Whistleblower Policy and Procedure

Click on the three dots on the top right to export this article in PDF.

Purpose

This Whistleblower Policy and Procedure (“Policy”) is drafted in line with the principles articulated in the Code of Ethics of Cint Group AB and its subsidiaries and affiliates (the “Company,” “Cint,” or “Cint Group”), which is a vital part of the Company’s Corporate Compliance Program.

Employees are often the first to discover misconduct at their workplace, and it is important that an employee who discovers wrongdoing by the Company or any of its employees, consultants, contractors, or suppliers is able to report it without risk of retaliation or discrimination.

The purpose of this Policy is to encourage employees and others to raise concerns about matters occurring within or related to the Company, rather than overlooking a problem or seeking a resolution of the problem outside the Company.

Scope

This Policy applies to everyone at the Company, including:

• present and former managers, executive officers, and members of the board of directors as well as other persons who are at the disposal of the Company for such positions.

• present and former employees, hired labour, independent or other contractors, self- employed persons, interns, and voluntary workers inclusive, as well as candidates for such positions; and

Roles and responsibilities

Chief Executive Officer – The CEO is ultimately responsible for ensuring the continuous operations and compliance of the company. The CEO may instruct leadership and other employees and business functions to implement and effectuate company policies. Those instructions are set out in this document.

Policy subject

In order to allow and encourage reports about wrongdoing, Cint has established a whistleblowing system that serves as a contact interface designed specifically for receiving and handling reports on suspected misconduct.

Whistleblowing concerns, which for purposes of this Policy refer to certain misconducts within the Company about which an individual has learned in a work-related context, can be reported through the whistleblowing system. The misconduct may consist of an act as well as an omission, and it may already have occurred or may be ongoing or imminent.

To file a “Whistleblower Report” through Cint’s whistleblowing system, there must be a public interest that the concern addressed in the report is revealed to the Company or to a broader public.

Examples of misconducts that can be reported through the whistleblowing system are misconducts concerning:

• accounting, internal accounting control, auditing, bribery or other financial crime;

• public procurement, competition, money laundering and terrorist financing, privacy and personal data protection, and network and information system security;

• serious and systemic harassment or discrimination²;

• serious violations of the Company’s Code of Ethics and;

• other serious misconducts contrary to law or relating to the Company’s vital interests or individuals’ lives and health.

Concerns related to an employee’s personal or individual work situation or their terms and conditions of employment that do not constitute the type of misconduct described above should NOT be reported through the dedicated “Whistleblower Report” channel in the online system. Such reports should instead be made through the Company’s standard reporting measures or through the designated “HR Report” channel that is also available in the online whistleblower system. Either way, such concerns are handled in accordance with the Company’s policies, employment contracts, and relevant legislation.

Reporting in the whistleblowing system should be done in good faith. Anyone filing a report should, to the best of his/her/their ability and knowledge, ensure that the information included in the report is as accurate and complete as possible. No one using the whistleblowing system may report security classified information³.

The whistleblowing system complements Cint’s internal information and reporting avenues. The whistleblowing system is available for use on a voluntary basis. Reports regarding whistleblowing concerns are handled in accordance with this Policy and any person submitting or assisting with submitting such a report in accordance with this Policy enjoys the protection as described in section 4 below.

² “Serious and systemic” is not a single act or practice; it refers to institutionalized and structural patterns, actions or inactions, or behaviours of harassment, discrimination or widespread bias that have broad impact on the company, protected groups or a geographic location, etc..³ E.g. pursuant to the Swedish Security Protection Act (2018:595) (Sw. “säkerhetsskyddslagen”) or equivalent legislation in other jurisdictions.

Whistleblower Reporting Procedure

1. How to Report a Concern Through the Whistleblowing System

1.1 Reporting a whistleblowing concern that fits the description above can be done in the following three (3) ways through Cint’s online whistleblowing system, which is provided by an external partner, WhistleB, to ensure secure reporting. The communication platform is encrypted, password protected, and completely anonymous (unless contact information is voluntarily disclosed).

1.1.1 In writing: Electronic whistleblower reports can be submitted through Cint’s confidential online whistleblowing system at https://report.whistleb.com/en/cint using the dedicated “Whistleblower Report” channel.

1.1.2 By telephone: Whistleblower reporting can be done verbally. To leave a verbal message, visit https://report.whistleb.com/en/cint and click on the phone icon for a list of country-specific phone numbers to call.

1.1.3 At a physical (digital) meeting: Upon request, whistleblower reports can be made at a physical (digital) meeting with a member of the Whistleblowing Team (see section 2 below). To report in this way, please use Cint’s online whistleblowing system and request a meeting by calling and leaving a message to this effect. The online system is available at https://report.whistleb.com/en/cint.

1.2 Whistleblowers also have the option to report misconduct externally to relevant authorities. A non-exhaustive list of such authorities is attached as Exhibit A to this Policy.

1.3 Regardless of what is stated in this Policy, whistleblowers are always free to gather and disclose information to the media in accordance with and subject to restrictions under applicable law in their jurisdiction, such as those stated in the Swedish Freedom of the Press Act (Sw. “tryckfrihetsförordningen”) and the Swedish Fundamental Law on Freedom of Expression (Sw. “yttrandefrihetsgrundlagen”). Furthermore, this Policy does not limit freedom of speech entitlements afforded under applicable law in any applicable jurisdiction.

1.4 Concerns related to a person or issue that do not fit the description of matters which may be reported through the whistleblowing system generally should not use the whistleblowing system. Instead, such issues should be raised through Cint’s standard reporting channels, which include reporting to an employee’s direct manager, another manager whom the employee trusts, and/or the People Team. There is, however, a designated “HR Report” channel in the whistleblowing system that may be used to the extent that it is justified not to turn to the Company’s standard information and reporting channels.

2. How to Report a Concern Through the Whistleblowing System

2.1 The Company will act upon any concerns raised through the whistleblower system in accordance with its internal procedures and as described in this Policy.

2.2 Reports made in accordance with this Policy will be received and handled by a group of specifically designated and trained persons (“the Whistleblowing Team”) only.

2.3 Where deemed appropriate, the Whistleblowing Team may, as described below, submit a report for further investigation. An investigation will then take place as quickly as possible and in a confidential, fair and impartial manner.

2.4 Where appropriate, matters raised may:

2.4.1 be investigated by the Whistleblowing Team;

2.4.2 be shared with other impartial and independent persons for the purpose of investigating a whistleblowing report;

2.4.3 be referred to the police or other law enforcement authorities;

2.4.4 be referred to an independent auditor; or

2.4.5 become the subject of an independent inquiry within the Company.

2.5 In order to protect the individuals involved and those suspected of the alleged wrongdoing, an initial inquiry will be made by the Whistleblowing Team to decide whether an investigation is appropriate and, if so, what form it should take. If urgent action is required, it will be taken before any investigation is conducted.

3. Timing

3.1 Within seven (7) days of submitting a whistleblower report, the reporting individual will receive confirmation that the report has been received.

3.2 Concerns raised in a whistleblower report will be investigated as quickly as is practicable.

3.3 Typically within three (3) months of the date the whistleblower report was received, the reporting individual will receive feedback on the actions taken in relation to the report. However, in some instances it may be necessary to refer a matter to an external advisor, which may result in an extension of the investigative process. The seriousness and complexity of a report may also have an impact on the time needed to investigate the matter reported.

4. Prevention of Retaliation and Release from Liability

4.1 Cint will not hinder, penalize, discriminate or retaliate against a person who uses, attempts to use or has used the whistleblowing system in good faith to report a genuine concern regarding misconducts or wrongdoings, nor will it tolerate any attempt to do any of the foregoing. Any such actual or attempted discrimination or retaliation may be subject to disciplinary action by the Company, up to and including termination of employment, contract or assignment.

4.2 In general, Cint will not hold a whistleblower liable for having reported information that is subject to a duty of confidentiality, if the whistleblower had reasonable grounds to believe that the disclosure of the information was necessary to report and reveal serious misconduct. Cint also will not hold a whistleblower liable for having obtained information through a breach of provisions if the whistleblower had reasonable grounds to believe that the obtaining of the information was necessary to reveal the misconduct.

4.3 However, in Sweden, release from liability under this Policy is not applicable if one disregards any applicable duties of confidentiality under the Swedish Law about Defence Inventions (1971:1078) (Sw. “lagen om försvarsuppfinningar”), or deliberately disregards the duty of confidentiality according to the Swedish Public Access to Information and Secrecy Act (2009:400) (Sw. “offentlighets- och sekretesslagen”) that restricts the right to communicate and publish information under the Freedom of the Press Act (Sw. “tryckfrihetsförordningen”) or the Fundamental Law on Freedom of Expression (Sw. ”yttrandefrihetsgrundlagen”).

4.4 Release from liability and protection against retaliation under this Policy are also not applicable if a crime is committed by reporting or obtaining information.

5. Anonymity

5.1. Whistleblower reports can be made anonymously. Anonymous reports will be treated with the same level of seriousness and will be thoroughly investigated to the extent possible. However, providing contact details normally facilitates subsequent investigation and handling of the matter reported. Therefore, while anonymity is within a whistleblower’s discretion, Cint encourages whistleblowers to consider providing name and contact details when reporting a concern.

6. False and Malicious Allegations

6.1 Cint strives to meet the highest standards of honesty and integrity and will ensure that sufficient resources are put into investigating each whistleblower report received.

6.2 However, it is important for any person considering making allegations in a whistleblower report to ensure that they are sincere and in good faith. To be able to enjoy the protection under this Policy, the reporting person must have reasonable grounds to believe that the information disclosed is true to the best of their knowledge and belief at the time of reporting. The making of any knowingly or deliberately false or malicious allegations may result in disciplinary action.

Processing of Personal Data

Reports made through the whistleblowing system are likely to contain personal data (that is, data that directly or indirectly pertains to an identified or identifiable individual). Personal data may pertain to the person who has made the notification (if not anonymous), witnesses and/or to a person suspected of the alleged wrongdoing.

Cint is the data controller of any personal data collected via the whistleblowing system and is responsible to ensure that the personal data collected is processed in accordance with applicable laws and regulations on data protection.

The details of the Company for purposes of its role as data controller are as follows: Cint Group AB (publ), 559040-3217

1. What types of personal data can be processed?

   1. The types of personal data that may be processed in conjunction with an investigation are typically the following:

      1. The name, position, and contact details (for example e-mail and telephone number) of the person who submitted the complaint and of the individual to whom the complaint relates, as well as any witnesses or other individuals affected.

      2. Details of the misconduct of which the person(s) reported is(are) suspected.

   2. Cint will only process personal data that is correct and relevant to the investigation. Superfluous personal data will not be processed. Sensitive personal data, such as information relating to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation may not be submitted unless essential for the reported issue, and will be erased unless legal to process and deemed absolutely necessary for the investigation.

2. Why is personal data processed?

   1. Any personal data collected via the whistleblowing system will be processed for the purpose of administering and investigating allegations raised, and dealing with discovered misconduct, as described in this Policy.

3. What is the legal basis for processing personal data?

   1. The legal basis for processing personal data is a legal obligation. All companies with 50 or more employees, Cint included, are required by law to establish channels and procedures for internal reporting. The processing of personal data is therefore required by law.

4. Who has access to personal data?

   1. Cint takes both technical and organisational security measures to protect personal data processed. Personal data collected will be processed only by the Whistleblowing Team and, where applicable, such persons to whom the Whistleblowing Team may have referred a matter in accordance with section 2 (Process) of this Policy above. When matters are referred outside of the Whistleblowing Team, access to personal data in the whistleblowing system will be limited to what is necessary for each person to carry out their investigative and related tasks.

   2. In some cases, personal data may be transferred to countries outside the EU/EEA, which may have a lower level of protection than within the EU/EEA, as part of the investigation.

5. For how long is personal data kept?

   1. The personal data that is compiled and processed will not be retained longer than is necessary. Reports and information regarding misconduct that have been investigated will be deleted within two (2) months of the conclusion of the investigation or, if the investigation results in action being taken against the individual who has been reported, when the information is no longer needed for the purpose of carrying out an investigation and taking action. If it is determined that no investigation will be initiated, the information will be deleted immediately after such decision has been made. In any case, personal data will never be retained longer than two (2) years after an investigation has been concluded.

6. Subject to any legal preconditions, the applicability of which have to be assessed in each individual case, what rights do whistleblowers have?

   1. If personal data is incorrect or needs to be updated, whistleblowers may at any time request that Cint correct or update the personal data. Whisteblowers may also contact Cint if they no longer want the Company to process their personal data, would prefer the Company to restrict its processing in any manner, or wants Cint to erase their personal data. In addition, whistleblowers may receive a copy of the personal data relating to them, and information regarding Cint’s processing of such personal data, by making a request in writing. In such case, Cint will provide the personal data in a commonly used data format.

   2. When personal data pertaining to an individual is collected via the whistleblowing system, the individual must be informed. If it is not possible to inform the individual immediately, for example if such information could jeopardize the Company’s investigation, information will be provided at a point of time where it would no longer constitute a risk to the investigation.

   3. Whistleblowers have the right to lodge a complaint regarding how Cint processes their personal data to the relevant data protection authority or similar body within their jurisdiction.

   4. Any queries regarding the processing of personal data, or if there is a desire to exercise any of the rights stated above, please contact Cint’s Data Protection Officer at dpo@cint.com.

Compliance

This Whistleblowing Policy and Procedure is drafted in line with the Swedish Whistleblowing Act (2021:890) (Sw. “lagen om skydd för personer som rapporterar missförhållanden”) and the EU Whistleblower Directive ((EU) 2019/1937).

Exhibit A

Sweden: The competent Swedish authorities and their areas of responsibility can be found in the Swedish Regulation on the Protection of Whistleblowers (2021:949) (Sw. “förordning om skydd för personer som rapporterar om missförhållanden”), available here. Whistleblowers can be confident that their reports will be dealt with since all competent authorities listed in the Swedish regulation are obligated to transfer a received report to the appropriate competent authority.

Additional regional reporting authorities are below; this list is not exhaustive:

US: Securities law violations can be reported to the Securities and Exchange Commission: Information About Submitting a Whistleblower Tip and Report Suspected Securities Fraud or Wrongdoing

UK: Employees can report concerns to specified authorities listed here and here.

Australia: Employees can report concerns to appropriate authorities here.