Compliance Policy

Last updated: [01/10/2025]

Contents

• 1. Commitment to Compliance
• 2. Regulatory Compliance by Jurisdiction
  • 2.1 India – Local compliance
  • 2.2 European Union – GDPR
  • 2.3 Spain – European office
• 3. Comprehensive Compliance Program
  • 3.1 Organizational structure
  • 3.2 Risk assessments
  • 3.3 Training and awareness
• 4. Specific Compliance Policies
  • 4.1 Anti-corruption & Anti-bribery
  • 4.2 Data protection & Privacy
  • 4.3 Information security & Cybersecurity
  • 4.4 Competition & Antitrust
• 5. Monitoring & Auditing
  • 5.1 Continuous monitoring
  • 5.2 Internal audit
  • 5.3 External audits
• 6. Reporting & Escalation
  • 6.1 Reporting channels
  • 6.2 Investigation process
  • 6.3 Corrective & Disciplinary measures
• 7. Continuous Improvement
• 8. Communication & Culture
• 9. Contacts & Resources
• 10. Final Provisions

1. Commitment to Compliance

GOVISAN Solutions is committed to the highest legal, ethical and regulatory standards across all operations and jurisdictions. This policy applies to employees, directors, consultants, partners, suppliers, contractors, subsidiaries and affiliates.

Principles: Integrity, transparency, accountability and continuous improvement.

2. Regulatory Compliance by Jurisdiction

2.1 India – Local compliance

• Data protection: DPDP Act 2023, IT Act 2000, IT (Reasonable Security Practices) Rules 2011.
• Commercial: Companies Act 2013, FEMA 1999, GST Act 2017, Contract Act 1872.
• Sectoral: TRAI; BIS for telecom equipment; EIA requirements.
• Labor: EPF Act, Payment of Wages Act, Industrial Disputes Act, SHWW Act 2013.

2.2 European Union – GDPR compliance

• GDPR, ePrivacy Directive, and national DP laws; EU representative (Art. 27) and ROPA (Art. 30).
• International transfers via SCCs, TOMs and transfer impact assessments where required.

2.3 Spain – European office

• LOPDGDD, Spanish Civil Code (commercial contracts), VAT Law, Capital Companies Law.
• Commercial registry, municipal licenses, AEPD registrations as applicable.

3. Comprehensive Compliance Program

3.1 Organizational structure

• Chief Compliance Officer (CCO): reports to CEO; authority to investigate.
• Compliance Committee: Legal, HR, IT, Operations; quarterly; reports to Board twice a year.
• Compliance Champions: local points in each department; quarterly training.

3.2 Risk assessments

• Annual comprehensive assessment; ad-hoc for new markets/products; quarterly emerging risk reviews.
• Regulatory, data protection/cyber, corruption/bribery, antitrust, environmental and sustainability risks.
• Method: inherent risk, control assessment, residual risk, mitigation plans.

3.3 Training and awareness

• Mandatory induction; role-based modules; knowledge check before duties.
• Annual refresh; specialized modules for high-risk roles; regulatory alerts.
• Resources: internal portal, compliance@govisan.com, quarterly Q&A.

4. Specific Compliance Policies

4.1 Anti-corruption & Anti-bribery

• Prohibited: bribes, facilitation payments, inappropriate gifts, undeclared conflicts.
• Controls: partner due diligence; pre-approval for gifts > $100; annual COI declarations; expense audits.
• Procedures: agent selection/monitoring; political donations (generally prohibited); charitable guidelines; government-official protocols.

4.2 Data protection & Privacy

• Principles: lawfulness, fairness, transparency; purpose limitation; minimization; accuracy; storage limitation; integrity/confidentiality; accountability.
• TOMs: encryption at rest/in transit; RBAC; pseudonymization; secure backup & recovery.
• Org measures: DPO designation; DPIAs; breach response; DPAs with processors.

4.3 Information security & Cybersecurity

• Framework: ISO 27001, NIST CSF; regular VA; annual third-party pentests; incident response plan.
• Access: MFA; quarterly reviews; least privilege; privileged monitoring.
• Vendors: security assessments; contractual clauses; third-party risk monitoring; secure offboarding.

4.4 Competition & Antitrust

• No price-fixing, market/customer allocation, or exchange of sensitive information.
• Guidelines for competitor interactions; association participation; M&A protocols; sales/marketing training.

5. Monitoring & Auditing

5.1 Continuous monitoring

• KPIs: violations reported/resolved; resolution time; % staff trained; audit results.
• Tools: compliance system; risk alerts; real-time dashboards; automated regulator reports.

5.2 Internal audit

• Annual program audit; quarterly thematic audits; semi-annual follow-ups.
• Policy/procedure review; control testing; staff interviews; record reviews.
• Executive and detailed reports; corrective plans with timelines.

5.3 External audits

• Regulatory inspections: full cooperation, preparedness, documentation, follow-up.
• Third-party audits: ISO (27001/9001/14001), client audits, partner due diligence, ESG assessments.

6. Reporting & Escalation

6.1 Reporting channels

• Email: compliance@govisan.com
• Phone: [24/7 hotline]
• Secure web form (anonymous option)
• Physical mailbox in main offices

Guarantees: confidentiality, non-retaliation, impartial investigations, feedback when appropriate.

6.2 Investigation process

• Receipt & register (24h) → Initial assessment (72h) → Detailed investigation (15–30 days) → Determination & corrective (7 days) → Follow-up & closure (30–60 days).
• Principles: presumption of innocence; right to be heard; proportionality; full documentation.

6.3 Corrective & Disciplinary measures

• Coaching/training → warnings → suspension → termination → legal action.
• Factors: severity, intent, history, cooperation, impact.

7. Continuous Improvement

• Annual control effectiveness review; regulatory adequacy; process efficiency; staff satisfaction.
• Benchmarking: industry best practices, working groups, expert consultation, international standards.
• Innovation: AI for anomalies, blockchain traceability, automation, predictive risk analytics; design thinking, gamification, microlearning, behavioral insights.

8. Communication & Culture

• Internal: portal, quarterly newsletters, town halls, departmental sessions.
• External: code of ethics on website, compliance statements in proposals, sustainability reports, sector events.
• Culture: everyone’s responsibility, speak-up, ethical recognition, leadership by example.

9. Contacts & Resources

• Chief Compliance Officer: cco@govisan.com — Bengaluru, India
• European Compliance: eu-compliance@govisan.com — Barcelona, Spain
• Data Protection Officer: privacy@govisan.com (24/7 for critical incidents)
• External counsel: [India firm], [EU advisory], jurisdiction specialists as needed
• Regulators: India (MeitY / Data Protection Board), Spain (AEPD), EU (EDPB)

10. Final Provisions

• Validity & updates: effective on [Date]; annual review or upon regulatory changes.
• Authority & approval: approved by Board of Directors; binding across the organization.
• Languages: available in English, Spanish and Hindi; English version prevails in case of discrepancies.

Approved by: Board of Directors  |  Approval date: [Date]  |  Next review: [Date + 1 year]  |  Version: 1.0