Code of Ethics and Conduct

1) Purpose and area

The Code establishes mandatory ethical standards and rules of conduct for employees, managers, contractors and temporary workers. It applies to all locations and jurisdictions of presence, including telecommuting and public communications.

2) Our values (supports)

1. Honesty and legality. We comply with the law and the terms of licenses.
2. Respect and equal opportunity. Zero tolerance for discrimination/harassment.
3. Protecting players and society. Responsible play, compliance and safety.
4. Privacy and data. We protect personal and commercial information.
5. Zero corruption. Prohibition of bribes, kickbacks, undeclared gifts.
6. Responsibility and courage to speak. Anyone can safely report a violation.

3) Roles and Responsibilities (RACI)

All employees - know the Code, undergo training, report violations. (R)

Managers - a personal example, prevention of violations, support for message channels. (A/R)

HR/L & D - training and recording of read confirmations. (R)

Compliance/Legal/DPO/InfoSec - interpretation of rules, investigations, code updates. (R/C)

Internal Audit - independent verification of compliance. (C)

Eches/Council - "tone from the top," resources and sanctions. (A)

4) Standards of conduct (base)

Respectful communication, no aggression/bullying/bullying.
Professional communications in instant messengers/social networks; not disclose inside information.
Prohibition of substance use during work/duty.
Zero tolerance for conflict of interest and corruption.
Compliance with occupational health and safety regulations.

5) Conflicts of interest

Conflict - a situation where personal gain affects (or looks like affecting) decisions in the interests of the company or players.

• Relatives/loved ones at the supplier/affiliate you do business with.
• External employment with partner/competitor.
• Personal investments that can influence decisions.
• Requirements: immediate disclosure in CoI form, Legal/Compliance approval; if necessary - withdrawal from solutions.

6) Gifts, invitations, entertainment expenses

Prohibited: cash, cash equivalents, gifts/entertainment in exchange for a solution, gifts during the tender period.
Limits: symbolic gifts within reasonable limits, according to local policy (recorded in the register).
Required: transparency, pre-approval of expenses, documentation in the system.

7) Anti-corruption and interaction with government agencies

Prohibition of bribes, "simplified payments," hidden commissions, fictitious contracts.
Intermediaries/agents - only after KYB verification and contracts with anti-corruption clauses.
Any contacts with regulators - through designated responsible persons; complete, truthful and timely information.

8) Privacy and data

PII minimization, "minimum necessary" access.
Prohibit forwarding PII on open channels; masking screenshots.
DSARs and law enforcement requests - through DPO/Legal on approved procedures.
Storage and deletion - as part of the retention policy.

9) Information security and company assets

MFA, strong passwords, prohibition of sharing credentials are required.
We use only approved devices/software, we immediately report phishing/incidents.
Company assets (data, code, equipment, software licenses) are used strictly for business purposes.

10) Ethical Marketing, Affiliates and Advertising

Misleading statements, hidden conditions, targeting of minors/vulnerable groups are prohibited.
Advertising complies with local standards (age filters, disclaimers, prohibition of "aggressive" rhetoric).
Affiliates are required to comply with our standards: KYB, creative policy, monitoring and sanctions for violations.

11) Responsible play (RG) and player protection

Compliance with limits/self-exclusions, correct communication scripts.
Prohibition of pressure/manipulation; transparency of bonus/win rules.
For signs of vulnerability, actions according to the RG procedure, escalation and documentation.

12) AML/CFT and sanctions - behavioral norms

Prohibition of tipping-off (the fact of suspicion/SAR cannot be disclosed to the client).
Correct signal escalation, complete evidence base in cases.
Zero tolerance for "help" in circumventing rules/verification.

13) Equal opportunity and inclusion

Prohibition of discrimination on any grounds, including when hiring/paying/evaluating.
Quick reaction to harassment, microcoarseness, toxic behavior.
Reasonable conditions for employees with special needs.

14) Communications with the media and in social networks

Authorized persons act on behalf of the company.
In personal accounts - an indication that the "opinion is personal," without disclosing internal information/PII/trade secrets.

15) Work with contractors and suppliers

Mandatory code for suppliers (anti-corruption, labor standards, data security).
The right to audit and terminate cooperation in case of violations.

16) Whistleblowing

Channels: anonymous line/mail, form on the intranet, direct contact with Compliance/IA.
Protection from repression. Retaliatory measures against bona fide applicants are prohibited.
Procedure: registration, initial assessment, investigation, feedback within a reasonable time.

17) Disciplinary action

Range from coaching/warning to termination and regulatory/authority notification (if required).
Principles: fairness, proportionality, documentation.

18) Training and confirmation

Onboarding: mandatory completion of the Code course, test ≥ 85%.
Annual recertification and e-sign.
Add-ons for managers and sensitive roles.

19) Scenarios (correct/incorrect)

A) Request full export of client data "for fast analytics."

Correct: offer aggregates/pseudonymization, request via DPO/Legal.
Incorrect: send CSV with PII to chat/mail.

B) Gift from affiliate (tickets + dinner) during the negotiation period.
Correct: waiver/declaration, escalation to manager/Compliance.
Wrong: Accept and sign the contract the next day.

C) The client asks about the output delay (AML check).

That's right: "There is a standard payment security check, we will notify you of the result."

Wrong: "We have a suspicion of laundering, wait."

D) A social media comment about an internal incident.
That's right: don't comment; redirect media to PR/Comms Lead.
Wrong: Reveal details, blame teams.

20) "Do/Don't Do" (cheat sheet)

Do: respect colleagues, use official channels, mask PII, declare conflicts, ask if in doubt.
Do not: do not accept gifts with conditions, do not put pressure on players, do not share secrets, do not bypass the rules for the sake of KPI.

21) Documents and storage

Code (current version), acknowledgements of familiarization, training logs, register of conflicts of interest, register of gifts/expenses, investigation reports - stored according to the retention and access policy (RBAC).

22) Governance

Versioning: vMAJOR. MINOR. PATCH; revision at least 1 times a year or after major regulatory/organizational changes.
Owner: Head of Compliance (with Legal/DPO/InfoSec/HR).
Communications: mailing list, intranet, Q&A sessions, posters.

23) Checklists

Before releasing a new version

• Updated policy references (AML/RG/GDPR/PCI/Ads).
• Localization to key languages.
• You have set up courses and confirmations in the LMS.
• Assigned whistleblowing channel owners.
• Posters/1-page "What to do tomorrow" prepared.

For the team manager

• Conducted 15-min "key risks" brief.
• Conflict of interest declarations have been adopted.
• Checked gift/expense history.
• CS/marketing scripts approved (responsible game/no tipping-off).

24) Performance Metrics

Coverage:% of employees with up-to-date confirmation.
Training Pass Rate: Average score/retests.
Whistleblowing Activity: accesses, reaction/closure time.
Repeat Findings: Recurring Violations/Learning Topics.
Culture Pulse: Ethical Climate Surveys, Channel Trust Index.

25) 30-day implementation plan

Week 1

1. Appoint the owner of the Code and stakeholders (Legal/DPO/InfoSec/HR/Comms).
2. Reduce local market requirements; collect links to policies.
3. Prepare draft v1. 0 and "tone from above" (Exec letter/video).

Week 2

4. Localize content; prepare 1-pages/posters.
5. Set up LMS: course, test, acknowledgement.
6. Open channels for messages (anonymous, processing rules).

Week 3

7. Pilot on 2-3 teams; Q&A sessions; fixation of feedback.
8. Include manager checklists; run gift/conflict registers.
9. Update CS/marketing scripts (RG/AML/advertising).

Week 4

10. Release v1. 0, required confirmation before date X.
11. Launch awareness campaign (posters/bot quizzes).
12. Report to management (coverage, questions, first signals).

• Staff compliance awareness
• AML training and employee training
• Compliance dashboard and monitoring
• Incident playbooks and scripts
• Regulatory reports and data formats
• Internal Audit and External Audit
• Audit checklists and reviews
• License renewals and inspections
• Regulatory changes by region