Whistleblowing Policy Template — Ireland

WHISTLEBLOWING (PROTECTED DISCLOSURES) POLICY

Riverstone Technologies Limited · Version 2.0 · Effective 15 May 2026

ORGANISATION

This Policy enables workers and others connected with the Organisation to raise concerns about relevant wrongdoing (within the meaning of s.5 of the Act) through secure, confidential and accessible channels. The Organisation is committed to addressing such reports promptly, fairly and without retaliation, and to providing the statutory protections of the Act to every reporting person.

This Policy applies to the following persons (each a "Reporting Person"): (a) current employees, officers and workers of every grade and contract type (full-time, part-time, fixed-term, casual); (b) independent contractors, consultants, agency workers and other persons providing services under or in connection with a contract; (c) volunteers, trainees and interns (whether paid or unpaid); (d) former workers in respect of information acquired during their relationship with the Organisation; (e) job applicants and others in pre-contractual negotiations; (f) shareholders and members of administrative, management and supervisory bodies (including non-executive directors and trustees).

A Reporting Person may make a protected disclosure about information that, in the reasonable belief of the Reporting Person, tends to show that one or more of the following relevant wrongdoings has occurred, is occurring or is likely to occur: (a) the commission of a criminal offence; (b) failure to comply with a legal obligation (other than under the Reporting Person's own contract of employment); (c) a miscarriage of justice; (d) endangerment of the health or safety of any individual; (e) damage to the environment; (f) unlawful or improper use of public funds; (g) oppressive, discriminatory, grossly negligent or grossly mismanaged acts or omissions by a public body; (h) breaches of EU law falling within the scope of Directive (EU) 2019/1937 (including financial services, anti-money laundering, product safety, transport safety, environmental protection, food safety, public health, consumer protection and data protection); or (i) the concealment or destruction of information tending to show any of the above.
A motive for making the disclosure is not relevant — the Act protects disclosures made on any motive, provided the reasonable-belief threshold is met.

The Organisation operates the following secure internal reporting channels, each of which preserves the confidentiality of the identity of the Reporting Person and of any person referred to in the report:
Email (primary): speakup@riverstone.ie
Telephone: +353 1 555 0199
Secure online portal: https://speakup.riverstone.ie
Post (marked "Confidential"): Designated Person — Confidential, Riverstone Technologies Ltd, PO Box 442, Dublin 2
In person: On request, the Designated Person will arrange an in-person meeting within 5 working days at a confidential location.
All channels are operated under the control of the Designated Person identified in clause 5 below.

The Designated Person responsible for receiving, acknowledging, following up on and providing feedback in respect of protected disclosures is:
Aoife Murphy, Head of Ethics and Compliance
Direct contact: aoife.murphy@riverstone.ie / +353 1 555 0190
Alternate Designated Person: Conor Fitzgerald — conor.fitzgerald@riverstone.ie / +353 1 555 0191
The Designated Person has sufficient independence and authority to perform the role free from conflict of interest, has received specialised training, and is bound by enhanced confidentiality obligations.

(a) The Designated Person will acknowledge receipt of every report in writing, within 7 days of receipt. (b) Initial feedback on the action taken or proposed in response to the report will be provided to the Reporting Person within a reasonable period not exceeding 3 months from the acknowledgement, and at subsequent intervals of 3 months on request. (c) The Organisation will follow up diligently and impartially, and where appropriate will commission an independent investigation. (d) The Reporting Person will be informed of the final outcome of the investigation to the extent that disclosure is consistent with the confidentiality and procedural rights of any person referred to in the report.

The identity of the Reporting Person, and of any third party referred to in the report, will not be disclosed without the Reporting Person's consent, save where disclosure is a necessary and proportionate obligation imposed by law in the context of investigations by competent authorities or judicial proceedings, in which case the Reporting Person will (where possible) be notified in advance, with a written explanation of the reasons. Breach of confidentiality by any person in the Organisation is a disciplinary matter and may constitute a separate offence under s.16 of the Act.

Penalisation of a Reporting Person for having made a protected disclosure (or for being suspected of having done so, or for assisting a Reporting Person, or for being connected with a Reporting Person) is strictly prohibited under s.12 of the Act. "Penalisation" includes: suspension, dismissal, demotion, withholding of promotion, transfer, disciplinary action, threats, harassment, discrimination, withholding of references, blacklisting, change of duties, change of place of work, change of working hours, financial penalty, and denial of training. A Reporting Person who is dismissed for having made a protected disclosure may apply to the Circuit Court for interim relief pending the determination of an unfair-dismissal claim, and is entitled to compensation of up to 5 years' remuneration on a successful claim (Schedule 2 Part 1 of the Unfair Dismissals Acts 1977-2015 as amended). The burden of proof reverses: it is for the Organisation to show that any detrimental act was not connected with the protected disclosure.

Anonymous reports may be submitted via the SpeakUp Portal at https://speakup.riverstone.ie using a self-generated case token. The portal allows two-way communication with the Designated Person without disclosing identity.
The statutory 7-day acknowledgement required by the Act will be delivered to anonymous reporters by a portal case token shown in the reporter's session, which the reporter retains to view the statutory 7-day acknowledgement and all subsequent updates. An anonymous Reporting Person who is subsequently identified retains the full statutory protections of the Act from the date of identification.

A Reporting Person may also make a protected disclosure directly externally without first using the internal channel. External pathways include: (a) a prescribed person under SI 367/2020; (b) the Office of the Protected Disclosures Commissioner at the Workplace Relations Commission, the central authority that may receive any protected disclosure and transmit it to the appropriate prescribed person; (c) in limited circumstances, a relevant Minister, a legal practitioner, or by public disclosure where the s.10 conditions are met (imminent or manifest danger to public interest, retaliation feared, or no effective channel exists). Reports made via any of these external pathways receive the same statutory protections as internal reports.
Sector-relevant prescribed persons: Data protection: Data Protection Commission. Health and safety: Health and Safety Authority. Tax: Revenue Commissioners.
Workplace poster summary: You can report suspected wrongdoing to the Designated Person, OR directly to the Office of the Protected Disclosures Commissioner at protecteddisclosures.ie, OR to a prescribed person under SI 367/2020. You enjoy the same legal protection in each case.

All reports and follow-up actions are recorded in a secure, restricted-access register maintained by the Designated Person and retained for 5 years from the date of closure of the report (recommended baseline). Processing of personal data is conducted in accordance with the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act 2018, with lawful basis Article 6(1)(c) (legal obligation) and, where special-category data is revealed, Article 9(2)(g) (substantial public interest). The Data Protection Officer is Niamh O'Reilly (dpo@riverstone.ie). Reports concerning the data-protection rights of any individual may also be made to the Data Protection Commission.

Workers receive policy training annually, coordinated by People and Culture Director, supplemented by induction briefings for new joiners. A summary of the channels and protections is displayed in worker-accessible locations and intranet/extranet pages. The Designated Person reports anonymised statistics to the governing body at least annually. This Policy is reviewed annually by the governing body and updated to reflect material legal, regulatory or operational change.

Non-compliance with this Policy or with the Act is a serious matter and may constitute a category 2 criminal offence under s.18 of the Act, with fines on conviction of up to €75,000 for an individual and €250,000 for a body corporate. Directors and senior officers who consent to or connive in such an offence may be held personally liable and disqualified from acting as directors. Internal disciplinary action will also be taken against any worker who penalises a Reporting Person, breaches confidentiality, or otherwise frustrates the operation of this Policy.

This Policy is governed by the laws of Ireland. Any question of interpretation will be resolved by reference to the Protected Disclosures Act 2014 (as amended), the WRC Code of Practice on Protected Disclosures, and the Office of the Protected Disclosures Commissioner.