Code of Ethics

(In force since 1 July 2024, last updated 11 November 2024)

Index

Glossary
1. Introduction
2. Scope of application of the Global Code of Conduct
3. Principles of conduct and reference values
3.1. Principle of legality
3.2. Respect for the person
3.3. Respect for free and fair competition
3.4. Environmental respect
3.5. Public safety protection
4. Corporate governance and relationships with stakeholders
4.1. Correctness and completeness of information, also financial
4.2. Management of financial resources and prevention of money laundering
4.3. Conflict of interests
4.4. Treatment and confidentiality of information
4.5. Industrial and intellectual property rights and author’s right
4.6. Use of company assets and materials
4.7. Use of social networks and relationships with the media
4.8. Relationships with suppliers and contractual parties 
4.9. Relationships with Public Institutions and Supervisory Authorities
4.10. Gifts, presents, and promotions of initiatives
4.11. Sponsorship and donations
4.12. Data protection
5. Disciplinary system
6. Reports of violations and illegal conducts
7. Final provisions 
 
Glossary

DATAFLOW Group

(hereinafter also referred to as «DATAFLOW») The Group comprises the company DATAFLOW SECURITY SRL, the Spanish company DATAFLOW SPAIN, the US company DATAFLOW FORENSIC, and the company DATAFLOW US.

 

Recipients of the Global Code of Conduct
The provisions of the present Global Code of Conduct apply to all members of the Social Bodies of all DATAFLOW Group Companies, personnel (employee and non-employee), and all those who, directly or indirectly, permanently or temporarily, establish relations with DATAFLOW and operate to pursue its objectives (e.g. suppliers, researchers, external consultants, contractual parties in general).

 

Supervisory Body
This term refers to the Supervisory Body, the Audit Company, and any other equivalent control body provided for by the different national legislations, whether taken jointly or separately.

 

Ethics Committee
An autonomous body with control and monitoring powers, entrusted with the responsibility of overseeing the correct functioning and appropriate observance of the Global Code of Conduct. It is the recipient of the reports of violations of the Global Code of Conduct. In particular, with reference to DATAFLOW SECURITY SRL, which has adopted the Model of organization, management, and control ex D.Lgs. n. 231/2001, the Ethics Committee is represented by the Vigilance Body.

 

Report
Any piece of information pertaining to presumed irregularities, breaches, censurable behaviors and facts, or any practice not conforming to what is established in the Global Code of Conduct.

 

Disciplinary System
The set of disciplinary measures whose application is provided for in case of violation of the Global Code of Conduct.

 

1. Introduction

The DATAFLOW Group is an international organization operating in a multiplicity of rapidly evolving technological, institutional, economic, social, and cultural contexts. The complexity of the situations in which the Group operates makes it necessary to set out clearly the values that DATAFLOW recognizes, accepts, and shares, as well as the Group's responsibilities, both internal and external.

The «Global Code of Conduct» represents DATAFLOW’s «constitutive charter», encompassing a set of principles and rules of fundamental importance for the proper functioning, reliability, and reputation of DATAFLOW, placing the respect of laws and regulations of the countries in which the Group operates, as well as the respect of procedures and company protocols, at the center of attention, in the conviction that ethics, in conducting business, is to be pursued as a condition of success of entrepreneurial action.

The present document takes inspiration from the principles contained in the «OECD Guidelines for Multinational Enterprises» (OECD (2023), OECD Guidelines for Multinational Enterprises on Responsible Business Conduct, OECD Publishing, Paris), together with the most up-to-date principles and standards of «responsible business» recognized within the OECD and at the international level. The present document takes inspiration also from the principle contained in the «UN guiding principles for business and human rights» that applies to «all States and to all business enterprises, both transnational and others, regardless of their size, sector, location, ownership and structure».

 

2. Scope of application of the Global Code of Conduct

The Global Code of Conduct applies to any level of the Organization of all DATAFLOW Group Companies, wherever they may reside and/or operate. In case of misalignments between the principles expressed in the Global Code of Conduct and local regulations, the most restrictive provisions apply.

The provisions, principles, and reference values of DATAFLOW’s Global Code of Conduct represent the company’s corporate culture and are binding for all Recipients.

DATAFLOW implements the necessary measures to verify and monitor the actual implementation of the Global Code of Conduct.

Violation of any provision of the Global Code of Conduct adopted by DATAFLOW entails the application of the measures provided for by law and/or the disciplinary system specifically approved by each DATAFLOW Group Company.

 

3. Principles of conduct and reference values

3.1. Principle of legality

DATAFLOW bases its action on the principle of legality, a principle that requires Companies to conduct their activity in full respect of laws and regulations, so that every manifestation of it is lawful and conforms to the legal norms of the countries of residence and the countries in which DATAFLOW Group Companies operate.

DATAFLOW, in relation to the nature and size of the Organization and the type of activity performed, provides measures to ensure that the activity of each Company is carried out in respect of the law.

The principle of legality binds all Recipients of the Global Code of Conduct: subjects interacting with DATAFLOW are required to always, in any case, and everywhere respect all legal norms, whether of legislative or regulatory origin, affecting DATAFLOW’s activity.

DATAFLOW bases its internal action on the principle of legality, applying it to the relationships between superiors and subordinates, between subordinates and superiors, and also between peers. Employees must be aware of the laws and the consequent behaviors; therefore, DATAFLOW must inform them in case of doubts on the matter.

DATAFLOW bases its internal and external action on the principle of legality, applying it to its relationships with researchers, clients, suppliers, contractual parties (national and foreign), Public Institutions, Supervisory Authorities, and third parties in general.

Each subject interacting with DATAFLOW must act to eliminate or, at least, reduce to the minimum the risk of non-observance or violation of legal norms.

Each subject interacting with DATAFLOW promptly reports to the Body entrusted with monitoring the observance of the provisions of the Global Code of Conduct any illegal act, any anomaly, any incongruity, certain or even merely presumed.

The report is made in the manner provided for in Paragraph 6 of this Global Code of Conduct.

3.2. Respect for the person

DATAFLOW bases its action on the principle of respect for the person and for physical and cultural integrity, and does not accept compromises, even at the cost of an increase in costs and constraints for the Companies.

DATAFLOW implements measures to ensure the safety of the person. The personnel working for DATAFLOW are guaranteed safe and healthy working conditions through information, continuous training, and direct responsibility of all in the application of safety procedures – which are subject to prompt updating to support organizational changes and the evolution of technical and regulatory matters – and in constant and vigilant preventive action.

DATAFLOW protects and promotes the value of human resources, fosters personal and professional growth, guaranteeing equal opportunities, with the aim of improving and increasing the assets and complementarity of the skills possessed. The selection of resources and professional growth are motivated by criteria of competence, merit, professionalism, and adherence to the Group’s values.

DATAFLOW promotes the effective collaboration of its resources and a culture of feedback, fosters a climate of respect for the dignity and reputation of everyone, banning any violent or detrimental behavior to the person’s dignity.

DATAFLOW considers “diversity” as a characteristic of the organization to be promoted and exalted, with determination and courage, eliminating, in all stages of the employment relationship, any possibility of direct or indirect discrimination based on individual characteristics, such as gender, different abilities, age, marital status, ethnic or social origin, faith, sexual or political orientation. In any country in which it operates, DATAFLOW rejects the exploitation of work and opposes any form of abusive recruitment and irregular employment of workers or employees.

 
3.3. Respect for free and fair competition

DATAFLOW considers free competition a good to be protected and an essential element for any operation and phase of negotiation.

DATAFLOW recognizes that fair and honest competition affects the Group’s reputation and is functional to the development of the market in which it operates. In line with Antitrust legislation, DATAFLOW refrains from behaviors aimed at favoring the conclusion of business to its advantage in violation of laws or existing regulations, and is committed to always respecting any interlocutor, including competitors.

3.4. Environmental respect

DATAFLOW is committed to respecting the environmental legislation of each country in which it resides and/or operates and implements preventive measures to avoid or, at least, minimize the environmental impact; in particular:

  • adopts measures aimed at limiting and, if possible, nullifying the negative impact of economic activity on the environment not only when the risk of harmful or dangerous events is demonstrated, but also when it is not certain whether and to what extent the activity exposes the environment to risks;
  • gives priority to the adoption of measures aimed at preventing any prejudice to the environment, rather than waiting to repair damage that has already occurred. In particular, DATAFLOW promotes environmental sustainability through the collection and disposal of waste in accordance with the principles of differentiation and recycling. DATAFLOW also plans accurate and constant monitoring of scientific progress and of the evolution of environmental regulation.

3.5. Public safety protection

DATAFLOW rejects any initiative, activity, and relationships with organizations aimed at disturbing or subverting democratic order and respect for the law.

DATAFLOW refrains from any initiative, activity, and relationship that may benefit, even indirectly, Groups or subjects involved in illegal activities, terrorist or criminal activities.

DATAFLOW refrains from maintaining any relationship, of any nature, direct or indirect, or through an intermediary, with individuals or legal entities that are known or suspected of being part of or carrying out, in Italy or abroad, activities of any kind in support of criminal organizations of any nature, including those of a mafia-like nature, those engaged in human trafficking or child labor exploitation, or arms trafficking, as well as subjects or groups that operate with the aim of terrorism, considering as such conducts that may cause serious damage to a country or an international organization, committed with the aim of intimidating the population or forcing public powers or an international organization to perform or refrain from performing any act or destabilize or destroy the fundamental political, constitutional, economic, and social structures of a country or an international organization.

 

4. Corporate governance and relationships with stakeholders

4.1. Correctness and completeness of information, also financial

Truthfulness, accuracy, traceability, completeness, clarity of information, in compliance with existing legislation and company procedures, in accounting recording, as well as in all activities aimed at the formation of documents and social communications to stakeholders, represent fundamental values for DATAFLOW.

DATAFLOW’s financial communication is characterized by comprehensibility, timeliness, exhaustiveness, and symmetrical information for all investors and is assigned to the specifically authorized functions.

DATAFLOW promotes collaborative behavior in the control activities legally attributed to shareholders and other social bodies, including control bodies.

 
4.2. Management of financial resources and prevention of money laundering

DATAFLOW promotes respect for national and international legislation on money laundering crimes, also identifying modalities of financial resource management suitable to prevent the use of its economic-financial system for criminal purposes by Recipients. Before establishing any business relationship, DATAFLOW verifies the information available on the counterparty, to ascertain its legitimacy and respectability and refrains from maintaining relationships with counterparties that are believed to be involved in criminal activities in general, and in money laundering activities in particular.

DATAFLOW is particularly attentive to financial flows that do not fall within typical business processes, especially if they concern areas not adequately proceduralized and with characteristics of spontaneity and discretion. All those who operate for/with DATAFLOW, whatever the relationship, even temporary with the Group, must refrain from performing operations that may in any way hinder the identification of money, goods, or other benefits of illegal origin.

4.3. Conflict of interests

DATAFLOW promotes a culture aimed at avoiding all situations and activities in which a conflict with the Group’s interests may arise. Recipients must refrain from activities, acts, and behaviors incompatible with the obligations connected to relationships with Companies, or that may interfere with their ability to take, in an impartial manner, decisions in the best interest of Companies and in full respect of the norms of the Global Code of Conduct. Recipients must, furthermore, refrain from benefiting personally from business opportunities of which they have become aware in the course of performing their duties. Recipients are required to provide DATAFLOW with information transparency regarding any situation that may constitute or determine a conflict of interests, even if related to personal and family activities.

4.4. Treatment and confidentiality of information

The protection of confidential information is a fundamental asset of DATAFLOW.

Recipients are required to maintain the confidentiality of information in their possession, adopting attentive and responsible behaviors aimed at avoiding unnecessary disclosure internally and protecting it externally, for purposes foreign or outside the exercise of their function.

DATAFLOW explicitly prohibits the dissemination of false or misleading information. The sharing with the outside of any confidential information and documents is permitted only to persons expressly authorized.

4.5. Industrial and intellectual property rights and author’s right

Property rights on industrial and/or intellectual products and/or knowledge developed within the work environment belong to DATAFLOW, which holds the right to exploitation in compliance with existing legislation. Similarly, DATAFLOW condemns any form of disturbance to the freedom of industry and commerce, and does not admit any form of fraud, abusive duplication or reproduction, counterfeiting, usurpation, or alteration of material and immaterial goods susceptible of deriving from a title of industrial or intellectual property belonging to itself or to third parties.

DATAFLOW promotes respect for the law by implementing measures to counter the production and commercialization of non-original products. Each Recipient is called upon to protect industrial and/or intellectual property rights in ownership or in use to DATAFLOW and not to use unlawfully goods protected by industrial or intellectual property rights.

4.6. Use of company assets and materials

Each Recipient, to the extent that they may be concretely allowed to use assets or other DATAFLOW resources, is required to safeguard the company’s assets, adopting responsible and coherent behaviors with the dedicated regulations for the use of the same.

In particular, each Recipient is responsible for the protection of assets and materials assigned to them within the scope of work activity, and is required to act with diligence in accordance with DATAFLOW’s directions (including, for Europe, those provided within the authorization to process personal data ex art. 29 Reg. UE 2016/679 and those provided in data processing agreements ex art. 28 Reg. UE 2016/679) as well as the law, in order to avoid thefts, losses, damage, unauthorized use by third parties, and unlawful or improper uses, taking into account the risk of damaging the image and reputation of the Group.

DATAFLOW explicitly prohibits the use of company computer systems that may represent a violation of existing laws, offense to freedom, integrity, and dignity of persons, especially minors. In order to pursue these objectives, DATAFLOW, in compliance with existing legislation, also labor law, adopts digital solutions and organizational procedures for the identification, management, and monitoring of these risks, without this entailing the control at a distance of employees (e.g. list of sites or links that are by design blocked in order to prevent their visit).

4.7. Use of social networks and relationships with the media

DATAFLOW recognizes the opportunities related to the use of social media. Given the enormous resonance and reputational impact that information, statements, opinions, or judgments expressed in these areas (even through the “sharing” of contents) may have, DATAFLOW recommends Recipients to exercise the utmost attention in evaluating contents and materials to be disseminated. In particular, explicit prohibition is made to Recipients to disseminate information, statements, opinions, or judgments that may create confusion as to whether they do not represent strictly personal positions, but are attributable to DATAFLOW, as well as to use social media in violation of existing laws, or with modalities that may cause offense to freedom, integrity, and dignity of persons, especially minors. Relationships with the media are held by persons expressly authorized, and observe the principles of truth, correctness, transparency, and prudence of communication. External communication, including that aimed at disseminating the brand and image of DATAFLOW, respects the ethical principles of this Global Code of Conduct.

4.8. Relationships with suppliers and contractual parties

Suppliers and, in general, contractual parties of DATAFLOW operate in compliance with the general existing legislation, especially with regard to the protection of the person, health, and safety. DATAFLOW verifies with the utmost diligence the information available on all counterparties in order to ascertain their respectability and the legitimacy of their activity before establishing any business relationship.

DATAFLOW monitors the maintenance of the aforementioned requirements. Selection is guided by objective parameters such as effectiveness, quality, convenience, price, professionalism, competence, efficiency, and in the presence of adequate guarantees regarding the correctness of the supplier and the contractual party.

DATAFLOW rejects any type of relationship with counterparties that it believes may be involved in criminal activities of any kind, including money laundering.

DATAFLOW does not maintain business relationships with individuals or companies that have been included by the Public Administration in the lists of entities subject to embargo or restrictions and/or of doubtful reliability.

DATAFLOW adopts appropriate measures if, in the course of its activity with/for the Companies, the supplier or the contractual party adopts behaviors not in line with the contents of DATAFLOW’s Global Code of Conduct. Suppliers and contractual parties are informed of the existence of DATAFLOW’s Global Code of Conduct and its commitments through contractual clauses that require their respect.

4.9. Relationships with Public Institutions and Supervisory Authorities

In its relationships with the various Public Institutions and Supervisory Authorities, DATAFLOW relates with transparency, clarity, correctness, in compliance with existing legislation, in order not to induce partial, falsified, ambiguous, or misleading interpretations and in such a way as not to compromise the integrity and reputation of the involved parties. Relationships with the various Public Institutions and Supervisory Authorities are not aimed at obtaining undue benefits for the Group and respect the principle of traceability of relationships.

DATAFLOW identifies the persons authorized to deal with Public Institutions and Supervisory Authorities. In the context of relationships with Italian and foreign Public Institutions, DATAFLOW is committed to representing its interests and expressing its needs in a correct and transparent manner, in strict compliance with the principles of independence and impartiality of the Public Administration’s choices and in such a way as not to mislead it or influence its determinations. It is forbidden to give gifts or other benefits to public officials or public service incumbents, as well as to their relatives or persons related to them, even through an intermediary. If the Recipient receives gifts or other benefits or proposals of benefits from a public official, from a public service incumbent, or from an employee of Public Institutions and Administrations (Italian or foreign), they must report it without delay to the Ethics Committee. Recipients are explicitly prohibited from promising, offering, or accepting money, gifts, or free benefits, even personally, in the conduct of any operation related to the corporate activity.

4.10. Gifts, presents, and promotions of initiatives

In relationships with suppliers and third parties in general, DATAFLOW explicitly forbids promising/offering/accepting money, gifts, or free benefits, even personally, that may be interpreted as exceeding normal commercial practices or courtesy, or that are in any way directed at acquiring favorable treatment in the conduct of any operation related to the corporate activity. This rule of behavior does not admit derogations, not even in those countries where offering gifts of value to business partners is considered customary. Acts of commercial courtesy towards third parties, as well as their receipt, are allowed, provided they are of modest value and, in any case, do not compromise the integrity and reputation and do not influence the autonomy of judgment of the recipient. In any case, Recipients must refrain from performing practices not allowed by law and commercial usage, including all acts aimed at corrupt practices of any kind, pressures, recommendations, or reports towards third parties, both private and public. DATAFLOW adheres to the policies, procedures, and practices of the companies or entities with which it has relationships. In relationships with the various Public Institutions and Supervisory Authorities, DATAFLOW explicitly forbids Recipients to promise, offer, or accept money, gifts, or free benefits, even personally, in the conduct of any operation related to the corporate activity.

4.11. Sponsorship and donations

DATAFLOW undertakes initiatives of sponsorship of activities in line with the corporate mission and with the principles of the Global Code of Conduct.

DATAFLOW directs donations to beneficiaries whose purposes are not in conflict with the principles of the Global Code of Conduct, guaranteeing transparency in decisions and traceability of operations. Donations and sponsorships should not be intended to obtain undue benefits from entities directly or indirectly connected to their beneficiaries.

DATAFLOW explicitly forbids contributions to political parties or their representatives.

4.12. Data protection

DATAFLOW promotes and implements the treatment of personal data in a lawful and correct manner, according to the terms provided by the national and international legislation, avoiding improper or unauthorized uses, to protect the dignity, image, and privacy of every subject, whether internal or external to the Group.

 

5. Disciplinary system

The observance of the Global Code of Conduct is part of the conditions regulating relationships with the Group’s Companies, and any violation of the present Code represents – depending on the legal relationship established with the Group’s Companies – a disciplinary offense (with reference to workers employed on the basis of an employment contract), the violation of a fiduciary mandate (with reference to the representatives of the corporate bodies), or the violation of contractual obligations (for other Recipients, the observance of the Global Code of Conduct is an essential prerequisite for establishing and/or continuing the professional/collaborative relationship with DATAFLOW). Each Group Company applies specific disciplinary measures approved by the Board, in line with the relevant national legislation.

 

6. Reports of violations and illegal conducts

If a Recipient becomes aware, in the course of their duties, of irregularities, violations, censurable behaviors and facts, or any practice not conforming to what is established in the Global Code of Conduct to which Recipients are bound, they may report them to the relevant Ethics Committee, using the channels provided for this purpose. In the management of the report, the confidentiality of the notifier's identity is assured, together with the maximum protection against retaliatory attitudes or any form of discrimination or penalty against the person who makes the report. The protection measures are extended in accordance with the relevant national legislation. The violation of the obligation of confidentiality is a disciplinary offense, subject to further forms of liability provided for by law. If the report was made in good faith, DATAFLOW will not apply sanctions against the person who reported in the event that, following an investigation, the complaint proves to be unfounded. However, disciplinary sanctions will be applied in the event of reports made deliberately in bad faith or with the intention of causing harm.

 

7. Final provisions

The Global Code of Conduct is approved by the Board of each Company within the Group and enters into force following its dissemination. The Global Code of Conduct is updated in a timely manner when changes occur in the regulatory system, following the evolution of civil sensitivity or other. Any subsequent version of the present document must be approved by the Board and disseminated to all Recipients. This Global Code of Conduct may be supplemented by Behavior Rules approved by the Board of the Company that prepares them. It is understood that said Behavior Rules cannot conflict with the content of this Global Code of Conduct. DATAFLOW ensures an adequate program of continuous training and awareness-raising on issues related to the Global Code of Conduct. For any need of clarification regarding the application of the Global Code of Conduct, it is possible to refer to the relevant HR Responsible.

© 2025 DFSEC. All rights reserved.