The report will be received, analysed and follow the flow presented below.

1. Report submission

The whistleblower will fill in a form using the whistleblower channel, in which they will, at a minimum, identify the type of event being reported, give a brief description of the facts supporting their case, and identify the connection with Xpand IT. The whistleblower can also attach documentation that supports their case.

As soon as the whistleblower submits a report, he/she/they will receive a reference to the automatically created process and be asked to store a password.

Warning: These personal and confidential references are the only way to access and monitor your reporting process (if lost or forgotten, they cannot be reset).

2. Report admission

Within a maximum period of 7 days, after making the report, receipt of it will be acknowledged, and information will be given regarding the requirements, competent authorities and form of admissibility of the external report. During the investigation, the team may still need to contact the whistleblower for additional information.

3. Report follow-up

All reports are managed by the team operating the whistleblower channel, which will analyse them in an impartial and independent manner, with safeguarding procedures assured, in the event of a possible situation of conflict of interest.

Under the “Follow up an existing report” button, the whistleblower can access any messages exchanged, allowing them to follow the progress of the process, ask questions, make further communications, and speak directly with the team in the whistleblower channel, maintaining the confidentiality of such communications.

4. Report conclusion

The whistleblower will be informed of planned or adopted measures to resolve their complaint and the respective reasons for these.

If required, the whistleblower will also be appraised of the result of the whistleblowing analysis within a maximum period of 15 days of its conclusion.

Data Protection and Preservation

As mentioned before, the processing of personal data within the scope of the report treatment complies with the provisions of the General Data Protection Regulation.

The received report records will be kept for at least a period of five years and, regardless of that period, during the pendency of judicial or administrative proceedings relating to the report.

Ana PaneiroWhistleblowing Policy