Whistleblower and Ethics Reporting Policy
Document owner: General Counsel
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Annual, and upon material regulatory changes
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com
1. Executive Summary and Purpose
This Whistleblower and Ethics Reporting Policy ("Policy") establishes Acme Cloud, Inc.'s ("Company," "we," "us," or "our") formal framework for receiving, investigating, and addressing reports of suspected wrongdoing. This Policy is designed to encourage employees, contractors, vendors, and other stakeholders to report concerns about illegal, unethical, or unsafe conduct without fear of retaliation.
Policy Objectives:
| Objective | Description | Benefit |
|---|---|---|
| Safe Reporting | Provide secure, accessible channels for reporting concerns | Encourages early identification of problems |
| Confidentiality | Protect reporter identity to maximum extent possible | Reduces fear of reporting |
| Non-Retaliation | Prohibit and address any retaliation against reporters | Creates trust in reporting system |
| Thorough Investigation | Ensure all reports are investigated fairly and completely | Substantiates or clears allegations |
| Appropriate Action | Take proportionate corrective action based on findings | Demonstrates accountability |
| Regulatory Compliance | Meet legal requirements for whistleblower programs | Satisfies SOX, EU Directive, state laws |
| Continuous Improvement | Learn from reports to improve controls and culture | Prevents future issues |
Commitment Statement:
Acme Cloud is committed to the highest standards of ethical conduct, legal compliance, and corporate accountability. We recognize that our employees and stakeholders are often the first to identify potential problems. This Policy ensures that anyone with concerns about wrongdoing can report them safely and that all reports receive appropriate attention.
The Board of Directors, through its Audit Committee, exercises oversight of this Policy and the ethics program. Executive leadership is accountable for fostering a culture where ethical conduct is expected and concerns are welcomed.
2. Definitions
For purposes of this Policy, the following terms shall have the meanings set forth below:
| Term | Definition |
|---|---|
| Whistleblower | Any individual who reports, in good faith, suspected violations of law, regulation, or Company policy through channels established by this Policy or through external regulatory authorities. |
| Good Faith | An honest belief that the reported information is true based on the reporter's knowledge at the time, regardless of whether the report is ultimately substantiated. Good faith does not require certainty or proof. |
| Retaliation | Any adverse action taken against an individual because of their reporting activity, investigation participation, or exercise of rights under whistleblower protection laws. |
| Adverse Action | Any action that would dissuade a reasonable person from engaging in protected activity, including but not limited to termination, demotion, suspension, harassment, denial of benefits, negative evaluation, or hostile work environment. |
| Protected Activity | Reporting suspected violations, participating in investigations, refusing to participate in illegal conduct, or exercising rights under whistleblower laws. |
| Reportable Concern | Any suspected violation of law, regulation, Company policy, or ethical standards that falls within the scope of this Policy. |
| Anonymous Report | A report submitted without identifying the reporter, using channels that do not require identity disclosure. |
| Confidential Report | A report where the reporter's identity is known to the receiving party but protected from broader disclosure. |
| Substantiated Finding | An investigation conclusion that the reported concern is supported by evidence and constitutes a violation. |
| Unsubstantiated Finding | An investigation conclusion that insufficient evidence exists to confirm the reported concern constitutes a violation. |
| Corrective Action | Remedial measures taken in response to substantiated findings, including disciplinary action, policy changes, control improvements, and referrals to authorities. |
| External Reporting | Reports made to government agencies, regulators, or law enforcement rather than through internal Company channels. |
3. Scope and Applicability
3.1 Who May Report
This Policy applies to reports from any individual with information about potential wrongdoing:
| Reporter Category | Covered | Notes |
|---|---|---|
| Full-time employees | ✅ Yes | All provisions apply |
| Part-time employees | ✅ Yes | All provisions apply |
| Contractors and consultants | ✅ Yes | All provisions apply |
| Temporary workers | ✅ Yes | All provisions apply |
| Board members | ✅ Yes | Special procedures for executive concerns |
| Former employees | ✅ Yes | Anti-retaliation protections continue |
| Vendors and suppliers | ✅ Yes | May report via ethics channels |
| Customers | ✅ Yes | May report via trust@acmecloud.com |
| Business partners | ✅ Yes | May report via ethics channels |
| Job applicants | ✅ Yes | Hiring-related concerns |
| Public | ✅ Yes | May report via ethics portal |
3.2 Reportable Concerns
The following categories of concerns may be reported under this Policy:
| Category | Description | Examples |
|---|---|---|
| Financial Misconduct | Fraud, theft, embezzlement, accounting irregularities | Falsified expense reports, revenue manipulation, unauthorized transactions |
| Securities Violations | Insider trading, disclosure failures, market manipulation | Trading on material non-public information, misleading investor communications |
| Bribery and Corruption | Bribes, kickbacks, improper payments, conflicts of interest | Payments to government officials, vendor kickbacks, undisclosed relationships |
| Legal Violations | Violations of laws and regulations | Export control violations, sanctions violations, antitrust issues |
| Security and Data Protection | Unauthorized access, data breaches, privacy violations | Customer data mishandling, security control bypass, unreported incidents |
| Discrimination and Harassment | Violations of equal opportunity, harassment, hostile environment | Discriminatory hiring, sexual harassment, bullying |
| Health and Safety | Workplace hazards, unsafe conditions, safety violations | Unreported injuries, hazardous conditions, safety policy violations |
| Environmental | Environmental law violations, sustainability commitment breaches | Pollution, waste disposal violations, false environmental claims |
| Quality and Safety | Product safety issues, quality control failures | Known defects, quality data manipulation, safety testing bypass |
| Human Rights and Labor | Labor law violations, modern slavery concerns, human rights abuses | Supply chain labor issues, wage violations, forced labor |
| Retaliation | Adverse action against reporters or investigation participants | Termination, demotion, harassment of whistleblowers |
| Policy Violations | Significant violations of Company policies | Code of Conduct breaches, vendor policy violations |
| Obstruction | Interference with investigations or audits | Document destruction, witness intimidation, false statements |
3.3 What Is Not Covered
| Excluded Matter | Appropriate Channel | Notes |
|---|---|---|
| Routine HR complaints (scheduling, personal conflicts) | HR Business Partner | Unless pattern suggests systemic issue |
| Performance feedback disagreements | Manager, HR | Standard performance process |
| Benefits administration questions | HR, Benefits team | Unless suggesting fraud |
| Customer service complaints | Support channels | Unless suggesting misconduct |
| Product feature requests | Product feedback | Not ethics matter |
| General policy questions | Appropriate department | Unless suggesting violation |
4. Reporting Channels
4.1 Internal Reporting Channels
| Channel | Contact | Availability | Anonymity | Languages | Best For |
|---|---|---|---|---|---|
| Ethics Hotline (Primary) | +1-800-555-0199 | 24/7/365 | Yes | English, Spanish, French, German | All concerns, especially sensitive matters |
| Ethics Web Portal | ethics.acmecloud.com | 24/7/365 | Yes | English, Spanish, French, German | All concerns, document attachment |
| Ethics Email | ethics@acmecloud.com | Business hours monitored | Partial (email visible) | English | Non-anonymous reports |
| General Counsel | legal@acmecloud.com | Business hours | No | English | Legal matters, executive concerns |
| Chief People Officer | people@acmecloud.com | Business hours | No | English | HR-related concerns |
| CISO | security@acmecloud.com | Business hours | No | English | Security concerns |
| Chief Privacy Officer | privacy@acmecloud.com | Business hours | No | English | Privacy concerns |
| Board Audit Committee | audit-committee@acmecloud.com | Monitored | Confidential | English | Executive officer concerns |
| Direct Manager | Direct conversation | Business hours | No | — | Initial concerns, immediate issues |
4.2 External Reporting Options
Reporters may also report directly to relevant government agencies:
| Agency | Jurisdiction | Concern Types | Reporter Protections |
|---|---|---|---|
| SEC (Securities and Exchange Commission) | US | Securities fraud, accounting violations | SOX Section 806, Dodd-Frank bounty program |
| DOJ (Department of Justice) | US | Federal criminal violations | Various federal protections |
| OSHA (Occupational Safety and Health Administration) | US | Workplace safety, SOX retaliation | OSHA 11(c), SOX Section 806 |
| State Attorneys General | US states | Consumer protection, state law violations | State whistleblower laws |
| National competent authorities | EU member states | EU Directive reportable matters | EU Whistleblower Directive |
| Data Protection Authorities | EU/UK | Privacy and data protection | GDPR Article 77 |
| FTC (Federal Trade Commission) | US | Consumer protection, unfair practices | Federal protections |
Acme Cloud Position on External Reporting:
Acme Cloud encourages internal reporting first but recognizes reporters' right to report externally. We will not retaliate against any individual who makes a good-faith report to a government agency. Internal reporting is not a prerequisite for external reporting protections.
4.3 Hotline Provider Information
| Element | Detail |
|---|---|
| Provider | NAVEX Global |
| Independence | Third-party operated, not Acme Cloud employees |
| Technology | Secure telephony and web portal |
| Caller ID | Blocked for anonymous calls |
| IP Tracking | Disabled for web portal |
| Follow-up System | Anonymous two-way communication via case number |
| Interpreter Services | Available for additional languages |
| Security Review | Annual security assessment |
5. Report Handling Procedures
5.1 Initial Receipt and Triage
| Step | Timeline | Action | Responsible Party |
|---|---|---|---|
| 1 | Immediate | Report received and logged in case management system | Ethics hotline / receiving party |
| 2 | 2 business days | Acknowledgment sent to reporter (if identity known) | Compliance Officer |
| 3 | 2 business days | Initial triage and categorization | Compliance Officer |
| 4 | 3 business days | Severity assessment and investigator assignment | Compliance Officer / General Counsel |
| 5 | 5 business days | Interim protective measures determined (if needed) | General Counsel / CHRO |
| 6 | 5 business days | Investigation plan developed | Assigned investigator |
5.2 Triage Criteria
| Factor | Assessment Questions | Impact on Handling |
|---|---|---|
| Severity | What is the potential harm? | Determines urgency and escalation |
| Credibility | Does the report contain specific, verifiable information? | Determines investigation depth |
| Urgency | Is there ongoing harm or imminent risk? | May require immediate interim action |
| Scope | How many people or systems are potentially affected? | Determines investigation resources |
| Subject Level | Does the report involve senior executives? | May require external investigator |
| Legal Implications | Are there potential legal or regulatory violations? | Determines legal involvement |
| Retaliation Risk | Is the reporter at risk of retaliation? | Determines protective measures |
5.3 Investigation Process
| Phase | Timeline | Activities | Documentation |
|---|---|---|---|
| Planning | Days 1–5 | Scope definition, evidence identification, interview planning | Investigation plan |
| Evidence Gathering | Days 5–25 | Document collection, system reviews, data analysis | Evidence log, chain of custody |
| Interviews | Days 10–35 | Witness interviews, subject interview (if appropriate) | Interview notes, recordings (with consent) |
| Analysis | Days 30–40 | Evidence evaluation, fact finding, legal analysis | Analysis memorandum |
| Findings | Days 40–45 | Conclusion development, recommendation formulation | Investigation report |
| Review | Days 45–50 | Legal review, quality assurance | Reviewed report |
| Closure | Days 50–55 | Corrective action implementation, reporter notification | Closure documentation |
Standard Investigation Timeline: 15–45 business days
Complex Investigation Timeline: Up to 90 business days (with interim updates)
5.4 Investigation Standards
| Standard | Requirement | Quality Control |
|---|---|---|
| Impartiality | Investigator has no conflict with subject or reporter | Conflict screening before assignment |
| Thoroughness | All reasonable evidence sources examined | Supervisor review of investigation plan |
| Fairness | Subject given opportunity to respond before adverse action | Due process procedures |
| Confidentiality | Information shared only on need-to-know basis | Access controls on case files |
| Documentation | All investigation steps documented | Case file completeness review |
| Timeliness | Investigation completed within standard timelines | Milestone tracking |
| Legal Compliance | Investigation conducted in compliance with applicable law | Legal oversight |
5.5 Special Investigation Procedures
| Scenario | Special Procedure | Authority |
|---|---|---|
| Executive officer as subject | External investigator; Board Audit Committee oversight | Board Audit Committee |
| Board member as subject | External investigator; independent directors oversight | Lead Independent Director |
| Accounting/audit matters | External forensic accountant involvement | Board Audit Committee |
| Potential criminal conduct | Legal privilege preservation; law enforcement coordination | General Counsel |
| Cross-border matters | Multi-jurisdiction legal compliance | General Counsel + local counsel |
| Retaliation allegations | Expedited investigation (5-day initial assessment) | General Counsel |
6. Confidentiality and Anonymity
6.1 Confidentiality Protections
| Information Type | Protection Level | Disclosure Circumstances |
|---|---|---|
| Reporter identity | Highest | Only if legally required, necessary for investigation (with notice if possible), or reporter consents |
| Report content | High | Need-to-know for investigation and corrective action |
| Witness identities | High | Need-to-know for investigation |
| Investigation findings | High | Need-to-know for corrective action and legal compliance |
| Corrective actions | Moderate | May be disclosed in aggregate for program reporting |
6.2 Anonymous Reporting
| Element | Procedure |
|---|---|
| Availability | Anonymous reporting available via hotline and web portal |
| Two-way communication | Reporters receive case number for follow-up without identity disclosure |
| Limitations | Anonymous reports may be harder to investigate; reporters encouraged to provide detail |
| No pressure | Reporters never pressured to disclose identity |
| Investigation quality | Anonymous reports investigated to same standard as identified reports |
6.3 Identity Disclosure Scenarios
| Scenario | Disclosure Required | Notice to Reporter |
|---|---|---|
| Legal process | Court order, subpoena | Yes, unless prohibited |
| Criminal prosecution | Witness in criminal case | Yes |
| Regulatory requirement | Required by regulator | Yes, unless prohibited |
| Defense of claims | Necessary for Company defense | Yes, with opportunity to discuss |
| Investigation necessity | Cannot investigate without disclosure | Yes, reporter may withdraw |
7. Anti-Retaliation Protections
7.1 Prohibited Retaliation
Acme Cloud strictly prohibits retaliation against any person who, in good faith:
| Protected Activity | Protection |
|---|---|
| Reports a concern through any channel (internal or external) | Full anti-retaliation protection |
| Participates in an investigation as witness | Full anti-retaliation protection |
| Provides documents or information in investigation | Full anti-retaliation protection |
| Refuses to participate in activity reasonably believed to be illegal | Full anti-retaliation protection |
| Exercises rights under whistleblower protection laws | Full anti-retaliation protection |
| Files a complaint with a government agency | Full anti-retaliation protection |
| Testifies in legal proceedings | Full anti-retaliation protection |
7.2 Types of Prohibited Retaliation
| Category | Prohibited Actions |
|---|---|
| Employment Status | Termination, suspension, layoff, demotion, failure to hire, failure to promote |
| Compensation | Pay reduction, denial of bonus or raise, benefit reduction |
| Work Conditions | Reassignment to less desirable duties, changed schedule, relocation, changed reporting |
| Career Development | Negative evaluation, denial of training, removal from projects |
| Workplace Treatment | Harassment, intimidation, threats, bullying, isolation, exclusion |
| Reputation | Negative references, blacklisting, defamation |
| Subtle Retaliation | Micromanagement, excessive scrutiny, cold shoulder, meeting exclusion |
7.3 Retaliation Response Process
| Step | Timeline | Action | Responsible Party |
|---|---|---|---|
| 1 | Immediate | Report suspected retaliation via ethics channels | Reporter |
| 2 | 2 business days | Acknowledgment and initial assessment | Compliance Officer |
| 3 | 5 business days | Expedited investigation initiation | General Counsel |
| 4 | 15 business days | Investigation completion (expedited) | Investigator |
| 5 | 5 business days | Findings and corrective action | General Counsel / CEO |
| 6 | Ongoing | Monitoring for additional retaliation | HR, Compliance |
7.4 Reporter Support Resources
| Resource | Description | Access |
|---|---|---|
| Employee Assistance Program | Confidential counseling support | EAP provider |
| Ethics Ambassador | Informal support from trained volunteer | Internal directory |
| HR Business Partner | HR support for employment concerns | HR contact |
| Legal consultation | Company-provided legal consultation for reporters (limited scope) | General Counsel referral |
| External resources | Information about external whistleblower support | Ethics portal resources |
8. Regulatory Framework Compliance
8.1 Applicable Whistleblower Laws
| Law/Regulation | Jurisdiction | Key Requirements | Acme Cloud Compliance |
|---|---|---|---|
| Sarbanes-Oxley Act Section 806 | US (public company readiness) | Confidential reporting channels; anti-retaliation | Hotline, portal, anti-retaliation policy |
| Dodd-Frank Act | US | SEC bounty program; anti-retaliation | External reporting rights disclosed |
| EU Whistleblower Directive 2019/1937 | EU | Secure channels, 7-day acknowledgment, 3-month feedback, anti-retaliation | Compliant channels and timelines |
| California Labor Code § 1102.5 | California | Broad whistleblower protection | Comprehensive protection |
| New York Labor Law § 740 | New York | Expanded whistleblower protection | Comprehensive protection |
| UK Public Interest Disclosure Act | UK | Protected disclosures; anti-detriment | UK-compliant procedures |
| Irish Protected Disclosures Act | Ireland | Transposition of EU Directive | Irish-compliant procedures |
| GDPR (reporter data) | EU | Lawful processing of reporter personal data | Privacy-compliant handling |
8.2 EU Whistleblower Directive Compliance
For reporters in EU member states, Acme Cloud complies with EU Directive 2019/1937:
| Directive Requirement | Acme Cloud Implementation |
|---|---|
| Secure reporting channels | Ethics hotline, web portal with security controls |
| Written and oral reporting | Phone hotline and web form |
| Acknowledgment within 7 days | 2-day acknowledgment (exceeds requirement) |
| Feedback within 3 months | Standard 45-day investigation + 10-day notification |
| Confidentiality of identity | Strict confidentiality with limited exceptions |
| Prohibition of retaliation | Comprehensive anti-retaliation policy |
| External reporting rights | Disclosed; not discouraged |
| Reverse burden of proof (retaliation) | Company must prove non-retaliatory basis |
| Effective remedies | Reinstatement, damages available |
8.3 Data Protection for Reporter Information
| Data Element | Legal Basis | Retention | Access |
|---|---|---|---|
| Reporter identity | Legitimate interest / legal obligation | Investigation duration + 7 years | Need-to-know only |
| Report content | Legitimate interest / legal obligation | Investigation duration + 7 years | Need-to-know only |
| Investigation records | Legal obligation | 7 years from closure | General Counsel, Compliance |
| Corrective action records | Legal obligation | Per HR retention policy | HR, Legal |
Reporter rights under GDPR and applicable privacy laws are maintained, including access, rectification, and erasure (subject to legal retention requirements).
9. Roles and Responsibilities
9.1 Organizational Roles
| Role | Primary Responsibilities | Authority |
|---|---|---|
| General Counsel | Policy ownership, investigation oversight, regulatory compliance, Board reporting | Full ethics program authority |
| Chief People Officer | Training, culture, HR integration, retaliation monitoring | Workforce ethics authority |
| Compliance Officer | Day-to-day operations, case management, metrics, hotline administration | Operational authority |
| Board Audit Committee | Program oversight, executive-level concerns, independence assurance | Board-level oversight |
| Investigators | Conduct investigations per standards | Delegated investigation authority |
| Ethics Ambassadors | Promote ethics culture, informal resource (12 volunteers) | Advisory only |
| All Managers | Foster reporting culture, no discouragement, no retaliation | Team-level responsibility |
| All Employees | Report concerns, cooperate with investigations | Individual responsibility |
9.2 Board Audit Committee Responsibilities
| Responsibility | Frequency | Documentation |
|---|---|---|
| Review ethics program effectiveness | Annual | Written assessment |
| Receive metrics summary | Semi-annual | Metrics report |
| Approve Policy updates | As needed | Meeting minutes |
| Oversee executive-level investigations | As needed | Confidential reports |
| Assess anti-retaliation effectiveness | Annual | Assessment report |
| Review external hotline provider | Annual | Provider assessment |
9.3 Manager Obligations
| Obligation | Requirement | Consequence of Failure |
|---|---|---|
| Encourage reporting | Actively foster environment where concerns are welcomed | Performance impact |
| Never discourage | Never discourage reporting or minimize concerns | Disciplinary action |
| Escalate appropriately | Report concerns shared with them to appropriate channels | Disciplinary action |
| Protect confidentiality | Maintain confidentiality of reports shared | Disciplinary action |
| Prevent retaliation | Ensure no retaliation in their teams | Disciplinary action |
| Support investigations | Provide access and cooperation | Disciplinary action |
| Complete training | Complete ethics management training | Required for role |
10. Training and Communication
10.1 Required Training
| Training | Audience | Frequency | Content |
|---|---|---|---|
| Ethics Onboarding | All new personnel | At hire | Policy overview, reporting channels, non-retaliation |
| Annual Ethics Refresher | All personnel | Annual | Updates, case studies, reinforcement |
| Manager Ethics Training | People managers | At promotion + annual | Enhanced obligations, retaliation prevention |
| Investigator Training | Assigned investigators | Initial + annual | Investigation standards, documentation, interviews |
| Board Member Training | Board Audit Committee | Biennial | Oversight responsibilities, current issues |
10.2 Communication Methods
| Method | Frequency | Audience | Content |
|---|---|---|---|
| Ethics portal | Always available | All | Policy, resources, reporting channels |
| All-hands mention | Quarterly | All employees | Culture reinforcement, reporting reminder |
| Manager communications | Semi-annual | Managers | Guidance, expectations |
| Poster displays | Permanent | Office locations | Hotline number, policy summary |
| Intranet homepage | Permanent | Employees | Ethics link, hotline number |
| New hire materials | At hire | New personnel | Policy, acknowledgment |
| Annual certification | Annual | All personnel | Policy acknowledgment, conflict disclosure |
10.3 Ethics Ambassador Program
| Element | Detail |
|---|---|
| Purpose | Promote ethics culture; serve as informal resource |
| Selection | Volunteers from diverse departments and levels |
| Current ambassadors | 12 across Engineering, Sales, Finance, Operations, Support |
| Training | Advanced ethics training (8 hours initial, 4 hours annual) |
| Activities | Office hours, team meetings, new hire orientation support |
| Reporting | Not formal reporting channel; refer to formal channels |
11. Program Metrics and Reporting
11.1 FY2025 Program Metrics
| Metric | Value | Trend | Industry Benchmark |
|---|---|---|---|
| Total reports received | 23 | +4 YoY | Expected for company size |
| Reports via hotline | 12 (52%) | Stable | Healthy channel mix |
| Reports via web portal | 8 (35%) | +3 YoY | Growing preference |
| Reports via other channels | 3 (13%) | Stable | — |
| Anonymous reports | 9 (39%) | Stable | Industry: 30–50% |
| Substantiated findings | 8 (35%) | Stable | Industry: 30–40% |
| Unsubstantiated findings | 11 (48%) | Stable | Expected |
| Under investigation at year-end | 4 (17%) | Stable | Within normal range |
| Retaliation claims | 2 | -1 YoY | Target: 0 |
| Retaliation claims substantiated | 0 | Stable | Target: 0 |
| Average investigation time | 22 business days | -3 days YoY | Below 45-day target |
| Reporter satisfaction (surveyed) | 4.2/5.0 | +0.3 YoY | Above benchmark |
11.2 Report Categories (FY2025)
| Category | Count | Percentage | Substantiation Rate |
|---|---|---|---|
| HR/Workplace conduct | 8 | 35% | 38% |
| Policy violations | 5 | 22% | 40% |
| Financial/accounting | 3 | 13% | 33% |
| Conflicts of interest | 3 | 13% | 67% |
| Safety/security | 2 | 9% | 50% |
| Vendor/procurement | 1 | 4% | 0% |
| Other | 1 | 4% | 0% |
| Total | 23 | 100% | 35% |
11.3 Board Reporting
| Report | Frequency | Content | Recipient |
|---|---|---|---|
| Summary metrics | Semi-annual | Report volume, categories, investigation outcomes, time-to-resolution | Board Audit Committee |
| Material findings | As needed | Significant substantiated findings, corrective actions | Board Audit Committee |
| Executive-level reports | Immediately | Reports involving executive officers | Board Audit Committee Chair |
| Program assessment | Annual | Effectiveness evaluation, benchmarking, improvement plans | Board Audit Committee |
12. Corrective Action Framework
12.1 Corrective Action Types
| Action Category | Examples | Determination Factors |
|---|---|---|
| Individual Discipline | Warning, suspension, termination | Severity, intent, prior history |
| Organizational Remediation | Policy update, process change, additional training | Systemic issues identified |
| Control Enhancement | New controls, monitoring, auditing | Control gaps identified |
| External Referral | Law enforcement, regulators | Criminal conduct, regulatory violations |
| No Action | Unsubstantiated finding, insufficient evidence | Investigation conclusion |
12.2 Disciplinary Guidance
| Finding Severity | Examples | Typical Range |
|---|---|---|
| Minor | Inadvertent policy deviation, minor conflict | Coaching, training |
| Moderate | Negligent policy violation, repeated minor issues | Written warning, probation |
| Serious | Intentional misconduct, significant impact | Final warning, suspension, termination |
| Critical | Fraud, violence, intentional harm, retaliation | Immediate termination, legal referral |
12.3 Corrective Action Review
| Scenario | Review Required | Approving Authority |
|---|---|---|
| Termination of any employee | General Counsel review | VP + General Counsel |
| Termination of director+ | CEO review | CEO |
| Termination of VP+ | Board Audit Committee notification | CEO + Board notification |
| Executive officer discipline | Board Audit Committee oversight | Board Audit Committee |
| External referral | General Counsel review | General Counsel |
13. SOC 2 and ISO 27001 Control Mapping
13.1 SOC 2 Trust Services Criteria Mapping
| Control ID | Control Description | Policy Implementation |
|---|---|---|
| CC1.1 | Demonstrates commitment to integrity and ethical values | Ethics reporting program, anti-retaliation |
| CC1.2 | Board exercises oversight responsibility | Audit Committee oversight of ethics program |
| CC1.3 | Management establishes structure and reporting lines | Ethics organization, clear responsibilities |
| CC1.4 | Demonstrates commitment to competence | Investigator training, quality standards |
| CC1.5 | Enforces accountability | Corrective action framework |
| CC2.2 | Communicates internally | Training, communications, ethics portal |
| CC2.3 | Communicates externally | External reporting rights, stakeholder channels |
| CC3.1 | Specifies objectives and identifies risks | Risk-based triage and investigation |
| CC4.1 | Monitors and evaluates | Metrics, Board reporting, program assessment |
| CC4.2 | Evaluates and communicates deficiencies | Investigation findings, corrective action |
13.2 ISO 27001:2022 Annex A Control Mapping
| Control | Control Title | Policy Implementation |
|---|---|---|
| A.5.1 | Policies for information security | Whistleblower policy as governance control |
| A.5.4 | Management responsibilities | Management oversight of ethics program |
| A.5.36 | Compliance with policies and standards | Reporting mechanisms for violations |
| A.6.4 | Disciplinary process | Corrective action framework |
| A.6.8 | Information security event reporting | Security concern reporting channels |
Document revision history
| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |
14. Investigation Quality Assurance
14.1 Quality Standards
| Standard | Requirement | Verification |
|---|---|---|
| Independence | Investigator has no conflict of interest | Conflict screening documented |
| Competence | Investigator trained and experienced | Training records, assignment review |
| Thoroughness | All reasonable leads pursued | Supervisor review of investigation plan |
| Documentation | Complete contemporaneous records | File completeness checklist |
| Timeliness | Milestones met per timeline | Progress tracking |
| Fairness | Due process for subjects | Process documentation |
| Confidentiality | Need-to-know access only | Access log review |
| Legal compliance | Compliant with applicable law | Legal review |
14.2 Quality Review Process
| Review Point | Reviewer | Focus |
|---|---|---|
| Investigation plan | Compliance Officer | Scope, methodology, resources |
| Mid-investigation | Compliance Officer | Progress, emerging issues |
| Draft findings | General Counsel | Legal sufficiency, conclusions |
| Final report | General Counsel | Completeness, recommendations |
| Closure | Compliance Officer | Documentation, lessons learned |
14.3 External Investigator Criteria
| Criterion | Requirement |
|---|---|
| Independence | No prior relationship with subject or Acme Cloud leadership |
| Experience | 10+ years corporate investigation experience |
| Credentials | Attorney, CPA, CFE, or equivalent professional credential |
| References | Verified references from similar engagements |
| Insurance | Professional liability insurance |
| Confidentiality | NDA and conflict attestation |
15. Policy Governance
15.1 Policy Review and Updates
| Review Type | Frequency | Trigger | Approver |
|---|---|---|---|
| Scheduled review | Annual | Calendar (January) | General Counsel, Board Audit Committee |
| Regulatory update | As needed | New law or regulation | General Counsel |
| Post-incident review | As needed | Significant investigation outcome | General Counsel |
| Benchmark update | Biennial | Industry benchmarking | General Counsel |
15.2 Policy Distribution
| Audience | Distribution Method | Acknowledgment |
|---|---|---|
| All employees | Ethics portal, training, certification | Annual certification |
| Contractors | Contract incorporation, portal access | Contract acknowledgment |
| Board members | Board materials, portal access | Annual certification |
| External stakeholders | Trust Center publication | N/A |
15.3 Contact Information
Questions about this Policy may be directed to legal@acmecloud.com or trust@acmecloud.com. Postal address: Acme Cloud, Inc., 1200 Market Street, Suite 400, San Francisco, CA 94103, USA.
16. External Benchmarking and Program Assessment
16.1 Benchmarking Sources
| Source | Assessment | Result |
|---|---|---|
| Ethisphere World's Most Ethical Companies | Criteria assessment | Self-assessment completed Q4 2025 |
| DOJ Evaluation of Corporate Compliance Programs | Guidance alignment | Meets expectations |
| NAVEX Global benchmarking data | Industry comparison | Above median for SaaS 200–500 employees |
| EU Directive compliance assessment | External legal review | Compliant |
16.2 FY2026 Program Improvement Initiatives
| Initiative | Target | Status |
|---|---|---|
| Reduce average investigation time to 20 days | Q2 2026 | In progress |
| Achieve 100% manager ethics training | Q1 2026 | 88% current |
| Implement case analytics dashboard | Q2 2026 | Planned |
| Expand ethics ambassador program to 18 | Q3 2026 | 12 current |
| Conduct external program assessment | Q4 2026 | Planned |
| Achieve zero substantiated retaliation | Ongoing | On track |
This Policy is effective as of January 1, 2026. Acme Cloud is committed to maintaining a strong speak-up culture where concerns are welcomed and addressed. Questions about this Policy may be directed to legal@acmecloud.com or trust@acmecloud.com.