Sophos Group Anti-Slavery and Human Trafficking Policy

1.1 Modern slavery is a crime and a violation of fundamental human rights. It takes various forms, such as slavery, servitude, forced and compulsory labour and human trafficking [1], all of which have in common the deprivation of a person's liberty by another in order to exploit them for personal or commercial gain.

1.2 We have a zero-tolerance approach to modern slavery and we are committed to acting ethically, transparently and with integrity in all of our business dealings and relationships and to implementing and enforcing effective systems and controls to ensure modern slavery is not taking place anywhere in our own business or in any of our supply chains.

1.3 This policy applies to our third party supply chain, including hardware manufacturers and suppliers, the logistic fulfilment centres responsible for the distribution of our products, procurement vendors and recruitment and employment agencies from whom Sophos employees may be sourced (each a Supplier and together the Sophos Supply Chain), and to all persons working for us or on our behalf in any capacity, including employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, agents, contractors, external consultants, third-party representatives and business partners.

1.4 This policy does not form part of any employee's contract of employment and we may amend it at any time.

2. RESPONSIBILITY FOR THE POLICY

2.1 The Board of Directors has overall responsibility for ensuring this policy complies with our legal and ethical obligations, and that all those under our control comply with it.

2.2 The Group’s existing structure of risk management provides the framework to support the Group’s compliance with the requirements of the Act, primarily through oversight and assurance from the Risk and Compliance Committee (the RCC) concerning the processes in place for implementing this policy, monitoring its use and effectiveness, ensuring that managers and employees receive adequate training, and auditing internal control systems and procedures to ensure they are effective in countering modern slavery.

2.3 Management at all levels are responsible for ensuring those reporting to them understand and comply with this policy. Managers will remain alert to indicators of modern slavery and will respond appropriately if they find or are informed of any indication of modern slavery.

[1] The definitions of these terms are as follows. Slavery: exercising powers of ownership over a person. Servitude: the obligation to provide services is imposed by the use of coercion. Forced or compulsory labour: work or services are exacted from a person under the menace of any penalty and for which the person has not offered themselves voluntarily. Human trafficking: arranging or facilitating the travel of another person with a view to their exploitation.

3. RISKS

3.1 The principal areas in which Sophos faces risks related to modern slavery include:

  1. the Sophos Supply Chain and outsourced activities and in particular those Suppliers located in overseas jurisdictions identified through our human development risk index management tool as higher risk, in accordance with the principles set out by Transparency International, the Global coalition against corruption;

  2. recruitment in our own business, particularly recruitment through agencies; and

  3. any Supplier that is identified through the Human Trafficking Risk index (the HTR Index) which provides Sophos with insights into where potential human trafficking may exist deep within the Sophos Supply Chain. This HTR Index uses external corporate databases – the world’s largest, with more than 250 million records – and incorporates data from the International Labor Affairs Bureau and the U.S. Department of State. The HTR Index creates an automated, repeatable, closed-loop process to proactively monitor the Sophos Supply Chain for potential human trafficking violations.

4. COMPLIANCE WITH THE POLICY

4.1 You must ensure that you read, understand and comply with this policy.

4.2 The prevention, detection and reporting of modern slavery in any part of our business or supply chains is the responsibility of all those working for us or under our control. You are required to avoid any activity that might lead to, or suggest, a breach of this policy.

4.3 You are encouraged to raise concerns about any issue or suspicion of modern slavery in any parts of our business or supply chains of any supplier tier at the earliest possible stage. There is no typical victim and some victims do not understand they have been exploited and are entitled to help and support. However, the following key signs could indicate that someone may be a slavery or trafficking victim. This list is not exhaustive:

  1. the person is not in possession of their own passport, identification, travel documents or bank account;

  2. the person is acting as though they are being instructed or coached by someone else;

  3. they allow others to speak for them when spoken to directly;

  4. they are dropped off and collected from work;

  5. the person is withdrawn or they appear frightened;

  6. the person does not seem to be able to contact friends or family freely; and

  7. the person has limited social interaction or contact with people outside their immediate environment.

4.4 If you believe or suspect a breach of this policy has occurred or that it may occur, you must notify compliance@sophos.com as soon as possible.

4.5 If you are unsure about whether a particular act, the treatment of workers more generally, or their working conditions within any part of our business or tier of the Sophos Supply Chain constitutes any of the various forms of modern slavery, you should raise it with compliance@sophos.com.

4.6 We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken. We are committed to ensuring no one suffers any detrimental treatment as a result of reporting in good faith their suspicion that modern slavery of whatever form is or may be taking place in any part of our own business or in the Sophos Supply Chain. All notifications received, together with the identity of the notifier, will be treated as confidential.

5. PROCEDURES

5.1 Annual Anti-Slavery Statement: under Section 54 of the Modern Slavery Act, commercial organisations that carry on a business in the UK, supply goods and services and have a total annual turnover of £36 million or more, are required to publish within six months of the end of each financial year, an annual statement. This must set out the steps (if any) that the organisation has taken during the financial year to ensure that modern slavery is not taking place in any of its supply chains and in any part of its own business. The statement must be signed by a Director and published on its website with a clear link on the homepage. This applies to Sophos Limited in the UK. Sophos Limited’s annual statement will, with respect to it, and all entities in the Sophos Group plc global structure, set out the actions that it and they have taken to prevent slavery in their operations.

5.2 Supply Chains: we take one or more of the following actions in respect to each Supplier:

  1. we ensure that we can account for each step of our hardware manufacturing processes and that we know who is providing the hardware to us that we resell. This is done by using BOMcheck. BOMcheck is an industry-wide regulatory compliance tool which is offered by ENVIRON, and defines companies that are part of the Sophos extended supply chain, these being companies that supply components for our hardware products to our immediate Suppliers. Once identified, these companies are then run through our human trafficking index management tool. This provides the business with extended supply chain information and data sources, to support our modern slavery controls;

  2. we inform our Suppliers that we are not prepared to accept any form of exploitation in their business or any part of their supply chain by publishing our policy and statement on our website;

  3. we complete Live Monitoring on all companies in the Sophos Supply Chain, and any anti-bribery or modern slavery changes for a specific Supplier will trigger an immediate review and business assessment / investigation;

  4. our standard supply chain contract templates and contracts that we negotiate with high-risk Suppliers contain anti-slavery provisions which prohibit Suppliers and their employees and sub-suppliers from engaging in modern slavery;

  5. we conduct regular risk assessments of our Sophos Supply Chain. In cases of high-risk, we audit the Supplier and, as appropriate, we require them to take specific measures to ensure that the risk of modern slavery is significantly reduced; and

  6. in cases where modern slavery is actually identified in our business or in the Sophos Supply Chain, we require that immediate action is taken to address it, and we provide appropriate support to this end. In the event of failure to resolve the situation with a Supplier rapidly and satisfactorily, we will terminate the contract.

5.3 Recruitment: we take the following actions:

  1. We always ensure all staff have a written contract of employment and that they have not had to pay any direct or indirect fees to obtain work;

  2. We always ensure staff are legally able to work in the country in which they are recruited;

  3. We check the names and addresses of our staff (a number of people listing the same address may indicate high shared occupancy, often a factor for those being exploited);

  4. We provide information to all new recruits on their statutory rights including sick pay, holiday pay and any other benefits they may be entitled to;

  5. If, through our recruitment process, we suspect someone is being exploited, the HR department will follow our reporting procedures; and

  6. We conduct due diligence checks on any recruitment agency that we use to ensure that it is reputable and conducts appropriate checks on all staff that they supply to us.

6. COMMUNICATION AND AWARENESS OF THIS POLICY

6.1 Training on this policy, and on the risk our business faces from modern slavery in the Sophos Supply Chain, will be provided to new and existing employees, prioritising those in relevant departments including, but not limited to, those set out in the Schedule to this policy, and regular training updates or refreshes will be provided as necessary. If you are unclear which is a relevant department, you should contact compliance@sophos.com.

6.2 Our zero-tolerance approach to modern slavery should be communicated to Suppliers at the outset of our business relationship with them and reinforced as appropriate thereafter.

7. BREACHES OF THIS POLICY

7.1 Any employee who breaches this policy will face disciplinary action, which could result in dismissal for misconduct or gross misconduct.

7.2 We may terminate our relationship with Suppliers and other third parties if they breach this policy.

8. REVIEWING THIS POLICY

8.1 This policy is reviewed at least annually. We will provide information and/or training on any changes made as a result.



SCHEDULE

RELEVANT DEPARTMENTS