The Transparency Act
A. General information
Organization
4human consists of four companies, of which the parent is a holding company. The other three companies produce software for the Norwegian and international markets.
4human HRM AS creates HRM systems as cloud solutions (SaaS). This means that 4human HRM processes large amounts of personal data.
4human TQM AS is a 100% owned subsidiary of 4human HRM and TQM creates systems for quality, HSE and external environment as a cloud solution (SaaS).
4human QM365 AS is also a 100% owned subsidiary of 4human HRM and QM365 creates systems for quality, HSE and external environment installed on the customer's own MS365 SharePoint.
Software for quality, HSE and the external environment also involves the processing of personal data on a larger scale than is usual.
In connection with the deliveries of the various cloud solutions, we also deliver 4human consulting services.
Revenue in the reporting year 2022
97 million kroner
Number of employees
70
Due diligence and management system
4human's efforts to act responsibly and ensure human rights and decent working conditions shall be a fully integrated part of 4human's management system. Among other things, 4human's risk assessment tools have been adapted and are actively used to assess the risk of breaches of responsibility. 4human's tool for registering deviations/incidents is used as an internal channel for reporting/notification of deviations related to accountability. In addition, our ethical guidelines have been updated to include expectations and requirements for accountability among our own employees.
4human also conducts regular stakeholder analyses and through this work obtains a good overview of the group's various stakeholders, especially business partners and suppliers.
Together with the stakeholder analysis, SWOT and PESTEL analyses are also conducted.
All customers of 4human sign a data processing agreement, and through this agreement it is transparent to customers who 4human's suppliers are.
Certifications
All three production companies in the group are ISO certified according to ISO 9001, Quality Management Systems. In addition, 4human HRM and the subsidiary 4human TQM are ISO certified according to ISO 27001/27002, Information security management systems, ISO 27018, Security measures for personal data in cloud solutions and ISO 27701, Data protection management systems. 4human uses DNV as an independent certification company. In its internal control work, 4human uses its own software.
In December 2019, it became an absolute requirement from the board that 4human was to go for ISO certification in quality, information security and privacy. In May 2022, 4human was ISO certified and the methodical and continuous work on quality, information security and privacy was officially put in place.
Anchoring the work on the Transparency Act with the board and management
For 4human's board of directors, the security of the data 4human processes on behalf of customers has always been at the top of the priority list. From 2022, the Transparency Act has also been a topic for management and the board.
B. Negative consequences and risks
Mapping 4human's impact on people and society
The greatest risk for 4human related to fundamental human rights is that the personal data 4human processes in the cloud solutions on behalf of customers goes astray, that is, that there is a breach of the confidentiality of personal data.
As a result, 4human prioritizes the assessment of matters related to safeguarding the confidentiality of personal data in the group's cloud solutions, and of working conditions at 4human's most important suppliers with regard to safeguarding personal data. In addition, 4human's own activities, including the supplier of ICT operating equipment, have also been assessed. Here, 4human also assessed the risk of negative impact in connection with the handling of e-waste, because this is closely linked to the risk of child labor, generally poor working conditions and a large impact on the external environment.
Due diligence (risk assessments)
Risk internal to 4human
4human's assessments of information security and privacy in the group's products show no actual negative consequences or significant risk of negative consequences.
The risk assessment, which was carried out in line with the OECD guidelines, identified some risks related to the lack of systematic work with due diligence assessments. Several measures have already been implemented, see letter A, and several measures are planned, see letter C. 4human's due diligence assessments in 2022 do not show that there are actual negative consequences or a significant risk of negative consequences in matters affecting HSE in 4human. In hindsight, 4human sees that more work should be done on systematic HSE work. The measures are described under letter C.
Risks related to purchasing
4human's most important operating equipment is PCs and phones. The supply situation in 2022, especially for PCs, was such that 4human had to buy what was available. 4human has no influence when it comes to vulnerable components in PCs and phones. 4human has a policy for purchasing PCs and phones, but due to the delivery situation it was not possible to follow this policy in 2022. All purchases of PCs in 4human go through the operating partner, Advania. The risk factors related to human rights are certainly present. 4human did not do anything related to this risk in 2022, but will follow up on this in 2023.
Risks related to e-waste
4human had 70 employees in 2022. The average lifespan of a PC in 4human is 6 years. This means that we discard approximately 12 PCs a year. We have outsourced the disposal of PCs to our operating partner Advania (see more under Advania).
Supply chain information
Advania Norge 46 AS
Delivers office support, provides support, operates and hosts several of 4human's cloud solutions.
The due diligence assessments show no actual negative consequences or significant risk of negative consequences with regard to the safeguarding of personal data in our systems related to the services that Advania delivers to 4human.
4human finds no risk of human rights or labor rights violations related to either industry or geography. Advania Norway is a Norwegian supplier and labor within ICT is in high demand. 4human's due diligence assessments also show no negative consequences or significant risk of negative consequences in the working conditions at Advania.
Risks related to e-waste
In 2022, Advania created a program for "Responsible e-waste management". This system for handling e-waste will, among other things, help ensure that disposal takes place in a socially responsible and sustainable manner. This is work that 4human monitors through our supplier follow-up of Advania. 4human's due diligence assessments show no actual negative consequences or significant risk of negative consequences when handling e-waste.
Advania's sustainability report for 2022:
Xebia sp. z o.o. (formerly PGS sp. z o.o., acquired by Xebia in 2022), Poland
Provides development services, application management and 4th line support to 4human's customers.
4human purchases development services from Xebia. All the Xebia developers that 4human uses are located in Poland. Xebia's (PGS') self-declaration and 4human's due diligence assessments show that fundamental human rights and decent working conditions are safeguarded at Xebia.
4human's due diligence assessments show that the confidentiality of the personal data Xebia processed on behalf of 4human was well protected. There are therefore no negative consequences or significant risk of negative consequences from Xebia's work for 4human.
Like Norway, Poland is covered by the General Data Protection Regulation and there are no negative consequences or significant risk of negative consequences of the work taking place in Poland.
AWS
Platform for some of 4human's cloud solutions
Product risk
In 4human's due diligence assessments of software vendors, the vendor's approach to information security and privacy weighs heavily. 4human's work with AWS shows that AWS takes this with the greatest seriousness. 4human cannot find actual adverse consequences or significant risk of adverse consequences from AWS's efforts to preserve the confidentiality, integrity, and availability of personal data.
The servers on which some of 4human's cloud solutions are located are in Ireland. And Ireland has the same privacy requirements as Norway.
4human's due diligence shows no actual negative consequences or significant risk of negative consequences for human rights or working conditions.
Amazon Global Human Rights Principles:
https://sustainability.aboutamazon.com/society/human-rights/principles
Microsoft (MS Azure)
Platform for some of 4human's cloud solutions.
Product risk
In 4human's due diligence assessments of software vendors, the vendor's approach to information security and privacy weighs heavily. And 4human's work with MS Azure shows that Microsoft takes this very seriously.
4human's solutions at Microsoft are located in various data centers within the EU.
4human finds no actual negative consequences or significant risk of negative consequences from Microsoft Azure's efforts to preserve the confidentiality, integrity, and availability of personal data.
4human's due diligence shows no actual negative consequences or significant risk of negative consequences for human rights or working conditions.
Microsoft Corporate Social Responsibility:
https://www.microsoft.com/en-us/corporate-responsibility/human-rights
C. Measures
A high level of information security and good privacy protection have been a priority for many years. At 4human, information security and privacy are considered to be well safeguarded.
4human has notification options through both its management system and the various solutions' support systems if someone discovers violations of basic human rights and decent working conditions. 4human also has its own privacy officer with contact information available on 4human's website.
Ongoing and planned measures
4human's processes for purchasing and for evaluating and following up suppliers are being updated to ensure, among other things, that the responsibility of 4human's suppliers and business associates is adequately assessed before entering into new contracts and purchases from new suppliers, as well as in the event of major changes to existing suppliers. Going forward, the work on due diligence will thus be an integral part of 4human's management system.
Renewed focus on internal HSE work is also a priority area in 2023.
Assessment of the effect of implemented and planned measures
Evaluation of 4human's work with responsibility will, in the same way as other areas, be followed up via already established processes in 4human's management system, such as internal audits and management reviews.
Adopted at the board meeting of 4human Invest AS, July 3, 2023