Whistleblower Policy and Procedure

CEO, General Counsel, CHRO

Last reviewed: 16 April 2026

Version: 1.2

Approved By: Name: Cint Board of Directors, Date: 29 April, 2026

Click on the three dots on the top right to export this article in PDF.Click on the three dots on the top right to export this article in PDF.

Purpose

This Whistleblower Policy and Procedure (“Policy”) is drafted in line with the principles articulated in the Code of Conduct of Cint Group AB and its subsidiaries and affiliates (the “Company,” “Cint,” or “Cint Group”), which is a vital part of the Company’s Corporate Compliance Program. 

Employees are often the first to discover misconduct at their workplace, and it is important that an employee who discovers wrongdoing by the Company or any of its employees, consultants, contractors, or suppliers is able to report it without risk of retaliation or discrimination.

The purpose of this Policy is to encourage employees and others with whom we do business to raise concerns about matters occurring within or related to the Company, rather than overlooking a problem or seeking a resolution of the problem outside the Company.

Speaking up about concerns is part of how we work together responsibly and with integrity. We do not expect employees or others to “prove” misconduct before raising a concern. If something does not feel right, raises a question, or could become a problem if left unaddressed, we want to hear about it early. Raising concerns helps protect our colleagues, our business, and our reputation.

What does this mean for you?

• The Company encourages and expects that you’ll speak up if you see or suspect serious misconduct or something wrong.

• No one needs to be 100% certain or have all the facts before raising a concern, you just need to act honestly and in good faith.

• Raising concerns is something Cint considers to be part of acting with integrity, not a sign of disloyalty.

Scope

This Policy applies to all individuals who acquire information about suspected misconduct in a work-related context involving the Company. This includes, but it not limited to:

• all present and former employees, whether full-time or part-time, temporary or permanent;

• independent contractors, consultants, agency workers, interns, and volunteers;

• executive officers and members of the Board;

• candidates for employment or other work-related positions; and

• third parties who interact with or provide services to the Company, including suppliers, vendors, customers, business partners, and their respective employees or representatives.

This Policy also applies to individuals who assist a reporting person or who are otherwise connected to a reporting person in a work-related context.

Roles and Responsibilities  

Chief Executive Officer – The CEO is ultimately responsible for ensuring the continuous operations and compliance of the company. The CEO may instruct leadership and other employees and business functions to implement and effectuate company policies. Those instructions are set out in this document.

Policy Subject

In order to allow and encourage the reporting of concerns, Cint has established a confidential reporting system designed to receive and handle different types of reports in a clear and appropriate way.

The whistleblower reporting system includes two types of reporting channels:

• Whistleblower Report channels, which may include one or more country-specific whistleblower reporting channels where required by local law, as well as a general whistleblower reporting channel for other locations, for purposes of reporting whistleblowing concerns; and

• An HR Report channel, intended for people-related concerns that do not meet the criteria for whistleblower reporting.

Which channel should be used depends on the nature of the concern being raised:

1. “Whistleblower Report” channel(s) should be used to report suspected misconduct within the Company about which an individual has learned in a work-related context. Where regional Whistleblower Report channels exist, the applicable one should be utilized based on where the reporting party resides. Such misconduct may consist of an act or an omission and may already have occurred, be ongoing, or be imminent. The concern must relate to a matter of public interest. This means that it goes beyond a purely personal workplace issue and may affect the Company, other individuals, or the public at large.

   Examples of misconduct that can/should be reported through the Whistleblowing Report channel(s) are those concerning:

   1. accounting, internal accounting control, auditing, bribery or other financial crime;

   2. public procurement, competition, money laundering and terrorist financing, privacy and personal data protection, and network and information system security;

   3. serious and systemic harassment or discrimination¹;

   4. serious violations of the Company’s Code of Ethics; and

   5. other serious misconduct contrary to law or relating to the Company’s vital interests or individuals’ lives and health.

2. “HR Report Channel” can be used to report concerns that relate primarily to an employee’s own role, working conditions, performance, compensation, or other individual employment matters that do not constitute the type of misconduct described above. Alternatively, such concerns can be raised through Cint’s standard reporting processes to management and/or the People Team directly. Either way, these reports are handled in accordance with the Company’s policies, employment contracts, and applicable legislation.

Reporting in the whistleblowing system should always be done in good faith. Anyone filing a report should, to the best of his/her/their ability and knowledge, ensure that the information included in the report is as accurate and complete as possible. No one using the whistleblowing system may report security-classified information².

The whistleblowing system is available for use on a voluntary basis. Reports regarding whistleblowing concerns are handled in accordance with this Policy and any person submitting or assisting with submitting such a report in accordance with this Policy enjoys the protection as described in the Whistleblower Reporting Procedure, section 4, below.

When Should I Use the Whistleblowing System?

Use the whistleblowing system when you are concerned about serious wrongdoing, legal or ethical violations, or behavior that could harm people, the Company, or the public interest.

If your concern is about your own role, performance, pay, or day-to-day working conditions, the People Team or your manager is usually the right first step. However, if you are uncomfortable using these avenues or prefer anonymity, the whistleblower system is available and includes an “HR Report” option.

Cint’s Commitment to Speaking Up

A culture of openness depends on trust, respect, and shared responsibility. We expect leaders at all levels to listen carefully, take concerns seriously, and respond in a fair and respectful way. Speaking up helps us learn, improve, and address issues before they cause harm. Every report, question, or concern contributes to making Cint a safer and more ethical place to work.

Whistleblower Reporting Procedure

1. How to Report a Concern Through the Whistleblowing System

1.1 Reporting a whistleblowing concern that fits the description above can be done in the following three (3) ways through Cint’s online whistleblowing system, which is provided by an external partner, WhistleB, to ensure secure reporting. The communication platform is encrypted, password protected, and completely anonymous (unless contact information is voluntarily disclosed).

1.1.1. In writing: Electronic whistleblower reports can be submitted through Cint’s confidential online whistleblowing system at https://report.whistleb.com/en/cint using the dedicated and applicable “Whistleblower Report” channel(s).

1.1.2. By telephone: Whistleblower reporting can be done verbally. To leave a verbal message, visit https://report.whistleb.com/en/cint and click on the phone icon for a list of country-specific phone numbers to call.

1.1.3. At a physical (digital) meeting: Upon request, whistleblower reports can be made at a physical (digital) meeting with a member of the Whistleblowing Team (see section 2 below). To report in this way, please use Cint’s online whistleblowing system and request a meeting by calling and leaving a message to this effect. The online  system is available at https://report.whistleb.com/en/cint.

What does this mean for you?

• You have more than one avenue to raise a concern, including talking to a manager, People Team member, or using the whistleblowing system.

• You can choose the channel/approach that feels safest and most appropriate for the situation.

• You can report concerns in writing, by phone, or request a meeting.

• You can report anonymously if you prefer.

1.2. Whistleblowers always have the option to report misconduct externally to relevant authorities. A non-exhaustive list of such authorities is attached as Exhibit A to this Policy.

1.3. Regardless of what is stated in this Policy, whistleblowers are always free to gather and disclose information to the media in accordance with and subject to restrictions under applicable law in their jurisdiction, such as those stated in the Swedish Freedom of the Press Act (Sw. “tryckfrihetsförordningen”) and the Swedish Fundamental Law on Freedom of Expression (Sw. “yttrandefrihetsgrundlagen”). Furthermore, this Policy does not limit freedom of speech entitlements afforded under applicable law in any applicable jurisdiction.

2. Post-Report Process

2.1. For reports to the “Whistleblower Report” channel(s):

2.1.1. The Company will act upon any concerns raised through the whistleblower system in accordance with its internal procedures and as described in this Policy.

2.1.1.1. Reports made in accordance with this Policy will be received and handled by a group of specifically designated and trained persons (“the Whistleblowing Team”) only.

2.1.2. Where deemed appropriate, the Whistleblowing Team may, as described below, submit a report for further investigation. An investigation will then take place as quickly as possible and in a confidential, fair and impartial manner.

2.1.3. Where appropriate, matters raised may:

2.1.3.1. be investigated by the Whistleblowing Team;

2.1.3.2. be shared with other impartial and independent persons for the purpose of investigating a whistleblowing report;

2.1.3.3. be referred to the police or other law enforcement authorities;

2.1.3.4. be referred to an independent auditor; or

2.1.3.5. become the subject of an independent inquiry within the Company.

2.1.4. In order to protect the individuals involved and those suspected of the alleged wrongdoing, an initial inquiry will be made by the Whistleblowing Team to decide whether an investigation is appropriate and, if so, what form it should take. If urgent action is required, it will be taken before any investigation is conducted.

2.2. For reports from the “HR Report” channel:

2.2.1. The Company will act upon concerns raised through the HR Report system in accordance with its internal procedures and as described in this Policy and in other policies related to internal investigation.

2.2.2. Reports made through the HR Report channel will be received and handled by designated members of the People Team, who are responsible for reviewing and addressing employee concerns in the ordinary course.

2.2.3. To protect all individuals involved, the People Team may conduct an initial assessment to determine whether further review or investigation is appropriate and, if so, the form it should take. If immediate action is required (for example, an interim suspension of an accused individual), it may be taken prior to the conclusion of any review or investigation.

2.2.4. Where appropriate, the People Team will assess the report and determine the appropriate course of action, which may include conducting an internal review or investigation. Any such review will be carried out as promptly as practicable and in a manner that is fair, proportionate, and respectful of all individuals involved.

2.2.5. Where appropriate, matters raised may:

2.2.5.1. be reviewed or investigated by the People Team;

2.2.5.2. be shared with other appropriate internal stakeholders (such as Legal or Compliance) on a need-to-know basis;

2.2.5.3. be escalated for further internal review or independent investigation; and/or

2.2.5.4. be referred to external advisors or authorities where required.

2.2.6. Reports submitted through the HR Report channel are encrypted and handled confidentially to the extent possible. While anonymous reports are accepted, the Company’s ability to investigate and respond may be limited where insufficient information is provided or where follow-up is not possible

3. Timing

3.1. Within seven (7) days of submitting a report through the whistleblower system, the reporting individual will receive confirmation that the report has been received.

3.2. Concerns raised in a whistleblower report will be investigated as quickly as is practicable.

3.3. Feedback:

3.3.1. Typically within three (3) months of the date a report to the Whistleblower Channel(s) was received, the reporting individual will receive feedback on the actions taken in relation to the report. However, in some instances it may be necessary to refer a matter to an external advisor, which may result in an extension of the investigative process. The seriousness and complexity of a report may also have an impact on the time needed to investigate the matter reported.

3.3.2. Reports to the HR Channel are handled separately from reports submitted through a Whistleblower Report channel and are not subject to the same timelines. When an HR Report is submitted, the People Team will review the matter and conduct an appropriate inquiry or investigation based on the nature of the concern. The reporting individual may be asked to participate in the process or provide additional information, IF his/her/their identity is known; anonymous HR Reports may limit the Company’s ability to follow up or investigate fully. Details regarding any disciplinary or corrective action taken in relation to another individual are generally confidential and will not be shared. Where an investigation substantiates wrongdoing, the Company will take appropriate corrective action based on the findings and in accordance with applicable policies and law.

4. Prevention of Retaliation and Release from Liability

4.1. Cint will not hinder, penalize, discriminate or retaliate against a person who uses, attempts to use or has used the whistleblowing system in good faith to report a genuine concern regarding misconducts or wrongdoings, nor will it tolerate any attempt to do any of the foregoing. Any such actual or attempted discrimination or retaliation may be subject to disciplinary action by the Company, up to and including termination of employment, contract or assignment.

4.2. Cint will not hold a whistleblower liable for having reported in good faith information that is subject to a duty of confidentiality, if and to the extent that the whistleblower had reasonable grounds to believe that the disclosure of the information was necessary to report and reveal serious misconduct. Cint also will not hold a whistleblower liable for having obtained information through a breach of provisions if the whistleblower had reasonable grounds to believe that the obtaining of the information was necessary to reveal the misconduct.

4.2.1. Note: in Sweden, release from liability under this Policy is not applicable if one disregards any applicable duties of confidentiality under the Swedish Law about Defence Inventions (1971:1078) (Sw. “lagen om försvarsuppfinningar”), or deliberately disregards the duty of confidentiality according to the Swedish Public Access to Information and Secrecy Act (2009:400) (Sw. “offentlighets- och sekretesslagen”) that restricts the right to communicate and publish information under the Freedom of the Press Act (Sw. “tryckfrihetsförordningen”) or the Fundamental Law on Freedom of Expression (Sw. ”yttrandefrihetsgrundlagen”).

4.3. Release from liability and protection against retaliation under this Policy are also not applicable if a crime is committed by reporting or obtaining information.

What does this mean for you?

• You will not be penalized, disadvantaged, or treated differently for raising a concern in good faith.

• The Company prohibits retaliation and considers it alone a serious policy violation, which will be addressed if it occurs.

• Even if an investigation does not confirm misconduct, you are still protected as long as you raised the concern honestly and in good faith.

5. Anonymity

5.1. Whistleblower reports can be made anonymously. Anonymous reports will be treated with the same level of seriousness and will be thoroughly investigated to the extent possible. However, providing contact details normally facilitates subsequent investigation and handling of the matter reported. Therefore, while anonymity is within a whistleblower’s discretion, Cint encourages whistleblowers to consider providing name and contact details when reporting a concern.

5.2. Concerns reported anonymously will never be held against the person reporting (if they later choose to identify themselves). While providing name and contact details can make follow-up and investigation easier, the decision to remain anonymous is entirely left to the person making the report.

6. False and Malicious Allegations

6.1. Cint strives to meet the highest standards of honesty and integrity and will ensure that sufficient resources are put into investigating each whistleblower report received.

6.2. However, it is important for any person considering making allegations in a whistleblower report to ensure that they are sincere and in good faith. To be able to enjoy the protection under this Policy, the reporting person must have reasonable grounds to believe that the information disclosed is true to the best of their knowledge and belief at the time of reporting. The making of any knowingly or deliberately false or malicious allegations may result in disciplinary action.

Processing of Personal Data

Reports made through the whistleblowing system are likely to contain personal data (that is, data that directly or indirectly pertains to an identified or identifiable individual). Personal data may pertain to the person who has made the notification (if not anonymous), witnesses and/or to a person suspected of the alleged wrongdoing.

Cint is the data controller of any personal data collected via the whistleblowing system and is responsible to ensure that the personal data collected is processed in accordance with applicable laws and regulations on data protection.

The details of the Company for purposes of its role as data controller are as follows:

Cint Group AB (publ), 559040-3217

A. What types of personal data can be processed?

1. The types of personal data that may be processed in conjunction with an investigation are typically the following:

   1. The name, position, and contact details (for example e-mail and telephone number) of the person who submitted the complaint and of the individual to whom the complaint relates, as well as any witnesses or other individuals affected.

   2. Details of the misconduct of which the person(s) reported is(are) suspected.

2. Cint will only process personal data that is correct and relevant to the investigation. Superfluous personal data will not be processed. Sensitive personal data, such as information relating to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation may not be submitted unless essential for the reported issue, and will be erased unless legal to process and deemed absolutely necessary for the investigation.

B. Why is personal data processed?

1. Any personal data collected via the whistleblowing system will be processed for the purpose of administering and investigating allegations raised, and dealing with discovered misconduct, as described in this Policy.

C. What is the legal basis for processing personal data?

1. The legal basis for processing personal data is a legal obligation. All companies with 50 or more employees, Cint included, are required by law to establish channels and procedures for internal reporting. The processing of personal data is therefore required by law.

D. Who has access to personal data?

1. Cint takes both technical and organisational security measures to protect personal data processed. Personal data collected will be processed only by the Whistleblowing Team and, where applicable, such persons to whom the Whistleblowing Team may have referred a matter in accordance with section 2 (Process) of this Policy above. When matters are referred outside of the Whistleblowing Team, access to personal data in the whistleblowing system will be limited to what is necessary for each person to carry out their investigative and related tasks.

2. In some cases, personal data may be transferred to countries outside the EU/EEA, which may have a lower level of protection than within the EU/EEA, as part of the investigation.

E. For how long is personal data kept?

1. The personal data that is compiled and processed will not be retained longer than is necessary. Reports and information regarding misconduct that have been investigated will be deleted within two (2) months of the conclusion of the investigation or, if the investigation results in action being taken against the individual who has been reported, when the information is no longer needed for the purpose of carrying out an investigation and taking action. If it is determined that no investigation will be initiated, the information will be deleted immediately after such decision has been made. In any case, personal data will never be retained longer than two (2) years after an investigation has been concluded.

F. Subject to any legal preconditions, the applicability of which have to be assessed in each individual case, what rights do whistleblowers have?

1. If personal data is incorrect or needs to be updated, whistleblowers may at any time request that Cint correct or update the personal data. Whisteblowers may also contact Cint if they no longer want the Company to process their personal data, would prefer the Company to restrict its processing in any manner, or wants Cint to erase their personal data. In addition, whistleblowers may receive a copy of the personal data relating to them, and information regarding Cint’s processing of such personal data, by making a request in writing. In such a case, Cint will provide the personal data in a commonly used data format.

2. When personal data pertaining to an individual is collected via the whistleblowing system, the individual must be informed. If it is not possible to inform the individual immediately, for example if such information could jeopardize the Company’s investigation, information will be provided at a point of time where it would no longer constitute a risk to the investigation.

3. Whistleblowers have the right to lodge a complaint regarding how Cint processes their personal data to the relevant data protection authority or similar body within their jurisdiction.

4. Any queries regarding the processing of personal data, or if there is a desire to exercise any of the rights stated above, please contact Cint’s Data Protection Officer at dpo@cint.com.

Compliance

This Whistleblowing Policy and Procedure is drafted in line with the Swedish Whistleblowing Act (2021:890) (Sw. “lagen om skydd för personer som rapporterar missförhållanden”) and the EU Whistleblower Directive ((EU) 2019/1937). This Policy also forms part of Cint’s Code of Conduct (CoC) and should be read together with the “Speak Up and Non-Retaliation” section of it. Where the CoC encourages open dialogue and early reporting, this Policy explains how formal reports through the whistleblower system are handled and protected.

¹“Serious and systemic” is not a single act or practice; it refers to institutionalized and structural patterns, actions or inactions, or behaviours of harassment, discrimination or widespread bias that have broad impact on the company, protected groups or a geographic location, etc.

²E.g. pursuant to the Swedish Security Protection Act (2018:595) (Sw. “säkerhetsskyddslagen”) or equivalent legislation in other jurisdictions.

Exhibit A

Sweden: The competent Swedish authorities and their areas of responsibility can be found in the Swedish Regulation on the Protection of Whistleblowers (2021:949) (Sw. “förordning om skydd för personer som rapporterar om missförhållanden”), available here. Whistleblowers can be confident that their reports will be dealt with since all competent authorities listed in the Swedish regulation are obligated to transfer a received report to the appropriate competent authority.

Additional regional reporting authorities are below;  this list is not exhaustive:

US: Securities law violations can be reported to the Securities and Exchange Commission: Information About Submitting a Whistleblower Tip and Report Suspected Securities Fraud or Wrongdoing

UK: Employees can report concerns to specified authorities listed here: https://www.gov.uk/government/publications/blowing-the-whistle-list-of-prescribed-people-and-bodies--2  and https://www.gov.uk/government/publications/blowing-the-whistle-list-of-prescribed-people-and-bodies--2/whistleblowing-list-of-prescribed-people-and-bodies  

Australia: Employees can report concerns to appropriate authorities, including: https://asic.gov.au/about-asic/asic-investigations-and-enforcement/whistleblowing/how-asic-handles-whistleblower-reports/