Terms and Conditions

1. Introduction and Definitions

These terms and conditions of use ("Terms") govern access to and use of the software-as-a-service (SaaS) whistleblowing platform called "Whistlesblow" ("Platform" or "Service"), provided by True Solutions S.r.l., a company with registered office at Foro Buonaparte 59, 20121 Milan (MI), Italy, VAT number 14288140966, registered in the Companies Register of Milan (MI) n. 2772480 ("Provider", "we", "our"). Whistlesblow is a trade name of True Solutions S.r.l. Use of the Platform is subject to full and unreserved acceptance of these Terms. If the user does not accept these Terms, they may not access or use the Platform.

1.1 Definitions

For the purposes of these Terms, the following shall mean: (a) "User" or "Client": the natural or legal person who accesses and uses the Platform; (b) "Account": the user account created on the Platform to access services; (c) "Content": all data, information, documents, reports and materials uploaded or entered into the Platform by the User; (d) "Report": the communication of violations or unlawful acts made through the Platform in accordance with EU Directive 2019/1937; (e) "Service": the SaaS whistleblowing platform provided by the Provider; (f) "Data": all personal and non-personal information processed through the Platform.

2. Acceptance of Terms

Access to and use of the Platform implies full and unreserved acceptance of these Terms and the conditions contained therein. The User declares that they have read, understood and accepted these Terms before using the Platform. If the User does not accept these Terms, they must immediately cease using the Platform. Acceptance of these Terms constitutes a binding agreement between the User and the Provider. The User guarantees that they have the legal capacity necessary to accept these Terms and are authorized to represent the entity or organization on whose behalf they access the Platform, where applicable.

3. Service Description

Whistlesblow provides a software-as-a-service (SaaS) platform for managing whistleblowing reports, compliant with EU Directive 2019/1937 on the protection of persons who report breaches of Union law. The Platform allows Users to:

• Send reports of violations or unlawful acts in anonymous or identified form, in compliance with the provisions of EU Directive 2019/1937
• Manage the entire whistleblowing process, from receipt of reports to their management and follow-up
• Ensure protection of the reporter's identity and confidentiality of information, in compliance with applicable regulations
• Ensure regulatory compliance with EU Directive 2019/1937, GDPR and other applicable regulations on personal data protection
• Configure and customize the Platform according to the specific needs of the organization
• Access reporting, analysis and report management features through a secure web interface

4. Registration and Account

To use the Platform, the User must create an account by providing accurate, complete and up-to-date information. The User is responsible for: (a) maintaining the confidentiality of their access credentials (username and password); (b) all activities that occur under their account; (c) immediately notifying the Provider of any unauthorized use of their account or any other security breach; (d) ensuring that information provided during registration is truthful, accurate and complete. The Provider reserves the right to refuse registration or suspend/terminate the account of any User who violates these Terms or provides false or misleading information.

5. User Obligations

The User undertakes to use the Platform in compliance with these Terms, applicable regulations and best practices. In particular, the User undertakes to:

• Provide truthful, accurate, complete and up-to-date information during registration and use of the Platform
• Use the Platform exclusively for legitimate purposes and in compliance with EU Directive 2019/1937 and applicable regulations
• Respect the privacy, rights and dignity of all persons involved in the whistleblowing process
• Maintain the confidentiality of their access credentials and not share them with third parties
• Not attempt to access unauthorized accounts, systems or areas of the Platform
• Not interfere with the operation of the Platform or attempt to compromise its security
• Use the Platform in compliance with all applicable laws, regulations and standards
• Immediately notify the Provider of any security breaches or unauthorized uses

6. Prohibited Uses

It is expressly prohibited to use the Platform for:

• Sending false, slanderous, defamatory reports or reports made in bad faith, solely for the purpose of harming third parties
• Violating the privacy, intellectual property rights or other rights of third parties
• Spreading, uploading or transmitting viruses, malware, harmful code or other elements that may compromise Platform security
• Attempting unauthorized access to systems, networks or data of the Provider or other users
• Using the Platform for unauthorized commercial purposes, advertising, spam or unsolicited marketing communications
• Collecting or attempting to collect personal information of other users without their consent
• Using the Platform in a manner that violates any applicable law, regulation or standard
• Interfering with or disrupting the operation of the Platform or connected servers and networks

7. Intellectual Property

All intellectual property rights in the Platform, including but not limited to software, source code, design, logos, trademarks, content and documentation, are the exclusive property of the Provider or its licensors. The User acknowledges that the Platform is protected by copyright, registered trademarks and other intellectual property laws. The User does not acquire any ownership rights in the Platform through use of the Service. The User may use the Platform exclusively for purposes permitted by these Terms. It is prohibited to copy, modify, distribute, sell, license or create derivative works from the Platform without the written consent of the Provider. Content uploaded by the User to the Platform remains the property of the User. However, the User grants the Provider a non-exclusive, worldwide, royalty-free and transferable license to use, reproduce, modify, adapt and distribute the Content exclusively to provide the Service. The license does not apply to content relating to whistleblowing reports, which are processed exclusively for report management purposes, in compliance with EU Directive 2019/1937 and GDPR.

8. Privacy and Personal Data Protection

The processing of personal data through the Platform is governed by the Whistlesblow Privacy Policy, available at /privacy-policy, and Regulation (EU) 2016/679 (GDPR). The User acknowledges that they have read and understood the Privacy Policy and accepts the processing of their personal data as described therein. For data processed in the context of whistleblowing reports, the client company is the Data Controller pursuant to Art. 4(7) GDPR. True Solutions S.r.l. acts as Data Processor pursuant to Art. 28 GDPR, according to the appointment available at /nomina-responsabile. The Client may request the signing of the data processor appointment contract pursuant to Art. 28 GDPR. The updated list of sub-processors is available at /subresponsabili. The Provider guarantees that the identity of the reporter, any persons involved and the content of the report are protected in accordance with EU Directive 2019/1937. Access is permitted exclusively to authorized subjects designated by the Client. The Provider never accesses the content of reports, except when strictly necessary for legal obligations or for technical reasons related to system security, and in any case only with prior authorization from the Client. Report retention is governed by the Report Management Procedure published at /procedura and varies according to the subscription plan (from 6 months to 5 years). Technical logs are retained for the period strictly necessary for security (max 24 months). The Platform provides tools to enable the Client to comply with legal obligations regarding confirmation within 7 days and response within 3 months in accordance with EU Directive 2019/1937. The User is responsible for ensuring that the processing of personal data through the Platform complies with applicable regulations and that all necessary consents have been obtained.

9. Limitation of Liability

The Provider provides the Platform "as is" and "as available", without warranties of any kind, express or implied. To the maximum extent permitted by applicable law, the Provider shall not be liable for:

• Direct, indirect, incidental, consequential or punitive damages arising from use or inability to use the Platform
• Loss of data, information or Content, even if the Provider has been advised of the possibility of such damages
• Temporary or permanent interruptions of the Service due to maintenance, updates, technical failures or force majeure
• Damages arising from improper use of the Platform by the User or violations of these Terms
• Damages arising from cyber attacks, viruses, malware or other security threats
• Damages arising from decisions or actions based on information or Content present on the Platform

The total liability of the Provider to the User, for any reason and in any form, shall not exceed the total amount paid by the User to the Provider in the twelve (12) months preceding the event that gave rise to the liability. The above limitations of liability do not apply in case of willful misconduct or gross negligence of the Provider, nor in case of violation of mandatory legal provisions.

10. Service Availability and Maintenance

The Provider undertakes to ensure maximum availability and reliability of the Platform, while reserving the right to make temporary interruptions for maintenance, updates, improvements or technical reasons. The Provider undertakes to: (a) notify Users in advance, when possible, of scheduled Service interruptions; (b) minimize the duration of interruptions; (c) ensure a Service availability level of at least 99.5% on a monthly basis (excluding scheduled maintenance interruptions). The Provider guarantees adequate technical and organizational measures as described in the "Data Processor Appointment" document and the "Incident Management Procedure". These documents form an integral part of these Terms. The Provider has implemented daily backup and disaster recovery procedures, according to what is described in the DPIA and internal security measures. The Provider shall not be liable for interruptions or malfunctions due to force majeure, including but not limited to: natural disasters, wars, terrorist attacks, pandemics, strikes, interruptions of communications or electricity, or other events beyond the reasonable control of the Provider.

11. Modifications to Terms and Service

The Provider reserves the right to modify these Terms at any time, in particular to reflect changes in applicable legislation, Service features or for other legitimate reasons. Substantial changes to the Terms will be communicated to Users through appropriate channels (for example, by notice on the Platform or by email) at least thirty (30) days before they take effect. Continued use of the Platform after the changes take effect constitutes acceptance of the modified Terms. If the User does not accept the changes, they must cease using the Platform and may request termination of their account. The Provider also reserves the right to modify, suspend or discontinue any aspect of the Service, including but not limited to features, content or availability, at any time and without notice.

12. Termination and Suspension

The User may terminate their account at any time by contacting the Provider or using the account deletion features available on the Platform. The Provider may suspend or terminate the User's access to the Platform immediately and without notice in case of: (a) violation of these Terms; (b) fraudulent, illegal or unauthorized use of the Platform; (c) request by competent authorities; (d) closure or cessation of the User's business; (e) any other legitimate reason. In case of termination, the User will lose access to their account and Content stored therein, except as otherwise provided by law or specific agreements. The Provider reserves the right to retain data for periods required by law or for regulatory compliance purposes. Provisions of these Terms that by their nature should survive termination, including but not limited to intellectual property, limitation of liability, privacy and applicable law, will continue to apply after termination.

13. Applicable Law and Jurisdiction

These Terms are governed and interpreted in accordance with applicable international and European Union law. Any dispute arising from or relating to these Terms, including their validity, interpretation, performance or termination, will be subject to the exclusive jurisdiction of competent courts. For consumers resident in the European Union, the legal provisions that guarantee consumer protection apply, including the provisions on competent jurisdiction provided by Regulation (EU) No. 1215/2012. The parties undertake to attempt to resolve any disputes amicably before resorting to legal proceedings.

14. Contact

For any questions, requests or reports relating to these Terms and Conditions or the use of the Platform, you can contact the Provider: