The Transparency Act
A. General information
Organization
4human consists of four companies where the parent company is the holding company. The other three companies produce software for the Norwegian and international markets.
4human HRM AS creates HRM systems as cloud solutions (SaaS). This means that 4human HRM processes large amounts of personal data.
4human TQM AS is a wholly owned subsidiary of 4human HRM and TQM creates systems for quality, HSE and external environment as a cloud solution (SaaS).
4human QM365 AS is also a 100% owned subsidiary of 4human HRM and QM365 creates systems for quality, HSE and external environment installed on the customer's own MS365 SharePoint.
Software for quality, HSE and the external environment also involves the processing of personal data on a larger scale than is usual.
In connection with the delivery of the various cloud solutions, 4human also provides consulting services.
Revenue in the reporting year 2022
97 million kroner
Number of employees
70
Due diligence and management system
4human's efforts to act responsibly and ensure human rights and decent working conditions shall be a fully integrated part of 4human's management system. Among other things, 4human's risk assessment tools have been adapted and are actively used to assess the risk of breaches of responsibility. 4human's tool for registering deviations/incidents is used as an internal channel for reporting/notification of deviations related to accountability. In addition, our ethical guidelines have been updated to include expectations and requirements for accountability among our own employees.
4human also carries out regular stakeholder analyses and through this work gains a good overview of the group's various stakeholders, especially its business partners and suppliers.
Together with the stakeholder analysis, SWOT and PESTEL analyses are also conducted.
All customers of 4human sign a data processing agreement and through this agreement it is transparent to customers who are suppliers to 4human.
Certifications
All three production companies in the group are ISO certified according to ISO 9001, Quality Management Systems. In addition, 4human HRM and its subsidiary 4human TQM are ISO-certified according to ISO 27001/27002, Management systems for information security, ISO 27018, Security measures for personal data in cloud solutions and ISO 27701, Management systems for privacy. 4human uses DNV as an independent certification company. In the internal control work, 4human uses its own software.
In December 2019, it became an absolute requirement from the board that 4human should go for ISO certification in quality, information security and privacy. In May 2022, 4human was ISO certified and the methodical and continuous work on quality, information security and privacy was officially put in place.
Anchoring the work on the Transparency Act with the board and management
For the Board of Directors of 4human, the security of the data 4human processes on behalf of its customers has always been at the top of the priority list. And from 2022, the Transparency Act has also been a topic for management and the board.
B. Negative consequences and risks
Mapping and 4human impact on people and society
The greatest risk for 4human in relation to fundamental human rights is if the personal data 4human processes in the cloud solutions on behalf of its customers goes astray, i.e. a breach of the confidentiality of the personal data.
As a result, 4human prioritizes the assessment of conditions related to safeguarding the confidentiality of personal data in the group's cloud solutions and working conditions at 4human's most important suppliers, with regard to safeguarding personal data. In addition, 4human's own operations have also been assessed, including the supplier of ICT equipment. Here, 4human has also assessed the risk of negative impact in connection with the handling of e-waste. This is because this is closely linked to the risk of child labor, generally poor working conditions and a major impact on the external environment.
Due diligence (risk assessments)
Internal risk in 4human
4human's assessments of information security and privacy in the group's products show no actual negative consequences or significant risk of negative consequences.
In the risk assessment carried out in line with the OECD guidance, some risk was identified related to a lack of systematic work on activity assessments. Several measures have already been implemented, see letter A, and more measures are planned, see letter C. 4human's activity assessments in 2022 do not show that there are actual negative consequences or a significant risk of negative consequences in relation to HSE at 4human. Subsequently, 4human sees that it should work somewhat more with systematic HSE work. Description of measures under letter C.
Risks related to purchasing
4human's most important operating materials are PCs and telephones. In 2022, the supply situation, especially for PCs, was such that we had to buy what was available. 4human has no influence when it comes to vulnerable components in PCs and phones. 4human has a policy for purchasing PCs and phones, but due to the delivery situation it was not possible to follow this policy in 2022. All purchases of PCs in 4human go through the operating partner, Advania. The risk factors related to human rights are certainly present. In 2022, 4human did not do anything related to this risk, but will follow up on this in 2023.
Risks related to e-waste
In 2022, 4human had 70 employees. The average lifespan of a PC in 4human is 6 years. This means that we dispose of about 12 PCs a year. We have outsourced the disposal of PCs to our operating partner Advania (see more under Advania).
Supply chain information
Advania Norge 46 AS
Delivers office support, provides support, operates and hosts several of 4human's cloud solutions.
The risk assessments show no actual negative consequences or significant risk of negative consequences with regard to the safeguarding of personal data in our systems related to the services that Advania provides to 4human.
4human finds no risk of human rights or labor rights violations related to either industry or geography. Advania Norway is a Norwegian supplier and labor within ICT is in high demand. Nor do 4human's due diligence assessments reveal any negative consequences or significant risk of negative consequences of working conditions at Advania.
Risks related to e-waste
In 2022, Advania established a program for "Responsible e-waste management". Among other things, this system for handling e-waste will help ensure that disposal takes place in a socially responsible and sustainable manner. This is a work that 4human monitors through our supplier follow-up of Advania. 4human's business assessments show no actual negative consequences or significant risk of negative consequences when handling e-waste.
Advania's sustainability report for 2022:
Xebia sp. z o.o. (formerly PGS sp. z o.o., which was acquired by Xebia in 2022), Poland
Provides development services, application management and 4th line support to 4human's customers.
4human buys development services from Xebia. All Xebia developers used by 4human are based in Poland. Xebia's (PGS') self-declaration and 4human's due diligence show that fundamental human rights and decent working conditions are safeguarded in Xebia.
4human's due diligence shows that the confidentiality of the personal data Xebia processed on behalf of 4human was safeguarded in a good way. Thus, there are no negative consequences or significant risk of negative consequences of Xebia's work for 4human.
Like Norway, Poland is covered by the General Data Protection Regulation and there are no negative consequences or significant risk of negative consequences of the work taking place in Poland.
AWS
Platform for some of 4human's cloud solutions
Product risk
In 4human's due diligence assessments of software vendors, the vendor's relationship with information security and privacy weighs heavily. And 4human's work with AWS shows that AWS takes this with the utmost seriousness. 4human cannot find any actual negative consequences or significant risk of negative consequences of AWS's efforts to preserve the confidentiality, integrity and availability of personal data.
The servers on which some of 4human's cloud solutions are located are in Ireland. And Ireland has the same privacy requirements as Norway.
4human's due diligence shows no actual negative consequences or significant risk of negative consequences for human rights or working conditions.
Amazon Global Human Rights Principles:
https://sustainability.aboutamazon.com/society/human-rights/principles
Microsoft (MS Azure)
Platform for some of 4human's cloud solutions.
Product risk
In 4human's due diligence assessments of software vendors, the vendor's approach to information security and privacy weighs heavily. And 4human's work with MS Azure shows that Microsoft takes this very seriously.
4human's solutions at Microsoft are located in various data centers within the EU.
4human finds no actual negative consequences or significant risk of negative consequences of Microsoft Azure's efforts to preserve the confidentiality, integrity and availability of personal data.
4human's due diligence shows no actual negative consequences or significant risk of negative consequences for human rights or working conditions.
Microsoft Corporate Social Responsibility:
https://www.microsoft.com/en-us/corporate-responsibility/human-rights
C. Measures
A high level of information security and good data protection has been a priority for 4human for many years. Information security and privacy are considered to be well safeguarded.
Both 4human's management system and the support systems of the various solutions provide a way to give notification if anyone should discover violations of basic human rights and decent working conditions. 4human also has its own data protection officer with contact information available on 4human's website.
Ongoing and planned measures
4human's processes for purchasing and for evaluating and following up suppliers are being updated to ensure, among other things, that the responsibility of 4human's suppliers and business associates is adequately assessed before entering into new contracts and purchases from new suppliers, as well as in the event of major changes to existing suppliers. Going forward, the work on due diligence will thus be an integral part of 4human's management system.
Renewed focus on internal HSE work is also a priority area in 2023.
Assessment of the effect of implemented and planned measures
Evaluation of 4human's work with responsibility will, in the same way as other areas, be followed up via already established processes in 4human's management system, such as internal audits and management reviews.
Adopted in board meeting 4human Invest AS, July 3, 2023