1.0 The Sophos Whistleblowing Policy
1.1 The Sophos Group Companies, including Sophos Intermediate II Limited UK and its respective subsidiaries, (collectively, the “Company” or “Sophos”) embraces and adopts the Sophos Whistleblowing Policy (the “Policy”), which promotes, encourages, requires, and provides the means for employees, vendors, suppliers, and customers to come forward with credible information about suspected wrongdoing, illegal conduct, or violations of Sophos policies, Sophos contracts, or the Sophos Code of Conduct for the purpose of creating a transparent and responsible corporate environment. This Policy provides that the Company will investigate credible reports, will act on credible information, and will protect any reporting individual from retaliation.
2.0 Policy Objective
2.1 Sophos employees have a duty to report suspected wrongdoing when it occurs or when the employee first learns about it. All reported concerns will be treated as confidential information, will be taken seriously, will be tracked to conclusion, will be investigated appropriately, and where appropriate will result in appropriate remedial action. In all instances, the confidentiality of each whistleblowing report and the identity of the individual employee who provided the report will be protected.
3.0 Policy Background
3.1 Whistleblowing is encouraged because it is necessary to create transparency in a work environment, which promotes honesty, accountability, trust, and productivity. Equally important, whistleblowing is required when a Sophos employee has information about wrongdoing because employees are expected to act in the best interests of the Company and to adhere to the Sophos Code of Conduct.
3.2 Understandably, whistleblowers often take on high personal risk when making a report. Protecting whistleblowers from unfair treatment, including retaliation, discrimination, or disadvantage, encourages the reporting of wrongdoing and increases the likelihood that wrongdoing is uncovered and ended. For these reasons, people in possession of information regarding suspected wrongdoing must report it and their confidentiality will be protected.
3.3 The Company is committed to dealing responsibly and professionally with all genuine concerns. We expect all Sophos employees to maintain high standards of behavior in accordance with the Sophos Values. Further, Sophos adheres to the Code of Conduct of the Responsible Business Alliance, specifically Section D. Ethics (Section 6-Protection of Identity and Non-Retaliation) and Section E. Management Systems (Section 8-Worker Feedback, Participation, and Grievance) in its administration of this Policy. Further, this Policy complies with the EU Whistleblowing Directive (2019/1937) (23 October 2019) and will be updated from time to time to remain consistent with this Directive.
4.0 What is Whistleblowing
4.1 Whistleblowing occurs when an individual or individuals (the whistleblower) report(s) information about wrongdoing. For a matter to be a whistleblowing concern, an individual who makes a whistleblowing report must reasonably believe two things:
First, the reporting individual has credible information that shows past, present, or likely future wrongdoing, which may fall within one or more of the following categories:
- criminal offense
- failure to comply with the law or regulations
- endangering one’s health
- endangering one’s safety
- damage to the environment
- failure to comply with Sophos corporate policies, including anti-slavery, anti-corruption, Global Trade Compliance Policy, Global Privacy Policy, the Sophos Code of Conduct, the Sophos Group Privacy Notice, and other policies identified by the Company
- covering up the wrongdoing in any of the above categories
Second, the reporting individual is acting in the best interest of the Company.
Wrongdoing need not fit into any of the above categories to be a proper subject for a whistleblowing report. Any individual who reasonably believes that a matter should be the subject of a whistleblowing report should file a report. All reports are investigated, and the whistleblower will be protected from retaliation, even if the subject of the report is not an actionable matter.
5.0 Who is a Whistleblower
5.1 A whistleblower is any individual who has credible information about suspected wrongdoing, potential violation of the law, or potential violation of Company policies, including unethical behavior.
5.2 Whistleblowers can be employees or third parties. Typically, whistleblowers are individuals who are Company employees because they may be involved in Company functions that may require this reporting. However, the Sophos Whistleblowing Policy embraces all individuals who may have knowledge of matters that require reporting, including third parties, such as Sophos vendors, suppliers, customers, and end users.
6.0 When to Act as a Whistleblower
6.1 Any individual, including Sophos employees, who has credible information that comprises suspected wrongdoing, potential violation of the law, or potential violation of Company policies must report that information. Sophos encourages whistleblowing in the spirit of transparency.
6.2 Sophos employees must report conduct that violates or may violate the law or Company Policy. This Policy is not voluntary. The high standards of the Sophos Code of Conduct and Sophos Values, as expressed in the Sophos Employee Handbook, require whistleblowing reporting when an employee has credible information as described.
7.0 How to Report as a Whistleblower
7.1 An individual considering a whistleblowing report may provide their information in one of two ways:
- In person: you can speak with your line manager about your concerns. They will help you to complete the “Speak Out Reporting Form” or visit the web portal and help you to raise your concern this way.
- Online: Visit the Sophos Speak Out web portal and complete the form online. A notification will be sent to the Compliance Team who will review and assign for a response, investigation, or action, where appropriate. When whistleblowing reports are filed online, the reporting individual may elect to remain anonymous, which will be protected by the reporting means (the OneTrust reporting portal) and the Compliance Team investigating the report.
8.0 How Whistleblowing Reports Are Managed
8.1 Within seven (7) days after the whistleblowing report is made, a response will be sent to acknowledge its receipt to the reporting individual. The reporting individual is encouraged to visit the OneTrust Whistleblower and Ethics page where the whistleblowing report was submitted to check for communication, updates, status, additional information, and ask questions. If a reporting individual has elected to remain anonymous, this will be the only means of communication regarding the report.
8.2 The report will be reviewed and assigned for investigation. The person assigned to the case will maintain contact with the reporting individual to ensure clear communication regarding progress. Limited people are involved in the investigation and are held to the strictest confidentiality regarding the matter. These individuals have oversight from senior management.
8.3 In line with the EU Whistleblowing Directive (Section 67) reported matters are expected to be resolved within 3 months (or 6 months for exceptional cases).
8.4 A personal meeting with the reporting individual may be scheduled if requested by the reporting individual.
8.5 Relevant FAQs regarding Whistleblowing Reporters:
Who will see my report?
Reports are managed by the Compliance Team and the General Counsel. Whistleblowing reports that are filed online anonymously cannot and will not reveal the identity of the reporting individual.
Who should report?
In the spirit of transparency, Sophos employees are encouraged to raise whistleblowing matters directly to their line manager, Human Resources via Notify HR, or via the “Speak Out” reporting page. If a Sophos employee has credible information that comprises a whistleblowing matter (see section 4.0, What is Whistleblowing, above), they are required to submit a whistleblowing report.
Further, this Policy covers all employees, officers, consultants, contractors, casual workers, agency workers, and third parties who do business with Sophos, such as Sophos customers, vendors, suppliers, and end users.
What happens to my report after the matter has been concluded?
All reports are maintained by the Compliance Team through the “Speak Out” database via OneTrust for 12 months after resolution. All personal information, if any, is protected consistently with the Sophos Global Privacy Policy and the Sophos Whistleblowing and Data Processing Confidentiality Notice.
What if I have questions?
Sophos “Speak Out” FAQs (Frequently Asked Questions) are available here to Sophos employees and contractors. Also, a reporting individual may ask questions via the Speak Out portal when a report is submitted.
9.0 How Whistleblowers Are Protected
9.1 It is Sophos policy to protect the identity, role, position, and function of an employee who files a whistleblowing report. Reporting individuals who choose to file anonymous whistleblowing reports will not be asked for their identity and neither the means of reporting nor the nature of the investigation will reveal their identity as the matter proceeds.
9.2 As a matter of law, reporting individuals may not be the subject of disciplinary action or termination, when the reporting individual provides a whistleblowing report in good faith with credible information about suspected wrongdoing, as described. Reporting individuals are also protected from discharge, demotion, suspension, threats, intimidation, harassment, or hostile work environment.
9.3 Conversely, it is Sophos Policy to encourage transparency through whistleblowing reporting by creating a work environment that supports employees who provide credible information about suspected wrongdoing.
Sophos Whistleblowing Data Processing and Confidentiality Notice
REMINDER: Sophos whistleblowing reports may be submitted anonymously at the discretion of the Sophos team member submitting the report. This Notice identifies how personal data is processed if personal data is part of the report or if the team member submitting the report provides their own personal data. Consequently, not all reports will involve personal data. In this policy, “Sophos”, “we” or “us” refers to the Sophos group entity that employs you.
You should read this information before submitting a report via the whistleblowing portal.
Sophos Whistleblowing Data Processing Information
What personal data we process and store: When you raise a whistleblowing report, we will record your name and contact details unless you raise your report anonymously. Some of the information you provide in your report may also be considered personal data relating to you or to other people mentioned in the report.
For the purposes of processing your whistleblowing report, we may collect the following personal data:
- name
- manager’s name
- employee ID
- any identifying information you provide in open text fields for the purpose of making your report
For what purpose is personal data used: the personal data and information you provide will be processed to comply with our legal obligations, including compliance with applicable whistleblowing legislation, and, to the extent not covered by our legal obligations, as necessary to pursue our legitimate business interest in investigating alleged violations of the Sophos Code of Conduct or other Sophos policies as set out in the Sophos Whistleblowing Policy, defending our legal rights, and protecting the interests, privacy, or safety of customers or any other person.
Who accesses your data and where it is processed from: the personal data and information you provide, if any, may be accessed, processed, and used by the relevant personnel of Sophos, including Human Resources, Finance, Internal Audit, Legal, Corporate Compliance, management, external advisors (e.g., legal advisors), or, in limited circumstances, by technical staff at Convercent, the independent third party providing the whistleblowing portal. These individuals may be working at Sophos entities different from the one employing you and may be located in the United States or elsewhere. Whenever we transfer personal data outside of the United Kingdom, the European Economic Area or Switzerland, we ensure that appropriate safeguards are in place, such as approved Standard Contractual Clauses.
How long your personal data is stored: The personal data you provide, if any, will be kept until 12 months after the resolution of the whistleblowing report.
Your right to access and rectification: You have the right to request access, correction, or erasure of personal data or to object to the processing of it, including receiving a copy of the personal data held through this service. Any such request should be directed to the Privacy Team (dataprotection@sophos.com) to preserve the confidentiality of the service and your report. The rights mentioned above are not always applicable or may be limited under applicable law.
Your right to complain: You have the right to lodge a complaint about the processing of your personal data, should you provide any, with the relevant supervisory authority, which may vary based upon your location. Details of such authorities can be obtained from the Privacy Team (dataprotection@sophos.com). Sophos would welcome the opportunity to address any complaint directly. You can lodge a complaint directly with Sophos by contacting the Privacy Team at the email address above.
Confidentiality and anonymity
All reports are treated with strict confidentiality subject to the limited condition below. (See 1: Confidentiality Exclusion for Legal Obligation). If your report is filed anonymously, we will not ask you for your name or refer to your gender in your report. Anonymous reporting is not permitted for a limited set of issues in some jurisdictions; details below. (See 2: Reporting Limitations.)
1: Confidentiality Exclusion for Legal Obligation:
We may transfer or disclose your personal data (including the content of a report you have submitted) to any government department, agency, court, or other official bodies where we believe disclosure is required: (i) as a matter of applicable law or regulation (such as in response to a subpoena, warrant, court order, or other legal process); (ii) to exercise, establish, participate in, or defend our legal rights, or limit the damages we sustain in litigation or other legal dispute; or (iii) to protect your vital interests, privacy, or safety, or those of our customers or any other person.
2: Reporting Limitations
In the following countries, limitations exist alongside the matters covered in the Directive:
Belgium, Czech Republic, Denmark, Estonia, Finland, France, Germany, Hungary, Ireland, Italy, Netherlands, Poland, Slovakia, Spain, Sweden, and United Kingdom. Further information can be found HERE.
Whistleblowing is not legally permitted in China.
3: Local Reporting & Investigation
Where required, Sophos provides reporting individuals the option to report locally through the existing whistleblowing portal via OneTrust or by speaking with one’s local line manager or a company representative about their concerns. In either instance, the reporting individual will receive assistance to complete the “Speak Out Reporting Form” to provide credible information about suspected wrongdoing. When local reporting occurs, the whistleblowing matter will be investigated, handled, and managed locally by team members from the local entity.