Shopware Whistleblower Policy

At Shopware, we are committed to doing business with integrity and transparency, guided by our values of being open, authentic, and visionary. This Whistleblower Policy ensures that everyone connected to Shopware – from employees to customers, suppliers, and partners – has a safe and confidential way to report concerns and make disclosures about potential misconduct. We believe that a culture of openness builds trust and encourages responsibility. This policy is based on the EU Whistleblower Directive (2019/1937) and the German national implementing legislation, the German Whistleblower Protection Act (HinSchG). It also takes into account the rules of the General Data Protection Regulation (GDPR), as well as applicable United States laws.

Who Can Report?

This policy applies to all Shopware employees, former employees, applicants, customers, suppliers, shareholders, contractors, and partners. Each of these persons is a “Whistleblower” within the meaning of this policy. We want everyone to feel comfortable coming forward with concerns about behaviors that go against our values, legal obligations, or internal policies.

What Can Be Reported?

In general, whistleblowers are protected by law when they act in the public interest and disclose information about corrupt, fraudulent, dangerous or illegal activities.

We encourage you to speak up if you notice anything you believe may be dishonest, illegal, or that may otherwise go against our company values, and to report any actions or issues that could negatively impact Shopware, our community, or the public. Examples include:

  • Financial wrongdoing or fraud

  • Violations of laws, regulations or policies

  • Risks to public safety or health

  • Environmental harm

  • Accessibility concerns

  • Administrative offences

  • Criminal activities (e.g., bribery, tax evasion)

  • Breaches of GDPR or data protection rules

  • Breaches of EU or US regulations

  • Human rights violations

  • Software security issues, like unpatched vulnerabilities

  • Discriminatory outcomes in software, such as bias in algorithms

How to Report?

You may use the following secure and confidential channel to report any concerns:

  • Anonymous external platform: you can make an anonymous report in writing or verbally using the external platform provided by Whistleblower Software by Formalize.

The reports shall be examined by the Reporting Office (Meldestelle), consisting in particular of members of the P&C, Legal, and ESG Teams. Insofar as possible under the applicable laws, the members of the Reporting Office shall maintain the confidentiality of the Whistleblower and other involved parties. They shall be accountable for processing, investigating, and following up on reports.

If you feel an issue is not properly addressed or is in the public interest, external reporting options are available, including:

  • German Federal Office of Justice (BfJ)

  • Regulatory authorities (e.g., Bundeskartellamt)

  • Labor authorities for workplace safety concerns (e.g., OSHA in the U.S.)

  • Federal Office for Information Security (BSI)

  • Data protection authorities for GDPR issues (e.g., LDI in Germany)

  • Law enforcement for criminal matters

Response and Confidentiality

All internal reports will ordinarily receive an initial response within 48 hours on business days confirming receipt of the report.

The investigation and resolution process will be completed in accordance with Shopware's internal corporate governance rules and local regulations and requirements, and such investigations shall ordinarily not exceed two months from the date of the report to the date of resolution. The feedback that Shopware provides includes notification of planned and already taken follow-up measures, as well as the reasons for them. The identity of Whistleblowers will remain confidential, unless disclosure is required by law or is necessary to complete a thorough investigation. All personal data will be handled in compliance with the GDPR.

The Reporting Office ensures that no investigator has a conflict of interest. If a conflict of interest is identified, the case will be reassigned to an independent investigator or team. If this is not possible, the Executive Board of shopware AG (Vorstand) shall decide.

Based on the investigation's findings, Shopware will take appropriate action, which may include:

  • Corrective or disciplinary measures (e.g., policy revisions, employee sanctions).

  • Reporting to external authorities if required by law or otherwise warranted.

Protection Against Retaliation

At Shopware, retaliation is never acceptable. Forms of prohibited retaliation include, for example, termination, reductions to compensation, poor work assignments, threats of harm, and other forms of adverse employment action. We protect everyone who raises concerns with a reasonable, good-faith belief that the information is true at the time of reporting, even if that information is later found incorrect. Anyone found retaliating against a Whistleblower will face serious consequences, including termination of employment or contract. Any Whistleblower who believes they are being retaliated against should contact a P&C or Legal representative immediately. The right to protection against retaliation does not include immunity for any personal wrongdoing that is alleged and investigated. Further, any Whistleblower employed by Shopware who intentionally submits a false report of discipline may be subject to discipline, up to and including termination.

Questions

Anyone with questions regarding this policy should contact compliance@shopware.com.

Policy Updates

As part of our visionary approach, we regularly review this policy to ensure it stays legally up to date, remains relevant in light of any legal changes, and reflects the evolving needs of Shopware.