WSO2 LLC

INFORMATION SECURITY REPORTING POLICY

(ADOPTED MARCH 28, 2023)



  1. OVERVIEW

    WSO2 LLC, a Delaware limited liability company (the “Company”), is committed to conducting business with integrity and in compliance with the letter and spirit of the law. The Company takes very seriously all complaints and concerns (“Concerns”) regarding potential violations of its information and data security and/or breaches in the Company’s information security networks that in any way affect the Company’s business (collectively, “Breaches”).

    The Company, together with the Board of Directors (the “Board”), has adopted this Information Security Reporting Policy (this “Policy”) to provide its personnel and third party users of the Company’s products and/or platform (collectively, “Reporting Persons”) with a confidential and anonymous reporting system to raise Concerns of potential Company activities, controls and processes that are susceptible or vulnerable to Breaches. Reporting Persons may report a good faith complaint or concern regarding the foregoing in accordance with this Policy. The Company urges any person reporting a good faith Concern under this Policy to do so as quickly as possible. The Company strives to encourage open communication so that such Concerns may be raised without fear of retaliation in any manner.

  2. RECEIPT OF COMPLAINTS

    Reporting Persons should submit Concerns regarding potential Breaches (confidentially and anonymously, if they wish, in the United States, and in any other jurisdiction to the fullest extent legally permitted in such other jurisdiction) in one of the following ways:

    • via electronic mail to the email address [email protected];
    • via regular mail to the Company at the following address:
          WSO2 LLC
          Attn: Vice President of Legal Affairs
          3080 Olcott St Suite C220
          Santa Clara, CA 95054

  3. REPORTING OF ANY CONCERNS PURSUANT TO ANY OF THE ABOVE METHODS WILL BE KEPT CONFIDENTIAL BY THE COMPANY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

    All complaints submitted via any means will be forwarded to the VP Legal for coordination of their treatment as set forth below.

  4. TREATMENT OF CONCERNS

    All Concerns received will be entered on a concerns matters log, which will include, among other things: (a) information regarding the date the Concern was received; (b) a description of the Concern; (c) the submitter (if provided); and (d) the status and disposition of an investigation of the Concern. Receipt of the Concern will be acknowledged to the sender, within a reasonable period following receipt, if appropriate information for response is supplied.

    The VP Legal will report immediately to the Board: (a) Concerns related to the Company’s executive officers and (b) such other matters as the VP Legal deems significant. The Board will direct and oversee an investigation of such Concerns, as it determines to be appropriate. The Board may also delegate the oversight and investigation of such Concerns to the appropriate members of the Company’s management.

    All other Concerns will be reviewed under the direction and oversight of the SVP Engineering, who will involve such other parties as deemed appropriate in order to analyze the risk of Breaches and how those risks may impact the Company’s business objectives and commitments to its customers. The SVP Engineering will provide the Board with a quarterly report of all material Concerns received and an update of pending investigations. The Board may request special treatment for any Concern and may assume the direction and oversight of an investigation of any such complaint.

    Confidentiality will be maintained to the fullest extent possible, consistent with the need to conduct an adequate review. Access to reports and records of complaints may be granted to regulatory agencies and other parties at the discretion of the Board. Documents that are covered by the attorney-client communication and/or work-product privileges will not be disclosed unless the VP Legal has consented in writing to a waiver of privilege.

    In all cases, prompt and appropriate corrective action, if necessary, will be taken by management, as determined and overseen by the Board.

    Reprisal, threats, retribution or retaliation in any way against any Reporting Person who has in good faith made a complaint or reported a Concern, or against any person who assists in any investigation or process with respect to such a complaint or concern, is prohibited. Employees or other service providers of the Company who believe that they have been subjected to any discrimination, retaliation or harassment for having submitted a complaint under this Policy, or for participating in an investigation relating to such a complaint, should immediately report the concern to the VP Legal. Any complaint that such discrimination, retaliation or harassment has occurred will be promptly and thoroughly investigated. If such a complaint is substantiated, appropriate disciplinary action will be taken, up to and including termination of employment (if applicable) for those individuals that engaged in the harassment or retaliation.

    The VP Legal or the Board will report the results of any investigation regarding a Concern, including any corrective actions taken, to the person making the Concern, if appropriate information for response was supplied, maintaining the anonymity of the Reporting Person making the complaint to the fullest extent possible.

  5. RETENTION OF COMPLAINTS

    The VP Legal will retain written Concerns, the concern matters log and all related documentation as required under applicable law.

  6. ADDITIONAL ENFORCEMENT INFORMATION

    The Company endeavors to operate on a highly transparent and ethical basis and wants to be made aware of any alleged, threatened or potential Breach in order to address it as soon as possible. We encourage you to first address your concerns by following the procedures outlined herein for reporting to or through the Company, so that the Company may conduct its own internal investigation and take corrective action as quickly as possible.

  7. MODIFICATION

    The Company may modify this Policy at any time without notice. Modification may be necessary, among other reasons, to maintain compliance with applicable laws, rules and regulations and to accommodate organizational changes.