Code of Ethics

INTRODUCTION

This is Controller BMS’s Code of Ethics. This document is intended for employees, clients, suppliers, and other stakeholders with whom the company interacts, and it describes how Controller BMS conducts its business.

The Code of Ethics guides the rules governing Controller BMS’s operations, reinforcing concepts and guidelines to direct the behaviors to be adopted in each situation. Ethical conduct strengthens Controller BMS as an integral and trustworthy company, and maintaining this position is a duty for all.

Therefore, reading and acknowledging this Code of Ethics are essential. Understanding corporate ethics and applying them in everyday life are actions that add value to the organization, its image, and its impact on society.

TABLE OF CONTENTS

1. Ethical Principles.
1.1 – Key Company Interaction Rules and Best Practices.
1.2 – Primary Ethical Obligations.
1.3 – Violation of the Code of Ethics.
2. LGPD (General Data Protection Law).
2.1 – Data Sharing.
2.2 – Data Security and Confidentiality.
2.3 – Termination of Data Processing.
2.4 – Data Subject Rights.
2.5 – Data Retention Period.
2.6 – Confidentiality.
2.7 – Use of Confidential Information.
3. Anti-Corruption Law 12.846/2013.
4. Corporate Social Responsibility.
4.1 – How Do We Operate Internally?
4.2 – Small Changes Make Big Impacts.
4.3 – E-Waste Disposal.
4.4 – A New Life: Uniforms and People.
4.5 – Creating Opportunities – Project Grão.
4.6 – Respect for Human Capital: A Controller BMS Value.
5. Conclusion.

1. ETHICAL PRINCIPLES

Controller BMS, guided by ethical principles, directs the professional conduct of all its employees, regardless of their position or role in the company.

1.1 – MAIN RULES AND GOOD COMPANY INTERACTION PRACTICES:

I. Behave honestly and cordially with colleagues, clients, service providers, and suppliers.
II. Maintain relationships based on professionalism and mutual respect.
III. Neither practice nor tolerate acts of prejudice and/or any form of harassment.
IV. Create a harmonious, positive, and healthy work environment.
V. Ensure health and safety throughout the workplace.
VI. Ensure quality in the services provided to the company’s clients.

1.2 – PRIMARY ETHICAL OBLIGATIONS:

I. When selecting suppliers and/or service providers, economic-financial indicators, commercial conditions, and the quality of the proposed products/services should be considered. These pieces of information are crucial to the company’s business, so integrity in production, delivery, and order administration is essential while maintaining the ethical confidentiality of information and established commercial conditions.

II. Employees must respect the contractual and commercial conditions negotiated with suppliers and clients and maintain the confidentiality of the business information.

III. Acceptance of gifts/giveaways of small added value, distributed for institutional advertising purposes or exceeding 20% (twenty percent) of the employee’s salary, must be reported to the department supervisor. Receiving gifts or giveaways at home is prohibited.

* Exceptions will be made for gifts/giveaways requested for partnership purposes for raffles during the annual SIPAT week, and for Educational Campaigns such as “Pink October,” “Movember,” and others. These raffles are held for employees who participate in activities, lectures, training, plays, etc.

** Exceptions will also be made for employees’ participation in conferences, training, and seminars offered by suppliers and business partners, subject to analysis and approval by the Board of Directors.

*** The rules in point “III” do not apply to sponsorship by suppliers and business partners for events that are essentially educational and related to the business, such as: transportation, accommodation, invitations, and educational materials for conferences, training, and seminars. This sponsorship must be disclosed and approved by the Board of Directors at least one week in advance.

IV. Purchasing relationships with suppliers of products/services who are relatives, such as parents, spouse, children, siblings, grandchildren, grandparents, in-laws, and first-degree cousins, directly related to the area of competence and responsibility, shall only occur with prior approval from the Board of Directors.

V. The image of Controller BMS and its trademarks must be preserved by all employees, suppliers, service providers, and clients. Any individual or collective action or attitude that compromises the reputation and credibility of this image will be considered a serious violation and may result in the sanctions provided for in this Code.

VI. All employees within the target audience of this code must compulsorily adhere to the rules, norms, policies, procedures, and internal and external regulations, regardless of their issuing authority.

1.3 – VIOLATION OF THE CODE OF ETHICS
Any violation of the Code of Ethics through action or omission may result in disciplinary sanctions. In situations of doubt regarding the Policies and Practices of this Code, the employee should contact their immediate supervisor. For reporting actions contrary to the company’s ethical principles, Controller BMS provides a Reporting Channel: denuncias@controllerbms.com.br.

2. LGPD (GENERAL DATA PROTECTION LAW)
Controller BMS declares that it processes personal data and sensitive personal data in accordance with the General Data Protection Law No. 13,709/2018 (LGPD) and adopts appropriate technical and organizational measures to protect personal data and sensitive personal data against unauthorized or unlawful processing, accidental loss, alteration, disclosure, or access, as well as against accidental or unlawful destruction or damage.
It is the employee’s duty to maintain in confidence all personal information (personal data and/or sensitive personal data) that they become aware of during the course of their activities or through other means. This includes any information related to Controller BMS’s clients, partners, and suppliers, provided formally or informally, in writing, orally, in tangible or intangible form, by anyone associated with Controller BMS, such as its administrators, directors, employees, contractors, clients, or users of clients.

Every employee, in the performance of their duties, must comply with the provisions of the General Data Protection Law and adhere to the rules established in Controller BMS’s Internal Data Protection Policy. For this purpose, it is understood that:

Personal Data: Any information that makes an individual identifiable.

Sensitive Personal Data: Personal data that reveals racial or ethnic origin, religious belief, political opinion, membership in a trade union or religious, philosophical, or political organization, health or sexual life data, genetic or biometric data, when linked to a natural person.

Processing: Any operation or set of operations using confidential information, especially personal data and/or sensitive personal data, including but not limited to data collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, or control of information, modification, communication, transfer, dissemination, or extraction.

Database: A structured set of data established in one or more locations, in electronic or physical form.

Data Subject: A natural person whose information – Personal Data and/or Sensitive Personal Data – is subject to processing. In some situations, this can also be equated with the Disclosing Party.

2.1 – DATA SHARING
Controller BMS, as the data controller, may share employees’ personal data with other data processing agents, respecting the principles of good faith, including purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability.

We may transfer your personal data in the following situations:
a) To clients for whom we provide services;
b) To service providers (medical and dental assistance, insurance brokers, insurers, professional advisors);
c) Public and government authorities;
d) Third parties related to a potential corporate or commercial operation; such third parties may be located in other countries. Before doing so, we will take the necessary precautions to ensure that your personal data will have adequate protection as required by relevant data privacy laws and Controller BMS’s internal policies.

2.2 – DATA SECURITY AND CONFIDENTIALITY
Controller BMS adopts security measures for processing data according to best security practices, based on the Information Security Policy, to ensure the protection of data subjects’ data during service provision, complying with all applicable legal provisions. In the event of security incidents that may pose a relevant risk or harm to data subjects, we will communicate within a reasonable timeframe, as defined by the National Data Protection Authority.

2.3 – TERMINATION OF DATA PROCESSING
As the “controller” of data, Controller BMS may retain and use the data subject’s personal data throughout the contractually agreed-upon period for the purposes outlined in this document and even after the termination of the contract to comply with legal obligations or those imposed by regulatory bodies, in accordance with Article 16, Clause I of Law No. 13,709/2018.

2.4 – DATA SUBJECT RIGHTS
In cases of doubts and if the employee wishes to request confirmation of data processing, access to data, correction of incomplete, inaccurate, or outdated data, among other rights provided for in Article 18 of the General Data Protection Law No. 13,709/2018, they may contact us via email: dpo@controllerbms.com.br or by written letter sent to the headquarters address.

2.5 – RETENTION PERIOD OF COLLECTED DATA
The data subject is aware that the company, as the “controller,” must retain their data for the minimum period required by labor and social security legislation, as well as those related to health and safety at work, even after the employment relationship has ended, to fulfill legal obligations.


2.6 – CONFIDENTIALITY
I. Considering that Controller BMS processes confidential information, personal data, and sensitive personal data of data subjects;
II. Considering that access to confidential information may occur as part of employees’ duties, or that such information may be accidentally disclosed or accessed when there was no need;
III. Considering that Controller BMS assumes, on its behalf and on behalf of its employees, agents, and collaborators, the obligation to maintain confidentiality regarding the confidential information it receives or becomes aware of during and after the termination of a contract;
IV. Considering that it is in the interest of Controller BMS that provided confidential information remains confidential;
V. It is the employee’s duty to maintain in confidence all personal (personal data and/or sensitive personal data), technical, administrative, operational, commercial, and/or legal information that they become aware of during the course of their activities or through other means. This includes any information related to business models, projects and their scopes, documents, and negotiations of Controller BMS’s network of clients, partners, and suppliers, provided formally or informally, in writing, orally, in tangible or intangible form, in the form of models, samples, access to computer programs, trade secrets, or know-how, including, but not limited to, information being processed by Controller BMS and its clients, as well as any information disclosed, provided, or communicated (verbally or in writing, electronically, in text, drafts, drawings, photographs, graphics, designs, plans, or any other form) by anyone associated with Controller BMS, such as its administrators, directors, employees, contractors, clients, or users of clients. In short, all information will be treated as confidential and private.

2.7 – USE OF CONFIDENTIAL INFORMATION
The employee is subject to the stipulations and obligations adopted by the company and agrees to maintain the utmost confidentiality and secrecy of any confidential information they may access. They must take the necessary precautions to prevent any confidential information from being disclosed to third parties.

The employee acknowledges the confidential nature of the confidential information and agrees not to disclose any confidential information they have access to to any other person, whether a natural person or a legal entity. They also agree not to use, modify, or tamper with any such information for their own or third-party benefit, present or future. The employee acknowledges that they have no rights or expectations of rights regarding the confidential information they access and cannot appropriate it for themselves or others. This information is the exclusive property of Controller BMS and the data subject, and the employee should only use it for the sole purpose of providing their services to meet, to the extent possible, the needs and goals of Controller BMS.

The employee acknowledges that they must use confidential information exclusively for the purposes and needs for which the information is intended, committing to carry out the minimum necessary processing for the achievement of its purposes, with data coverage being relevant, proportionate, and not excessive in relation to the purposes of processing.

Violations that involve illegal activities or may result in harm to Controller BMS hold the employee responsible, both civilly and criminally, for breaching any of the provisions established here, including the obligation to compensate for the damages and losses incurred by the company and injured third parties.

The commitment to confidentiality and the obligations recognized in this agreement take immediate effect and will continue after the termination of the existing employment relationship with Controller BMS, regardless of the reason for termination.

The employee will remain prohibited from disclosing, making available, using, trading, or giving any destination to confidential information without prior express authorization from Controller BMS, for an indefinite period.

3. ANTI-CORRUPTION LAW 12.846/2013
Controller BMS requires its employees or service providers to fully comply with the provisions of Law 12.846/2013, expressly prohibiting, in dealings with public agents or national or foreign public administration agencies or individuals related to them:

I. To promise, offer, or give, directly or indirectly, undue advantage or bribes to a public agent or a third party related to them;
II. To finance, cover, sponsor, or in any way subsidize the practice of illicit acts as provided by the law;
III. To use an intermediary natural or legal person to conceal or disguise one’s real interests or the identity of beneficiaries of the acts performed;
IV. To hinder the activities of investigation or inspection carried out by government entities, agencies, or public agents or to interfere in their actions, including within the scope of regulatory agencies and inspection bodies.

In dealings with suppliers, competitors, or customers, any employee or service provider is also prohibited, directly or through third parties, from obtaining personal advantages by leveraging their position in the company or accepting or offering bribes or any type of economic benefit, such as money, gifts, etc.

Definitions:

Fraud: Any deceitful, misleading, or malicious act with the intention of harming or deceiving others, or of not fulfilling a specific duty. Examples include the falsification of certificates or any personal or professional documents.

Corruption: It is the practice of promising, offering, or paying any amount of money or other favors (ranging from a bottle of beverages to hotel and airplane tickets for a vacation) to an authority, government official, public servant, or private company professional so that they act unethically in their professional duties in exchange for a benefit or advantage promised by the offering party.


4. SOCIAL AND ENVIRONMENTAL RESPONSIBILITY

Controller BMS actively participates in “Green Building” concepts, prioritizing intelligent resource and waste management in both construction and daily building operations. We deliver the best solutions to ensure these developments operate with maximum energy and water efficiency, sustainability, and often in compliance with LEED and AQUA certifications.
In addition to installation, we maintain the full operation of these developments’ systems through our Central Automation, Remote or Local, ensuring resource optimization and environmental commitment for each of our clients. This aligns our business niche as a significant contribution to the environment.

4.1 – HOW DO WE ACT INTERNALLY?

Internally, we take actions to minimize waste production and practice conscious disposal of all waste generated in our daily activities at work. Through this “Social and Environmental Responsibility” section of the Code of Ethics, you will learn about these actions and should collaborate to ensure they not only continue but become increasingly appropriate and effective. We are all responsible for the environment we are in and the world we want to leave for the future.

4.2 – SMALL CHANGES CREATE BIG IMPACTS

Disposable items, while convenient, pose several environmental problems due to their highly toxic components and long decomposition times, which can range from 50 to 400 years depending on environmental conditions, while their useful life is only about 13 seconds after leaving the display.

With this in mind, every new employee who joins our company receives a welcome kit that includes a non-disposable mug/cup or squeeze bottle for personal use. We encourage you to prioritize the use of these items over disposable plastic cups for beverages. If it becomes necessary to use a plastic cup, please ensure proper disposal in designated locations for plastic waste, facilitating recycling.

4.3 – E-WASTE DISPOSAL

When we talk about electronic waste, known as “e-waste,” we refer to broken, damaged, or no longer useful electrical and electronic products, which are common in Controller BMS due to our business niche. Considering this, our Procurement department manages this disposal through a specific, legal, and documented process in collaboration with specialized companies that handle the transport, handling, and recycling of these wastes.

In addition to managing our waste as a company, we also act as a bridge between our employees’ e-waste and specialized companies. Therefore, if you need to dispose of batteries, cables, and other electronic items, please contact our IT department, which will collect these e-wastes and direct them to the warehouse for safe and responsible processing.

4.4 – A NEW LIFE: FOR UNIFORMS AND PEOPLE

Here at Controller BMS, the disposal of uniforms is relatively low, and their life cycle is renewed with care and responsibility. After receiving a uniform that is no longer suitable for use or due to an employee’s departure, the Health and Safety at Work department assesses the condition of the pieces and directs them for various forms of reuse. The intention is to extend the lifespan of these pieces, delaying their final disposal.

Pieces in good condition are de-characterized and donated to institutions that distribute them to individuals in vulnerable situations. Those whose fabrics are still in good condition but not suitable for wear are transformed into new items, such as fabric bags, cleaning cloths, or even pet clothing, which are donated to employees and other members of society.

When we developed this uniform reuse program, the company realized that it would make even more sense if the workforce involved in this process promoted some form of inclusion for less fortunate people. Therefore, we partnered with seamstresses from disadvantaged communities, offering them the opportunity to build a new future.

This initiative inspired us to take a closer look at what more we could do and how we could act to promote social inclusion and contribute to the development of our society. And that’s how the “Grão Project” was born.

4.5 – GENERATING AN OPPORTUNITY – PROJECT GRÃO
Just as a seed, when properly nourished, germinates and gives rise to a new life, people can also undergo transformation when provided with knowledge. We believe in education not only as a source of opportunities for entering or re-entering the job market but also as a means of inclusion. Thus, the Grão Project is based on the principle of promoting qualification and enabling professional integration, whether in partnership with educational institutions or not, through technical and behavioral courses offered free of charge to people who are outside the formal job market. This contributes socially and economically by creating opportunities for qualification and development.

4.6 – RESPECT FOR HUMAN CAPITAL: A CORE VALUE OF CONTROLLER BMS
Controller BMS aligns itself with the principles of the Universal Declaration of Human Rights and, therefore, the company neither practices nor associates with suppliers or third parties who intentionally or unintentionally violate these principles or employ forced or slave labor. We also do not engage with suppliers or third parties who employ child labor, with the exception of apprenticeships, and in accordance with the principles of the Declaration of the Rights of the Child.

We are against all forms of discrimination and intolerance, whether based on race, gender, color, ethnicity, religion, nationality, sexual identity, social class, or political stance. Our company does not develop any specific diversity programs precisely because we understand that all differences are natural and enrich our daily interactions.

We believe in building an environment composed of individuals, regardless of their characteristics and choices, which should always be respected within our premises and by everyone who is part of our organization.

5. CLOSING

This Code of Ethics was developed by the Internal People and Organizational Culture Committee. It is the responsibility of this Committee not only to structure but also to review and implement this Code to ensure it remains up-to-date.

In addition to serving as a guiding instrument for employees in decision-making, the Code of Ethics outlines expected behaviors by Controller BMS and those that are expressly prohibited, providing clear and practical guidance on employees’ responsibilities to contribute to the credibility and solidity of our organization.

The principles and guidelines outlined in the Controller BMS Code of Ethics should be carefully observed, with a sense of responsibility and a commitment to dissemination, as the responsibility for its application and dissemination lies with all of us.