The Transparency Act

Transparency Act 2022

130 million kroner

80

4human's work to act responsibly and ensure human rights and decent working conditions shall be a fully integrated part of 4human's management system. Among other things, 4human's risk assessment tool has been adapted and is actively used to assess the risk of breaches of accountability. 4human's tool for registering deviations/incidents is used as an internal channel for reporting/notifying deviations related to accountability. In addition, our ethical guidelines have been adapted to include expectations and requirements for accountability among our own employees.

4human also conducts regular stakeholder analyses and through this work obtains a good overview of the group's various stakeholders, especially business partners and suppliers, where matters related to the Transparency Act are subject to assessment in SWOT analyses.

All customers of 4human signs a data processing agreement and through this agreement it is transparent to customers who are the suppliers to 4human .

4Human shall be a positive social actor who shall follow the OECD guidelines for responsible business conduct which are compatible with the UN Guiding Principles on Business and Human Rights, and the UN Global Compact's 10 principles which deal with issues related to

• Human rights
• Decent work
• Preserving the climate and environment
• Anti-corruption

We respect the human rights of everyone who is affected or may be affected by our operations.

The Human Rights and Decent Work Policy (this document) is a guiding document for our business. All employees, suppliers and partners must be aware of this and the document is available on our website. 4human .no

The policy is rooted in 4human its board of directors and management team.

All three 4human -production companies in Norway are ISO-certified according to ISO 9001, Quality Management Systems. In addition, 4human HRM and its subsidiary 4human TQM ISO-certified according to ISO 27001/27002, Information security management systems, ISO 27018, Security measures for personal data in cloud solutions and ISO 27701, Data protection management systems. 4human uses DNV as an independent certification company. In its internal control work, it uses 4human their own software.

For the board of directors 4human has the security around the data 4human processing on behalf of customers has always been at the top of the priority list. And from 2022, the Transparency Act has also been a topic for management and the board.

We map our suppliers, subcontractors and business partners and maintain an overview on an ongoing basis. Through overall mapping, we get an overall risk picture of our portfolio, and can prioritize risk areas for more thorough mapping and possible measures. An overview of the mapping is included in our quality system.

The following products and services are relevant to our business:

• Purchase of software licenses
• Purchase of development services
• Purchase of electronics and ICT services
• Purchase of banking and insurance services
• Renting office space in Oslo, Tønsberg, Skien and Gdansk.

Existing and new suppliers of these product categories are examined based on the following parameters:

• Geographic risk
• Risk at the business level related to governance, known history regarding human or labor rights, information on guidelines for responsible business, etc.

4human's due diligence assessments in 2024 for our suppliers and subcontractors show that no negative consequences or significant risk of negative consequences have been identified that we can influence in matters related to: human rights, employment, environment and climate, anti-corruption, consumer interests, competition and tax.

4human's most important operating equipment is PCs and we do not have much influence when it comes to vulnerable components in PCs. All purchases of PCs in 4human goes through the operating partner Advania Vestfold. The risk factors related to human rights are present in the supplier chain for PCs and this is followed up with Advania Vestfold.

Our suppliers of essential purchases

• Advania Vestfold AS

Provides office support, provides support, handles discarded PCs, and operates and hosts several of 4human's cloud solutions.

The due diligence assessments show no actual negative consequences or significant risk of negative consequences with regard to the safeguarding of personal data in our systems related to the services that Advania delivers to 4human .

4human finds no risk of human rights or labor rights violations related to either industry or geography. Advania is a Norwegian supplier and labor within ICT is in high demand. 4human's due diligence assessments also show no negative consequences or significant risk of negative consequences in the working conditions at Advania.

Risks associated with e-waste:

In 2022, Advania created a program for "Responsible e-waste management". This system for handling e-waste will, among other things, help ensure that disposal takes place in a socially responsible and sustainable manner. This is a work 4human monitors through our supplier follow-up of Advania. 4human's due diligence assessments show no actual negative consequences or significant risk of negative consequences when handling e-waste.

Advania's sustainability report for 2023: Sustainability Report 2023

• Xebia sp. Z o.o. (Poland)

Provides development services, application management and 4th line support to 4human's customers.

4human purchases development services from Xebia. All the developers in Xebia who 4human uses is located in Poland. Xebia's (PGS') self-declaration and 4human's due diligence assessments show that fundamental human rights and decent working conditions are safeguarded at Xebia.

4human due diligence assessments show that the confidentiality of the personal data Xebia processed on behalf of 4human was taken care of in a good way. There are therefore no negative consequences or significant risk of negative consequences from Xebia's work for 4human .

Like Norway, Poland is covered by the General Data Protection Regulation and there are no negative consequences or significant risk of negative consequences of the work taking place in Poland.

• AWS

Platform for some of 4human's cloud solutions

Product risk:

• In 4human's due diligence assessments of software vendors, the vendor's relationship with information security and privacy is given the highest priority. And 4human's work with AWS shows that AWS takes this very seriously. 4human cannot find actual adverse consequences or significant risk of adverse consequences from AWS's efforts to preserve the confidentiality, integrity, and availability of personal data.

• The servers on which some of 4human's cloud solutions are located are in Ireland. And Ireland has the same privacy requirements as Norway.

4human's due diligence shows no actual negative consequences or significant risk of negative consequences for human rights or working conditions.

Amazon Global Human Rights Principles

• Microsoft (MS Azure)

Platform for some of 4human's cloud solutions.

Product risk:

• In 4human's due diligence assessments of software vendors, the vendor's approach to information security and privacy weighs heavily. And 4human's work with MS Azure shows that Microsoft takes this very seriously.

• 4human's solutions at Microsoft are located in various data centers within the EU.

• 4human finds no actual negative consequences or significant risk of negative consequences from Microsoft Azure's efforts to preserve the confidentiality, integrity, and availability of personal data.

4human's due diligence shows no actual negative consequences or significant risk of negative consequences for human rights or working conditions.

Microsoft Corporate Social Responsibility

• contribute to fair and good working conditions
• prevent discrimination in employment and employment
• contribute to freedom of association, freedom of association and the right to strike
• Workplace health and safety and decent working conditions
• contribute to the follow-up of ethical guidelines in our supply chain

If our due diligence assessments reveal potential or actual negative impact or damage, this must be reported to our quality system TQM Enterprise so that it can be handled according to our established process for non-conformance management.

Our requirements and expectations for suppliers, subcontractors and business partners are set out in the document “Ethical Guidelines for Suppliers and Business Partners”, which is available on our website. Both existing and new suppliers and business partners receive the guidelines upon signing a contract.

4human has notification options through both its management system TQM Enterprise and the various solutions' support systems if someone discovers violations of basic human rights and decent working conditions. 4human also has its own privacy officer with contact information available on 4human's website.

Mapping our suppliers, subcontractors and business partners is an ongoing process. The results of the risk assessments are documented in the supplier overview in our management system TQM Enterprise.

Adopted by the Board of Directors in 4human Invest AS, December 12, 2024