Human Rights Policy

OUR HUMAN RIGHTS POLICY

More people than ever before enjoy their rights to privacy, freedom of opinion and expression enabled by strongly encrypted digital communication technologies. However, these technologies are also used by individuals to help plan, commit or conceal their involvement in serious crimes, including acts of terrorism. Under such circumstances, States may legitimately restrict the privacy rights of certain individuals in order to protect the human rights of others, including the fundamental rights to life, liberty and personal security, or in the interests of national security.

Osy Technologies S.à.r.l. together with its subsidiaries and affiliates (the “NSO Group”)© provides States the capacity to help protect the safety and security of the public. We work to save lives and create a safer world. Our communication interception products are specifically designed for responsible use by law enforcement and intelligence agencies. They are also used in official humanitarian search and rescue missions. Our products, by design, are threat-specific, and cannot be used for mass data and communication interception.

We license our products only to vetted and legitimate government agencies for the sole and exclusive use in preventing and investigating serious crime, including terrorism. We never use or participate in the use of our products and we have no access to personal data used in or generated from their use. Our goal is to ensure that our customers use our products only in accordance with their governing law and for necessary contracted purposes. Nevertheless, we are fully aware that if a customer misuses one of our products it could lead to the harm of the human rights of an individual not involved in serious crime or terrorism, particularly to such individual’s rights to enjoy privacy or freedom of opinion and expression.

We do not operate our products ourselves or on behalf of our customers; our role is limited to the provision of technical support and maintenance services to our customers. However, we fully understand the potential for our products to be misused by our customers, thereby resulting in adverse human rights impacts. Therefore, as responsible corporate citizens, we have committed ourselves to high ethical business standards, seeking to ensure that only vetted and legitimate government agencies will use our products and that we take all reasonable steps to prevent and mitigate the risks of adverse impact on human rights from their misuse. This extensive Human Rights Policy further embeds relevant human rights protections throughout our business and governance systems.

I. We publicly affirm our unequivocal respect for human rights. This Human
Rights Policy is fully endorsed by our senior management and board of directors, who have expressed their full commitment to adhere thereto, is binding on all our employees and stipulates our expectations for all our business partners and customers. We are committed to respecting human rights as enshrined in the International Bill of Human Rights and the principles concerning fundamental rights set out in the International Labor
Organization’s Declaration on Fundamental Principles and Rights at Work. The United Nations Guiding Principles on Business and Human Rights guide us in fulfilling our obligation to respect human rights throughout our business activities.

II. We always observe and comply with all laws applicable to our business and conduct frequent discussions with regulators to ensure ongoing strict compliance with those laws. We constantly seek ways to honor international human rights principles and will always seek to interpret laws in the manner that most accords with international human rights norms.

III. We integrate our human rights due diligence procedures into our business processes in order to identify, prevent and mitigate the risks of adverse human rights impact. We tightly interweave our human rights due diligence procedures into all functions of our business enterprise including product development, marketing, sales, delivery, training, technical support and maintenance. In our sales process, we thoroughly evaluate the potential for adverse human rights impacts arising from the misuse of our products by considering, among other factors, the specific customer, the proposed customer use case and the past human rights performance and governance standards of the country involved. Where we identify higher risks, we undertake enhanced due diligence and explore mitigants. If the risks are too great, we do not go forward.

IV. We include obligations to respect and protect human rights in our contractual agreements with our business partners and customers. Our standard agreements specifically require our customers to use our products solely for the prevention and investigation of serious crimes (including terrorism) and to ensure that the products will not be used to violate human rights. Our agreements also require our customers to fully comply with all related laws and regulations, and any other laws and regulations that are applicable to the use of the products. Our customers are required to notify us of any knowledge they may have regarding a misuse or potential misuse of the products which may result in human rights violations. We have an escalating set of remedies culminating in the termination of use of our products after a substantiated case of severe misuse, material breach of commitments or a refusal to co- operate in an investigation.

V. We purposely design our products to support effective governance of use and to prevent unauthorized or accidental misuse. Such mechanisms include controls authorizing product use, segregating duties during use, and allowing effective recording, monitoring, alerting, logging, storing and retrieving of information on use. Modifications, transfer or third-party use of our products are legally prohibited and, by design, technically prevented.

VI. We are committed to ongoing dialogue with all relevant stakeholders. This includes everyone who works for and with us as a business enterprise; State stakeholders both in their capacity as customers but also as designated protectors of human rights; and relevant civil society stakeholders, including organizations promoting the rights to privacy, freedom of opinion and expression.

VII. We are cognizant that some individuals or groups are at elevated levels of risk of arbitrary digital surveillance and communication interception on grounds such as their race, color, sex, language, religion, political or other opinions, national or social origin, property, birth or other status or their exercise or defense of human rights. We specifically address actual and potential human rights impact on these individuals or groups in our procedures and trainings.

VIII. We ensure internal adherence with this Human Rights Policy and related procedures through our governance framework including our compliance program. We are committed to a program of continuous improvement in the implementation of and adherence to this policy and related procedures, effectively addressing findings from our human rights due diligence and impact assessment. We seek to learn from our and from others’ experiences and aim to become global leaders in this field. Our procedures will be reviewed periodically by experienced external human rights compliance experts and updated based on their findings and recommendations. We track key performance indicators qualitatively and quantitatively, constantly assessing our effectiveness in the area of human rights. We conduct benchmarking with other leading companies in our field and related sectors to assess our performance.

IX. We are committed to provide appropriate training to our directors, managers, employees and other relevant stakeholders on this Human Rights Policy and related procedures and routinely check their adherence through our internal audit. Any suspected failures to adhere to, and suspected violations of this policy by a director, manager or employee shall be reported firstly to the compliance function. If a violation is found, the consequences may vary from a written reprimand to a recommendation to discharge the director, manager or employee in question.

X. We are committed to reporting publicly to the greatest extent possible on the principles and effectiveness of our Human Rights Policy and related procedures, taking into consideration the legal, contractual, security and commercial constraints which may limit our freedom to disclose specific information. We will communicate the principles under which we operate together with a summary of the supporting operational and governance procedures and the major public information sources that inform our decisions. We will also publish key information and indicators to demonstrate our effectiveness in meeting the obligations set out in this policy and how we are addressing our human rights challenges.

XI. We recognize the importance of the availability of effective grievance
mechanisms. We operate an internal whistle blowing framework through which all employees, managers, directors and business partners can notify us, without fear of retaliation, of a suspected misuse of our products. We also commit to provide a reporting mechanism for individuals who believe they may have been harmed as a consequence of a customer’s misuse of our products. Where there are grounds to proceed with an investigation, if feasible and necessary we will also engage directly with the individuals affected.

XII. We always investigate whenever we become aware of a well-founded report of alleged unlawful digital surveillance and communication interception that might involve a customer’s use of our products. If an investigation identifies actual or potential adverse impacts on human rights we will be proactive in addressing the most severe of these impacts when delayed action would make these irremediable. If appropriate or necessary, we suspend the customer’s use of the product as we have done in the past.

XIII. As States are responsible for the protection of human rights and it is State agencies – our customers – who use our products, it is the State that should bear ultimate responsibility for the remedy of any harm to human rights. We believe effective grievance and remediation mechanisms for our sector should primarily be administered by the relevant States involved. We always co- operate with all investigations by competent State agencies into alleged customer misuse of our products. After either our own investigation or a State investigation, if we have sufficient grounds to believe that our products may have been misused, we promptly take appropriate action. Ultimately, where necessary, we may suspend or terminate use of the product, or take other steps that may be warranted.