Purpose: The purpose of this policy is to establish a fair and transparent disciplinary process for addressing misconduct, policy violations, or non-compliance with the company's standards, particularly in relation to information security, confidentiality, and the handling of sensitive data and systems. This policy aims to protect the integrity, availability, and confidentiality of information assets while maintaining a professional and ethical workplace across our distributed and remote team.

Scope: This disciplinary policy applies to all employees, contractors, consultants, and partners working with or for MOSTLY AI, irrespective of their location.

Key Principles:

  1. Fairness and Consistency: The disciplinary process will be applied fairly, impartially, and consistently, regardless of location or position within the company.

  2. Confidentiality: All disciplinary proceedings will be handled with strict confidentiality to protect the privacy and integrity of individuals involved and sensitive business information.

  3. Proportionality: Disciplinary measures will be proportionate to the severity of the violation or misconduct, considering the potential risks to the company's information security and business interests.

  4. Compliance: The process is designed to comply with local labor laws and regulations in the countries where our employees and contractors reside.

Disciplinary Process:

The disciplinary process follows a structured approach to ensure that all cases are addressed promptly and effectively. The steps involved are as follows:

1. Identification of Misconduct or Violation

Misconduct or a violation of company policies (including security, confidentiality, etc) may be identified through various channels such as:

  • Automated security systems.

  • Reporting by managers, colleagues, or clients.

  • Internal audits or reviews.

  • External audits or regulatory findings.

Examples of disciplinary issues may include, but are not limited to:

  • Unauthorized access to sensitive data or systems.

  • Mishandling or misuse of data.

  • Sharing confidential information outside of authorized channels.

  • Circumventing security protocols, such as encryption or authentication requirements.

  • Failure to comply with information security controls.

  • Misuse of company communication tools.

  • Unauthorized software installation.

  • Failure to report security incidents.

2. Initial Investigation

Once a violation is reported or detected, an internal investigation is initiated. This involves:

  • Gathering evidence: Security logs, system reports, interviews, or other relevant information.

  • Involving the Chief Information Security Officer (CISO): For cases related to security breaches, non-compliance with information security policies, or technology-related incidents.

  • Consulting with HR: To ensure that any actions taken comply with labor laws and internal company policies.

Outcome: If the initial investigation suggests a policy breach, a formal disciplinary process is initiated.

3. Notification to the Employee

The individual involved will be notified of the investigation and the nature of the alleged violation. This communication will:

  • Be conducted privately via a secure communication channel.

  • Include the specific details of the violation, the evidence gathered, and a timeline for the next steps.

  • Allow the individual the opportunity to provide their side of the story and respond to the allegations.

4. Formal Disciplinary Meeting

A formal meeting will be scheduled between the individual involved, their direct manager, a representative from HR, and, where applicable, the CISO.

Agenda:

  • Present the findings of the investigation.

  • Allow the individual to present their case.

  • Discuss potential mitigating factors.

  • Agree on the next steps or any corrective actions.

Note: The individual has the right to bring a representative or support person to this meeting.

5. Decision and Disciplinary Actions

After the disciplinary meeting, a decision will be made on the appropriate course of action. Disciplinary actions may include, but are not limited to:

  • Verbal or written warning: For minor, first-time offenses or unintentional breaches.

  • Mandatory retraining: Focused on security policies, proper data handling, or use of systems.

  • Temporary suspension or restriction of system access: For serious security violations.

  • Performance improvement plan: To address persistent issues or recurring non-compliance.

  • Termination of contract or employment: For severe or repeated violations that jeopardize company security, data integrity, or compliance with legal standards.

The decision will be documented and communicated to the individual in writing.

6. Appeal Process

If the individual believes the disciplinary action was unjust or disproportionate, they have the right to appeal the decision. The appeal process includes:

  • Submitting a formal written appeal to the HR department within 7 business days of the decision.

  • An appeal meeting with a different panel (including senior management or external advisors) to review the case and the disciplinary decision.

  • A final decision will be communicated in writing following the appeal review. The decision of the appeal process is final.

Escalation and Reporting

  1. Reporting to the CISO: Any violations involving information security, systems, or data privacy must be immediately reported to the CISO. The CISO is responsible for ensuring any security incidents are properly logged, investigated, and remediated according to the Information Security Management System.

  2. Reporting to Regulatory Authorities: If a security breach or data incident triggers legal or regulatory obligations (e.g., GDPR or other data protection laws), the company will comply with the reporting requirements and notify relevant authorities within the prescribed timelines.

Records and Documentation

All disciplinary actions and related documentation will be securely stored in accordance with the company's document management and retention policy.

This includes records of investigations, meetings, decisions, and appeals.

Access to these records will be restricted to authorized personnel only.

Approval and Review

This policy will be reviewed and updated annually or as required, to ensure continued alignment with the evolving legal or business requirements.