EdifiXio Code of Conduct
June 2018

POLICY BRIEF & PURPOSE

Our Employee Code of Conduct company policy outlines our expectations regarding employees’ behavior towards their colleagues, supervisors and overall organization.

We promote freedom of expression and open communication. But we expect all employees to follow our code of conduct. They should avoid offending, participating in serious disputes and disrupting our workplace. We also expect them to foster a well-organized, respectful and collaborative environment.


SCOPE

The Code consists of a set of requirements with a particular focus on security.
This policy applies to all our employees regardless of employment agreement or rank.


POLICY ELEMENTS

What are the components of an Employee Code of Conduct Policy?

Company employees are bound to follow our Employee Code of Conduct while performing their duties. We outline the components of our Code of Conduct below:

Compliance with law

All employees must protect our company’s legality. They should comply with all environmental, safety and fair dealing laws. We expect employees to be ethical and responsible when dealing with our company’s finances, products, partnerships and public image.

Protection of Company Property

All employees should treat our company’s property, whether material or intangible, with respect and care.


Employees:

Employees should protect company facilities and other material property from damage and vandalism, whenever possible.


PRESERVE CONFIDENTIALITY

Confidential Information

Make sure that information that is classified as “Need to Know” or “Confidential” in EdifiXio’s Data Classification Guidelines is handled in accordance with those Guidelines and EdifiXio’s Data Security Policy. At times, a particular project or negotiation may require you to disclose Need to Know or Confidential information to an outside party: Disclosure of that information should be on an “only as needed” basis and only under a non-disclosure agreement. In addition, EdifiXio policy may require a prior security assessment of the outside party that is to receive the confidential information. Be sure to conduct the appropriate due diligence and have the appropriate agreement in place before you disclose the information.


And don’t forget about pictures you and your guests take at EdifiXio: it is up to you to be sure that those pictures don’t disclose confidential information.

Finally, some of us will find ourselves having family or other personal relationships with people employed by our competitors or business partners. As in most cases, common sense applies. Don’t tell your significant other or family members anything confidential, and don’t solicit confidential information from them about their company.


EdifiXio Partners

Just as you are careful not to disclose confidential EdifiXio information, it’s equally important not to disclose any confidential information from our partners. Don’t accept confidential information from other companies without first having all parties sign an appropriate Non-disclosure Agreement approved by your manager. Even after the agreement is signed, try only to accept as much information as you need to accomplish your business objectives.

Outside Communications

You probably know that our policy is to be extremely careful about disclosing confidential proprietary information. Consistent with that, you should also ensure your outside communications (including online and social media posts) do not disclose confidential proprietary information or represent (or otherwise give the impression) that you are speaking on behalf of EdifiXio unless you’re authorized to do so by the company. The same applies to communications with the press. Finally, check with your manager before accepting any public speaking engagement on behalf of the company.

Intellectual Property

Intellectual property rights (our trademarks, logos, copyrights, trade secrets, “know-how”, and patents) are among our most valuable assets. Unauthorized use can lead to their loss or serious loss of value. You must respect all copyright and other intellectual property laws, including laws governing the fair use of copyrights, trademarks, and brands. You must never use EdifiXio’s (or its affiliated entities’) logos, marks, or other protected information or property for any business or commercial venture without pre-clearance from the Marketing team. We strongly encourage you to report any suspected misuse of trademarks, logos, or other intellectual property.

Likewise, respect the intellectual property rights of others. Inappropriate use of others’ intellectual property may expose EdifiXio and you to criminal and civil fines and penalties. Please seek advice from your manager before you solicit, accept, or use proprietary information from individuals outside the company or let them use or have access to EdifiXio proprietary information. You should also check with your manager if developing a product that uses content not belonging to EdifiXio.


A word about open source – EdifiXio is committed to open source software development. Consistent with our policy of respecting the valid intellectual property rights of others, we strictly comply with the license requirements under which open source software is distributed. Failing to do so may lead to legal claims against EdifiXio, as well as significant damage to the company’s reputation and its standing in the open source community. Please seek guidance from your manager and the Open Source Programs Office before incorporating open source code into any EdifiXio product, service, or internal project.


CYBERSECURITY

It is important that our products and services are safe for our customers, protect their data, and are designed with security in mind.


Maintaining information security

As we develop and offer products and services, we understand the role of cybersecurity in protecting our customers, their data, and our company:

Professionalism

All employees must show integrity and professionalism in the workplace:

Personal appearance

All employees must follow our dress code and personal appearance guidelines.

Corruption

We discourage employees from accepting gifts from clients or partners. We prohibit bribery for the benefit of any external or internal party.

Job duties and authority

All employees should fulfill their job duties with integrity and respect toward customers, stakeholders and the community. Supervisors and managers mustn’t abuse their authority. We expect them to delegate duties to their team members taking into account their competences and workload. Likewise, we expect team members to follow team leaders’ instructions and complete their duties with skill and in a timely manner.

Conflict of interest

We expect employees to avoid any personal, financial or other interests that might hinder their capability or willingness to perform their job duties.

Collaboration

Employees should be friendly and collaborative. They should try not to disrupt the workplace or present obstacles to their colleagues’ work.

Communication

All employees must be open to communication with their colleagues, supervisors or team members.

Respect in the workplace

All employees should respect their colleagues. We won’t allow any kind of discriminatory behavior, harassment or victimization. Employees should conform with our equal opportunity policy in all aspects of their work, from recruitment and performance evaluation to interpersonal relations.

Benefits

All employees should read and follow our company policies. If they have any questions, they should ask their managers or the Human Resources (HR) department.


DATA PROTECTION REQUIREMENTS

Protecting personal information

As controller:

The controller must ensure that personal data is processed lawfully. Processing is lawful only if certain conditions apply. Except where required to comply with law, the processor may process personal data only on documented instructions from the controller (GDPR Art 28(3)(a)).

As processor:

The processor will process personal data in accordance with the customer's instructions.

We are committed to respecting the privacy of individuals, including employees and customers. We follow globally recognized privacy principles and strive to implement reasonable and appropriate practices in our collection, use, and sharing of personal information about individuals. These principles and practices ensure that:

Contractual terms and conditions:

Processing by a processor shall be governed by a written contract that is binding between the processor and the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. The contract may be in electronic form. (GDPR Art 28(3)).

Sub-processing:

The processor shall not engage another processor without specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of the intended changes giving the controller the opportunity to object (GDPR Art 28(2)).

The processor must impose on its sub-processors the same obligations as required under applicable EU data protection law in its contract with the controller. The processor must remain fully responsible to the controller for the performance of its sub-processor's obligations (GDPR Art 28(4)).

Transfer of personal data to third countries requirement:

Both controller and processor must ensure that any transfer of personal data undergoing processing to a third country shall take place only if certain conditions under applicable EU data protection law are complied with (GDPR Art 44).

We will implement or otherwise make available to customers a recognized compliance standard under applicable EU data protection law for the lawful transfer of personal data to the relevant country (including, for example, the EU Standard Contractual Clauses, Binding Corporate Rules).

We must put in place operational arrangements in respect of our sub-processors to provide an equivalent level of data protection to the level of data protection under the Service Agreement. EdifiXio must be able to demonstrate to the customer through appropriate documentary evidence that it has taken such measures.

Security requirement:

Both controller and processor must, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (GDPR Art 32(1)).

We are engaged in a continuous improvement process and conduct internal security audits on a regular basis to steer this process.

Data subject request

Taking into account the nature of the processing, the processor must assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising data subject's rights (GDPR Art 28(3)(e)).

We are committed to supporting our customers and providing all useful information to carry out data subject requests.

EdifiXio personnel requirement

Processors must ensure that persons authorized by the processor to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR Art 28(3)(b)).

Confidentiality:

We will impose appropriate contractual obligations regarding confidentiality on any personnel authorized by EdifiXio to access customer data.

Deletion or return

At the controller's option, the processor must delete or return all personal data to the controller (and delete existing copies) at the end of service provision (GDPR Art 28(3)(g)).

Access controls:

We will implement and maintain access controls and policies in order to restrict personnel processing customer data. When personnel no longer need to process customer data, we will promptly revoke that personnel's access privileges.

Data breach

Processors must notify a data breach to the controller without undue delay after becoming aware of it (GDPR Art 33(2)).

Taking into account the nature of the processing and the information available to the processor, the processor must assist the controller in ensuring compliance with its obligations to notify a data breach to the supervisory authority and data subjects (GDPR Art 28(3)(f)).

We are committed to doing everything possible to minimize risks and provide all the necessary information in the event of a security breach.

Demonstrating compliance

The processor must make available to the controller all information necessary to demonstrate the processor's compliance with its data protection obligations and allow for audits, including inspections, conducted by the controller or an auditor mandated by the controller (GDPR Art 28(3)(h)).

We are committed to providing all relevant information to demonstrate EdifiXio’s compliance.


DISCIPLINARY ACTIONS

Our company may have to take disciplinary action against employees who repeatedly or intentionally fail to follow our code of conduct. Disciplinary actions will vary depending on the violation.

Possible consequences include:

We may take legal action, according to relevant local law, in cases of corruption, theft, embezzlement or other unlawful behavior.