About This Policy
1.1 The Sophos Modern Slavery Policy (“Policy”) is the anti-slavery policy applicable to the Sophos Group Companies, including Sophos Intermediate I Limited (UK), and its collective subsidiaries (collectively, the “Company” or “Sophos”) and its supply chain. It is derived from the U.K. Modern Slavery Act, 2015[1], the California Transparency in Supply Chain Act, 2012[2], the Australian Modern Slavery Act 2018,[3] and other similar requirements (the “Act”).
1.2 This Policy applies to our third party supply chain, including hardware manufacturers and suppliers, the logistic fulfilment centers responsible for the distribution of our products, procurement vendors, and the recruitment and employment agencies from whom Sophos employees may be sourced (each a “Supplier” and together the “Sophos Supply Chain”), and to all people working for us or on our behalf in any capacity, including employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, agents, contractors, external consultants, third-party representatives, and business partners.
1.3 Sophos also adheres to the Code of Conduct of the Responsible Business Alliance, specifically Section A. 1., Freely Chosen Employment, in its administration of this Policy. Generally, modern slavery is a crime and a violation of fundamental human rights. It takes various forms, such as slavery, servitude, forced and compulsory labor, and human trafficking[4] all of which have in common the deprivation of a person's liberty by another to exploit them for personal or commercial gain.
1.4 The Company has zero-tolerance of modern slavery and we are committed to acting ethically, transparently, and with integrity in all our business dealings and relationships, including the implementation and enforcement of effective systems and controls to ensure modern slavery is not taking place anywhere in our own business or in the Sophos Supply Chain.
1.5 Although child labor occurs in many countries, Sophos does not accept child labor and actively works against it. Sophos is committed to a consistent, long-term effort to create sustainable and broad-based solutions to ensure that products supplied to Sophos are not sourced from child labor. Sophos respects different cultures and values in countries where Sophos operates and sources its products, but Sophos does not compromise on the basic requirements regarding the Rights of the Child.
1.6 This Policy does not form part of any employee's contract of employment, and we may amend it at any time.
2. Responsibility for the Policy
2.1 The Sophos Ultimate Parent GP, LLC Board of Managers has overall responsibility for this Policy. Legal and Compliance are accountable for the implementation of this Policy across the Company.
2.2 The Company’s risk management framework supports this Policy through independent audit, assessment, training, and objective oversight. This includes monitoring the use and effectiveness of feedback from the Sophos Supply Chain, ensuring that Sophos managers and employees receive adequate notification and training, and auditing internal control systems and procedures to ensure these procedures effectively counter modern slavery.
2.3 Management at all levels is responsible for ensuring that those reporting to them understand and comply with this Policy. Managers will be vigilant of indicators of modern slavery and will respond appropriately if they find, or are informed of, any indication of modern slavery.
3. Risks
3.1 The principal areas in which the Company faces risks related to modern slavery include:
- Raw materials used to manufacture Sophos hardware that may be sourced in areas of high risk of modern slavery and child labor;
- The Sophos Supply Chain, particularly Suppliers who manufacture or assemble in high risk countries;
- Effective due diligence monitoring of the Sophos Supply Chain;
- Recruitment in our own business and recruitment through agencies;
- Appropriate training for employees; and
- Processes to monitor actions undertaken to ensure Sophos compliance with its own requirements.
4. Standard Operating Procedures
Under section 54 (9) of the UK Modern Slavery Act 2015, the Required Disclosures within the California Transparency in Supply Chains Act, and the Australian Modern Slavery Act 2018, the following requirements address the procedures carried out by the Company to meet designated requirements. Further, the Compliance Team will maintain standard operating procedures that detail the operational program for these requirements.
4.1 Annual Modern Slavery Statement: (the “Annual Statement”): under Section 54 of the Modern Slavery Act 2015, commercial organizations that carry on a business in the UK, supply goods and services, and have a total annual turnover of £36 million or more, are required to publish within six months of the end of each financial year, an annual statement. Under the Transparency in Supply Chains Act, the legislature declared the intent of the State of California to ensure that large retailers and manufacturers provide consumers with information regarding its efforts to eradicate slavery and human trafficking from their supply chains. Similar requirements are identified by the Australian Modern Slavery Act 2018, Part 2.
- The Annual Statement shall set out the steps, if any, that the organization has taken during the fiscal year to ensure that modern slavery is not taking place in any of its supply chains and in any part of its own business. The statement must be signed by a Director, published on its website with a clear link on the homepage, and will identify actions taken to prevent slavery in its operations.
4.2 Child Labor: Child Labor is prohibited. In this policy, Sophos embraces the United Nations Convention on the Rights of the Child (1989), which stipulates:
All actions concerning the child shall take full account of his or her best interests. Article 3. The right of the child to be protected from economic exploitation and from performing any work that is likely to be hazardous or to interfere with the child’s education, or to be harmful to the child’s 4 health or physical, mental, spiritual, moral or social development. Article 32.1.
In addition, this policy is based on the International Labor Organization (ILO) Minimum Age Convention no. 138 (1973). According to this convention, the word “Child” is defined as any person below fifteen (15) years of age, unless local minimum age law stipulates a higher age for work or mandatory schooling, in which case the higher age would apply. If, however, the local minimum working age is set at fourteen (14) years of age in accordance with exceptions for developing countries, the lower age will apply.
4.3 Sophos Supply Chain: we take one or more of the following actions with each Supplier:
- We have visibility into each step of the hardware manufacturing process performed by a Supplier and take appropriate steps to know-our-suppliers which are providing the products we sell;
- We require the annual completion of a risk assessments based on data provided and validated by each Supplier via the Slavery & Trafficking Risk Template (“STRT”)[5] to understand our Suppliers’ actions, training, reporting, and certification of their modern slavery awareness and prevention;
- We inform our Suppliers that we will not accept any form of exploitation in their business or in the business of their subcontractors and require our Suppliers’ adherence to our Policy as a condition of their engagement with Sophos;
- We require all Suppliers, annually, to sign the Sophos Modern Slavery Code of Conduct, including a current, updated identification of all third parties who provide parts or services to that Supplier for Sophos products;
- Our contracts with Suppliers include anti-slavery provisions which prohibit Suppliers, their employees, and sub-suppliers from engaging in modern slavery; We conduct regular risk assessments of our Sophos Supply Chain and, where appropriate, we audit the Supplier and require them to take specific measures to further reduce the risk of modern slavery;
- When modern slavery has been found, immediate action is taken to investigate and address it, including remedial actions by the Supplier and, as appropriate, termination of the Supplier’s agreement with Sophos;
- We monitor Suppliers through adverse media screening;
- We require that all suppliers abide by the requirements of the U.N. Convention on the Rights of the Child[6] and that the Suppliers comply with all relevant national and international laws, regulations, and provisions applicable in the country of production;
- If child labor is found in any place of production, we require the Supplier to implement a corrective action plan within an agreed time-frame. If the Supplier fails this action or if repeated violations occur, Sophos will terminate its agreement with that Supplier; and
- Through the general purchasing conditions for the supply of products, we have reserved our right to make unannounced visits at any time to all places of production, including those of sub-contractors, for goods intended for supply to Sophos, which may be performed by an independent third party, as necessary.
4.4 Recruitment: Sophos takes the following actions:
- We ensure all staff have a written contract of employment and that they have not had to pay any direct or indirect fees to obtain work; We ensure staff are legally able to work in the country in which they are recruited;
- We check the names and addresses of our staff (e.g., many people listing the same address may indicate high shared occupancy, often a factor for those being exploited);
- We provide information to all new recruits on their statutory rights including sick pay, holiday pay and any other benefits to which they may be entitled;
- If, through our recruitment process, we suspect someone is being exploited, the HR department will follow our reporting procedures; and
- We conduct due diligence checks on any recruitment agency that we use to ensure that it is reputable and conducts appropriate checks on all staff that they supply to us.
5. Compliance with the Policy
5.1 Employees must ensure that they read, understand, and comply with this Policy. Employees must validate receipt of annual training on modern slavery.
5.2 The prevention, detection, and reporting of modern slavery in any part of our business or supply chains is the responsibility of all those working for us or under our control. Employees are required to avoid any activity that might lead to, or suggest, a breach of this Policy.
5.3 Employees are required to raise concerns about any issue of modern slavery in any parts of our business or supply chains when they suspect any violation of this Policy has occurred. Suppliers are also encouraged to raise concerns and provide visibility to any suspected breach of this Policy. This reporting occurs through the Sophos Whistleblowing Policy and reporting portal.
- If a Sophos employee or a third party believes or suspects a breach of this Policy has occurred or that it may occur, either can raise an alert using the “Speak Out” web page. Alternatively, Sophos employees can notify their line manager or the Compliance Team at compliance@sophos.com as soon as possible.
- Sophos encourages openness and transparency in reporting, and we will support anyone who raises genuine concerns in good faith under this Policy, even if they turn out to be mistaken. We are committed to ensuring no one suffers any detrimental treatment as a result of reporting in good faith their suspicion that modern slavery in any form is or may be taking place in any part of Sophos or in the Sophos Supply Chain.
- All notifications received, together with the identity of the notifier, will be treated as confidential. See, the Sophos Whistleblowing Policy.
5.4 Employees are trained to be aware of following key signs, which may indicate that someone may be a slavery or trafficking victim. This list is not exhaustive:
- The person is not in possession of their own passport, identification, travel documents, or 6 bank account;
- The person is acting as though they are being instructed or coached by someone else; The person allows others to speak for them when spoken to directly;
- The person is dropped off and collected from work;
- The person is withdrawn, or they appear frightened;
- The person does not seem to be able to contact friends or family freely; and
- The person has limited social interaction or contact with people outside their immediate environment.
6. Communication and Awareness of This Policy
6.1 Training is provided to all Sophos employees regarding the risk our business faces from modern slavery annually through the Sophos learning platform. Updates and refreshers will be provided as necessary.
6.2 Our zero-tolerance approach to modern slavery will be communicated to Suppliers at the outset of our business relationship and audited periodically, as appropriate, during their tenure as a Sophos supplier.
7. Breaches of this Policy
7.1 Any employee who breaches this Policy will face disciplinary action, which may include dismissal for gross misconduct.
7.2 We may terminate our relationship with Suppliers and other third parties that breach this Policy. Details of such actions and resulting remediation will be published in the Company’s Annual Modern Slavery Statement. Sophos also may take any action required by the UK Modern Slavery Act 2015.
8. Reviewing This Policy
This Policy is reviewed and updated periodically by the Compliance Team, as required.
[1] http://www.legislation.gov.uk/ukpga/2015/30/section/54/enacted
[3] https://www.legislation.gov.au/Details/C2018A00153
[4] The definitions of these terms are as follows. Slavery: Slavery, in accordance with the 1926 Slavery Convention, is the status or condition of a person over whom all or any of the powers attaching to the right of ownership are exercised. Forced or compulsory labor: Forced or compulsory labor is defined in international law by the ILO’s Forced Labor Convention 29 and Protocol. It involves coercion, either direct threats of violence or more subtle forms of compulsion. The key elements are work or service exacted from any person under the menace of any penalty and for which the person has not offered voluntarily. Human trafficking: An offence of human trafficking requires that a person arranges or facilitates the travel of another person with a view to that person being exploited. “Transparency in Supply Chains etc. A practical guide” Guidance issued under section 54(9) of the Modern Slavery Act 2015 Annex A page 17
[5] The STRT is an open-source, industry standard template from the Social Responsibility Alliance for collecting and sharing slavery and human trafficking risk data from supply chains and specifically supporting the UK Modern Slavery Action 2015, California Transparency in Supply Chains Act (SB657), EU Non-Financial Reporting Directive, and other similar legislation. See Social Responsibility Alliance.
[6] (Resolution 44/25, 02 Sept 1990).