Whistleblower Policy Costa Rica

1. INTRODUCTION

1.1. This Whistleblower Policy (hereinafter referred to as the Policy) establishes that 3-102-954166, company number incorporated in Costa Rica, with registered address Provincia 06 Puntarenas, Canton 11 Garabito, Jaco, Costado Este de la Municipalidad Garabito, Bufete Sanchez Chavarria, email costarica@xchange-360.com (hereinafter referred to as the Company), is committed to strengthening its integrity system and supporting protected whistleblowing activities. The Policy complies with Costa Rican labor laws (Código de Trabajo), AML/CFT regulations under SUGEF (Superintendencia General de Entidades Financieras), and international standards including FATF recommendations, ensuring confidentiality, protection, and fair treatment of whistleblowers while prohibiting retaliation. The Company establishes an internal whistleblowing system so employees and stakeholders have secure channels for reporting misconduct.
1.2. This Policy defines rights and obligations of the Company’s employees, board members, external stakeholders, and witnesses for reporting violations and unethical conduct. Reports aim to protect public interest and prevent unlawful activities, including financial regulations breaches, AML compliance, consumer rights, workplace safety, environmental violations, and data protection. Reports solely for personal interests do not qualify for protections.
1.3. Reports pertain to areas like corruption, public procurement, financial services/AML/CFT, product safety, transport/environmental protection, food safety, public health, consumer protection, data privacy/cybersecurity, financial interests protection, and human rights.

2. DEFINITIONS 

2.1. COMPANY INTERNAL CHANNEL – refers to a secure, designated reporting system within the Company that allows employees, external parties, and others associated with the Company to report potential violations. The system ensures confidentiality, protects the whistleblower’s identity, and allows the Company to address the issue efficiently. It is key to maintaining integrity and ensuring prompt resolution of reported issues. 

2.2. COMPANY PERSONNEL – refers to any individual employed by or contracted with the Company, including an employee, a person providing work on a basis other than an employment relationship, including on the basis of a civil law contract, also a job applicant, as well as contractors and third-party service providers. 

2.3. CONFIDENTIALITY – ensures that a whistleblower’s identity and the details of their report are protected from unauthorized access or disclosure. This is crucial for maintaining trust in the system and encourages reporting by safeguarding the whistleblower from retaliation. Confidentiality extends to all individuals mentioned in the report, including witnesses and affected parties 

2.4. CREDIBILITY – refers to the reliability and trustworthiness of the information provided in a whistleblowing report. For a report to be considered valid, the whistleblower must provide verifiable facts supported by evidence. 

2.5. FALSE REPORT – refers to a whistleblowing report made with the intention of misleading, deceiving, or fabricating claims of violations. False reports can harm the integrity of the process and may result in disciplinary actions against the reporter. 

2.6. GOOD FAITH – means reporting violations with honest intent, aimed at protecting the public interest, rather than seeking personal gain or causing harm. Whistleblowers reporting in good faith are protected under Company policies, even if their report turns out to be inaccurate, provided the intention was genuine. 

2.7. INVESTIGATION – is the formal process undertaken by the Company to validate a reported violation, involving the collection of evidence, interviews, and assessment to determine the nature of the violation and necessary corrective actions. 

2.8. NON-RETALIATION POLICY – ensures that individuals who report violations will not face retaliation in any form, such as dismissal, harassment, or discrimination. Retaliation is strictly prohibited and may result in disciplinary action. 

2.9. WHISTLEBLOWER PROTECTION AUTHORITY – the PRODHAB (Agencia de Protección de Datos de los Habitantes de Costa Rica is designated as the competent authority for whistleblower protection. The authority is responsible for receiving and assessing external reports, ensuring compliance with whistleblower protections, providing guidance and support to whistleblowers 

2.10. RELATED PERSONS – individuals who are directly or indirectly connected to a reported violation, including family members, colleagues, or business partners. Their actions may be relevant to the investigation. 

2.11. REPORTING – is the act of submitting information regarding a violation through the Company’s designated internal channels. Reports include descriptions of the violation, involved parties, evidence, and possible consequences. 

2.12.  RETALIATION – refers to negative actions taken against someone for reporting violations or assisting in an investigation. This includes firing, demotion, or creating a hostile work environment. Retaliation is prohibited and may lead to disciplinary action. 

2.13.  VIOLATION – refers to any criminal act, administrative offense, misconduct, or breach of duties within the Company, including serious ethical violations, cover-ups, or illegal acts threatening public interest. 

2.14.  WHISTLEBLOWER – an individual who reports violations of laws, regulations, or Company policies, often based on information acquired through employment or contractual relationships with the Company. 

2.15.  WHISTLEBLOWER MANAGER (or COMPLIANCE OFFICER) – the designated person responsible for handling and responding to whistleblowing reports, ensuring compliance with legal and internal policies, and protecting the whistleblower throughout the process. 

2.16. WHISTLEBLOWING PROCEDURE – is a formal and structured process developed by our company, to facilitate the reporting of misconduct, violations, or unethical behavior by employees, contractors, or other stakeholders. This procedure is a critical part of our commitment to transparency, accountability, and compliance with relevant laws and regulations. It is designed to ensure that individuals feel safe and supported in raising concerns, without fear of retaliation. 

2.17.  WITNESS – individuals who have direct knowledge of or have observed the violation. Their testimonies can provide crucial evidence during an investigation. 

2.18.   VERIFIABILITY – the ability to substantiate the accuracy of a whistleblower’s report through available evidence such as documents, emails, or records. 

2.19.  ANONYMITY – the option for whistleblowers to report violations without revealing their identity, ensuring protection from potential retaliation. 

2.20.  WHISTLEBLOWER PROTECTION– encompasses legal safeguards and internal policies designed to protect individuals from retaliation or harm for reporting violations. 

2.21. WRONGDOING– refers to any act of misconduct, illegal activity, or violation of Company policies, laws, or ethical standards that could harm the Company or its stakeholders, whether it is an act already committed, or one being planned. 

3. LEGAL BASIS AND APPLICABILITY 

3.1. Costa Rica incorporates international whistleblower protection standards through FATF recommendations, OAS anti-corruption conventions, and national laws promoting transparency. Key frameworks include Código de Trabajo (Labor Code, Arts. 4-6 prohibiting discrimination and retaliation), Ley de Protección de Datos Personales (Data Protection Law enforced by PRODHAB), and Ley contra el Lavado de Dinero (AML Law No. 8204 administered by SUGEF). These ensure whistleblowers are protected from retaliation with confidentiality and due diligence in handling disclosures.

3.2. National laws align with global best practices, providing safeguards for reporting breaches of law, ethical misconduct, or violations. Whistleblowers can use internal channels or go directly to external authorities without prior internal reporting if internal channels seem ineffective or unsafe.

3.3. This Policy establishes a comprehensive framework for protecting individuals reporting breaches, handled confidentially per data protection rules. Personal data processing complies with Costa Rican Data Protection Law and SUGEF guidelines for financial entities.

3.4. Whistleblowers may report externally to PRODHAB (for data/privacy), SUGEF (for AML/financial), or other authorities like Poder Judicial without internal prerequisite. External reports ensure viable alternatives when fearing retaliation.

3.5. PRODHAB (Agencia de Protección de Datos de los Habitantes, prodhab.go.cr) and SUGEF handle external reports, providing guidance, compliance oversight, and retaliation prevention.

3.6. Policy applies to all: employees, contractors, suppliers, third parties witnessing violations. Includes:

• Internal mechanisms first (unless ineffective).

• External to PRODHAB/SUGEF.

• Public/private sector uniformity.

• Strict non-retaliation (no dismissal, harassment; remedies via labor courts).

4. MANAGEMENT OF REPORTS AND REPORTING CHANNELS 

4.1 Internal Reporting Channels
Employees, contractors, and other relevant stakeholders may report concerns, suspicions, or allegations of wrongdoing through the Company’s internal reporting channels. These channels include:

• Reports may be submitted via the dedicated whistleblowing email address costarica@xchange-360.com. The Compliance Officer (or other designated Whistleblowing Officer appointed by the Company) will review and act upon submissions.

• An online form available on the Company’s intranet or website portal, enabling the submission of detailed concerns in a secure and confidential manner.

• Reports may be made directly to an immediate supervisor or manager, who must ensure prompt escalation of the report to the Compliance Officer or the designated Whistleblowing Officer.
  All reports will be acknowledged within seven (7) days, assessed within thirty (30) days (extendable up to ninety (90) days in complex cases), and handled with strict confidentiality and protection against retaliation, in accordance with applicable Costa Rican law, the Company’s internal policies, and international best practices.

4.2 External Reporting Procedure
Whistleblowers may submit a report externally, either independently or after using internal channels, to any competent authority in Costa Rica, depending on the nature of the report. For example, reports relating to personal data protection and privacy matters may be directed to the Agencia de Protección de Datos de los Habitantes (PRODHAB), and reports relating to AML/CFT or financial services compliance may be directed to the relevant competent authority, including where applicable SUGEF.
External authorities receiving and handling an external report are independently responsible for managing personal data contained in the report and will process such data in accordance with applicable Costa Rican data protection laws and their own procedures.
Whistleblowers may submit external reports through official channels made available by the relevant authority. Submission methods may include:
(i) Written requests, including by post, to the relevant authority’s designated correspondence address.
(ii) Electronic submissions, including by email or via an electronic reporting service provided by the relevant authority.
(iii) Online forms or applications approved by the relevant authority for electronic submissions.
(iv) Oral reports, including in person or by phone, where such channels are offered by the relevant authority.
Where applicable under the receiving authority’s procedures, receipt of an external report may be acknowledged within seven (7) days, unless the whistleblower requests otherwise or if acknowledgment could jeopardize confidentiality. The receiving authority may request clarification or additional information where required, provided such request does not compromise the protection of the whistleblower’s identity.

4.3 Procedures for Reporting and Handling Regulatory Breaches (Costa Rica)
4.3.1 The Company maintains a structured internal procedure ensuring that all employees, contractors, and external stakeholders can effectively report any actual or potential breaches of applicable Costa Rican laws and regulations, including (where relevant) AML/CFT obligations and the Company’s internal compliance policies.
4.3.2 The AML Officer (or another designated Compliance Officer) acts as the Designated Person responsible for receiving and managing whistleblowing reports. The appointment decision and role responsibilities are documented and retained in the Company’s compliance records, and the Company ensures that the Designated Person has adequate independence, resources, and expertise to perform their duties.
4.3.3 Reports may be submitted through any of the following secure channels:
(i) By email to: costarica@xchange-360.com;
(ii) Through a secure online form available on the Company’s platform;
(iii) Orally or in person upon request, with a confidential meeting arranged within five (5) working days where feasible;
(iv) Via internal communication channels that are restricted to authorized personnel and monitored to ensure integrity and protection of submitted reports.
4.3.4 The Designated Person will acknowledge receipt of each report within seven (7) days from submission. Each report receives a unique reference number and is recorded in the Whistleblower Register, including the date, time, and type of report.
4.3.5 Within fourteen (14) days of acknowledgment, the Designated Person evaluates whether the report is credible, relevant to the Company’s regulatory or compliance obligations, and contains sufficient information for investigation. If verified, the Designated Person initiates an internal investigation and informs the whistleblower (if identifiable). If rejected, the whistleblower is notified in writing with a brief justification where possible. Anonymous reports are assessed on the same basis, but feedback may be limited if no contact details are provided.
4.3.6 The Company aims to provide feedback on the outcome of the report within three (3) months from acknowledgment. If additional time is required due to complexity, the whistleblower will be informed of the delay and the reasons, where feasible.
4.3.7 Access to submitted reports and related personal data is restricted to authorized personnel only, primarily the Designated Person and senior management on a strict need-to-know basis. Technical measures (including access controls, logging, and secure storage) are implemented to protect confidentiality and prevent unauthorized access or disclosure.
4.3.8 The Company publishes on its website, or otherwise makes available upon request, basic information on: (i) the internal reporting channel(s), (ii) available external reporting options, and (iii) key elements of the reporting procedure and whistleblower protection principles, subject to applicable law and operational constraints.
4.3.9 All reports, including evidence and correspondence, shall be stored for at least three (3) years after closure of the investigation and may be retained longer where required for audit, legal, or regulatory purposes. After the applicable retention period expires, records are securely destroyed in accordance with the Company’s data protection and retention practices.

4.4 The Company guarantees protection of the whistleblower’s identity, ensuring confidentiality and, where possible, anonymity throughout the process. Reports will only be disclosed to authorized personnel involved in investigating the matter, and information will be handled with utmost care to protect the whistleblower from retaliation.

4.5 The Company prohibits retaliation against individuals who report concerns in good faith through established reporting channels. Any retaliation will be treated as a serious breach of Company policy and investigated promptly, and affected persons may also seek remedies available under applicable Costa Rican law.

4.6 Whistleblowers may seek guidance from the Compliance Department on how to report a concern or obtain clarification on the process. Where appropriate, the Company may provide access to support resources, including legal or psychological assistance, to support the whistleblower’s well-being during the process. The Company is committed to fostering a transparent, ethical, and secure environment where individuals can report violations without fear of retaliation.

5. VERIFICATION PROCESS 

5.1 Upon receiving a whistleblower report, the Compliance Officer (or other designated Whistleblowing Officer) is responsible for logging the report in a secure and confidential register. The report is then subject to an initial verification to determine whether it contains sufficient information about a potential violation and whether any immediate protective or risk-mitigation measures are required. If the report is clear and actionable, it proceeds for further processing; if additional information is needed, it will be flagged for follow-up, subject to preserving confidentiality. Unauthorized disclosure of a whistleblower’s identity or report details is strictly prohibited and may result in disciplinary measures and other consequences under applicable Costa Rican law and the Company’s internal policies.

5.2 The Company accepts anonymous reports, provided they meet the minimum criteria for handling as outlined in this Policy. Anonymous reports are processed with the same care and attention as non-anonymous reports, and confidentiality is maintained with access limited to authorized personnel only. If a report is deemed insufficient for further investigation, the whistleblower’s anonymity (where known internally) remains protected throughout the assessment and decision-making process.

5.3 Each report is analyzed to determine whether it is credible and falls within the scope of the Company’s policies and applicable Costa Rican laws and regulations. The Compliance Officer assesses the validity of the report, may gather additional facts or documentation, and decides whether an investigation is warranted, including whether escalation to senior management, Legal, Information Security, AML/Compliance, or other relevant functions is necessary. If the report is verified as valid, it proceeds to the investigation stage; if not, the whistleblower is informed of the decision where reasonably possible, and the report is archived in line with the Company’s retention rules.

5.4 If the report passes the initial verification, an internal investigation is initiated by the designated team or department. The investigation follows the Company’s standard procedures and is conducted in a fair, impartial, and confidential manner, including appropriate documentation of all steps taken and measures to avoid conflicts of interest. The investigative team gathers and evaluates evidence, interviews relevant persons where appropriate, and reviews supporting documentation to confirm or refute the allegations. Based on the findings, corrective actions or other necessary measures are implemented. The investigation is completed within a reasonable timeframe, and all parties involved are kept appropriately informed, subject to confidentiality, legal requirements, and the integrity of the process.

5.5 The whistleblower is informed about the acceptance of their report and the initiation of an investigation where applicable and where contact details are available. During the investigation, the whistleblower may receive periodic status updates where feasible and permitted, and once the investigation is concluded, the whistleblower is informed of the outcome in a way that does not breach confidentiality, privacy rights, or legal obligations.

5.6 All actions taken throughout the process prioritize protection of the whistleblower’s identity and seek to prevent retaliation. If any form of retaliation, intimidation, harassment, discrimination, or other adverse treatment is reported or suspected, the Company takes prompt corrective action, including interim protective measures where appropriate. Violations of whistleblower protection principles or confidentiality obligations are treated as serious misconduct and may result in disciplinary action and other remedies available under applicable Costa Rican law and internal policies.

6. PROCEDURE FOR HANDLING INFORMATION ON VIOLATIONS REPORTED ANONYMOUSLY 

6.1 The Company recognises the importance of allowing whistleblowers to submit reports anonymously in order to encourage the reporting of violations without fear of retaliation. Anonymous reports will be accepted and processed with the same level of diligence, objectivity, and confidentiality as non‑anonymous reports, provided they contain sufficient detail to enable a meaningful assessment and, where appropriate, an investigation.

6.2 Any anonymous report of a violation that meets the minimum content requirements (for example, description of specific incidents, dates or timeframes, involved parties, and any available supporting evidence) will be registered in the whistleblowing register and reviewed by the Compliance Officer or other designated Whistleblowing Officer. The assessment will determine whether there is a reasonable basis to proceed with an investigation.

6.3 Where an anonymous report is accepted for investigation, the inquiry will proceed without attempting to identify the whistleblower. If additional information is necessary, the Company may, where technically possible, use the same anonymous channel (for example, an anonymous web form reference) to request further details, provided that this does not compromise the anonymity of the whistleblower. If there is a risk that anonymity could be compromised, no further clarification will be sought.

6.4 Due to the anonymous nature of such reports, providing direct feedback to the whistleblower is not always possible. Nonetheless, the Company will ensure that all accepted anonymous reports are investigated thoroughly, that decisions and actions are documented internally, and that any necessary remedial or disciplinary measures are implemented and recorded.

6.5 The Company guarantees that the anonymity of whistleblowers who choose not to disclose their identity will be protected throughout the entire process. All anonymous reports will be handled with the utmost care to prevent any potential retaliation, misuse of information, or breaches of confidentiality, in alignment with applicable Costa Rican law, the Company’s data protection practices, and its commitment to a safe reporting environment.

7. STORAGE OF INFORMATION 

7.1. The Company is committed to ensuring the protection of whistleblowers’ personal data, including their identity, throughout the entire reporting and investigation process. All personal data submitted by whistleblowers, whether through internal or external channels, will be handled with the utmost care and in compliance with applicable data protection laws and the Company’s policies. 

7.2. Personal data, including any information that could potentially identify the whistleblower, is subject to strict confidentiality and will only be accessible to those involved in the management of the report, in accordance with the Company’s internal procedures. 

7.3. In cases where the disclosure of the whistleblower’s identity is legally required in the context of proceedings conducted by public authorities, the Company will inform the whistleblower about this requirement and explain the reasons for such disclosure. This will only occur if such a legal obligation exists, and the Company will ensure transparency in the process. 

7.4. Personal data collected in connection with the acceptance of a whistleblower report will be retained for a period of up to three years after the completion of the follow-up actions, or one year from the conclusion of the investigation or corrective measures. The retention period ensures that any necessary records are available for audit or review, while respecting the whistleblower’s right to privacy. 

7.5. The Company guarantees that all measures are taken to ensure the security of stored personal data, with access granted only to authorized individuals who require it for legitimate purposes. Any data retention or processing will be in line with the company’s data protection policy and applicable legislation on personal data protection. 

8. ARCHIVING OF REPORTS 

8.1. The Company is committed to maintaining an internal register of all whistleblower reports, ensuring proper administration of the data contained within the register in compliance with our policies and applicable legal requirements. This register will be securely stored and managed, with access granted only to authorized personnel involved in the handling and processing of reports. 

8.2 The internal register will include the following essential details for each whistleblower report:  

(i) A unique reference number for the report.  

(ii) A brief description of the alleged breach or issue.  

(iii) The personal and contact details of the whistleblower (if provided).

(iv)  The date the report was received.  

(v) Information regarding any follow-up actions taken during the investigation process. 

1. The date on which the report was closed, including the outcome of any actions taken. 
2. The Company recognizes the importance of maintaining transparency in the whistleblowing process. As such, all records will be kept in accordance with the data retention policy, which ensures that the information is securely stored for the required period. The mandatory retention period for the whistleblower report records is three years, starting from one year after the completion of follow-up actions or closure of the investigation. 
3. During this retention period, all records will be easily accessible for audit, review, or further legal purposes if required. After the retention period has elapsed, all records will be securely archived or destroyed in accordance with the Company’s data protection policy, ensuring that personal data is handled with care and in compliance with relevant privacy regulations. 
4. This archiving process allows the Company to maintain a comprehensive and secure record of all whistleblower reports, ensures compliance with legal and regulatory obligations, and protects the confidentiality of the whistleblower and all parties involved in the process. The Company is committed to upholding the highest standards of transparency and security while safeguarding the privacy of all individuals involved in the whistleblowing procedure. 

9. MAXIMUM PERIOD FOR FEEDBACK TO THE COMPLAINANT 

9.1. The Company is committed to providing timely responses to internal complaints in accordance with legal requirements and best practices. The following procedure outlines the maximum period for providing feedback to the complainant: 

9.2. Upon receiving an internal complaint, the company is required to acknowledge receipt of the complaint within 7 days. The acknowledgment will confirm the receipt of the complaint and provide an overview of the next steps in the process. 

9.3. The maximum period for providing feedback to the complainant regarding the outcome of the internal complaint is 3 months. This period starts from the date of acknowledgment of receipt of the internal complaint. 

9.4. If the acknowledgment is not sent to the complainant within 7 days (due to a lack of provided contact information), the 3-month period for feedback will begin after 7 days have elapsed from the date of the internal complaint. 

9.5. In cases where the complainant has not provided the necessary contact details (postal address or email address), the company will make reasonable efforts to contact the complainant. However, feedback may be delayed if no contact information is available, and it will not be considered the Company’s responsibility if the complainant does not provide such details. 

9.6. The Company will make every effort to ensure that feedback is provided within the 3-month period. In cases where additional time is required, the complainant will be informed promptly and provided with an explanation for the delay.  

10. WHISTLEBLOWING AND LIABILITY 

10.1. The Company is committed to providing protection for whistleblowers who report misconduct or violations in good faith. In line with the Company’s internal policies and relevant legal frameworks, whistleblowers are protected from retaliation and should they face any adverse actions as a result of their report, they are entitled to appropriate compensation. 

10.2. If a whistleblower faces retaliatory actions—such as demotion, harassment, discrimination, or termination of employment—due to their report, they are entitled to compensation. The amount of compensation will be no less than the average monthly remuneration in the national economy for the previous year. This ensures that whistleblowers are protected and not penalized for their decision to report violations in the workplace. Compensation claims may be submitted through relevant authorities, including the Ministry of Justice. 

10.3. While the Company encourages the reporting of any potential violations or misconduct, it is also essential that whistleblowers ensure the accuracy of the information they provide. In cases where a whistleblower intentionally submits false or misleading reports, or makes false public disclosures, the person who has suffered harm due to the false report or disclosure is entitled to compensation for the damage done to their personal rights. This compensation may be sought directly from the whistleblower responsible for making the false report. 

10.4. In the event that a whistleblower claims retaliation, it is presumed that any action taken by the Company, such as disciplinary measures or adverse changes to their work conditions, may constitute retaliation. The burden of proof then shifts to the Company. The Company must demonstrate that the action was taken for objective and justifiable reasons, unrelated to the whistleblower’s report. 

10.5. The Company is committed to ensuring that all whistleblowers can report in good faith without fear of retaliation. Any retaliation is not tolerated and will be met with corrective action. At the same time, the Company acknowledges the potential risks involved in false reporting and emphasize that malicious, false reports may result in legal and financial consequences for the whistleblower. 

10.6. The Company ensures that any claims of retaliation or false reporting will be thoroughly investigated with the highest level of impartiality, and the Company will uphold both the rights of the whistleblower and those potentially affected by the report. 

By implementing these measures, the Company guarantees a transparent, legally compliant, and fair whistleblowing framework, ensuring protection for whistleblowers while preventing abuse of the system. 

11. CONFIDENTIALITY 

11.1. The Company is committed to maintaining the highest level of confidentiality in the whistleblowing process, in accordance with § 20 and § 27 of the Act. This includes safeguarding the personal data and identities of the whistleblower, the affected person, and any third parties mentioned in the report. We take necessary measures to prevent unauthorized access to any sensitive information related to the whistleblowing procedure. 

11.2. Only individuals specifically authorized by the Company, in writing, are permitted to receive, verify, monitor, or process internal reports. These authorized personnel are entrusted with handling sensitive data and are required to maintain strict confidentiality regarding the information and personal data obtained during the whistleblowing process. This duty of confidentiality extends even beyond the termination of their employment or legal relationship with the Company. 

11.3. All personal data and information related to a report, including the identity of the whistleblower, the affected party, and any third parties, shall be securely stored and only accessible to authorized individuals. This data will be retained for the minimum period required by law and as specified in the Company’s internal procedures. 

11.4. To ensure that unauthorized individuals do not have access to whistleblowing information, the Company has implemented various security measures, including encrypted communication channels and restricted access to digital and physical records. Any breach of confidentiality will be investigated promptly, and appropriate measures will be taken to prevent future occurrences. 

11.5. The Company commits to protecting the identity of the whistleblower throughout the investigation process. The information contained within the report will only be disclosed to other parties if required by law, such as for criminal investigations, or where explicit consent has been given by the whistleblower. In such cases, the whistleblower will be informed and provided with a clear explanation regarding the disclosure of their identity. 

11.6. The authorized personnel who handle whistleblowing reports are obliged to maintain confidentiality regarding the information and personal data obtained in the course of the reporting process. They must refrain from disclosing any sensitive information unless legally mandated or when disclosure is essential for the purposes of the investigation. This confidentiality obligation continues even after the termination of the employee’s or authorized individual’s relationship with the company. 

11.7. All employees involved in receiving, processing, or investigating reports are required to undergo regular training on the importance of confidentiality and data protection. This training includes a clear understanding of the legal requirements surrounding whistleblowing and the responsibilities of those involved in the process to protect sensitive information. Employees are also reminded of the serious legal and ethical consequences of breaching confidentiality. 

11.8. The Company ensures that the whistleblower’s identity is protected throughout the process to prevent retaliation or harm. If retaliation or discrimination against the whistleblower is reported, the Company will take immediate corrective action. The whistleblower is provided with reassurance that their identity will be kept confidential and that their protection is a priority. 

11.9. By implementing these confidentiality measures, the Company demonstrates its commitment to creating a safe environment for whistleblowers, ensuring that their concerns are addressed while protecting the privacy and rights of all parties involved. 

12. POLICY UPDATES AND REVISIONS 

12.1. The Director of the Company approves this Policy, and the Compliance Officer oversees its updates. The Compliance Officer is also responsible for ensuring that the Policy is communicated to all Company’s  executives and employees, external stakeholders, contractors, and third parties, provides updates to reflect changes in legislation or best  practices, oversees the implementation of this Policy, and ensures  compliance with applicable whistleblower protection laws. The Policy will be made available on the Company’s website for easy access. Should there be any questions or concerns about compliance with this Policy, employees are encouraged to reach out to the Compliance Officer for further assistance and clarification.   

END OF POLICY

LAST UPDATE 17.02.2026