G1 Business conduct
SoftwareOne is committed to adhering to all applicable laws and regulations affecting our operations.
We take the appropriate measures to ensure our employees understand the importance of honest and ethical conduct and consistently reflect this in their internal and external interactions.
Corporate culture is actively promoted and regularly evaluated through multiple formal communication and engagement channels. It is reinforced at company-wide townhalls, embedded in internal communications via SharePoint and employee newsletters, and further strengthened through mandatory Code of Conduct refresher trainings. These channels ensure that SoftwareOne’s values, expected behaviors and ethical standards are consistently communicated, understood and embedded across the organization, while also providing opportunities for feedback and continuous improvement.
Processes to identify material IROs
Through our Double materiality assessment, we assessed the impact and financial materiality of different business conduct issues related to our global operations. The material business conduct IROs that emerged are described throughout this section.
Please note that we have made entity-specific disclosures related to the following topics:
- Data privacy and information security.
- Responsible artificial intelligence.
The above issues are not covered in any way under the ESRS but are nevertheless relevant to SoftwareOne and emerged as material IROs in our DMA process.
In addition, where appropriate, we supplement ESRS-mandated disclosures with entity-specific data points for completeness of reporting (e.g., supplier relationship management).
Overall approach to business conduct and corporate culture
ESRS 2 GOV-4
Policies related to business conduct and corporate culture
SoftwareOne’s Code of Conduct provides instructions to our employees in areas such as commercial compliance, business integrity (e.g., anti-bribery, international sanctions), operational safety, information security, and data protection topics such as privacy and responsible AI. Our employees are required to complete mandatory online training on the Code of Conduct annually, and relevant business functions receive additional role-based targeted training.
Group Compliance regularly reports to the Audit Committee, sharing updates on cases and investigations and providing insights into the progress being made on the Compliance roadmap.
SoftwareOne’s Delegation of Authority (DoA) matrix provides a clear framework for assigning the authority to approve actions and undertake specific tasks. The DoA promotes employee autonomy and accountability, thereby supporting regulatory compliance and risk management.
The DoA defines the powers, responsibilities, and decision-making authority of management within the framework of the Organizational Regulations and Articles of Incorporation. It covers major governance areas including general management, financial planning, business activities, risk management, human resources, communications, and insurance. Approval authority is structured through a detailed matrix in which the Board approves strategic or high-value matters, while the Co-CEOs, CFO, Executive Board members, and regional or country leaders approve operational decisions within defined thresholds. Compliance is ensured through consultation and escalation rules, internal controls, audits, joint-signature requirements, and disciplinary measures for any deviation from the DoA.
In addition to the above, SoftwareOne’s enterprise risk management (ERM) framework plays a key role in identifying and managing material risks in relation to business conduct matters. It is designed to ensure integrity and quality in the management of business conduct and corporate culture risks across the global organization.
The ERM framework supports the identification, assessment, and management of material risks across strategic, operational, financial, legal & compliance, and commercial domains. Risks are identified through a formal enterprise risk assessment, among other methods, and are evaluated on both a gross and net basis, with mitigation strategies and controls applied accordingly. The consolidated enterprise risk register integrates risks across the organization and is reviewed by the Executive Board (EB) and Audit Committee at least annually. The EB and the Audit Committee are responsible for, and provide supervisory oversight of, the ERM framework. The company applies a three-lines-of-defense model, with ERM operating as a second-line function embedded across the business to ensure effective and integrated risk governance. Overall responsibility for the ERM framework lies with the Chief Financial Officer.
Internal employees are trained on these procedures through our Code of Conduct training, and awareness is reinforced through internal communication channels, and via our policies and public company webpage. All policies are accessible in a central repository on the company’s SharePoint and are cross-referenced with a link when appropriate, for example, in tools such as the Integrity Line, to promote transparency. In addition, all policies with external impact are posted on softwareone.com.
The Board of Directors and Executive Board collectively bring relevant expertise in legal, compliance, risk management and corporate governance matters that support effective oversight of ethical business conduct, including anti-bribery and corruption. Members of the BoD and executive management are included in Code of Conduct training as part of SoftwareOne’s broader governance and compliance program. This training requires an attestation (digital signing) of the Code of Conduct for completion.
Governance
SoftwareOne’s governance architecture and culture are shaped and driven by the Legal and Compliance departments with distinct mandates.
Board of Directors involvement
The Chief Legal Officer serves as the secretary to the Board of Directors (BoD) and has direct access to the chairpersons of the BoD and BoD-level audit committee to communicate developments related to integrity investigations. The BoD is regularly briefed by the Chief Legal Officer on matters regarding integrity, enterprise risk and changes to regulatory compliance. Investigations into anti-bribery and corruption cases are regularly reported to the BoD and the audit committee.
Executive Board’s involvement
Supported by the Chief Legal Officer, SoftwareOne’s EB regularly reinforces the importance of ethics and integrity during town halls and other forums aimed at large groups of employees.
Internal audit
SoftwareOne’s Internal Audit team performs regular reviews of compliance processes and procedures as part of its standard audit program. While there is no dedicated or targeted compliance audit at present, compliance-related controls are assessed periodically within the scope of these broader audits.
Actions related to overall business conduct and corporate culture in 2025
Whistleblower channels
SoftwareOne operates a speak-up culture to ensure that our employees and external individuals feel comfortable raising any potential integrity concerns. Our whistleblowing approach is aligned and compliant with the EU Directive 2019/1937 (the Whistleblower Protection Directive) and is available for external reporting by the public.
Our Integrity Line is the internal reporting mechanism that allows employees and external third parties to report incidents confidentially and securely. Using the Integrity Line, employees and external third parties can report a wide range of issues, including bribery, corruption, discrimination, harassment, violence, conflicts of interest, theft, and health and safety violations.
The Integrity Line is operated via EQS, an external tool, to ensure anonymity and impartiality. External reporting telephone hotlines have also been established for various European countries. In addition, employees or third parties can report any potential misconduct directly to our dedicated compliance email address.
Email: Global.compliance@softwareone.com
Reporting system: SoftwareOne Integrity Line
The telephone numbers are found in our External Reporting Policy.
A key objective of managing grievances is to learn from such cases and prevent their recurrence. The focus is on remediation and conflict resolution, along with prevention of adverse media exposure, reputational damage and involvement in court cases. Remediation processes are tailored to the specifics of each case, involving pertinent departments as required, including, but not limited to, People and Culture for disciplinary measures and Finance Compliance to address procedural flaws. Escalation to the BoD is also undertaken where appropriate.
Protection from retaliation
To protect whistleblowers and ensure their reports are investigated and addressed, we have internal procedures that comply with the European Union Whistleblower Directive (EU 2019/1937).
Retaliation against any employee who, in good faith, reports suspected compliance violations or who cooperates in an investigation is strictly prohibited. Our Codes of Conduct and Compliance Reporting Policies embrace the principle of non-retaliation, ensuring that individuals who report concerns in good faith are protected from any form of retaliation. Our remediation strategy includes developing new policies, sharing ad hoc learnings with business leaders, and incorporating real-life cases into our compliance training materials, reinforcing our commitment to continuous improvement and ethical business practices.
Confidentiality regarding employee concerns will be maintained at all times insofar as is legal and practical, with information shared only with those personnel who have a need to know.
Investigations
SoftwareOne is committed to investigating business conduct incidents promptly, independently, and objectively, leveraging a structured, hypothesis-driven methodology to enhance the integrity of our investigative processes.
SoftwareOne has an investigation policy which reinforces its investigative framework to systematically assess business conduct incidents, including corruption and bribery. This enhanced methodology integrates risk-based prioritization, root cause analysis, and evidence-based hypothesis testing to drive thorough and objective investigations.
After an issue has been reported through the Integrity Line, a comprehensive case management system is triggered which is designed to facilitate the logging, tracking, and resolution of reported cases. This includes interview notes, disciplinary actions and case outcomes. The Legal and Compliance teams are responsible for all investigations of cases raised through the Integrity Line.
Our investigatory mechanisms are accessible to both internal and external stakeholders, ensuring transparency and accountability.
Performance related to overall business conduct and corporate culture
Cases reported and referred for investigation
The number of reports received on the Integrity Line in 2025 increased by 5.5% compared to 2024. The increase in Integrity Line reports primarily reflects heightened organizational awareness and strengthened trust in our reporting mechanisms.
Integrity Line cases 2025
Case type | 2025 |
--- | --- |
Other breaches of the Code of Conduct | 42 |
Discrimination and harassment | 21 |
Conflict of interest | 17 |
Financial crime | 3* |
Rights and protection of individuals | 3 |
Competition law | 1 |
* The 4% financial crime cases relate to cases reported by members of the public in Italy, where SoftwareOne’s name was misused in an internet scam. SoftwareOne was neither a victim of this fraud nor otherwise involved.
Training and communication related to integrity and ethical conduct
Our Compliance team launches a Compliance, Data and Security Month Training Campaign every year in March/April. This training is mandatory for all existing employees. 72% of SoftwareOne employees were enrolled in this training campaign in 2025. SoftwareOne also requires its new employees to complete this same training when onboarding. Crayon is not yet covered by our Compliance, Data and Security training. However, Crayon employees received annual integrity awareness training, and Crayon also requires new employees to complete this same training when onboarding. Crayon employees will be included in our Compliance, Data and Security training in 2026.
This year we had five mandatory courses within Compliance, Data and Security Month, which yielded excellent completion rates. From the 72% of employees enrolled, the following completion rates were achieved:
These metrics include SoftwareOne employees and 2025 new joiners, and only Crayon 2025 new joiners in the Global Code of Conduct and Cybersecurity and online habits training.
SoftwareOne business conduct and corporate culture training (including training on ethics and integrity) based on our Code of Conduct
Category | 2025 |
--- | --- |
Number of employees enrolled | 9,301 |
Number of employees trained | 8,747 |
These metrics include SoftwareOne employees and 2025 new joiners and, for Crayon, only 2025 new joiners.
Beyond ethics and integrity training, our training covers a wide range of topics related to business conduct and corporate culture. Upon completion of the training, final sign-off is mandatory, with employees agreeing to comply with the Employee Code of Conduct and acknowledging that breaches may result in disciplinary procedures.
The training is designed to empower our employees to uphold the highest standards of integrity in all business activities and relationships. In its entirety, the training covers the topics shown below.
Business conduct and corporate culture training content based on our Code of Conduct
Theme of training | Training objectives | Topics covered in training |
--- | --- | --- |
Secured business operations | To promote a culture of integrity, accountability, and mutual respect in all business activities and relationships | Ethical conduct and integrity; Risk awareness and mitigation; Respectful workplace and communication |
Secure business ecosystem | To maintain a work environment where bribery and corruption are not tolerated, and external relationships are founded on SoftwareOne’s integrity standards | Anti-bribery and corruption awareness; Third-party due diligence; Trade compliance |
Reporting channels and grievance mechanisms | To encourage reporting of misconduct and explain how concerns are handled | Available channels and support mechanisms to report concerns; Anti-retaliation |
Methodology
Approach
Individuals are automatically assigned to online training. The training includes checkpoints for knowledge validation in each theme and a final sign-off of the SoftwareOne Employee Code of Conduct.
Reminders for completion are sent on a regular basis, and the escalation process includes intervention from direct managers and possibly other checks until completion.
Data sources
We rely on data from SoftwareOne’s human resources data management system for training statistics.
Scope
Reported metrics are global in scope, covering SoftwareOne’s operations worldwide unless otherwise stated. Crayon is not yet covered by our Compliance, Data and Security training. However, Crayon employees received annual integrity awareness training, and Crayon also requires new employees to complete this same training when onboarding. Crayon employees will be included in our Compliance, Data and Security training in 2026.
External validation
Metrics relating to business conduct and corporate culture are externally reviewed and validated by TÜV Süd within the framework of SoftwareOne’s annual external audit and certification cycle for ISO 27001, ISO 27701, and ISO 37001 (for Brazil, Turkey and Crayon).
Targets
There were no 2025 targets related to overall business conduct and corporate culture.
All foundational components for Integrity have been laid through our annual mandatory training for existing employees and new joiners.
We may consider setting targets in the future if threats and vulnerabilities evolve further, or there is a change in the number of incidents related to business conduct.
Management of relationships with suppliers
ESRS 2 GOV-4
Policies related to supplier risk management
Supplier and business partner relationships are managed at group level through an integrated set of governance arrangements, contractual frameworks, and risk-based controls embedded within broader business, compliance, and risk management processes.
SoftwareOne’s Code of Conduct for Partners defines the ethical, compliance, and responsible business standards expected of suppliers and other third parties within its value chain, including distributors, resellers, contractors, and subcontractors.
The Code is communicated to relevant partners as part of the commercial framework and supported by terms of the contract. Partner adherence is assessed through due diligence, risk assessment, and ongoing relationship management processes. Based on risk criteria, the Compliance function may conduct additional due diligence and take appropriate actions, including exercising contractual rights such as termination, where potential violations are identified.
As part of supplier relationship management, suppliers and business partners are subject to risk-based checks covering compliance and integrity risks, including sanctions and trade restrictions, ownership and control structures, corruption and adverse media exposure, geographic and industry risk factors, financial stability, information security and data protection, operational risk, and sustainability-related risk indicators across environmental, social, and governance dimensions. These checks are applied equally to all suppliers to ensure a consistent baseline assessment. However, suppliers are subject to an internal ranking based on the nature, scope and strategic importance of the cooperation, which determines the depth and frequency of ongoing monitoring.
The scope and depth of these checks are applied proportionately based on the nature of the relationship and the assessed risk profile, with identified risks addressed through established internal governance and escalation processes. Metrics and evaluation criteria are applied consistently and in a standardized manner to avoid bias and ensure objective assessment across the supplier base.
Where risks related to ethical conduct, compliance, or sustainability are identified, these are addressed through existing governance mechanisms, including contractual arrangements, escalation processes, and, where appropriate, additional reviews or controls. Ongoing supplier relationship management aims to support transparency, enable the identification of potential issues, and facilitate proportionate and timely responses in line with established internal processes.
SoftwareOne’s systems to prevent, detect, investigate, and respond to bribery and corruption risks involving suppliers and business partners are based on three concrete components: sanctions and restricted-party screening tools; verification and monitoring platforms; and formal reporting and investigation systems, including whistleblowing channels and compliance case management with defined escalation and remediation procedures.
SoftwareOne does not have a formalized policy specifically dedicated to preventing late payments to suppliers, including small and medium-sized enterprises (SMEs). However, we manage payment practices within our broader financial management and credit risk framework. While no specific policy targeting late payments to SMEs is currently in place, SoftwareOne is committed to maintaining fair business relationships and responsible payment practices as part of its broader governance and financial management approach.
Alignment with international standards
The policy is aligned with the UNGPs, ILO conventions, and OECD Guidelines for Multinational Enterprises.
Governance
Responsibility for third-party integrity and compliance matters within supplier relationship management is shared across relevant assurance functions, including Compliance, Finance, Information Security, Data Protection, and ESG, in line with their respective areas of expertise. These functions act as subject matter experts and are responsible for assessing identified risks, supporting escalation, and applying appropriate follow-up actions within existing governance arrangements.
The initiation and management of third-party engagements are supported by the involvement of relevant subject matter experts, who ensure that applicable internal controls and approval requirements are considered when engaging suppliers and other business partners, taking into account the nature of the relationship and associated risk considerations.
These governance arrangements are intended to support consistent handling of third-party engagements and to enable effective identification, escalation, and management of integrity- and risk-related issues across supplier relationships.
Accessibility
The Code of Conduct for Partners is shared with prospective suppliers and business partners prior to onboarding, and suppliers affirm their acknowledgement of and adherence to it. The Code of Conduct for Partners is available on our internal SharePoint and the global corporate website.
Actions related to supplier relationship management in 2025
SoftwareOne is committed to supplier management across its global value chain through a structured, risk-based due diligence process. Business partners are assessed throughout the lifecycle of the relationship to identify, evaluate, and mitigate ESG risks. Key focus areas include environmental protection, energy management, data protection, anti-corruption, modern slavery, human rights, child labor, conflict minerals, health & safety, conflicts of interest, diversity & inclusion, quality management, and carbon footprint.
Our due diligence framework combines supplier questionnaires, ESG screening, and risk segmentation. Through the Integrity Next platform and internal tools, suppliers provide information on environmental, social, governance, and compliance topics. Suppliers are categorized based on spend, geography, sector, and inherent risk profile, enabling prioritization of higher-risk partners.
ESG criteria are part of how new suppliers are evaluated when the platform is used within SoftwareOne’s procurement or supplier onboarding process. The results support risk transparency, documentation and ongoing monitoring, and may inform procurement discussions and supplier engagement. However, SoftwareOne does not currently apply ESG criteria as a determining factor in whether to proceed or not proceed with a supplier. Commercial and operational considerations remain the primary basis for supplier selection decisions, with ESG assessments serving as a risk management and transparency tool.
Suppliers identified as higher risk undergo enhanced due diligence and follow-up actions, which may include additional assessments, remediation measures, or, where standards are not met, termination of the relationship. This approach enables SoftwareOne to proactively mitigate risks, address vulnerabilities, and ensure ongoing compliance. The process applies to both prospective and existing software publishers, vendors, and global suppliers.
Plans for 2026
In response to the continued increase in regulatory, customer, and stakeholder expectations related to ESG, integrity, international sanctions, security, and data protection, SoftwareOne plans to further strengthen its supplier relationship management approach in 2026. This includes an increased reliance on technology-enabled solutions to support more efficient and consistent screening, verification, and monitoring of suppliers and business partners.
In addition, SoftwareOne will continue to apply a differentiated, risk-based approach to supplier relationship management, with enhanced attention given to strategic and higher-risk suppliers. Engagement with such suppliers may include closer coordination, targeted risk assessments, and enhanced reviews focusing on integrity-related risks, including anti-bribery and corruption, as well as relevant social and environmental considerations across the value chain.
Performance related to supplier relationship management
The number of third-party risk assessments initiated in 2025 can be found in S2 Workers in the value chain.
Methodology
Category B (10) supplier relationship management disclosures are based on information collected through existing processes and systems used to support third-party screening, assessment, and oversight. Topics and disclosures included in this section reflect the outcomes of SoftwareOne’s double materiality assessment.
(10) Category B suppliers have a revenue between EUR 500k–999k as defined by SoftwareOne’s internal framework.
Data sources
We rely on data from a third-party management system, and reports from our customer relationship management system (CRM).
Scope
Reported metrics are global in scope and cover SoftwareOne’s operations worldwide. Risk screening activities are conducted by both SoftwareOne and Crayon. While the underlying methodologies may currently differ, we are aligning the risk screening approaches to ensure a consistent framework across the combined organization.
Assumptions
All internal business relationship managers submit all assessment requests through the existing tools.
External validation
Supplier management metrics are externally reviewed and validated by TÜV Süd within the framework of SoftwareOne’s annual external audit and certification cycle for: ISO 27001, ISO 27701, and ISO 37001.
Targets
There were no 2025 targets related to supplier relationship management.
All foundational components for third-party management (including suppliers) have been laid. We may consider setting targets in the future if threats and vulnerabilities evolve further, or if there is a change in the number of incidents related to supplier management.
Prevention and detection of bribery and corruption
As a global multinational company, SoftwareOne operates across multiple jurisdictions with diverse regulatory environments, business practices, and cultural norms. This diversity increases exposure to bribery and corruption risks, including the risk of allegations of misconduct, whether substantiated or unsubstantiated. SoftwareOne recognizes that such allegations, even where ultimately disproven, may have legal, financial, and reputational implications and therefore require consistent preventive and responsive controls.
SoftwareOne’s approach to anti-bribery and corruption (ABC) is designed to identify, mitigate, and monitor these risks through a combination of governance structures, policies, and operational controls, applied across the organization and its entities.
The risks set out above are considered within SoftwareOne’s broader enterprise risk management framework and are reviewed in the context of the company’s overall risk profile.
Functions at risk of bribery and corruption
SoftwareOne’s bribery and corruption risk profile is influenced by the nature of its operating model, including the use of third parties, engagement in complex commercial transactions, and interactions with both private and public sector counterparties across multiple jurisdictions. SoftwareOne identifies elevated bribery and corruption risks in functions where decision-making authority, financial discretion, and external interactions converge. At-risk functions include recruitment and employment, sales and commercial negotiation roles, sales roles with engagements with public sector customers, and roles that involve the management of incentives, charitable contributions or sponsorships.
In these areas, risks are primarily driven by reliance on third parties, proximity to public procurement or public officials, potential conflicts of interest, and discretion over financial or non-financial benefits. Accordingly, these functions are subject to risk-based oversight, controls, and awareness measures proportionate to their assessed exposure. Training specific to functions at risk is scheduled to be rolled out in 2026. Currently, employees in these functions complete the standard Code of Conduct training.
ISO 37001 certification
SoftwareOne operates an anti-bribery management framework aligned with ISO 37001, supported by group-level governance, policies, and control principles. Within SoftwareOne, anti-bribery management systems in Brazil, Turkey and Crayon entities are certified in accordance with ISO 37001, providing independent assurance over the design and operation of defined anti-bribery controls. These specific SoftwareOne entities have aligned with ISO 37001 due to market and customer requirements. Oversight of the framework and related assurance activities is exercised by Group Compliance.
Across SoftwareOne, the anti-bribery management framework includes risk-based measures for preventing, detecting, and responding to bribery-related risks, including structured third-party vetting and monitoring processes designed to promote adherence to SoftwareOne’s anti-bribery standards.
Policies related to anti-bribery and corruption
SoftwareOne maintains a zero-tolerance approach to bribery and corruption and is committed to compliance with applicable anti-bribery and corruption laws across its operations, including legislation such as the UK Bribery Act and the US Foreign Corrupt Practices Act, as well as relevant industry standards.
SoftwareOne’s internal anti-bribery and corruption framework is supported by global policies applicable to senior leaders and employees, including the Anti-Bribery & Corruption Policy, the Gifts and Entertainment Policy, and the Conflict of Interest Policy. These policies establish principles and requirements designed to prevent, identify, and address bribery and corruption risks. Employees are required to acknowledge these policies as part of mandatory annual Code of Conduct training.
For external parties, SoftwareOne sets clear expectations through its Code of Conduct for Partners, which includes provisions related to ethical business conduct and anti-bribery and corruption measures. Partners and suppliers are also required to agree to contractual terms and conditions containing anti-bribery and corruption obligations appropriate to the nature of the relationship.
Together, these policies and standards provide guidance on key risk areas, including conflicts of interest, interactions with public officials, employment-related decisions, gifts and hospitality, sponsorships and donations, engagement of third-parties, and the application of financial and non-financial controls. Concerns or suspected breaches may be reported through established reporting channels and are assessed and addressed in accordance with SoftwareOne’s internal investigation and case-management processes.
Alignment with international standards
SoftwareOne’s anti-bribery and corruption framework is informed by internationally recognized standards for responsible business conduct, including the United Nations Guiding Principles on Business and Human Rights and relevant OECD guidance, and is designed to support compliance with applicable anti-bribery and corruption laws.
Governance
The governance of SoftwareOne’s anti-bribery and corruption framework is overseen by Group Compliance, with defined roles and responsibilities across relevant business and support functions. Group Compliance is responsible for maintaining the ABC framework, supporting its implementation, and providing guidance on the interpretation and application of related policies and standards.
Accessibility
The Code of Conduct for Partners and Code of Conduct for Employees are available on our corporate global website. The Anti-Bribery Policy is available here.
Independence and accountability related to anti-bribery and corruption measures
Responsibility for preventing and detecting bribery and corruption is embedded across SoftwareOne’s operations, with management and relevant functions accountable for implementing and operating controls within their respective areas of responsibility. This includes adherence to applicable policies, procedures, and risk-based controls designed to mitigate bribery and corruption risks.
The Compliance function provides independent oversight of the anti-bribery and corruption framework and is responsible for the assessment and investigation of reported concerns or suspected breaches, whether raised by employees or external parties. Reported cases and significant matters are escalated and communicated to the BoD in line with SoftwareOne’s risk methodology, enabling appropriate oversight and governance of bribery and corruption risks.
Based on this governance framework and SoftwareOne’s risk assessment, the company has identified key integrity-related risks associated with unethical behavior within its own workforce and with bribery and corruption involving third parties. These material risks, together with the corresponding mitigation measures, value-chain positioning, and time horizons, are summarised above at the beginning of this section.
Actions related to anti-bribery and corruption in 2025
We are dedicated to continually enhancing and advancing our anti-bribery management system. A critical component is the assessment of our business partners throughout the lifecycle of our relationships with them. From an anti-bribery and corruption perspective, SoftwareOne’s due diligence assessments emphasize crucial aspects such as employment practices, potential conflicts of interest, previous breaches or investigations and other financial or non-financial controls.
The anti-bribery management system is supported by dedicated resources across the Group Compliance, Finance Compliance, Global Procurement and Information Security functions, which collaborate to ensure effective implementation, monitoring and control.
There were no breaches of procedures and standards related to anti-bribery and corruption in 2025.
Performance related to anti-bribery and corruption
SoftwareOne provides mandatory Code of Conduct training to all employees through an external learning platform. The training addresses core principles of ethical business conduct and includes a dedicated focus on anti-bribery and corruption topics relevant to SoftwareOne’s business activities, operating environment, and interactions with third parties.
The anti-bribery and corruption module is designed to establish clear guidelines for the identification and management of suspicious activities within the organization. It provides a structured approach to reporting and handling such incidents, ensuring consistency and compliance with regulatory standards. The module specifies procedures for promptly reporting suspicions, including the necessary documentation and communication channels. It emphasizes the importance of timely action to mitigate potential risks and protect organizational integrity.
Penalties for non-compliance or failure to adhere to the established procedures are clearly outlined, reinforcing accountability at all levels. Additionally, the module promotes policy awareness, ensuring that all employees are informed of the importance of vigilance in maintaining a secure environment.
SoftwareOne is not in a position to disclose the percentage of each function at risk covered by the anti-bribery and corruption training program for the reporting period. This is because no function-at-risk–specific training was rolled out in 2025. During the year, employees, including those in identified functions at risk, were enrolled in the standard Code of Conduct training. We achieved a 72% enrollment rate. Function-at-risk–specific training is planned for implementation from 2026 onwards, at which point coverage metrics will be tracked and reported accordingly.
Training participation and completion are monitored centrally to support consistent application of SoftwareOne’s ethical standards and anti-bribery and corruption framework. Members of the BoD and EB are included in Code of Conduct training as part of SoftwareOne’s broader governance and compliance program. Details of this training during the 2025 year are as follows:
| Training coverage | |
|---|---|
| Employees | |
| Total number of employees enrolled | 9,301 |
| Total number of employees who completed the training | 8,747 |
| Delivery method and duration | |
| Delivery method | Online video training |
| Duration | 8 minutes within 40 minutes of Code of Conduct training |
| Frequency | |
| How often training is required | Annually |
| Topics covered | |
| Definition of bribery | Yes |
| Procedures for handling suspicion or detection incidents | Yes |
| Penalties for corruption offenses | Yes |
| Awareness of SoftwareOne Anti-Corruption and Bribery Policy | Yes |
These metrics include all SoftwareOne employees, including 2025 new joiners, but for Crayon only 2025 new joiners.
Convictions and fines
SoftwareOne was not convicted of any violation of anti-corruption and anti-bribery laws in 2025. SoftwareOne was not fined for any violation of anti-corruption and anti-bribery laws in 2025.
Methodology
Approach
Anti-bribery and corruption related performance information presented in this section relates to training activities and governance measures implemented as part of SoftwareOne’s Code of Conduct and compliance framework.
Data sources
Training-related metrics are derived from SoftwareOne’s learning management systems and human resources data sources used to monitor participation and completion.
Scope
Reported information covers SoftwareOne’s global operations for the reporting period. Crayon is not yet covered by our Compliance, Data and Security training; however, Crayon employees received annual integrity awareness training, and Crayon also requires new employees to complete this same training when onboarding. Crayon employees will be included in our Compliance, Data and Security training in 2026.
External validation
Metrics relating to anti-bribery and corruption are externally reviewed and validated by TÜV Süd within the framework of SoftwareOne’s annual external audit and certification cycle for: ISO 27001, ISO 27701, and ISO 37001.
Targets
There were no 2025 targets related to anti-bribery and corruption.
All foundational components for anti-bribery and corruption are laid through annual mandatory training for existing employees and new joiners.
We may consider setting targets in future if threats and vulnerabilities evolve, or there is a change in the number of incidents related to bribery and corruption.
Data protection and information security
Entity-specific
SoftwareOne’s business operations and services entail data processing. For example, our managed and professional services require us to store and further process both business and personal data for customers around the world.
As a leading global provider of software and cloud solutions, SoftwareOne recognizes the inevitable rise in threats from cyberattacks and security events. Risk is heightened by the rapid speed at which the technology used to extract and process data is evolving in complexity and capability.
A breach of customer data could therefore have a negative impact on our customers and society at large, accompanied by significant financial and reputational ramifications for SoftwareOne.
We treat information security and data protection as core parts of our business. That is why principles of data protection and security as well as regulatory requirements are embedded in the way we develop and run our internal and customer-facing services.
Policies related to data protection and information security
SoftwareOne’s policies for information security and data protection are the Information Security Policy, Data Protection and Privacy Policy, and the Global Secured Productivity Policy. These policies bring together key regulatory requirements and present them in a clear and accessible format for all employees across the organization.
Supplementing these policies are additional policies and procedures on security, privacy and data protection. These are divided into two categories: role-based and requirement-based.
Role-based instructions outline specific requirements for relevant roles and teams across the organization.
Requirement-based instructions are tailored to the individual needs of employees, depending on the nature of their responsibilities.
This approach ensures that employees receive the information most relevant to their duties, without being overwhelmed by content that does not apply to their day-to-day work.
Governance
SoftwareOne’s Information Security program is led by SoftwareOne’s Chief Information Security Officer (CISO) who is responsible for managing the information security team, consisting of security analysts, engineers, governance and risk managers, security culture & awareness specialists and internal auditors.
The data protection program is led by SoftwareOne’s Group Data Protection Counsel, alongside the externally appointed Data Protection Officer (FIRST PRIVACY GmbH). There is also an internal independent Data Protection Officer who oversees the data protection program.
The SoftwareOne Information Security team and the Group Data Protection Counsel have overall responsibility for the creation and maintenance of all policies relating to data protection and information security, including any associated instructions. They collaborate with all relevant stakeholders across the business to ensure that the policies and instructions are aligned with business requirements and the regulatory landscape.
Accessibility
All SoftwareOne policies, procedures, instructions and similar documents are available to all employees on an internal SharePoint site.
Data protection principles
SoftwareOne safeguards the privacy of those individuals whose personal data we process. We use the European Union General Data Protection Regulation (EU GDPR) as our core foundation for the application of data protection requirements within SoftwareOne. However, as a global organization we also adhere to national legislation where local provisions require us to do so. This is all managed within our privacy information management system certified under ISO 27701.
We continuously track global privacy and data protection laws and regulatory trends to enhance SoftwareOne’s privacy practices and processes. In addition to harmonizing requirements, we integrate global privacy and data protection standards into comprehensive guidelines and customer briefings. These briefings detail how we handle personal information and other types of data, as well as the development and updating of our privacy policies and procedures.
We invest in advanced technology and maintain resilient technical and organizational measures to protect the personal data we process for our digital transformation services and support functions.
By collaborating with teams across the business, we ensure that the relevant data protection principles are embedded into all workstreams within SoftwareOne. This provides our customers, employees and other third parties with the assurances that their privacy rights and the data we process on their behalf are protected.
We provide input to product and service development teams and we conduct data protection and security reviews of products, software and services for both internal and external use.
A prime example of our preventative approach to data protection risks in service delivery is our data minimization review. This review is performed by SoftwareOne and our customers at the beginning of each data and AI project. Wherever possible, we use the results of these reviews and methods such as pseudonymization to process large amounts of data while avoiding or limiting personal data. We perform ongoing reviews and audits to continuously improve our security and privacy controls.
We ensure that supplier and partner agreements include appropriate data protection and security provisions. This includes assisting the SoftwareOne Data Protection Officer in updating data privacy agreement templates and enhancing privacy and security-focused addenda.
ISO 27701 covers SoftwareOne entities in Colombia, India, Philippines, Singapore, and Switzerland.
Historically, SoftwareOne did not operate under a fully centralized governance structure for ISO 27001 and ISO 27701. Only certain sites are covered by specific ISO certifications to ensure that certification efforts are focused on operationally active entities that directly contribute to revenue generation, growth, and core business activities. These sites have implemented global policies and procedures and are subject to consistent governance and control frameworks, making them appropriate for inclusion. As individual countries were integrated into the centralized governance framework and achieved compliance with the relevant standards, they were progressively included within the certification scope. For Crayon, all sites are covered under ISO 27001 and ISO 27701 certifications.
Actions related to data protection in 2025
SoftwareOne maintained its ISO 27701 certification in 2025, with additional coverage in new regions achieved through the Crayon combination. We increased our transparency with customers, partners, and individuals, such as job applicants and office visitors, by improving our policies reflecting the changes in SoftwareOne following the combination with Crayon. Our measures encompassed clear policies and regular disclosures about data practices to build trust with stakeholders.
In 2025, we thoroughly reviewed and updated our records of processing activities to ensure strict adherence to data privacy principles, and finalized an intragroup agreement to facilitate personal data processing activities as part of the Crayon and SoftwareOne combination.
The effectiveness of our data protection program is measured through the successful recertification of ISO 27701, the timely review and update of data protection policies, and the execution and ongoing implementation of the intragroup agreement.
Performance is further assessed by monitoring regulatory engagement, including the number of complaints raised with supervisory authorities, with no complaints reported during this reporting period.
Additionally, we implemented robust technical policies for data storage to ensure the security and integrity of the data we do retain.
Plans for 2026
As we head into 2026, SoftwareOne will continue to improve its data protection and information security practices. We will consistently focus on identifying potential vulnerabilities and implement measures to mitigate these risks. This proactive approach helps maintain a strong privacy posture and ensures that we are prepared to address emerging threats.
We also plan to establish a network of privacy champions within our organization to advocate for privacy best practices and help ensure compliance with privacy policies. By fostering a culture of privacy awareness, we aim to strengthen our overall data protection efforts.
Security by default
In 2025 we delivered on our information security priorities, which were all geared towards a combination of efficiency, building scale and maturity, and compliance with internal and external requirements as the integration of Crayon and SoftwareOne progressed:
- Achieved certification against the latest version of ISO 27001.
- Updated ISMS to ensure compliance with NIS2 as countries implement legislation enforcing the directive.
- Ensured that appropriate security was maintained in line with regulatory and contractual obligations during the integration of Crayon and SoftwareOne into a single technology environment.
- Deployed technical data loss prevention controls associated with generative AI tools and services.
To further minimize the chances of SoftwareOne being used as a backdoor into customer environments, we continued to improve the security of our cloud solutions provider platform that has access to customer environments. We strengthened the team through the merging of the Crayon and SoftwareOne security teams into a unified team, leveraging their combined strengths to drive improvement. Collectively, our actions were geared towards ensuring we can scale efficiently and cost-effectively in line with business requirements.
Looking ahead to 2026, we will continue to identify and realize cost savings made possible through the combination of Crayon and SoftwareOne through removal of duplicate tooling and leveraging the use of AI and automation to drive efficiencies. This will further strengthen our internal security posture and deliver added value to SoftwareOne’s customers.
Training on data protection and information security in 2025
Training our employees is essential to equip them with the relevant skills and knowledge to prevent and manage inadvertent data breaches.
All employees worldwide were provided with mandatory online interactive training covering our information security and data protection topics, and we had a 95.8% completion rate in 2025.
In 2025, eight phishing simulation campaigns were conducted, covering all employees. Refresher training was provided to employees who engaged with the simulated phishing emails.
In 2025, we delivered two global security awareness campaigns using a mix of communication channels. These focused on:
- The rising threat of fake CAPTCHAs, delivered through a global email and supported by a dedicated battlecard and a SharePoint article.
- Enhancements to Team Members’ email experience, introduced during the March Town Hall and supported by two dedicated battlecards and a SharePoint article.
In addition, we launched a Viva Engage community and three series of posts:
- 9 posts during Cybersecurity Awareness Month focused on improving personal security posture online.
- 2 alerts highlighted emerging threats such as WhatsApp impersonations and fake Teams calls.
- 1 reinforcement post described key actions to stay safe online.
Throughout the year, we published 7 SharePoint articles covering further topics such as the launch of the updated Security Desk, the importance of reporting security concerns, and the successful completion of ISO audits. We also produced 4 battlecards, providing detailed guidance on the threats posed by compromised NPM packages alongside the topics mentioned above.
Performance related to data protection and information security
In 2025, SoftwareOne’s information security team received a total of 268,684 security alerts, all of which were resolved. These alerts are notifications generated within SoftwareOne’s security tooling, or reports raised by employees or external third parties.
Resolution of these includes initial triage to determine the impact, containment of any threats, remediation and mitigation against root cause to prevent future recurrence.
These alerts are not classified as data breaches, as SoftwareOne follows the GDPR definition of a data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Each time a data breach is reported, the Data Protection Officer evaluates it, looking at the impact and consequences for the individuals concerned; where these are significant, SoftwareOne notifies both the data subjects and the relevant authorities. For notifications, the materiality thresholds we set factor in what data was exposed, the sensitivity of the data, the volume of the exposed data and the possible negative consequences for the individuals.
Our 2025 performance metrics are presented in the table below:
Data protection performance
| Description | 2025 |
|---|---|
| Number of data breaches | 26 |
| Number of substantiated breaches of customer privacy and losses of customer data | 23 |
| Number of successfully managed security alerts | 268,684 |
SoftwareOne and Crayon applied different methodologies and definitions when identifying data breaches. The table therefore presents the metrics for the combined company based on the available data from both organizations. We aim to implement a unified methodology and consistent definitions for identifying and reporting data breaches in the future. These metrics are optional, entity-specific data points that were previously reported. We have chosen to include and continue reporting on them for completeness of reporting.
Each data breach is subject to investigation and containment procedures, during which the root cause is identified and appropriate mitigation measures are implemented to reduce the likelihood of recurrence.
Methodology
Due to the entity-specific nature of the IROs and data points, our reporting on this topic is based on entity-specific disclosures. Data is collected through internal governance, risk and compliance systems, incident reporting tools such as ServiceNow and records maintained by the Data Protection Officer. Employee headcount data used to calculate training completion rates reflects active employees during the reporting period. Metrics rely on internal reporting processes; underreporting of incidents or complaints may affect completeness.
Definitions of key terms
- Data breaches: confirmed data breach of SoftwareOne data.
- Substantiated breaches of customer privacy and losses of customer data: confirmed data breach of customer data.
- Successfully managed security alerts: investigated, contained and remediated before causing a negative impact or escalating into a data breach.
Data sources
We rely on internal reports from employees and alerts generated by security tooling.
Scope
Reported metrics are global in scope, covering SoftwareOne’s operations worldwide.
External validation
Data protection and information security metrics are externally reviewed and validated by TÜV Süd within the framework of SoftwareOne’s annual external audit cycle for ISO 27001, ISO 27701 and ISO 37001 certification.
Targets
There were no 2025 targets related to data protection and information security. We may consider setting targets in future if threats and vulnerabilities evolve further, or there is a change in the number of incidents related to data protection.
Responsible AI
Entity-specific
SoftwareOne has developed strong capabilities in artificial intelligence through our Data & AI Center of Excellence and our long-standing experience supporting clients across public and private sectors. We help organizations modernize their data foundations, accelerate digital transformation, and deploy responsible, high-impact AI solutions. The trust our clients place in us remains one of our most important assets.
We promote responsible AI stewardship as a core principle and focus on delivering AI that creates positive outcomes for individuals, society, and the environment. Our services include data strategy and governance, machine learning development, generative AI adoption, cloud-based AI optimization, and the implementation of frameworks that ensure safe, compliant use of emerging technologies.
Within our Data & AI Center of Excellence, we are committed to designing systems that operate transparently, make fair and inclusive decisions, prioritize security in their handling of data, and contribute lasting value to society. We recognize that innovation must be guided by responsibility, and that technical progress without ethical foundations lacks direction. For this reason, we develop solutions that comply with regulations such as the EU AI Act and the GDPR, while also adhering to standards that exceed legal requirements. We consider not only what is permissible, but what is ethically sound and professionally responsible.
Responsible AI is more than a framework—it is a promise to our customers, partners, employees, and the wider society. Our goal is to ensure that all AI systems we design or support are technically robust, transparent, fair, secure, and future-proof.
SoftwareOne also integrates AI responsibly within our own operations. Governed and overseen by our Security Unit, internal AI adoption enhances the employee experience while protecting data integrity and organizational resilience. The internal use of AI provides a wide range of benefits, including improved efficiency, automation of repetitive tasks, and optimization of core business processes, always within a framework that prioritizes safety, transparency, and compliance.
For SoftwareOne, responsible AI means developing and using AI systems that reflect ethical principles and societal values. It requires fairness, transparency, accountability, and security at every stage of the AI lifecycle. With a strong governance framework and clear values, SoftwareOne is committed to shaping tomorrow’s standards and ensuring that the AI solutions we develop, and the AI we help others adopt, are trustworthy and demonstrably responsible.
Policies related to responsible AI
SoftwareOne is committed to ethical, responsible and safe AI use across all our services and internal productivity AI systems. We prohibit the development or deployment of AI systems that could cause harm, exploit individuals’ vulnerabilities, or classify individuals based on sensitive or protected characteristics. Any AI system that may impact health, safety, or fundamental rights undergoes rigorous assessment, risk evaluation, and mitigation before deployment.
To ensure consistent, transparent, and accountable AI practices, we have established a comprehensive set of policies and governance mechanisms that oversee the adoption, use, and lifecycle management of AI technologies. The policies we have developed to govern the adoption and deployment of AI include:
- The AI 42001 Framework, which provides the overarching governance model for trustworthy and compliant AI.
- Our Security Productivity Policy, which ensures safe and secure integration of AI Systems in daily operations.
- The Data & AI Playbook, which provides practical guidance, best practices, and standards for responsible data and AI innovation across our customer-facing services.
ISO 42001 certification currently applies to two SoftwareOne sites, reflecting the limited areas where these activities are performed, namely the Group AI management and the customer delivery team based in Vienna.
Governance
The SoftwareOne Security Unit provides governance for the implementation of our AI management system and oversees the responsible internal use of AI. Together with the Data & AI team, we apply a unified governance model to ensure that AI development, deployment and use are safe, transparent, and strategically aligned with our AI management system and certification requirements. This governance also reinforces our commitment to deploying AI in a way that protects our people, our customers, and our business, and ensures we are compliant, ethically responsible, secure and in line with our strategy. It combines corporate governance, regulatory compliance and responsible innovation. This approach has proven itself and has also been recognised and confirmed as part of our certification.
We have separate but linked governance frameworks for the internal and external deployment of AI respectively.
Internal deployment of AI
SoftwareOne’s Security Unit holds end‑to‑end accountability for the internal deployment of artificial intelligence. This responsibility extends beyond technical oversight to ensuring that every AI system and workflow used within our ecosystem meets rigorous standards for security, privacy, and regulatory compliance. To achieve this, SoftwareOne’s Security Unit works in close partnership with Procurement, IT Operations, and other key support functions to evaluate, approve, and monitor AI systems before they are introduced into our environment.
External deployment of AI
SoftwareOne’s Security Unit provides overarching governance for all AI services delivered to customers and partners. Working closely with the Data & AI team, the Security Unit ensures that every solution meets our established standards and that all projects delivering AI comply with our ISO/IEC 42001‑aligned controls. All AI systems are evaluated and approved before use, ensuring that the solutions we provide are safe, compliant, and trustworthy. This governance model gives customers and partners confidence that their data, operations, and business outcomes are protected throughout the entire AI lifecycle.
Responsible AI governance is embedded within the overall corporate governance structure. Decision-making authority, escalation paths, and accountability are clearly defined to ensure transparency and traceability. Governance is applied uniformly across business units to avoid fragmentation and to ensure consistent standards.
Governance for Responsible AI (RAI) is ensured through three structures with the following responsibilities:
- Ethics Committee: Reviews AI projects for moral, ethical and social acceptability and provides guidance to ensure that our AI is in line with our values.
- RAI Working Group: Identifies challenges, develops solutions and implements measures for fair, transparent and safe AI.
- Governance Group: Ensures compliance with regulatory requirements and combines ethical aspects with our business objectives.
To ensure clear governance, regulatory compliance, and responsible use of AI systems, the following decision and control mechanisms apply:
1. A clear decision matrix with explicit definitions of decision types and responsibilities for:
- Governance-related decisions (mandatory four-eyes principle for sensitive data processing and high-risk AI solutions).
- Ethically critical decisions.
- Business-critical decisions.
2. The four-eyes principle, mandatory for:
- The processing of sensitive or highly protected data.
- The development, deployment, or modification of high-risk AI models.
3. Mandatory and traceable documentation of:
- Architecture and design decisions.
- Origin, quality, and usage of training and reference data.
- Model evaluations, validations, and risk assessments.
4. Regular reviews and re-assessments, including:
- Formal compliance reviews.
- Regular re-assessments of models and use cases, particularly in the event of changes to data sources, intended use, or regulatory requirements.
Accessibility
Our CRAIG, Playbook and Governance procedures as well as the process description are available on our internal knowledge base.
Procedures related to responsible AI
Data & AI has established risk management, processes and procedures, organizational structures and documentation to ensure the trustworthy use of AI in line with operational implications.
SoftwareOne applies an AIRA that governs how AI is evaluated, deployed, and monitored across the organization. This framework ensures that all AI systems, whether used internally or delivered to customers, are safe, compliant, transparent, and aligned with our strategic objectives and AI Management System (ISO/IEC 42001:2023).
Data & AI’s Artificial Intelligence Risk Assessment (AIRA) is a mandatory part of the review process when onboarding new solutions. The AIRA assesses the risk of AI-driven tools, including generative AI. AIRA considers a range of factors such as context, accountability, data privacy and governance, technical robustness and security, transparency, explainability, diversity, non-discrimination and fairness. AIRA is designed to ensure that AI technology is used to increase productivity, efficiency and decision-making while complying with applicable law and maintaining privacy, confidentiality and data security.
Before each project starts, a risk assessment is carried out by the dedicated team (including the Ethics Committee, RAI Working Group and the Governance Group). The assessment considers the areas of application, impact, and risk categorization of the potential AI solution in accordance with the EU AI Act and GDPR. Subject to clear restrictions in accordance with the EU AI Act regarding prohibited practices, all possibilities and projects are reviewed before commissioning.
The AIRA is designed to ensure that AI technologies improve productivity, efficiency and decision-making while complying with applicable laws and respecting privacy, confidentiality and data security. By integrating these assessments, we demonstrate our commitment to the ethical use of AI and sustainable practices.
Actions related to responsible artificial intelligence in 2025
In 2025, SoftwareOne’s Security Unit implemented a formal AI management system (AIMS) aligned with global responsible AI standards, established documented processes for AI risk management, monitoring, and continuous improvement, and demonstrated full compliance through independent third‑party certification.
We introduced comprehensive guidelines on the responsible use of AI solutions targeting all SoftwareOne employees as an integral part of our training program. The key principles covered in our guidelines include ethical considerations, privacy and data security, and human oversight.
The guidelines are designed to foster a culture of responsible AI use that enhances productivity, efficiency, and decision-making while safeguarding privacy and data security. Internal processes are reviewed on a regular basis:
- We implemented continuous monitoring of AI systems for misuse and policy violations, supported by clear escalation and remediation procedures for AI‑related incidents and reinforced through periodic reviews to ensure ongoing compliance with the AI management system.
- We applied responsible AI assessments to all customer‑facing projects and internal AI systems, provided transparent documentation on model purpose, limitations, and safeguards, and ensured every AI deployment was fair, secure, explainable, and aligned with regulatory expectations.
- We delivered targeted training and Master Classes that provide tailored, role‑specific content to ensure each target audience develops the knowledge and skills required for responsible and effective use of AI.
Reporting channels and employee empowerment
In 2025, we established clear processes and multiple reporting channels for our global workforce to raise questions or report concerns about AI use in the workplace. This initiative empowers our employees to inform us about any issues related to AI, ensuring that we can address these issues promptly and effectively.
Reporting channels included our internal Trust Desk. Using these channels, one query was lodged by a SoftwareOne employee in 2025 and resolved.
Governance framework and expert training
Data & AI is committed to the ethical and responsible use of AI. We prohibit AI systems that harm people, exploit vulnerabilities or classify individuals based on sensitive information. AI systems that pose risks to health, safety or civil rights are carefully evaluated and mitigated.
To this end, Data & AI has established risk management, processes and procedures, organizational structures, documentation and policies to ensure that AI is used in a trustworthy manner in line with the operational implications.
To ensure compliance, we conduct a prior assessment to determine whether any prohibited practice could be a part of and/or result from a solution. Regulatory compliance is a fundamental premise for us, and prohibited practices will never form part of the solutions we develop. To this end, we have established appropriate mechanisms.
Responsible AI governance is embedded within the overall corporate governance structure. Decision-making authority, escalation paths, and accountability are clearly defined to ensure transparency and traceability. Governance is applied uniformly across business units to avoid fragmentation and to ensure consistent standards.
AI-related decisions follow structured and documented decision processes throughout the stages of a business opportunity. When an opportunity arises, the Pre-Sales Team performs an initial pre-assessment in accordance with the EU AI Act and the organization’s Responsible AI (RAI) framework, and this process continues until the opportunity is completed with the handover to the customer.
Complying with the EU AI Act
Due to the stringent requirements of the EU AI Act and its significant impact on the technology sector and providers of AI solutions, companies that develop and/or deploy AI technologies must ensure that their solutions comply with applicable safety and legal requirements, especially for high-risk AI systems.
Data & AI’s dedicated teams have proactively monitored the development of the EU AI Act since its earliest drafts and have continuously worked to ensure full compliance with this regulation as well as other relevant legal and regulatory requirements. Recognizing the critical importance of responsible AI development and deployment, Data & AI committed early on to comprehensive training programs aimed at establishing AI competencies across the organization and equipping AI-specialized professionals with an advanced understanding of regulatory obligations and risk identification and assessment methodologies.
To further strengthen compliance, Data & AI continuously refines its internal standards, safeguards, and processes to enable the secure, transparent, and responsible development and deployment of AI solutions. This structured and systematic approach is further evidenced by the achievement of ISO/IEC 42001 certification, which confirms the effectiveness of the Data & AI management system and its high level of maturity in managing AI-related risks.
This approach ensures a balanced framework that combines rigorous risk monitoring, assessment, and mitigation with clear guidelines, efficient tools, and transparent communication with all relevant stakeholders. Data & AI views regulatory requirements not as constraints, but as an opportunity to foster responsible innovation and drive sustainable business growth by supporting customers in adopting trustworthy, compliant, and future-proof AI solutions.
We take our responsibility very seriously and our goal is to build trust, minimize risks and promote sustainable innovation.
Our responsible AI approach encompasses our efforts to develop and use artificial intelligence systems in a responsible manner and to create systems that have certain characteristics and capabilities, such as social or moral ones. This addresses issues such as explainable AI, trustworthy AI, data protection, reliability and security. It also lends its name to a research group with a corresponding focus.
To ensure that no conflicting or opposing risks arise, Data & AI has established dedicated, independent boards that review relevant cases from multiple professional and ethical perspectives and provide their assessments independently. These clearly defined, process-driven, and interest-independent governance mechanisms ensure that solutions are not only compliant with applicable regulatory requirements but also deliver sustainable value and remain fully aligned with SoftwareOne’s core values and the value proposition made to our customers.
Plans for 2026
In 2026, we will continue strengthening our responsible AI capabilities by expanding governance, deepening operational maturity, and scaling AI adoption across the organization and our customer engagements.
Key priorities include:
- Expand the AI management system (AIMS) to additional business units and integrate more automated controls for monitoring, documentation, and continuous improvement.
- Expand employee training and Master Classes to deepen AI literacy, safe‑prompting practices, and role‑specific responsible AI competencies across the company.
- Increase transparency in customer‑facing AI services by enhancing documentation, model explainability, and lifecycle support.
- Develop new responsible AI KPIs to measure governance effectiveness, risk reduction, and value creation.
Performance related to responsible AI
We track our performance on AI impact assessments and responsible AI breaches, as they are meaningful signifiers of our progress on the responsible AI journey.
Data & AI ensures the responsible development and use of AI solutions through an end-to-end responsible AI assurance framework covering the full lifecycle. This framework integrates impact assessments, governance decision-making, and quality assurance into all relevant development and deployment processes.
All AI opportunities related to our department are subject to a structured assessment prior to development, deployment, or material change. The assessment evaluates legal, ethical, societal, and technical impacts, including risk classification in line with applicable regulatory requirements.
This assessment process is embedded in the organization’s governance model and supported by defined mechanisms. Our assessment ensures consistent application through standardized assessment templates, documentation requirements, and role-based responsibilities. Quality control includes review and approval processes, the four-eyes principle for higher-risk use cases, periodic re-assessments, and the relevant approvals required before proceeding further.
Responsible AI breaches
| Type of breach | 2025 |
| --- | --- |
| Number of responsible AI breaches | 0 |
This metric is reported for the combined company. It is an optional, entity-specific data point that has not previously been reported in our ESG disclosures.
Responsible AI breaches are measured through automated detection systems that continuously monitor our AI tools and systems, complemented by dedicated reporting channels available to both internal users and customers.
All incidents are reviewed and logged by the security team to ensure no breaches go undetected or unreported. The combination of automated monitoring, independent verification, and accessible reporting mechanisms gives us strong confidence that the zero responsible AI breaches reported for the period accurately reflect our operational reality.
As part of SoftwareOne’s commitment to responsible and ethical AI governance, a structured process is in place to evaluate AI solutions from vendors prior to internal adoption. AI Impact Assessments are conducted by the Security Unit, in coordination with the AI Work Group, to ensure that any AI tool or system considered for internal use is thoroughly reviewed against ethical, security, privacy, and compliance standards before deployment.
The assessment process examines key areas including data handling practices, transparency, fairness, potential risks to individuals, and alignment with applicable regulations and internal policies. This ensures that only AI solutions meeting SoftwareOne’s responsible AI principles are approved for internal use.
Depending on the identified risk level, proportionate mitigation measures and human oversight mechanisms are implemented and documented. Identified material risks are addressed through defined technical, organizational, or procedural controls.
Training on responsible AI
We provide comprehensive training programs to ensure AI literacy across the organization and provide our employees specialized in AI with an advanced understanding of legislative requirements and risk assessment methodologies.
The annual secured productivity training developed by the Security Unit, which is aimed at all employees, includes a module entitled Introduction to Responsible AI. Please refer to Performance relating to overall business conduct and corporate culture for metrics on the secured productivity training.
We review our training courses and improve them on a regular basis, and provide different training courses and master classes for the AI Solutions delivery team. These training courses provide specific content for the target group.
Methodology
Due to the entity-specific nature of the IROs and data points, our reporting on this topic is based on entity-specific disclosures. Data is collected through internal AI governance processes, risk management systems, compliance tracking tools, and training platforms. AI-related breaches are logged through established internal reporting channels.
Approach
Impact assessments evaluate both the potential negative and positive effects of deploying AI systems. Our current framework for impact assessments is consistent with ISO 42001.
Governance is not treated as a downstream control mechanism, but is ensured through clearly defined, mandatory processes that are applied consistently across the development and deployment lifecycle.
The following principles are ensured through our procedures:
- Privacy
- Security
- Ethics
- Explainability
Corresponding governance checks are formally embedded in:
- Architecture and design decisions
- Model training and validation
- Product approval processes
- Release and change management workflows
Data sources
We rely on data from the Security Unit’s internal reports.
Scope
Reported metrics are global in scope, covering SoftwareOne’s operations worldwide.
External validation
The AI metrics were not subject to validation by an external third party other than the provider of limited assurance on the sustainability statements.
Targets
There were no 2025 targets related to responsible AI. We may consider setting targets in future if threats and vulnerabilities evolve further, or there is a change in the number of incidents related to responsible AI.