Reference portal: Legal Software Whistleblowing - Digital PA

Whistleblowing manager: Avv. Giulia De Maio   3202240865

ODV: Avv. Antonio Demitry

Premises and purpose of the document

With this Vademecum, Mexedia S.p.A. SB defines a violation reporting system and the related organizational and procedural aspects, in particular: the subjects who can activate this system, the violations subject to the Report, the channels for the Reports, the management activities and protections for the Reporter and the Reported.

This policy is intended to provide detailed information on the WHISTLEBLOWING management system.

This document is made available and made known to potential interested parties through:

- publication on the website www.mexedia.com so as to be made available to external parties;

- posting on the company's noticeboards;

Subjects involved: Reporters and Reported

In relation to the current legislative and regulatory provisions, see art. 3 of Legislative Decree no. 24/2023, the reporting system can be activated by the following subjects:

-employees (any type of contract)

-those who operate on the basis of relationships that determine their inclusion in the company organisation, even in a form other than an employment relationship such as, but not limited to, interns, interns, collaborators.

- members of corporate bodies, shareholders and people with administrative, management, control, supervisory or representation functions.

- third parties having relationships and business relationships with Mexedia S.p.A. SB. (for example

customers, suppliers, consultants).

Reports may concern the following subjects:

-employees and/or managers of Mexedia S.p.A. SB

- members of the corporate bodies;

-third parties (for example suppliers, consultants, collaborators), who can determine how

direct or indirect, economic, financial and/or image damage to the Company.

Case subject to whistleblowing

The Reports may concern violations of national and European law, for example illustrative but not exhaustive, they may concern:

-conflicts of interest;

- violation of the principles of impartiality, transparency, correctness, professionalism;

- violations relating to the protection of workers;

-alleged offences, among those envisaged by Model 231, by company representatives in the interest or  advantage of the company;

- behavior inconsistent with the ethical duties of employees;

-attempted, alleged, actual acts of corruption;

-improper use of company assets;

-illicit and/or fraudulent activities to the detriment of customers or company assets in general;

In relation to these premises, it seems appropriate to indicate which topics and situations/circumstances are such that they are not considered subject to reporting:

Disputes, claims, requests linked to a personal interest that pertain to the working relationship.

- Reports of violations where already regulated on a mandatory basis by European Union or national acts.

- Limits established by national and European legislation regarding "classified information" remain, i.e. those for which there is a legal obligation of secrecy. For example, information covered by professional, medical and forensic secrecy as well as information concerning the decisions of the jurisdictional bodies cannot be reported.

Channels and Report Management Process

A Reporting party, if he has reasonable suspicion that one of the violations provided for by the law has occurred or may occur, has the possibility of making a Report using the various channels made available.

The internal reporting channels have been identified, not only to allow different reporting methods, but also to guarantee confidentiality, including through the use of encryption tools, where IT tools are used:

- of the reporting person;

- of the facilitator;

- of the person involved or in any case of the subjects mentioned in the report;

- the content of the report and the related documentation

In order to facilitate the reporting party, the latter is guaranteed the choice between different reporting methods:

- Written form using IT methods via the Digital Pa Legal Software platform configured expressly for our organisation.

Ordinary email and certified e-mail, as also indicated by ANAC in its guidelines, are not adequate tools to guarantee confidentiality.

Therefore, our organization does not provide such channels for reporting.

- Oral form: alternatively with voice recording systems always available on the platform indicated above, through a specific recording and sending message function that can be activated at the will of the interested party and equipped with a voice camouflage system or, at the request of the reporting person, through a direct meeting with the person responsible for managing the channel set within a reasonable time.

Reports made via the voice messaging system made available by the platform will be documented by recording on a device suitable for storage and listening with the prior consent of the reporter pursuant to art. 14, co. 2, of Legislative Decree 24/2023.

For reports for which the oral route has been chosen, through a meeting, a specific report may be drawn up always subject to the consent of the person making the report pursuant to art. 14 c.2 Legislative Decree 24/2023

How to use reporting channels:

For oral reporting through a meeting with the channel management manager, it is necessary to confidentially contact the same manager either via the platform or by contacting him directly and define the best meeting methods that guarantee the appropriate timeliness and confidentiality of the reporter.

For the other channels, however, the IT platform can be reached at the following link also present on the website

www.mexedia.com

https://mexedia.segnalazioni.net

Through the platform the reporter, upon his/her own choice and will, can:

- forward a written report

- forward a report via a voice messaging service;

in both cases the reporting party will be able to send the reports anonymously or by also entering their contact details (which will in any case be treated confidentially and disconnected from the content of the report);

Once the reporting data has been entered, the reporting party can review them on a summary page before proceeding with sending.

At the same time, the person responsible for managing the reports receives a notification regarding the presence of a new report. It should be noted that reports are NOT sent by email, but the communication simply informs the Manager that there is a notification.

The signaling.net system provides two reporting methods indicated below.

A) Registered user: it is possible to create an account through which to access reports with username and password. In this case the identity of the reporter is available to the Responsible recipient, but is separate from the report and hidden.

B) Unregistered user: it is possible to create the report and access it using the codes issued by the system. The importance of keeping the codes is underlined since in case of loss you will not be able to access the report.

If you indicate your name and surname, your identity will remain hidden but accessible only to the recipient of the report. If you prefer to remain anonymous, it is advisable not to indicate references that could lead to the profile. If requested by the Manager, the identity profile can be communicated subsequently via

the message area. The reports and the identity of the Whistleblower are highly confidential; the software hides the identity of the reporter.

For transparency we specify that, in cases where:

- the entity has not adopted the internal reporting channel or, despite having adopted it, it is not active or does not comply with the law;

- the offense has already been reported through the internal channel but there is no confirmation;

- there is reasonable reason to believe that, in the event of a report of an offence, there would be no response through the internal channel and/or there is a fear of retaliation;

- there is reasonable reason to believe that the offense may constitute an imminent danger to the public interest,

you have the right to:

1. Use the external reporting channel set up by the National Anti-Corruption Authority (A.N.AC) which can be reached at the following link whistleblowing - form for reporting illicit conduct pursuant to Legislative Decree no. 24/2023 (anticorruzione.it).

2. Report the illicit act to the judicial or accounting authority.

3. Publicly disclose the illicit fact (through the press, electronic means or means of dissemination capable of reaching a large number of people).

Please remember that, in the event of public disclosure, one of the following conditions must be met in order to be entitled to the protection guaranteed by the whistleblowing legislation:

- An internal and/or external report must have been previously made without receiving a response;

You have reasonable grounds to believe that the violation you intend to report constitutes an imminent or obvious danger to the public interest;

- There is reasonable reason to believe that the external report may involve the risk of retaliation or may not have an effective follow-up (for example because there is a well-founded fear that the evidence may be destroyed or hidden and/or that the recipient of the report may be colluded with the infringer).

The following must be clear in the report:

- the personal details of the person making the report (unless you decide to remain anonymous);

- the type of legal relationship with the company;

- the circumstances of time and place in which the reported event occurred;

- the description of the fact;

- personal details or other elements that allow the identification of the person to whom the reported facts can be attributed;

- the indication that you wish to keep your identity confidential and benefit from the protection provided in the event of any retaliation.

It is possible to use the internal reporting channel to report the violation of the 231 Organizational Model possibly adopted by the company.

Verify and carry out the checks necessary to evaluate the validity and objectivity of the report, indicating, by way of example but not limited to:

- references on the development of the facts (e.g. date, place) any information and/or evidence that can provide valid confirmation regarding the existence of what was reported;

- general information or other elements, where possible, which allow identifying who committed what was declared by the Reporter;

- details of any other subjects who can report on the facts covered by the Report;

-any private interests connected to the Report.

Reports must be made in good faith.

It is underlined that reports submitted through tools and/or channels other than those indicated will not be accepted.

Examination and evaluation of Reports

The Whistleblowing Manager, having received the Reports through the dedicated channels, carries out the following activities:

- analyzes the documentation received from the Reporter and prepares the preliminary checks of the case, firstly carrying out a careful examination of the conduct detected in the report, verifying the requirements and the existence of the conditions.

- promptly sends the report to the competent Compliance functions. Should there be specific references to alleged violations of Model 231 and/or the Code of Ethics, the Manager promptly informs the Supervisory Body, so that the latter

can proceed with the evaluation of the facts and arrange the investigations deemed necessary, also making use of the support of the company control functions.

The SB, as the body responsible for supervising and complying with the MOGC (Organisation, Management and Control Model), communicates the decisions taken to the Whistleblowing Manager, evaluates the feasibility and necessity of the actions to be carried out, consistently with the company regulatory instruments in force, in order to ascertain the validity of the Reports. The decision-making measures linked to the Report are left to the functions or managerscompetent corporate bodies, from time to time based on organizational responsibilities.

The timing of the procedural process following the report is as follows:

• within 7 days of submission, the person in charge must issue an acknowledgment of receipt to the reporting party and, where necessary, request additions; maintain discussions and follow up diligently;

• feedback must be provided to the reporter within 3 months;

• within 7 days the report received by an incompetent person must be forwarded to the correct recipient.

Archiving, conservation and traceability of reports

In order to guarantee the reconstruction of the different phases of the process, it is the responsibility of the Whistleblowing Manager to ensure:

- the traceability of the Reports and the related reception, investigation and evaluation activities;

- the preservation of the documentation relating to the Reports and the related verification activities, as well as any decision-making measures adopted by the competent functions in the Whistleblowing Portal.

- the conservation of the documentation and Reports for a period of time not exceeding that necessary for the purposes for which the data were collected or subsequently processed and in any case in compliance with current legislation on the protection of personal data (5 years from receipt of the reports themselves).

Protection of the whistleblower and the reported party

Mexedia S.p.A. SB, in compliance with the relevant legislation, in order to promote the diffusion of a culture of legality and to encourage the reporting of offences, ensures the confidentiality of the personal data of the Reporter and the confidentiality of information contained in the Report, in compliance with the GDPR 679/2016 regulation.

Violation of the obligation of confidentiality is a source of disciplinary responsibility, without prejudice to any further form of liability provided by law.

No form of retaliation or discrimination having effects on working conditions for reasons related to the complaint is permitted, neither for those who report the alleged offenses nor for those who collaborate in the activities to verify their validity. By discriminatory measures we mean unjustified disciplinary actions, harassment in the workplace and any other form of retaliation that leads to intolerable working conditions and in any case worse than those experienced previously.

Mexedia S.p.A. In this regard, SB implements follow-up tools, adopting all the necessary measures to prevent the identity of the Reporter from being traced directly or indirectly and therefore extending the investigations to a large number of greater number of employees employed in different functions/structures, aimed at knowing the evolutions of the work situations experienced by the Reporter in order to demonstrate the effectiveness of the violation reporting system, encourage its use and prove the absence of discriminatory actions or other forms of retaliation against the Reporting employee. Mexedia S.p.A. SB, as Data Controller, informs the Reporter about the processing of their personal data.

With regard to technical and organizational security measures, we provide a systematic list of the main measures:

-Complete separation of the reporting person's data and the contents of the reports;

- possibility of reporting anonymously

-Advanced encryption system to protect the data provided

- Encryption and decryption flow for the reporting party who remains anonymous

-Log encryption

- Encryption and decryption flow for the Manager

-System log tracking all operations carried out

- Mandatory password change quarterly

-Access with 2-factor authentication and SPID

-Anonymous reporting or with registration chosen by the reporting party and, in any case, separation of the reporting party's data from the reporting

-Voice signaling with Morfing system

Protection of the Reported

In compliance with current legislation, Mexedia S.p.A. SB has adopted forms of protection to guarantee the confidentiality of the Reporter also for the alleged person responsible for the violation, the person reported, without prejudice to any further form of liability provided for by the law that imposes the obligation to communicate the name of the Reported Party, such as requests from judicial authorities.

This document is without prejudice to the criminal and disciplinary liability of the Reporter in the event of slander or defamation pursuant to current legal provisions, and is also a source of liability, in disciplinary proceedings and in other competent bodies, any forms of abuse, such as Reports that are manifestly opportunistic and/or made for the sole purpose of harming the reported person or other subjects, and any other hypothesis of improper use or intentional exploitation of the institution covered by this document policy.

Responsible for the Whistleblowing Reporting System

The Whistleblowing Manager holds the role of Reporting System Manager and as such:

- ensures the correct carrying out of the violation reporting process;

-reports, directly and without delay to top management, any critical issues to be managed;

-has the obligation to guarantee the confidentiality of the information received, also regarding the identity of the Reporter and the Reported Party.

- evaluates the reports and carefully examines the profiles found within them, with particular attention to the activities and circumstances highlighted.

- evaluates the checks to be carried out, the functions to be involved in the analyzes or any archiving;

- ensures the confidentiality of the information received, also regarding the identity of the Reporter;

Together with the Whistleblowing Manager, there is the figure of the IT technician as a highly qualified senior profile and in possession of the requirements required by law.