Anti-Bribery & Other Forms of Corruption Policy
Document approved by
 | Revised | Approved |
Position | Compliance Officer | Board of Directors |
Date | 30/10/2023 | 20/11/2023 |
1. Index
2. History of versions
Date | Version | Author | Description |
11/12/2019 | 01 | Victor Hugo Riaño Delaossa | Creation |
26/05/2022 | 02 | Andrea Catalina Garcia Lopez | Complementing the requirements of ISO 37001 and integrating with the Transparency and Business Ethics Program |
26/05/2022 | 03 | Andrea Catalina Garcia Lopez | Complementing the requirements of ISO 37001 and integrating with the Transparency and Business Ethics Program |
01/11/2023 | 04 | Milena Solano Murcia | Update for changes in organization chart of the company, new area that manages this system, the new subsidiary India is included, and the word subsidiary is added. |
3. Anti bribery and other forms of corruption policy
Sophos Solutions is committed to complying with the rules aimed at the Prevention of national and transnational bribery, adopting policies, procedures and high standards of transparency, honesty, integrity, and legality in the fight against Acts of Corruption through the management of risks and the strengthening of the Government and our corporate principles.
The purpose of the Anti-Bribery and Anti-Corruption Management System is to publicly declare the commitment of Sophos Solutions and senior managers to an ethical and transparent procedure before their stakeholders, and to conduct business in a responsible manner, acting under an ideology of Zero Tolerance* with those situations that contradict the fight against Acts of Corruption, Bribery and Transnational Bribery.
To this end, Sophos Solutions and its affiliates undertake to:
- Manage the risks of fraud, corruption or bribery associated with the business and with third parties, in accordance with the values established in a strategic and structured manner.
- Constantly promote an ethical culture for the prevention, detection, investigation and management of fraud, corruption, or bribery.
- Enforce the Anti-Bribery and Anti-Corruption Management System, Transparency and Business Ethics Program, Anti-Bribery and Other Forms of Corruption Policy, Gift, Presents, Hospitalities and Others Policy, Conflict of Interest Policy and any other applicable policy or standard.
- Promote continuous improvement and compliance with the Anti-Bribery and Anti-Corruption Management System according to ISO 37001 international standards, and applicable legal regulations of each country, to prevent damage to Sophos Solutions’ image and reputation.
In addition, each employee is responsible for applying the criteria defined in this policy and acting in accordance with the corporate values and guidelines established in the Code of Ethics.
*The Zero Tolerance ideology refers to the fact that it is strictly forbidden to give, offer, promise or accept a payment, an object of value or any benefit such as bribery, commission or any other corrupt form of payment, regardless of its amount or whether it is generated internally, externally, directly or indirectly.
Sophos Solutions is committed to doing business fairly, honestly, with integrity and in accordance with the laws of each of the countries in which it operates, incorporating guidelines under which the different activities of the company are oriented nationally and internationally, advocating compliance with international standards through ISO 37001, the FCPA (USA), the law 1778 (Colombia) as well as the circulars and resolutions that complement it and the ethical parameters of transparency and integrity, with which the organization rejects any illegal or corrupt practices.
The company's strategy for the fight against bribery and corruption includes, among other related elements and systems, the Code of Ethics, the Internal Control System, the Anti-Bribery and Anti-Corruption Management System, Transparency and business ethics program, and the System for Self-Control and Management of the Integral Risk of Money Laundering and Financing of Terrorism (SAGRILAFT).
This Policy applies to all Sophos employees including subsidiaries and all related parties, stakeholders, shareholders, associates, and business partners, understood as customers, business alliance, contractors, consultants, subcontractors, national and international suppliers, advisors, representatives, intermediaries, and third parties, as well as its analogy to the countries where the subsidiaries operate, in general to all those with whom directly or indirectly any commercial or contractual relationship is established.
It must be disclosed and applied in an immediate and mandatory manner to all third parties linked to the Organization, so that they can denounce those events of fraud, corruption and/or bribery.
Terms appearing with initial capital letters shall have the meaning assigned to them in this Policy and may be used both in the singular and in the plural, provided that the context so requires and unless otherwise indicated.
Stakeholders: Those individuals or legal entities that have contributed in money, labor or other assets that can be valued in money to a company in exchange for quotas, interest shares, shares, or any other form of participation.
Senior Director: These are natural or legal persons, designated in accordance with the social statutes or any other internal provision of the Legal Person and Colombian law, as the case may be, to administer and direct the Legal Person, whether members of collegiate bodies or individuals considered individually.
Compliance Audit: It is the systematic, critical, and periodic review of the proper implementation of the Anti-Bribery and Anti-Corruption Management System, including the Business Ethics Program and its policies.
Collaborator: An individual who undertakes to render a personal service under subordination to the Organization or to any of its Subordinate Companies, in exchange for remuneration.
Foreign collaborator: Includes and is not limited to employees of any foreign government, its political subdivisions, or local authorities, or in a foreign jurisdiction, whether within a public body, a state enterprise or an entity whose decision-making power is subject to the will of the state, its political subdivisions or local authorities, or a foreign jurisdiction, as well as any employee of an international entity or organization, whether commercial or not.
Contract: An agreement of wills between the parties, whereby one of them undertakes to deliver or do something in exchange for a payment in money.
Conflict of Interest: Corresponds to those situations in which the employees of the Organization face in the decision-making their personal interests, or self-interest, with those of the Organization, its suppliers, shareholders, investors or Interest Group and/or third parties, which could infer in their ability to decide objectively and in the best interest of the Organization.
Self-advantage means the derivation of any decision for the benefit of the employee, his spouse, partner or permanent companion or his relatives within the second degree of consanguinity, second of affinity or first civil, or his partner or partners in law or in fact. In this case there is an obligation for the Partner to disclose and manage the Conflict of Interest.
Corruption: Any deliberate act, including but not limited to the offer, provision, solicitation or acceptance of an incentive or reward, directly or indirectly, with the intention of inducing an inappropriate action, for one's own benefit or that of a third party and to the detriment of the organization's interests.
Thing of value: It should be understood as any payment in cash or another kind, capable of being considered of value such as travel, reimbursement of expenses, scholarships, sponsorships, gifts, donations, contributions, favorable contracts, investment opportunities, stock option, promises of future employment, discounts, recreation activities, among others, regardless of their amount.
Due Diligence (DD): Used for risk prevention, or for concepts that involve the validation of a company or person prior to signing a contract or a law with some care diligence.
Donation: It is a contract whereby an asset is transferred free of charge to another person who accepts the transfer.
F.C.P.A.: The Foreign Corrupt Practices Act prohibits U.S. and U.S.-related companies and citizens from bribing government officials abroad.
Fraud: Intentional distortion of financial statements or other documents by one or more persons, internal or external to the organization, conducted to conceal the embezzlement of assets, obtain an undue, unfair, illicit, or other profit advantage.
Anti-Bribery Law: Law No. 1778 of 2016, which dictates rules on the liability of legal persons for acts of transnational corruption and dictates other provisions on the fight against corruption.
Compliance Officer/Function: Is the natural person appointed by the Senior Management to lead and administer the Anti-Bribery and Anti-Corruption Management System including the Business Ethics Program and its policies.
Organization: It refers to Sophos Solutions S.A.S. and all its subordinate companies, subsidiaries, and affiliates, which are under its authority as a controlling company.
Policy: It refers to this document as the guideline compiling the instructions and practices to be followed for the prevention of bribery and other forms of corruption in the organization.
Business Ethics Program: These are the specific procedures under the Compliance Officer, aimed at operationalizing the Compliance Policies, to identify, detect, prevent, manage, and mitigate the risks of Transnational Bribery, as well as others that relate to any act of corruption that may affect a Legal Person.
Anti-Bribery and Anti-Corruption Management System: It is the system oriented to the correct organization of Compliance Policies and interrelated elements of the company that interact to establish policies, objectives, and processes to achieve compliance with international regulations and the Business Ethics Program, as its proper implementation in the Legal Person.
Bribery: Also known as illicit payment, it is anything (money or gift) that can induce the recipient to grant an official favor or advantage that the payer should not or could not otherwise get.
Transnational Bribery: Act by virtue of which, a legal person, through its employees, administrators, associates or contractors, gives, offers or promises to a foreign public servant, directly or indirectly: sums of money, objects of pecuniary value or any benefit or utility in exchange for that public servant performing, omitting or delaying any act related to his functions and in relation to an international business or transaction.
Subordinate Company: A company shall be subordinated or controlled when its decision-making power is subject to the will of another person or persons who will be its parent or controlling company, either directly, in which case it will be called a subsidiary or with the assistance or through the subordinates of the parent, in which case it will be called a subsidiary.
Business Partner: External party with which the organization has, or plans to establish, some kind of commercial or contractual relationship.
The Colombian Government has made several international agreements for the treatment of bribery, such as the Inter-American Convention against Corruption of the Organization of American States of 1997, the United Nations Convention against Corruption (UNCAC) of 2005, and the Convention to Combat Bribery of Foreign Public Officials in International Commercial Transactions of the Organization for Economic Cooperation and Development (OECD) of 2012. As a result of these agreements, national laws were enacted such as Law 1474 of 2011, Law 1778 of 2016, Resolution 100-002657 of 2016, External Circular 100-000003 of 2016 issued by the Superintendency of Companies.
Sophos Solutions’ Anti-Bribery and Other Forms of Corruption Policy complies with all current legal regulations and is based on the following legal framework.
Law 1474 of 2011: By which rules are issued aimed at strengthening the mechanisms for the prevention, investigation and punishment of acts of corruption and the effectiveness of the control of public management. (Anti-Corruption Statute)
https://wp.presidencia.gov.co/sitios/normativa/leyes/Documents/Juridica/Ley%201474%20de%2012%20de%20Julio%20de%202011.pdf
Law 1778 of 2016: By which rules are issued on the responsibility of legal persons for acts of transnational corruption and other provisions on the fight against corruption.
https://www.funcionpublica.gov.co/eva/gestornormativo/norma_pdf.php?i=67542
External Circular 100-000003 of 2016: Guidance aimed at implementing business ethics programs for the prevention of the conducts provided for in Article 20 of Law 1778 of 2016, which includes a Guide to Good Practices in Internal Controls, Ethics and Compliance of the Organization for Economic Cooperation and Development and the guidelines on compliance programs related to the Foreign Corrupt Practices Act of the United States and the Anti-Bribery Act of the United Kingdom.
https://www.supersociedades.gov.co/delegatura_aec/Documents/Circular_Externa_100-000003_del_26_de_julio_de_2016.pdf
Act No. 2195 of 2022: Adopting measures in the area of transparency, prevention and fight against corruption and adopting other provisions.
https://dapre.presidencia.gov.co/normativa/normativa/LEY%202195%20DEL%2018%20DE%20ENERO%20DE%202022.pdf
On the other hand, there is implementation of international standards such as ISO 37001, which presents requirements for international application in accordance with the FCPA Law of the United States, thus allowing the implementation of an Anti-Bribery Management System based on good practices recognized globally.
ISO 37001: International standard that is applicable only for bribery. It sets out the requirements and provides guidance for a management system designed to help an organization prevent, detect and address bribery and comply with anti-bribery laws and voluntary commitments applicable to its activities.
UKBA Law: The UK Anti-Bribery Act or The Bribery Act of the United Kingdom (UK Bribery Act) criminalizes bribery of domestic officials, bribery of foreign officials and bribery in a commercial context.
Considering the legal presence of Sophos internationally through each of the subsidiaries, the laws and regulations of each of the regions also apply; however, this application is covered by international standards.
United States
FCPA law: The Foreign Corrupt Practices Act (FCPA) is a law that prohibits U.S. companies or any of their subsidiaries, regardless of where their operations and employees are located, from directly or indirectly encouraging bribery of public officials abroad in order to benefit from this action.
Mexico
General Law of the National Anti-Corruption System
It establishes bases for the proper functioning of the National Anti-Corruption System with the enactment of 7 packages of legislation to prevent and combat corruption.
Panama
Law 59 of 1999
It regulates article 299 (now 304) of the Political Constitution and dictates other provisions against administrative corruption.
Peru
Law N°30424
Law that Regulates the Administrative Responsibility of Companies for Crimes of Bribery or kickbacks. This Law establishes that legal entities are obliged to implement a Prevention Model, likewise, it holds organizations responsible for any possible fraud initiated by a collaborator of the company.
Chile
Law N. 20.393
It regulates a system of criminal liability of legal persons applicable only to the crimes of money laundering, financing of terrorism and bribery of national and international public officials.
Law N. 21.121
It amends rules on corruption and other offences, creates new criminal offences and extends the criminal liability of legal persons.
India
The Lokpal and Lokayuktas Act 2013 (No. 1 of 2014)*
This Anti-Corruption Act of the Indian Parliament intended to provide for the establishment of the Lokpal Institution to investigate allegations of corruption against public officials within and outside India.
Companies Act 2013
It is India's law governing companies and places a strong emphasis on corporate governance and the prevention of corporate fraud. Under the company law, auditors and accountants are required to report any suspected fraud to the central government.
*https://www.advocatekhoj.com/library/bareacts/lokpal2014/index.php?Title=Lokpal%20and%20Lokayuktas%20Act,%202013
The following Principles will serve as paths of interpretation, in the execution of all measures and actions aimed at the prevention of Bribery and other forms of Corruption, within which interpretations that seek to give the appearance of legality to conduct or operations, which are classified as contrary to international best practices, will not be admissible, such as those described in ISO 37001 and the FCPA, as well as those provided for in the Anti-Bribery Act; therefore, the Policy will be mandatory in the Organization.
- Principle of morality:
By virtue of the principle of integrity, all actions that must be carried out derived from compliance with this Policy, as well as all members of the Organization who exercise them, must act under a constant assessment of rectitude, respect and transparency in all professional interactions that are developed in fulfillment of the mission and vision of the Organization.
- Principle of integrity:
By virtue of the principle of morality, all actions to be performed in compliance with this Policy must be carried out with rectitude, loyalty and honesty towards all levels of the Organization.
- Principle of coherence:
By virtue of the principle of coherence, all members of the Organization will seek that all their actions in the fulfillment of their functions are consistent with the provisions of this Policy, the Code of Ethics of the Organization, the Business Ethics Program and its corresponding manual, as well as with the other internal and external rules that may modify the subject matter of these.
- Principle of efficiency:
By virtue of the principle of effectiveness, all actions carried out as a result of compliance with this Policy must always be aimed at achieving a sufficient degree of planning to enable the achievement of the expected results.
- Principle of communication:
By virtue of the principle of communication, all actions to be carried out as a result of compliance with this Policy, as well as all members of the Organization who carry them out, must emphasize effective, assertive, clear, express and respectful communication, which allows for the continuous improvement of the Organization’s Business Ethics Program.
- SOPHOS SOLUTIONS S.A.S does not accept or justify any event of Fraud, corruption or bribery by collaborators, suppliers, customers, interested parties, business partners and in general any of their counterparties, in the operations conducted.
- Compliance and Information Security Area is responsible for guiding the interpretation and application of the present policy.
- All contracts must have a Due Diligence (DD) process, which must be performed and documented by the Administrative Area (Suppliers), the Commercial Area (Customers) and security study (Candidates), including their sources.
- Results of Due Diligence (DD) conducted to any contractor will be approved by Administrative Area. When an alert signal is identified, the compliance team will perform Extended Due Diligence.
- If it is necessary to submit a complaint to the competent authorities, the Leader of the Legal & Compliance Area should make it, after meeting with the Audit and Compliance Committee.
- Compliance Team should develop the Anti-Bribery Policy and other forms of Corruption, considering, among others, at least the following aspects:
- The Compliance Officer/Function will establish on a biannual basis the GHS communication plan for appropriate anti-bribery awareness and training for all partners, through various activities.
- The Compliance Officer/Function will periodically promote training sessions for all areas and eventually for third parties on anti-corruption, anti-bribery, conflict of interest, and Code of Ethics policies and laws.
- Conduct investigations into allegations of possible fraud, corruption, bribery within the organization, in the shortest possible time.
- Report to the Human Management to proceed with the application of disciplinary actions in accordance with the provisions of this policy and the internal rules of work.
- Report all reported and investigated fraud, bribery, and corruption events to senior management.
- Periodically review established procedures to mitigate the risk of fraud, bribery and/or corruption and submit to the Audit and Compliance Committee suggested changes for approval.
- Define with the Human Management area a mobility plan for those collaborators who have made complaints if the situation warrants it and is checked.
Fraud events include, but are not limited to, the following:
- Misappropriation of assets, money and funds.
- Appropriation or misuse of Financial Resources.
- Any type of bribery or attempted bribery
- Fraudulent or fictitious expenses
- Modification or falsification of records
- Modification of financial information and/or concealment of information.
- Unauthorized falsification or modification of any type of document or communication issued.
- Phishing
- Disclosure of privileged or confidential information, which affects the organization.
- Accept and / or offer benefits for the linking of suppliers, customers, collaborators, parties of interest and any third party with whom a relationship is generated.
- Extortion
- Hide Information
- Undeclared conflict of interest to make a profit
- Illegal copying or distribution of Intellectual Property
- In general, the diversion of the power or authority granted by the company for personal benefits or that of a third party to the detriment of the profits of the company
- SOPHOS SOLUTIONS S.A.S. prohibits bribery, extortion or payments to third parties to obtain business or benefits in any country or geography where they have or are considered to conduct business. The above, in addition to payments includes payments in kind, investments, shares and jobs.
- It is the obligation of all employees to comply with both the present policy and applicable laws; failure to do so may result in disciplinary consequences that include dismissal, as well as legal actions before the competent authorities. These actions also apply to administrators and partners who violate the provisions of this policy, the code of ethics and the Transparency and Business Ethics Program.
- The employees of the leader level of the organization must certify every 12 months the knowledge of and compliance with the anti-bribery and anti-corruption management system, in which ISO 37001, the FCPA, Law 1778 and other applicable laws are included. Through SP Academy, people at the mentioned level of positions must take the corresponding course once a year to assess knowledge of and compliance with the aforementioned laws.
- It is the responsibility of the risk and information security area to design the training program of the anti-bribery and anti-corruption management system, in which ISO 37001, the FCPA, Law 1778, the Transparency and Business Ethics Program, and other applicable laws are included, as well as to evaluate the knowledge and ability of the collaborators to identify signs of corruption or bribery, every 12 months.
- All transactions abroad must be authorized by the administrative area and must have the supporting documentation that proves the nature and relevance of the transfer.
- It is forbidden to make cash payments for any concept that exceeds the provisions of the company's petty cash policy.
- Transfers to natural persons abroad must comply with the following parameters:
- Beneficiary accounts must be based in the country where the service is provided
- For all operations with state entities the beneficiary must be the state entity
- It must pass the due diligence processes carried out by the administrative area
- Per diem expenses abroad will be authorized by the administrative area for their accounting record.
- Transport cost abroad must be authorized by the administrative area and must describe the routes made and the amount used
- Reimbursements of the expenses of foreign collaborators will be approved by the administrative area.
- The Internal Audit area must include within its audit plan the monitoring of the transactions of the subsidiaries in accordance with the parameters of this policy and its related laws and regulations, identifying possible violations thereof.
- It is the responsibility of the financial area to maintain the record of the accounting operation together with the supporting documentation in accordance with the accounting standards, implementing the necessary controls for the fulfilment of this numeral.
- Any contract entered with Legal or Natural Persons with residence or operations in the United States must include a compliance clause for both parts of the FCPA and Law 1778, and therefore the acceptance of the sanctions that may be generated for their non-compliance.
- Contracts abroad must be monitored in accordance with the parameters of this policy until their completion.
- The procedures associated with compliance with the anti-bribery and anti-corruption management system must be reviewed and updated every 24 months by the risk and information security area, as well as the levels that reviewed and approved such changes.
Each collaborator and third parties acting on behalf of Sophos are prohibited from negotiating, receiving, offering, promising, paying, providing, or authorizing (directly or indirectly) bribes, undue advantages, payments, gifts, travel, the transfer of any Thing of Value to any person, whether public official or not, to influence or reward any action, omission, favorable treatment or decision of such person for the benefit of Sophos.
Anti-corruption and anti-bribery laws penalize people who pay bribes, and those who acted to incentivize the payment of bribes, that is, they apply to any individual who:
- Approves the payment of the bribe.
- Provides or accepts fraudulently issued invoices.
- Relays instructions for the payment of bribes.
- Covers the payment of the bribe.
- Cooperates with the payment of the bribe.
Sophos prohibits the offering, promising, authorizing, paying, receiving and performing of bribery. However, the FCPA allows the facilitation payment, which is the payment made to promote routine actions of the government; this is an exception that is made only by Migration Management, and its procedure is stipulated in the internal Policies of the area.
No person shall receive a reprisal, reprimand or penalty for loss of business resulting from declining to pay a bribe.
Payment of bribes to contractors and suppliers on behalf of Sophos is prohibited. Likewise, we refuse to do business with third parties whose reputation and integrity are questioned. In addition, it is not admitted, under any circumstances, that a third party exercises any type of inappropriate influence for the benefit of the company on any person, whether a public official or not; due diligence is performed on each of the parties to verify their antecedents.
On the other hand, all contracts signed with national or international Legal or Natural Persons must include the Anti-Bribery and Anti-Corruption Clauses of compliance for both parties, to ensure compliance with anticorruption laws and therefore the acceptance of the sanctions that may be generated for their noncompliance.
All procurement processes must be conducted on merit and respect for rules and policies, and not through the improper use of influence over any person, whether public official or not. No contributor or third party acting on behalf of Sophos may receive or offer any gift, present, advantage, benefit, or attention, from or to any person, natural or legal, whether public official or not.
To guarantee the compliance with this policy, employees and third parties must be attentive to warning signs to identify undue advantages or payments that may be occurring. Warning signs are not necessarily evidence of fraud, bribery, or corruption. However, they are suspicions that must be proven through investigation.
Warning signs include, but are not limited to, the following:
- The counterparty has a reputation, even indirectly, in matters related to bribery and corruption, unethical or potentially illegal acts.
- The counterparty requested a commission or payment that is excessive and must be paid in cash or other irregular form.
- The counterparty is controlled by a government official or has a close relationship with the government.
- The counterparty is recommended by a public official.
- Counterparty refuses to include anti-corruption clauses in the contractual relationship.
- The counterparty proposes a financial operation different from the commercial practices usually adopted for the type of operation/business to be carried out.
- The counterparty has no office or staff, or the office appears to be a “front office”.
- The counterparty fills out the forms or formats with illegible or altered handwriting.
- The counterparty refuses to support a transaction or to update basic information.
- The counterparty splits transactions to avoid documentation requirements and/or cash transaction reporting.
- The counterparty does not provide complete information such as main activity, references, name of directors, financial statements, among others.
- The counterparty presents financial statements that reflect very different results from other companies in the same sector with similar economic activities.
- Managers present job profiles that are not aligned with the company.
- The counterparty frequently uses intermediaries to carry out commercial or financial transactions.
- The counterparty seeks to have payments executed on an account in a foreign country other than the location of its services.
- The counterparty requests payment of the accounts in cash.
- The counterparty frequently processes transactions with exceptions.
- The employee frequently evades established internal controls or approval.
- The employee has a lifestyle that does not correspond to the amount of his or her salary.
- The employee is reluctant or unwilling to take vacation time or compensatory leave.
- The employee does not accept changes to his or her activities or promotions that imply not continuing to carry out the same activities.
- The employee frequently remains in the office past closing time or attends the office outside of normal business hours.
- The related issues in the Transparency and Business Ethics Program
We seek to protect the good name of Sophos Solutions and each of the members of senior management and its collaborators when they are immersed in a real or potential conflict of interest associated with gifts, presents, hospitality, attentions and others.
That is why no gift, present, attention, object, benefit, advantage, hospitality, food, travel, accommodation or form of entertainment should be given or accepted if it can, or if it creates the appearance of being able to influence unduly directly or indirectly, contractual or commercial relations, if it alters its independence, if it creates obligations, or causes a potential discredit and / or violates the law or policies of Sophos Solutions.
This Policy recognizes that in business invitations to meals, attentions and in limited circumstances, modest or symbolic gifts are considered as courtesy. For example, merchandising and/or corporate branding gifts or attentions delivered or received which must be proportionate and reasonable and in accordance with Sophos Policies (Gifts, Presents, Hospitality and Others Policy), which are generally distributed for promotional purposes, or during the celebration of a holiday, such as Christmas.
Each time gifts, attention or any other benefit is received, it must be reported in writing to the email: funcioncumplimientoaa@sophossolutions.com
Any gift that is considered inappropriate in accordance with the provisions of the policy must be returned by the collaborator who receives it, communicating this circumstance to the email of the Compliance Officer/Function. If the gift cannot be returned, it will be put in the custody of risk management to be raffled between areas or projects of the company.
Due to the level of complexity that may arise from the necessary analysis of all the variables of bribery and other forms of corruption risk management, the importance is recognized of designating a Compliance Officer/Function with the necessary skills, experience and leadership to manage such risks and any other risk related to an act of corruption.
For that reason, compliance with the Bribery and Other Forms of Corruption Risk Management System will be delegated to a trusted collaborator, who will perform the anti-bribery compliance function, and will have the autonomy and the human, technological and economic resources required to implement the respective Anti-Bribery and Anti-Corruption Management System and its respective policies, such as the Transparency and Business Ethics Program, Anti-Bribery and Other Forms of Corruption Policy, Gift, Presents, Hospitalities and Others Policy, and Conflict of Interest Policy.
Accordingly, the Compliance Officer/Function will be responsible for the implementation of the present policy, and senior management assigns it the responsibility to:
- Supervise the design and implementation of the Anti-Bribery and Anti-Corruption system by the organization.
- Provide advice and guidance to staff on the Anti-Bribery and Anti-Corruption management system and bribery related issues.
- Ensure that the Anti-Bribery and Anti-Corruption management system complies with the requirements of ISO 37001 and with the current legal regulations on anti-corruption issues in Colombia and the subsidiaries.
- Report the performance of the anti-bribery and anti-corruption management system to the Board of Directors and senior management.
- Submit reports to the board of directors at least once a year.
- Ensure that appropriate channels are in place to allow anyone to report, confidentially and securely, breaches of the Transparency and Business Ethics Program and possible suspicious activities related to Corruption.
- Verify the proper application of whistleblower protection.
- Fulfill the explicit functions of the Anti-Bribery and Anti-Corruption Management System.
Sophos Solutions has put in place mechanisms that allow for the confidential reporting of any type of complaint, through which our employees, shareholders, third parties, related individuals or any foreign or national person must diligently and promptly report any suspected violation of the Anti-Bribery and Anti-Corruption law, the code of ethics, the Transparency and Business Ethics Program, the anti-bribery and other forms of corruption policy, or any potential or existing illegal or immoral behavior of which they are aware.
In addition, Sophos allows collaborators to receive advice from an appropriate person (Compliance Officer/Function) on what to do if they face a problem or situation that could involve bribery, also ensuring that the complaint or report generated will be kept confidential and properly analyzed.
Any consultation, suspicion or suggestion should be channeled through the following communication mechanisms:
- Compliance Officer/Function: funcioncumplimientoaa@sophossolutions.com
Sophos Solutions will treat all complaints with the utmost confidentiality and will analyze them properly.
No contributor shall receive any warning, retaliation, discrimination or disciplinary action (threats, isolation, degradation, impediments to promotion, transfer, dismissal, bullying, victimization or other forms of harassment) for:
- Refusing to participate in any activity for which they have reasonably judged that there is more than a low risk of bribery that has not been mitigated by the organization.
- Concerns raised or reports made in good faith or on the basis of a reasonable belief, actual intent or suspicion of bribery or violations of the anti-bribery policy or anti-bribery management system (except where the individual participated in the violation).
Whether the communications are anonymous or not anonymous, Sophos will take legal steps to protect the confidentiality and anonymity of any complaints made.
The mechanisms established by Sophos for the filing of complaints are:
Likewise, Sophos Solutions being a company supervised by the SuperSociedades, promotes the Transnational Bribery Complaints Channel and the Corruption Complaints Channel of the Transparency Secretariat.
Transnational Bribery Complaints Channel
Channel of Complaints for Acts of Corruption
- It is the responsibility of all employees of the organization to report to the Ethics line any action of actual or potential fraud, corruption, or bribery of which they have knowledge or suspicion, so that they are investigated.
- The organization will not allow the development of coercive actions, reprimands and / or reprisals for personnel who make complaints, whether they end in materialized fraud or in investigations due to suspicion.
- If it is confirmed that an ill-intentioned complaint of fraud has been made, it is considered a serious misconduct that is sanctioned in accordance with the internal working regulations.
- The organization, under the leadership of the Risk Committee area, shall keep confidential, for as long as it can manage, the name of the complainant, as well as the investigation processes carried out.
- Complaints made within the company by collaborators or third parties are received by the Legal Area and/or the Area of Risks and Information Security, and they are managed within a confidentiality program.
The actions implemented to protect and support the complainant in the face of retaliation are:
- Clarify that seeking to identify the complainant, or harmful conduct in relation to a complaint report, is not tolerated and may be a disciplinary matter.
- Conduct investigations where the conduct of detriment (retaliation) so requires and take reasonable measures to prevent injury or contain the identified injury to avoid further injury.
- Take appropriate disciplinary action against any person who is responsible for harmful conduct (e.g., bad faith complaints).
- Practical support (encouraging and reassuring) will be given to the whistleblower about the value of reporting irregularities and taking steps to help their welfare.
- Protection and support should be ensured as soon as a report of irregularities (complaint) is received and continued during and after the complaint process.
- Establish remediation initiatives for persons who have suffered harmful conduct.
- The complainant will have quarterly follow-up with the Compliance Officer to ensure that he or she has not suffered retaliation in any form.
- Any breach of retaliation protection can be reported to internal audit.
Sophos considers SERIOUS MISCONDUCT the failure to comply with the Anti-Bribery and Anti-Corruption Management System, the Corporate Transparency and Ethics Program, the Anti-Bribery and Other Forms of Corruption Policy, the Gift Policy, Hospitality and Other, and the failure to comply with the Code of Ethics, the Internal Labor Regulations, the Employment Contract and any of the controls, handling of information or other guidelines defined here for the prevention, detection and control of activities that would be contrary to the fight against acts of Bribery and Corruption, without prejudice to applicable legal sanctions. As this is a serious breach and a breach of the employee's duties towards the Company, the Company will therefore take disciplinary and/or legal action.
In the case of Sophos employees, the sanction procedure to be followed is that determined in the section “SCALE OF MISDEMEANORS AND DISCIPLINARY SANCTIONS” of the Internal Labor Regulations, without prejudice to the applicable legal sanctions. For those connected to the company, the penalties established in the contracts and/or in the law as appropriate will be taken into consideration.
Legal sanctions against bribery and corruption are severe and may involve fines, administrative or criminal sanctions, such as imprisonment for the persons involved, as stipulated by international law, which prescribes prison terms of 7 to 10 years and/or unlimited fines.
In addition, Sophos Solutions could face severe fines or other criminal penalties for bribery and corrupt activities by third* parties. However, Sophos will investigate any activity that violates this Policy and, where appropriate, inform the competent authorities of any event of fraud or corruption and will undertake and accompany the appropriate legal actions, in addition to taking appropriate disciplinary measures and penalties that may involve even termination of the employment or business relationship.
Ignorance or inadequate understanding of this policy does not empower its recipients to breach it.
“Sophos Solutions S.A.S. reserves the right to modify this document according to the changes that arise within the company.”
*Article 2 (Law 1778/2016) Administrative liability of legal persons who, through one or more employees, contractors, administrators, associates, or any subordinate legal person.