Sanctions compliance policy

1. Purpose

This document establishes mandatory requirements for HLD Group personnel, contractors, and third parties with access to HLD Group systems, facilities, or data. It supports our information security management system (ISMS), regulatory obligations, and customer contractual commitments.

Compliance with this policy is a condition of access to company resources. Exceptions require documented approval from the Chief Information Security Officer (CISO) or delegate and must include compensating controls.

2. Scope

This policy applies globally to all HLD Group employees, contractors, consultants, interns, and agency staff ("Personnel"). It covers all information assets owned, leased, or processed by HLD Group, including cloud services, customer environments under our management, development systems, corporate IT, and removable media.

Where a customer contract or applicable law imposes stricter requirements, the stricter requirement prevails. Customer-specific security addenda form part of the compliance baseline for assigned personnel.

• Corporate and production information systems
• Endpoints, mobile devices, and removable media used for company business
• Collaboration tools, email, and messaging platforms
• Source code repositories, CI/CD pipelines, and artefact stores
• Physical offices, co-working facilities, and data centre space under our control

3. Definitions

• Information asset — any data, system, application, or service that stores, processes, or transmits information
• Sensitive data — confidential, restricted, regulated, or customer data requiring heightened protection
• Privileged access — administrative or elevated rights that can alter security configuration or access unrelated data
• Security incident — a confirmed or suspected breach of policy, loss of confidentiality, integrity, or availability
• Compensating control — alternative safeguard that achieves equivalent risk reduction when a primary control cannot be met

4. Programme

Ongoing screening of entities and individuals against OFAC, UN, EU, and Australian sanctions lists for sales and vendor onboarding.

5. Escalation

Potential matches escalated to compliance before transaction proceeds.

Roles and responsibilities

Enforcement, exceptions, and review

Violations may result in access suspension, disciplinary action up to termination, contract remedies for third parties, and referral to law enforcement where appropriate.

Exception requests must be submitted in writing, include business justification, risk assessment, expiry date, and compensating controls. Exceptions are reviewed at least quarterly.

This policy is reviewed at least annually and upon significant regulatory, organisational, or technology changes. Version history is maintained in the compliance repository.