Siili Solutions Plc’s Whistleblowing Policy

1. What is whistleblowing, and why is it important?

It is essential for Siili Solutions Plc and its group companies (hereinafter “Siili” or “we” or “us”) to work for transparency and a high level of business ethics. We are committed to responsibility in our business operations. Accordingly, we do not by any means accept corruption, bribery, discrimination, harassment, bad behavior, or any other unethical or unlawful actions.

Our whistleblowing service offers a possibility to alert us about suspicions of misconduct in a confidential way. It is an important tool for reducing risks and maintaining trust in our operations by enabling us to detect and act on possible misconduct at an early stage.

Our whistleblowing service and this policy are based on the EU’s whistleblowing directive (EU 2019/1937) and related national legislation. Please note that whistleblowing legislation and whistleblower protection apply only to certain matters defined in section 2.

Our whistleblowing service is available for Siili Solutions, Siili One, and Siili Auto employees and stakeholders in Finland, Poland and Germany regarding matters defined in the whistleblowing legislation. However, anyone can use the whistleblowing service to report other matters than those falling within the scope of whistleblowing legislation. For example, anyone can use the service to report discrimination, harassment, bad behavior, dissatisfaction in the workplace or related matters. Please note that in this case, the message will not be handled as a whistleblowing issue but as required by the guidelines and practices according to the nature of the issue.

2. When to raise a concern?

The whistleblowing service can be used to alert us about serious risks of wrongdoing affecting people, our organisation, the society or the environment. In our whistleblowing service, we only handle serious wrongdoings as whistleblowing matters. Reported issues include criminal offenses, irregularities and violations or other actions in breach of EU or national laws within a work-related context, for example:

• Corruption and financial irregularities; for example, bribes, unfair competition, money laundering, fraud, conflict of interest

• Health and safety violations; for example, workplace health and safety, product safety, serious discrimination and harassments that are against the law

• Privacy violations; for example, unlawful processing of personal data

• Environmental violations; for example, actions that harm air, ground or water intentionally or by gross negligence

A person who submits a whistleblowing message does not need to have firm evidence for expressing a suspicion. However, deliberate reporting of false or malicious information is forbidden. Abuse of the whistleblowing service is a serious disciplinary offense.

If your matter concerns other areas, such as discrimination, harassment, bad behavior, dissatisfaction in the workplace or related matters, you can submit a message through the whistleblowing service and your message will be handled as required by the guidelines and practices according to the nature of the matter.

3. How to raise a concern?

There are different ways to raise a concern:

• contact Legal, your supervisor, other supervisor or HR, or

• submit an anonymous or confidential message through the whistleblowing service: https://report.whistleb.com/en/siilisolutions.

We encourage everyone submitting a message to tell their identity. All messages received will be handled confidentially. If you would like to submit a message anonymously, please do so. WhistleB, an external service provider, administrates the whistleblowing service. All messages are encrypted. To ensure the person's anonymity, WhistleB deletes all metadata, including IP addresses. The person sending the message also remains anonymous in the subsequent dialogue with responsible report receivers.

Conversation with the anonymous person is possible by using the username and password received after sending the message. The person who has submitted the message can log into the service using the username and password received and read the reply.

Dialogue can continue as long as the parties want.

If your message concerns other matter than whistleblowing matter, such as discrimination, harassment, bad behavior, dissatisfaction in the workplace or related matters, we recommend you tell us your identity in order to get your matter processed more quickly.

If you report your concern to Legal, your supervisor, other supervisor or HR instead of submitting your message through the whistleblowing service, your report will be handled according to this Whistleblowing Policy.

4. The investigation process

4.1. Whistleblowing team

Access to messages received through our whistleblowing service is restricted to appointed individuals with authority to handle whistleblowing cases. Their actions are logged, and handling is confidential. Individuals who can add expertise may be included in the investigation process when needed. These individuals can access relevant data and are also bound to confidentiality.

The whistleblowing team consists of Legal and designated persons from HR.

4.2. Receiving a message

Upon receiving a message, the whistleblowing team decides whether to accept or decline the message. If the team accepts the message, it will take appropriate measures for investigation (please see section 4.3. “Investigation” below).

The whistleblowing team may not investigate the reported misconduct if:

• the message has not been made in good faith or is malicious;

• there is insufficient information to allow for further investigation; or

• the subject of the message has already been solved.

If the message does not belong to the scope of whistleblowing legislation but the message is appropriate, the matter will be handled as required by the guidelines and practices according to the nature of the matter.

The person who has submitted the message will receive an acknowledgment of receipt of the report within 7 days. The whistleblowing team will send appropriate feedback within 3 months upon receiving the report.

Please do not include any sensitive personal data in your message unless such data is necessary for describing the concern. Sensitive personal data means data related to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or a person’s sex life or sexual orientation.

4.3. Investigation

All messages are treated seriously and in accordance with this Whistleblowing Policy. The following principles are being obeyed:

• No one from the whistleblowing team, or anyone taking part in the investigation process, will attempt to identify the person who has submitted an anonymous message.

• The whistleblowing team can, when needed, submit follow-up questions via the service for anonymous communication.

• A message will not be investigated by anyone who may be involved with or connected to the wrongdoing.

• Whistleblowing messages are handled confidentially by the parties involved.

If a person belonging to the whistleblowing team is identified in the message, the person in question will be excluded from the investigation, and their user rights to the management system of the cases will be removed.

5. Whistleblower protection and privacy

5.1. Whistleblower protection when a whistleblower has submitted the message with their identity

A person expressing genuine suspicion or misgiving regarding a whistleblowing matter will not be at risk of losing their job or suffering any form of sanctions or personal disadvantages as a result. It does not matter if the whistleblower is mistaken, provided that they act in good faith.

Subject to considerations of the privacy of those against whom allegations have been made and any other issues of confidentiality, a whistleblower will be kept informed of the outcomes of the investigation.

In cases of alleged criminal offenses, the non-anonymous whistleblower will be informed that their identity may need to be disclosed during judicial proceedings.

5.2. Privacy of the persons identified in the message

Personal data of the person who has submitted a message and the persons identified in the message will be handled according to the applicable data protection legislation and Siili’s data protection policies. Please familiarize yourself with our Whistleblowing

Data Protection Statement, in which personal data processing in our whistleblowing service has been described in more detail.

6. Confirming the Whistleblowing Policy

Siili’s Board of Directors confirms this policy and the changes made to it.

Originally accepted by Siili’s Board of Directors on 14 December 2021.

Technical updates by Siili Legal on 13 December 2023.

Whistleblowing Data Protection Statement

Siili Solutions Plc and its group companies ("Siili", also "we", "us", "our"; Finnish Business ID 1979903-5) place the highest value on protecting your personal data. Siili is the data controller of the personal data handled through whistleblowing service as described in this Whistleblowing Data Protection Statement ("Statement"). As a data controller, Siili is responsible for personal data processing and defines the purposes and means for processing personal data.

Personal data collected through whistleblowing service is handled to such extent as necessary to conduct an appropriate and sufficient investigation process.

More information on submitting a message and the investigation process is available on our Whistleblowing Policy.

Lawfulness of Personal Data Processing

Processing of personal data is based on:

• Siili’s mandatory legal obligations and

• Siili’s legitimate interests (our whistleblowing service is a way to oversee that our business operations are lawful and ethical).

Personal Data Collection Methods and Sources

Personal data collection methods are as follows:

• a message received through the whistleblowing service accessible on our website and possible additional information received from the person who has submitted the message and

• material that has been received and/or reported in our internal investigation process.

If the message has not been submitted through the whistleblowing service, but the person has instead contacted supervisor, Legal or HR, personal data of the reporting person and the persons identified in the report will be handled according to this Statement.

Personal Data Siili Collects and Processes

The following type of personal data may be handled through the whistleblowing service:

• name and contact details of the person who has submitted the message (if they have given such information);

• identities of the persons identified named in the message (to the extent such information has been given);

• information given in the message on the identified person and the actions of the person that are against the law or ethical principles; and

• information on evaluating the person’s actions and the lawfulness or ethicalness of such actions received in an internal investigation process.

Purposes of Personal Data Processing

A message through our whistleblowing service can be submitted openly or anonymously. If a person who has submitted a message tells their identity or submits a message concerning the actions of the other person, personal data is used for identifying and investigating the wrongdoings as well as possible investigation by the authorities and monitoring the phases of the investigation.

Retention

Personal data will be stored as long as necessary for the purpose it has been collected and is being handled or as long as the applicable legislation requires. If the legislation doesn’t require storing personal data when the investigation has been completed, and there are no other legal grounds for storing the personal data, permanent deletion is carried out 30 days after completion of the investigation.

Investigation documentation and messages that are archived will be anonymised under GDPR; they will not include personal data through which persons can be directly or indirectly identified.

Disclosures and Transfers

Access to messages received through our whistleblowing service is restricted to appointed individuals with authority to handle cases. However, individuals who can add expertise may be included in the investigation process when needed. The whistleblowing team consists of Legal and designated persons from HR.

Personal data is not disclosed outside of Siili unless there is a lawful ground. The lawful ground may be at hand, for example, when the authority must carry out the investigation.

Our external service provider WhistleB Whistleblowing Centre Ab (World Trade Centre, Klarabergsviadukten 70, SE-107 24 Stockholm) processes the personal data on our behalf and acts as a data processor. WhistleB is responsible for the whistleblowing application, including processing encrypted data, such as whistleblowing messages. However, neither WhistleB nor any subcontractors can decrypt and read messages. As such, neither WhistleB nor its subcontractors have access to readable content.

Personal data is not transferred outside of the European Union or European Economic Area.

Security and personal data protection principles

The identity and other information of the persons involved in the matter is only disclosed to third parties to the extent required by appropriate and sufficient investigation. The identity of the person who has reported misconduct (if the person has told their identity) will be kept confidential to the extent necessary for the investigation.

Access to messages received through our whistleblowing service is restricted to appointed individuals with authority to handle cases. Siili’s personnel is bound by confidentiality obligations and internal security policies and instructions.

All actions of the whistleblowing team in the whistleblowing service are logged.

The information security management system of the external service provider WhistleB complies with the international security standard ISO/IEC 27001:2017.

Automated Decision-Making

We do not make decisions about the reporting person, or the person identified in the message through automated decision-making.

Your Rights

At any time, you have the right to:

• gain access to your personal data and receive a copy of the personal data and related supplementary information concerning personal data processing as required by the law;

• verify the accuracy of your personal data and at your request, have your incomplete, inaccurate or outdated personal data modified or erased;

• under certain circumstances, be forgotten by us with regards certain personal data if;

o personal data are no longer necessary in relation to the purposes of processing;

o personal data must be erased for compliance with a legal obligation in EU or member state law to which Siili is subject; or

o personal data have been unlawfully processed by Siili;

• have the processing of your personal data restricted under certain circumstances if;

o data subject contests the accuracy of the personal data;

o the processing is unlawful, and the personal data subject opposes the erasure of the personal data and requests the restriction instead; or

o Siili no longer needs the personal data for the purposes of uses, but personal data are required by the data subject for the establishment, exercise or defense of legal claims;

• receive your personal data which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller; and

• lodge a complaint with a supervisory authority (Finnish Data Protection Ombudsman).

You may send us an e-mail at [email protected] in order to use your rights. However, the request may be declined or restricted when allowed or required under the law.

New Versions of This Statement

We may change or amend this Statement as necessary, and therefore we recommend that you revisit this Statement regularly.

Contact Information

If you want to contact us in data protection related matters, please send us an e-mail at [email protected].

Code of Conduct

For Siilis and Siili’s partners

Foreword

Siili creates a better tomorrow by combining human needs, technology and sustainability. Our shared value is responsibility, which helps Siilis, our employees, reach their goals. The foundation for responsibility is laid by adherence to the Code of Conduct.

Each employee of the Siili Group must comply with this Code of Conduct. Siili’s subcontractors and other partners must also follow this Code or a similar set of terms.

Adhering to the Code of Conduct will help us realize our purpose, which is to be the best community for our customers, employees and entrepreneurs to learn, grow and create sustainable value.

Siili regularly provides training for its employees in matters related to the Code of Conduct.

Siili and Siili’s partners:
Siili’s Code of Conduct is attached. It describes our way of working.

This Code of Conduct concerns the companies that belong to the same Group as Siili Solutions Plc, as well as all the employees and partners of these companies.

As a Siili, I comply with all applicable legislation and ethically sustainable operating models

Siili has operations in several countries. We comply with and respect local laws and regulations. We are honest and just in everything we do. We take responsibility for all our ventures. Every Siili employee complies with the laws, regulations and ethical norms as well as other guidelines defined by Siili, which are applicable to their field of work.

Expertise and development of competences

New Siilis are hired for their expertise and for being a good match for the company culture, all the while keeping diversity in mind.

As Siili employees, we make sure that we develop our competences so that our expertise and professional skills are always up to date and we can feel proud to put our skills to use for the service of our clients. While we work in various work communities and with our clients, we do our best to share our expertise with others. We don’t look down on our less experienced or less competent colleagues when we meet them in our work. Instead, we understand that we have a responsibility to share our knowledge and make use of it while carrying out our duties.

Equality, non-discrimination and a safe work environment

We treat everyone as an equal and don’t tolerate discrimination of any kind. We promote equality.

We seek to ensure a work environment with no harassment, inappropriate behavior or abuse. Siili condemns sexual and all other types of psychological or physical harassment. Siili provides a work environment where people can work safely and efficiently towards reaching their goals. Each Siili is responsible for creating a safe place to work for others.

We respect human rights and do not use child labor

We respect internationally recognised human rights in all that we do and advance their realization. Siili does not use child labor. The employees of Siili can decide whether they want to belong to a labor union or a similar representative organization. Siili must not prevent its staff from using their right to choose their political views.

We avoid conflicts of interest

Work must be carried out without regard to self-interest or the interest of friends or family members. When doing business with our friends and family, we treat them like any other business partner, and our decision making isn’t affected by any personal relationship we may have with them. We report any situation that could potentially be interpreted as a conflict of interest by following the guidelines given below.

We do not give or receive bribes or support dishonest activities, and we believe in fair competition

We want Siili’s clients and other partners to trust the company and the services it provides.

Members of Siili staff are not permitted to give or receive any gifts that would influence Siili’s business decisions or that are of considerable personal nominal or monetary value. Siili will not offer inappropriate financial incentives to any representative of an authority with the intention of promoting business or some other interest of the Group.

A Siili employee may give or receive only occasional token gifts or business-related hospitality of low value as long as these don’t result in obligations or expectations of returning any favors to the person giving or receiving the gift or hospitality.

As a Siili employee, I will not work in a way that supports the dishonest conduct of others. This includes activities such as embezzlement, blackmailing, theft and fraud, tax fraud, submitting misleading financial statements, forging data or propositions, deception and breach of trust in order to gain an unfair or unlawful advantage for Siili or other parties, such as Siili’s clients.

As a Siili employee or as a partner of Siili, I will not tolerate any type of bribery, corruption or fraudulent activity.

Siili is an honest competitor and complies with marketing and competition legislation. We believe in fair competition and support the advancement of fair competition by adhering to laws and regulations. Our goal is to provide our clients and partners with reliable services by acting in accordance with the guidelines of our clients and partners as well as with local legislation. If we notice any operational models that do not comply with competition legislation, we will take immediate action. We do not discuss sensitive issues (e.g. prices, strategy or clients) with our competitors.

Siili will make business-related decisions in a way that promotes the company’s competitiveness and that is financially sound and appropriate.

Environmental work is on every Siili’s responsibility

Siili is committed to acting according to the principles of sustainable development and to preventing and reducing harm to the environment. We comply with existing environmental legislation and regulations of public authorities. We strive to minimize our environmental burden.

We also take environmental aspects into consideration in our facilities, acquisitions and invitations to tender.

Data security, data protection and confidentiality

Siili provides a reliable and secure service for its clients. Siili manages its processes and services by using appropriate and integrated security related operational models. Security is very important to us, and we expect Siili personnel and partners to take safety matters into consideration.

Siili is committed to protecting the privacy of its clients, employees and other stakeholders and to complying with applicable privacy and data protection laws and regulations. Respecting privacy is an essential part of our business operations and company culture. We always handle personal data with care and process personal data in a transparent way.

As a Siili employee, I will keep any information related to the operations of the business, staff, clients or partners confidential and will not disclose this information to anyone apart from those concerned.

Communication and insider regulations

Siili’s communication is timely, open, direct and honest. As a Siili employee, I will not act in a way that will harm Siili’s reputation or its success in business. As a listed company, Siili is obligated to comply with insider regulations.

How does Siili monitor compliance with the Code of Conduct, and how can I report abuse?

Siili monitors compliance with these guidelines. Our goal is to promote adherence to these principles in the operations of our partners as well. The Management Team of Siili is responsible for communicating the principles of these guidelines to the employees. The superiors’ job is to ensure that the principles are understood and complied with.

Failing to comply with and breaching of Siili’s Code of Conduct may result in disciplinary action. In such case, Siili may, for example, terminate the contract of an employee or end the business relationship with a partner.

Breach of the Code of Conduct is reported to the superior, to Siili’s legal services or to https://report.whistleb.com/en/siilisolutions. Suspected abuse or breaches will be investigated and resolved confidentially. Siili employees will not suffer any negative contractual consequences for reporting abuse or breach.

The Siili Code of Conduct has been approved by the Board of Directors of Siili Solutions Plc. The guidelines are updated as needed.

/////////////
Originally accepted by Siili’s Board of Directors on 16 December, 2019.
Minor changes accepted by the Chairman of the Board of Directors on 30 March 2021 based on the Board’s authorization on 16 December 2019.