Whistleblower Protection Policy

Sigma Software together with its subsidiaries and controlled affiliates (hereinafter – Sigma Software) are committed to ensuring high standards of ethical business conduct while carrying out business around the world.

For this reason, Sigma Software is setting up this policy, covering current and former employees, freelancers, interns, contractors, candidates, and other persons who have or have had work-related affairs with Sigma Software (hereinafter – personnel).

If you have a concern regarding suspected wrongdoing within Sigma Software, you can always raise your concern to your manager or HR.

However, if, for some reason, you don’t want to share your concerns with your manager or HR, or concerns you have shared were not properly addressed, you can report under this policy and enjoy the respective protection against possible retaliation.

We’ve created this policy to provide a safe and structured way for you to report any wrongdoing. However, it’s essential to understand that this policy doesn’t apply in the same way everywhere. The eligibility and applicability of this policy can vary depending on the local laws and regulations where you live or work. These laws determine the terms and conditions of protection against retaliation, and they can be quite different from one place to another.

This means that not everyone may receive the same level of protection under the program. We want to make sure you’re fully informed and supported. That’s why we recommend consulting with a legal advisor who is familiar with your country’s laws and regulations regarding whistleblower protection. This will help you understand your specific rights and protections.

Regardless of the local laws and regulations, we are committed to protecting your confidentiality and anonymity in all cases. We understand the importance of feeling secure when reporting concerns, and we take every measure to ensure that your identity remains protected if you choose to remain anonymous.

By participating in our whistleblower program, you acknowledge that you’re aware of these differences and have taken steps to learn about your local protections. We’re here to support you and want to ensure that you feel confident and protected when reporting any concerns.

Under this policy, you can report concerns that create or potentially may create threats or harm to the public interest:

violation of laws and regulations,
violation of Sigma Software policies, instructions, and guidelines.
acts of bribery or corruption.
violation of public procurement procedures.
money laundering or terrorist financing activities.
threats to the protection of privacy and personal data in Sigma Software, or threats to security of network and information systems in Sigma Software.
serious risks concerning the life or health of individual persons (such as alleged environmental crimes or major deficiencies in the security at a place of work).
systematic bullying, discrimination, or harassment.
any other conduct by someone in Sigma Software that is inconsistent with Sigma Software values.

Examples of cases covered by this policy

a report stating that your or your colleagues’ salaries are lower than a statutory minimum set in a respective country.
you are the victim of retaliation or harassment from your colleague or manager.
you are the witness of the bribery act.

Examples of cases not covered by this policy, which should be solved by your manager or HR.

a report stating that you are unhappy with your birthday gift or laptop model or stating that you are not happy with your salary or social pack, will not be investigated by Sigma Software under this policy.

We understand that it might be not an easy job for you to define if your report concerns public interest. And we definitely do not expect that you will do this assessment yourself. Leave this task to us. For this reason, we ask you to provide more information in your report. This will help us to make a proper assessment.

You are provided with the two options for reporting*:

wrongdoing@sigma.software – non-anonymous channel
https://sigmasoftware.visslan-report.se – 100% anonymous channel**

Your report may include documents, images and/or videos.

Reports and attached items are processed confidentially by the designated team of independent and proficient representatives of Legal, HR, and Compliance Management departments.

Note.

* Reports should be created in English
**The Visslan online platform (the third-party provided service) is specially designed for anonymous reporting. You are only required to keep a sixteen-digit code provided by the platform, which you shall use onwards to communicate with the investigation team and to access your matter at the reporting channel through the relevant link above.

Within 10 working days after you submit a report, you will receive a response whether your report falls under this policy or not.

If it is within the scope of this program, investigation and further actions will be accomplished within 3 months (in some circumstances – within 6 months) and you will be well informed and engaged if necessary.

Please find below more details about the whistleblower protection framework.

What Can be Reported?

If, in the context of the work-related activities you have or have had with Sigma Software, you reveal or have revealed threats or harm to the public interest, which arise or have arisen in that context, you have the right to report them to Sigma Software.

For example, if, during negotiating with, working for, or doing business with Sigma Software, you reveal or have revealed evidence of actual or suspected violations that create or potentially may create threats or harm to the public interest (so-called wrongdoing), do not hesitate to submit a report to Sigma Software.

As was stated above, the following violations and/or threats are covered by this policy:

Violation of laws and regulations,
Violation of Sigma Software policies, instructions, and guidelines.
acts of bribery or corruption.
violation of public procurement procedures.
money laundering or terrorist financing activities.
threats to the protection of privacy and personal data in Sigma Software, or threats to security of network and information systems in Sigma Software.
serious risks concerning the life or health of individual persons (such as alleged environmental crimes or major deficiencies in the security at a place of work).
systematic bullying, discrimination, or harassment.
any other conduct by someone in Sigma Software that is inconsistent with Sigma Software values.

We encourage you to provide a detailed description of the wrongdoing as well as to include documents, images and/or videos if possible.

Please pay attention to the two main points below, which will help you to understand the scope of the framework better.

This framework covers reports on actual or alleged wrongdoing you encounter or have encountered in the course of employment, doing business or other work-related activities with Sigma Software. Consequently, Sigma Software will not investigate reports that deal with actual or alleged wrongdoing outside of the mentioned context. For example, a report on excess of powers against you by a respective authority in your country will not be investigated by Sigma Software under this program.
To be covered by this program, a report shall deal with the public interest.

“Public interest” is a subjective category. A lot of criteria are taken into consideration to define whether a particular report deals with the public interest.

To name a few of them:

a number of persons whose interests the disclosure served – if a disclosure covers you and your colleagues, it is more likely to be in the public interest. However, in some cases, it is not an obligatory criterion, and a disclosure may concern only you.
the nature of the interests affected and the extent to which they are affected by the wrongdoing disclosed – a disclosure of wrongdoing directly affecting a very important interest is more likely to be in the public interest than a disclosure of trivial wrongdoing affecting the same number of people.
the nature of the wrongdoing disclosed – disclosure of willful wrongdoing is more likely to be in the public interest than the disclosure of unintentional wrongdoing affecting the same number of people.
the identity of the alleged wrongdoer – the larger or more prominent the wrongdoer (in terms of the size of its relevant community, i.e. staff, suppliers, and clients), the more obviously should a disclosure about its activities engage the public interest.

The list of criteria is not exhaustive, and every report will be assessed by Sigma Software on a case-by-case basis.

How to Submit a Report Anonymously?

Sigma Software provides a possibility to submit a wrongdoing report in writing anonymously through the online reporting channel [https://sigmasoftware.visslan-report.se], which is called Visslan.

At completion of your submitted report, you will receive a sixteen-digit code, which you shall use onwards to communicate with the investigation team and to access your matter at reporting channel through the relevant link above.

It is important to keep the code as otherwise you will not be able to access your report again.

If you lose the code, you can submit a new report referring to the previous report.

Verbal: It is possible to submit a verbal report by uploading an audio file as an attachment when creating a report through Visslan. To do this, you need to select that you have evidence for the report and upload an audio file. In the audio file, you can describe the same facts and details as if you had submitted it in writing.

Meeting: A physical meeting with the investigation team can be requested via Visslan. This is most easily done by either requesting it in an existing report or creating a new report asking for a physical meeting. During the meeting, information may be brought forward by you orally and/or in writing.

Confidentiality and Anonymity

No matter which channel (email or Visslan channel) is used to submit a report, the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected as well as the access by non-authorized staff members to the information is strictly limited.

In case the report is submitted through the https://sigmasoftware.visslan-report.se (the channel specially designed to maintain anonymity of the reporter), it will be processed anonymously to the extent possible according to law. Reporter remains anonymous when they submit a report or question via Visslan channel unless they decide to disclose their identity. However, to facilitate a proper investigation, they may be asked to disclose their identity to the investigation team.

Only the designated team of independent and proficient representatives of Legal, HR, and Compliance Management departments (the investigation team) reviews and investigates the report.

All investigation-related documentation will be stored confidentially for the period required by applicable law and will be anonymized to the maximum extent permitted by law and technically feasible.

Please note that Sigma Software reserves the right to dismiss anonymous reports to the extent the anonymity hinders Sigma Software from revealing all the circumstances and data necessary for the report’s assessment and investigation.

Who Processes My Report?

The reports are processed by the designated team of independent and proficient representatives of Legal, HR, and Compliance departments. This team can be extended by subject matter experts, lawyer, and local representatives.

Team members are obligated to work according to the implemented whistleblowing procedures, maintain and protect confidentiality of the reporting person.

I have Submitted a Report, What’s Next?

You will receive a written acknowledgment within 10 business days of report submission. In case of questions or concerns, you and the investigation team can communicate through email or through the platform’s built-in anonymous chat function depending on the platform used for the report submission.

In the event of the report submitted through the Visslan channel, you will receive a sixteen-digit code. Please use that code onwards to communicate with the investigation team and to access your matter at the reporting channel through the same link. It is important to keep the code as otherwise you will not be able to access your report again. If you lose the code, you can submit a new report referring to the previous report.

You will receive feedback on your report within 3 months from the acknowledgment of receipt.

Feedback may include information on measures planned or implemented due to the reporting.

If required by the specific circumstances of the case, in particular the nature and complexity of the subject of the report, which may require lengthy investigation, the mentioned 3 months term may be extended up to 6 months.

Please note that your collaboration with the investigation team is an essential part of the investigation process.

Please always answer the follow-up questions the investigation team may have and provide necessary information and documents upon their request.

To do this, please regularly check your email or the Visslan system for questions or comments from the investigation team.

Please note that, in some cases, the report cannot be taken forward without the additional information requested by the investigation team.

The investigation team has a right to dismiss a report, if:

a report does not fall within the scope of Sigma’s whistleblowing program.
a report contains insufficient information, and the investigation team has no possibility of obtaining necessary data within a reasonable timeframe despite its reasonable efforts.
a report is unfounded.
a report is anonymous and such anonymity hinders the investigation team from revealing all the circumstances and data necessary for the report assessment and investigation.
the investigation team has reasonable grounds to believe that the report was made in bad faith.

If a report is dismissed for the above-mentioned reasons, it will be deleted. If it is possible, the investigation team will inform you about this.

What Rights do I Have?

Right to confidentiality

We will ensure that your identity as well as the identity of any third party mentioned in the report is treated confidentially. The access to the case materials is prevented for unauthorized personnel.

Protection against negative consequences¹

We will take the necessary measures to prohibit any form of retaliation against you due to your report covered by this policy.

As a whistleblower, you are protected from any negative consequences that may arise from submitting a report under this policy.

Examples of negative consequences you are protected against. Please note that the list is not exhaustive:

dismissal or equivalent measures.
demotion or withholding of promotion.
transfer of duties, change of location of place of work, reduction in wages, change in working hours.
withholding of training.
a negative performance assessment or employment reference.
imposition or administering of any disciplinary measure, reprimand, or other penalty, including a financial penalty.
coercion, intimidation, or harassment.
discrimination, disadvantageous or unfair treatment.
failure to convert a temporary employment contract into a permanent one, where a person had legitimate expectations that they would be offered permanent employment.
failure to renew, or early termination of, a temporary employment contract.
harm, including to a person’s reputation, particularly in social media, or financial loss, including loss of business and loss of income.
blacklisting based on a sector or industry-wide informal or formal agreement, which may entail that the person will not, in the future, find employment in the sector or industry.
early termination or cancellation of a contract for goods or services.

Where applicable, protection against negative consequences also covers persons in the workplace who assist you with the reporting, third persons who relate to you and who could suffer retaliation in a work-related context, such as your colleagues or relatives, and legal entities you own, work for or that are otherwise connected with you in a work-related context.

If Sigma Software discovers that any person within the organization has engaged in retaliation against you or the protected persons mentioned above due to your report, Sigma Software will promptly investigate and take appropriate disciplinary action, which shall include disciplinary action, dismissal, termination of a contract, forwarding information to the respective authorities to initiate prosecution process.

You are also protected against retaliation outside the work-related context, for example, in legal proceedings related to defamation, copyright infringement, breach of confidentiality, breach of data protection rules, disclosure of trade secrets or compensation claims based on private, public, or on collective labour law. In this case, you shall not incur liability of any kind as a result of report or public disclosure, if you had reasonable grounds to believe that the reporting or public disclosure was necessary to expose a misconduct.

Note 1. The terms and conditions of protection against retaliation are governed by local laws and regulations, which means the actual form and extent of protection can vary significantly. Therefore, we strongly recommend seeking legal advice specific to your country’s terms and conditions regarding protection against retaliation.

Publication of information

In certain circumstances, you have a right to make information on breaches available in the public domain (e.g. on social media, media, etc.). In other words, you have a right to so-called public disclosure.

You will be protected against negative consequences as a result of public disclosure if any of the following conditions is fulfilled:

you first reported internally and externally, or directly externally to the respective authorities, but no appropriate action was taken in response to the report within 3 months (6 months – in duly justified cases);
OR
you had reasonable grounds to believe that:
- the breach may constitute an obvious danger to the public interest, for example, in case of an emergency or a risk of irreversible damage;
  OR
- in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, for example, you believe that there is a risk that evidence may be destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.

The right to review documentation at meetings with the investigation team

If you request a meeting with the investigation team, they will, upon your consent, ensure that the complete and correct documentation of the meeting is preserved in a lasting and accessible form. For this purpose, a conversation may be recorded, or the respective meeting minutes may be kept. Afterwards, you will have the opportunity to check, correct and approve the respective documentation by signing a respective protocol.

The right to report externally

Sigma Software encourages you to report first internally. However, based on the circumstances of your case, you also have a right to report externally to competent authorities according to the rules set by them.

For your convenience, please find below a list of the respective authorities in some locations (the list is not exhaustive):

Germany

External Federal Reporting Office as part of the Federal Ministry of Justice https://www.bundesjustizamt.de/DE/MeldestelledesBundes/MeldestelledesBundes.html

The Czech Republic

Czech Ministry of Justice https://oznamovatel.justice.cz/chci-podat-oznameni/

Sweden:

The Swedish Work Environment Authority https://www.av.se/en/about-us/contact-us/reporting-health-and-safety-risks/

Bulgaria:

Commission for Personal Data Protection https://cpdp.bg/en/

Hungary:

Directorate-General for Audit of European Funds: https://eutaf.hu/
the Integrity Authority: https://integritashatosag.hu/
Hungarian Competition Authority: https://www.gvh.hu/
Public Procurement Authority: https://www.kozbeszerzes.hu/
Hungarian Energy and Public Utility Regulatory Authority: https://www.mekh.hu/
Hungarian National Bank: https://www.mnb.hu/
Hungarian National Authority for Data Protection and Freedom of Information: https://www.naih.hu/
National Media and Infocommunications Authority: https://nmhh.hu/
Hungarian Atomic Energy Authority: https://www.haea.gov.hu/
Supervisory Authority for Regulated Services: https://sztfh.hu/