Page number 6
WHISTLEBLOWER POLICY 2. The administrator team assesses and categorizes the report and conducts an initial investigation. In this phase, it is possible that the administrator team needs more information or documentation. The team will start an anonymous dialogue with you through the system. 3. The processing of the report is based on the type and severity of the report. Initially, the report is processed internally. In case of particularly severe misconduct or violations, the authorities will be involved. 4. You are informed of the actions taken within 3 months of the submission of the report. In long-term cases, you will be updated on a regular basis. 5. Any personal information in the report is processed in accordance with Nine United’s GDPR policy. 6. The report is deleted from the system when it is no longer relevant. Retaliation Part of the EU directive states that whistleblowers cannot be punished for coming forward with information. That way you do not have to worry about future consequences for your career and personal life as a result of the report. If the report is relevant under the whistleblower directive, you cannot be penalized by Nine United after the report has been submitted. This includes the following penalties: • Termination • Suspension • Degradation • Failed promotion • Change in working time and tasks 6 af 8
Page number 7
WHISTLEBLOWER POLICY • Decline in wages • Intimidation, harassment and social exclusion at work With Nine United’s whistleblower policy, we wish to provide better opportunities for openness and security for the individual employee and external stakeholders associated with Nine United. Security The system utilizes several security measures to ensure that you are protected. Some of these measures include: 1. Full encryption throughout the process 2. ISO 27001 certified (Information security) 3. ISO 27701 certified (GDPR compliance) 4. ISO27001 approved servers in Europe 5. Schrems II compliant 6. SSL technology 7. Shield and WAF on application level 8. Two-factor authentication at administrator level 9. Redundancy at both application and database level 10. Architecture built on the latest technology 11. Continuous AI monitoring 12. No IP logging 7 af 8
