Whistleblowing policy

1. Premise CheckSig S.r.l. Benefit Company (hereinafter, “CheckSig” or the “Company”) intends to strengthen the Corporate Governance system within its organization. CheckSig’s daily commitment is to guarantee a working environment based on mutual respect for the dignity, honor and reputation of each member, legality and transparency. However, it may happen that in some cases, despite efforts, behaviors are carried out, including omissions, which are not in line with the values ​​and the Code of Ethics adopted by the Company, do not comply with the laws in force and may significantly damage the interests of CheckSig. Functional for this purpose is the adoption of a Whistleblowing policy (hereinafter also “policy”) which regulates the reporting of violations by organizational members. This policy was drawn up in compliance with the legislation referred to in Legislative Decree 24/2023, which implemented EU Directive 2019/1937 concerning the protection of persons who report violations of Union law and containing provisions regarding the protection of persons who report violations of national regulatory provisions. The provisions of this policy do not prejudice or limit in any way the right or obligation to report to the competent regulatory, supervisory or judicial authorities.
2. General aspects of the document 2.1. Purpose of the policy The purpose of this document is to define the so-called communication channels, the analysis and processing of reports of possible violations and the protection standards for whistleblowers or whistleblowers. The identity of the Whistleblowers must always be kept confidential and the Whistleblowers must not incur any liability, whether civil, criminal, administrative or employment, for having reported a violation in good faith through the established communication channels. In particular, the policy aims to: I. define the reporting management principles; II. identify the company functions involved in the reporting management process and define the tasks assigned to them; III. inform recipients about the channels, methods and times for managing reports; IV. the reporting activity. It is worth remembering that retaliation, direct or indirect, against anyone who reports potential violations is prohibited, providing for appropriate sanctioning measures in this regard. At the same time, CheckSig intends to react promptly against those who, with intent or gross negligence, report violations that turn out to not exist. 2.2. Recipients of the document and its update This document is brought to the attention of CheckSig’s employees and collaborators (external consultants, interns, etc.), as well as members and, in general, all those who work directly or indirectly with the Company (for example, suppliers, commercial partners, customers, etc.). This document is published on the company drive at the following address Operational Guides and on the CheckSig institutional website. This policy is prepared by the Legal and Compliance function and approved by the Board of Directors, also responsible for its correct implementation, as a signal of corporate commitment. The same is subjected to periodic review also taking into account any updates necessary from time to time. It is the responsibility of all company functions involved in the management of reports to report to the Legal and Compliance function any situations that cannot be managed based on the principles of the policy and the related proposals for intervention and modification. The Legal and Compliance function, however, reports to the Board of Directors any needs to update the policy in relation to external regulatory developments or following changes in the internal organizational or procedural structure. 2.3. Responsabile delle segnalazioni The Board of Directors decided to assign the role of reporting manager or Whistleblowing Officer to the Legal and Compliance function. In particular, in order to guarantee maximum independence and neutrality in the analysis and evaluation of reports, the responsibility for dealing with reports is entrusted to the manager of the aforementioned Legal and Compliance function. The Whistleblower Officer is equipped with the necessary skills to manage reports, also through dedicated training, and has adequate financial and organizational resources available annually for the correct carrying out of the activities envisaged by this policy. The Whistleblower Officer can also make use of the support of adequately qualified external consultants to carry out the examination and evaluation of reports. 2.4. Reference legislation

• EU Regulation 2023/1114 of the European Parliament and of the Council of 31 May 2023 relating to crypto-asset markets (“MiCAR”);
  • ESMA “Technical Standards specifying certain requirements of the Markets in Crypto Assets Regulation (MiCAR)”;
  • Law n. 179/2017 “Provisions for the protection of the authors of reports of crimes or irregularities of which they have become aware in the context of a public or private employment relationship”;
  • Legislative Decree 10 March 2023, n. 24 - implementation of EU directive 2019/1937;
  • Legislative Decree 11 April 2006, n. 198 - Code of equal opportunities between men and women.

3. Management of reports All recipients of this policy are invited to report violations through the procedure set out in the following paragraphs. The term violations means actions, behaviors or omissions that have occurred, which can reasonably be assumed to have occurred or which are very likely to occur, as well as attempts to conceal such actions or omissions i) which constitute or may constitute an offense or irregularity with respect to the applicable laws and regulations or to the values ​​and principles established in the Code of Ethics and in the other policies of the Company; ii) that cause or may cause damage (economic, security or reputational) to CheckSig, its employees and third parties with which the Company operates; iii) of which the Whistleblower became aware at the workplace and/or during the performance of his duties. Violations include, but are not limited to:
4. violation of anti-money laundering legislation;
   1. violation of the MiCAR regulation or other special regulations applicable to the Company;
   2. administrative, accounting, civil or criminal offences;
   3. the relevant illicit conduct pursuant to Legislative Decree 231/01;
   4. offenses that fall within the scope of application of European Union or national acts relating to the following sectors: public procurement; financial services, products and markets and prevention of money laundering and terrorist financing; product safety and compliance; transport safety; environmental protection; radiation protection and nuclear safety; food and feed safety and animal health and welfare; public health; consumer protection; protection of privacy and protection of personal data and security of networks and information systems;
   5. acts or omissions detrimental to the financial interests of the Union;
   6. acts or omissions concerning the internal market, including the dissemination of inside information and/or violations of competition rules and unfair commercial practices, as well as violations concerning the internal market connected to acts that violate tax rules or mechanisms the purpose of which is to obtain a tax advantage which defeats the object or purpose of the applicable legislation;
   7. acts or behaviors that nullify the object or purpose of the provisions set out in Union acts;
   8. acts or behaviors that constitute a violation of the Policy against harassment and violence in the workplace adopted by the Company, as well as a violation of the Gender Equality Policy adopted by the Company and/or discrimination based on gender. Complaints or mere complaints of a personal nature from the Whistleblower or claims and requests which fall within the discipline of the employment relationship and which concern relations with the hierarchical superior or with colleagues, for which reference must be made to the competent figures in personnel management matters, are not considered reports. Reports based on mere suppositions and/or suspicions and/or personal opinions of the Whistleblower and/or any third parties indicated by him are also excluded. In general, the principles that guide CheckSig’s reporting process are: I. confidentiality: of the reporters or Whistleblowers, of the reports and the information contained therein; II. proportionality: the investigations conducted by CheckSig are adequate, necessary and commensurate to achieve their purpose; III. impartiality: the analysis and processing of reports are carried out without subjectivity, regardless of the opinions and interests of the people responsible for managing the reports; IV. good faith: the protections for the Whistleblower are applicable even in cases where the report turns out to be unfounded, if it was made in good faith, i.e. the Whistleblower had well-founded reasons to believe that the information relating to the violation(s) was true at the time of the report and that the information fell within the scope of the policy. 3.1. Reporting channels The Whistleblower can submit a report through the following channels: I. internal canal; II. external channel (managed by ANAC); III. public disclosure; IV. report to the judicial or accounting authority. The use of the internal channel is favored as a priority and, only when one of the conditions referred to in the art. 6 of Legislative Decree 24/2023, it is possible to make an external report to ANAC at the following link https://wb.anticorruzione.it/#/. Only the management methods of the internal channel are illustrated in this policy, while for the other methods, reference is made directly to the regulations indicated in Legislative Decree 24/2023. CheckSig’s reporting channels are as follows:
5. email all’indirizzo whistleblowing@checksig.com;
   1. anonymous message via online form https://forms.gle/rfBTQNfGaCou3DyN9. Anyone who receives a report that falls within the scope of this policy outside of the reporting channels indicated, for any reason and by any means must:
6. guarantee the confidentiality of the information received, having the obligation not to disclose the identity of the Whistleblower nor of the person reported or of any other person mentioned in the report, nor any information that would allow them to be identified, directly or indirectly; 2. direct the Whistleblower to comply with the procedure for forwarding the report using the channels expressly established in this policy, taking care to inform the Whistleblower that only those reports benefit from the protections provided by the law and this policy; 3. forward the report to the Whistleblower Officer within 7 days of receipt, simultaneously giving the Whistleblower notice of the transmission, and following confirmation of receipt of the report by the Whistleblower Officer, delete any information related to the report; 4. refrain from undertaking any independent analysis and/or in-depth initiative. 3.2. Content and sending of reports Recipients of this policy who become aware of violations are encouraged to report the events and circumstances promptly, in good faith and provided they have reasonable grounds to believe that such information is true. The reports must be as detailed as possible in order to allow effective verification of the validity of the events reported. To this end, the report must include: I. the name of the Whistleblower and contact details for further communications (anonymous reports are not permitted, i.e. without any element that allows - in the cases provided for by law - to identify the author); II. a detailed description of the events that occurred, including date and location, and how the Whistleblower became aware of them; III. such as law, internal regulation, etc. are believed to have been violated; IV. the name of the person reported and the information that allows him to be identified; V. the name and role of any other parties who may report on the reported events; YOU. any documents or other elements that can prove the events reported. Reports that omit one or more of the elements indicated above will be taken into consideration if they are sufficiently detailed to allow effective verification of the facts reported. 3.3. Verification of reports CheckSig ensures that the processing of reports is carried out in a timely and accurate manner and in compliance with the principles referred to in the previous paragraph. 3 and through the use of specialized personnel. The Whistleblower Officer provides the Whistleblower with confirmation of receipt of the report and the expected timing for the investigation activities within 7 days of receiving the report. The Whistleblower Officer conducts a preliminary analysis to determine whether there are sufficient elements for a potential or actual violation (so-called “plausibility check”) and, based on the outcome, classifies them into:
7. relevant, for which the internal investigation phase will be started and the report will be further investigated;
   1. not relevant, for which the report will be archived and the Whistleblower will be notified that the report does not fall within the scope of this policy and, at the same time, will be referred to other relevant company channels or procedures;
   2. in bad faith, for which the possible initiation of a sanctioning procedure will be assessed. 3.3.1. The internal investigation phase The investigation phase consists of carrying out targeted checks on the report and which allow the elements that confirm the reliability of the facts reported to be identified, analyzed and correctly evaluated. During the investigation the Whistleblower Officer may ask the whistleblower to provide further supporting information. The whistleblower has the right to complete or correct the information already provided to the Whistleblower Officer, in compliance with the principle of good faith. The Whistleblower Officer may also conduct interviews or request information from other persons who may have knowledge of the reported events. All requests for information and/or meetings organized with the Whistleblower and other people involved in the report must be documented! The lack of information and/or the reluctance of the Whistleblower to cooperate may be a reason for the Whistleblowing Officer to decide that there are no concrete reasons to proceed. The Whistleblower Officer can make use of the support of the company functions competent from time to time and/or specialized external consultants, guaranteeing the confidentiality of the information and making as much personal data anonymous as possible, to conduct some or all of the activities to verify the report. In any case, the Whistleblower Officer remains responsible for monitoring compliance with the principles set out in this policy, the formal correctness of the process and the adequacy of subsequent actions. If it is possible to believe that the facts contained in the report constitute a crime, the Whistleblower Officer evaluates, in agreement with the Board of Directors, whether and when the information contained in the report should be notified to the competent judicial authorities. The persons reported are guaranteed the right to defense and/or to be informed of the outcome of the investigation. 3.3.2. The results of the investigation Once the investigation phase is completed, the Whistleblower Officer prepares a report summarizing the investigations carried out, the methods used, the results of the plausibility check and/or investigation, the supporting elements collected and recommendations for an action plan. If the report is archived, the reasons will be specified in the report. The report is then shared, based on the results, with the Company’s Board of Directors and with the corporate functions involved, on the basis of the “need to know” principle (including the possibility of sharing an anonymized version of the document), in order to determine which measures to adopt, including any disciplinary measures against employees. The Whistleblower Officer must provide feedback to the Whistleblower on the outcome of the internal investigation within 3 months of the report. If, for objective reasons linked to the complexity of the internal investigation, it is not concluded within this deadline, the Whistleblower Officer will still provide the Whistleblower with feedback on the activities in progress and the first results of the investigation, reserving the right to provide further feedback when the activities are concluded. In any case, the content of such feedback must not prejudice any actions that may be taken as a result of the investigation. 3.4. Language used to process the report The Company allows recipients of the policy to submit reports in Italian and English. CheckSig will respond to the complaint using the language used by them, provided that it falls within one of the above hypotheses.
8. Recording of reports The Whistleblower Officer, who is responsible for dealing with reports, is also responsible for keeping the appropriate register where the essential elements of each report received are noted. In particular the Whistleblower Officer:
9. records the report using an identification code/name;
   1. classifies reports into irrelevant, bad faith and relevant. The Company allows recipients of the policy to submit reports in Italian and English. CheckSig will respond to the complaint using the language used by them, provided that it falls within one of the above hypotheses.
10. Confidentiality and Retention of Reports CheckSig encourages all recipients of this policy to promptly report any violation and, to encourage collaboration, guarantees the confidentiality of each report and the information contained therein, including the identity of the Whistleblower, the person reported and any other person involved. Their identities will not be disclosed to anyone other than the Whistleblower Officer except in the following cases:
11. have given their explicit consent or intentionally disclosed their identity in other areas;
    1. communication is a necessary and proportionate obligation in the context of investigations or proceedings by the judicial authority. Information contained in reports that constitute trade secrets may not be used or disclosed for purposes other than those necessary to resolve the report. In the event that a Whistleblower has made a report in good faith, and it turns out that he or she was mistaken about its relevance or that the person who made the report did not fully comply with the procedural requirements established by this policy, such Whistleblower will still be guaranteed the expected protections. With reference to data retention, the reports will be kept for five years starting from the date of communication of the final outcome of the reporting procedure. The reports are archived by the Whistleblower Officer in a drive accessible only to the Legal and Compliance function.
12. No retaliation CheckSIg does not tolerate any form of threat, retaliation or discrimination, attempted or actual, against Whistleblowers, those reported or anyone who collaborated in the investigations to prove the validity of the report. CheckSig attempts to eliminate, where possible, or offset the effects of any retaliation against the above-mentioned individuals. For this reason, the Company reserves the right to take appropriate action against anyone who carries out, or threatens to carry out, acts of retaliation against the subjects listed above, without prejudice to the right of the parties involved to legally protect themselves if criminal or civil liability linked to the falsity of what has been declared or reported has been found. CheckSig may take the most appropriate disciplinary and/or legal measures, to the extent permitted by applicable law, to protect its rights, assets and image, against anyone who has made false, unfounded or opportunistic reports in bad faith and/or for the sole purpose of slandering, defaming or causing harm to the reported person or to other people involved in the report.
13. Information on reports received CheckSig continuously analyzes the data relating to the reports received, to identify any critical issues regarding the effectiveness of this policy. In this context, the Whistleblower Officer annually, on the occasion of the presentation of the report by the head of the Compliance function, provides the Board of Directors with an update on the number and type of reports received and on the outcome of the activities conducted during the year for the appropriate assessments, guaranteeing the anonymity of the subjects involved.
14. Data protection Pursuant to and for the purposes of EU Regulation 2016/679, in short GDPR, the Data Controller of the personal data collected through the reporting process, regulated in this policy is CheckSig S.r.l. Benefit Company (hereinafter, the “Owner”). The Data Controller processes the personal data contained in the reports for the purposes identified by this policy, within the limits of the obligations established by law, i.e. for the collection, management and analysis of the reports received. For the pursuit of the purposes indicated, the personal data contained in the reports will be collected, processed and managed by the Whistleblowing Officer, as the function responsible for this policy, as well as by any external consultants that the Whistleblowing Officer uses to carry out the activity. These subjects have been duly identified by the Data Controller and trained on the methods and purposes of the processing and will act as data controllers on the basis of a specific agreement concluded pursuant to art. 28 GDPR. The Data Controller may communicate, as long as it is necessary to pursue the purposes of the processing, the personal data collected to the competent Authorities who will act as independent data controllers. 8.1. Data protection rights of the Whistleblower and others involved in the report Pursuant to and for the purposes of the GDPR, the Whistleblower, the reported party and the other subjects involved in the report (hereinafter, ”interested party” or jointly ”interested parties”) are granted specific rights:
15. the right to request access to your personal data together with indications relating to the purpose of the processing, the category of personal data processed, the subjects or categories of subjects to whom they have been or will be communicated (with indication of the possibility in which such subjects are located in third countries or are international organisations), when possible the period of retention of the personal data or the criteria used to determine this period, the existence of your rights to rectification and/or cancellation of personal data, to limit the processing and to oppose the processing, to your right to lodge a complaint with the supervisory authority, the origin of the data, the existence and the logic applied in case of automated decision-making. If you exercise this right and unless otherwise indicated by the interested party, the latter will receive an electronic copy of their personal data which is being processed; 2. il diritto di ottenere la rettifica dei propri dati personali, qualora gli stessi risultino inesatti o incompleti; 3. the cancellation of your personal data, if one of the conditions referred to in the art. 17 of the GDPR (for example: the personal data of the interested party are no longer necessary with respect to the purposes for which they were collected, the interested party decides to revoke consent to the processing - where this represents the legal basis - and there is no other legal basis for the processing itself, the interested party objects to the processing and no other legitimate interest of the Data Controller prevails, the personal data are processed unlawfully); 4. the limitation of the processing of personal data i) for the time necessary for CheckSig to verify the accuracy of the personal data of the interested party (in the event that he has contested it), or ii) if the processing of personal data is unlawful and the interested party requests, instead of the cancellation of his personal data, the limitation of the relevant processing, or iii) when CheckSig no longer needs the personal data of the interested party but the same are for the interested party necessary to ascertain, exercise or defend a right in court, or, finally, 4) for the time necessary to evaluate the possible prevalence of the legitimate reasons of the Data Controller with respect to those of the interested party, if the latter has opposed the processing of their personal data pursuant to point c) below; 5. the right to object to the processing of your personal data, if such processing is carried out pursuant to art. 6.1 letter e) (i.e. for the execution of a task of public interest to which the Data Controller is subject) or letter. f) (i.e. to pursue a legitimate interest of the Data Controller) of the GDPR, unless there are compelling legitimate reasons for the Data Controller to proceed with the processing, pursuant to art. 21 of the GDPR;6. if you are not satisfied with the processing of your personal data carried out by CheckSig, you can lodge a complaint with the Guarantor for the Protection of Personal Data, following the procedures and instructions published on the official website of this authority www.garanteprivacy.it.

Report an offense (form)