Whistleblowing Policy

1. Our commitment

Virtual Era Ltd. is committed to maintaining a culture of openness, integrity, and accountability. We encourage employees, contractors, clients, suppliers, partners, and other stakeholders to report in good faith any concern about wrongdoing within Virtual Era or in connection with our activities, and we commit to investigating such reports fairly, confidentially, and without retaliation against the reporter.

2. Legal framework

This policy is anchored to Kosovo Law No. 06/L-085 on the Protection of Whistleblowers and to Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law. Where Virtual Era operates in Albania, North Macedonia, Montenegro, or any EU member state, the equivalent national whistleblower-protection legislation also applies. This policy reflects the higher of the protections available under any of these regimes.

3. Scope

3.1 Who may report

The internal reporting channel established by this policy is available to:

• Current and former Virtual Era employees, including interns and trainees.
• Job applicants who became aware of a concern during the recruitment process.
• Self-employed contractors and consultants engaged by Virtual Era.
• Members of management bodies of Virtual Era.
• Suppliers, sub-contractors, and their personnel.
• Clients, business partners, and their personnel.
• Any other person who acquires information about a relevant concern through a work-related relationship with Virtual Era.

3.2 What can be reported

Concerns appropriate for this channel include but are not limited to:

• Corruption, bribery, or facilitation payments.
• Fraud, financial misconduct, or accounting irregularities.
• Harassment, discrimination, or violations of human rights and dignity at work.
• Violations of health, safety, or environmental obligations.
• Violations of data protection, information security, or NIS2 obligations.
• Competition or anti-trust violations.
• Public procurement irregularities.
• Conflicts of interest not disclosed and managed.
• Retaliation against a person who has made or supported a prior report.
• Any other breach of law or of Virtual Era’s Code of Conduct that may cause harm to the public interest, to Virtual Era, to its personnel, or to third parties.

The channel is not appropriate for personal grievances that do not involve a public-interest concern or a breach of policy — these should be raised through normal HR or contractual channels.

4. Reporting channels

4.1 Internal channel (recommended first step)

The primary channel is the secure online form on this page (below). Reports may be submitted under your name or anonymously. The form is received only by the designated authorised handler, who is the Compliance Officer (or, where the report concerns the Compliance Officer, the Chair of the Audit Committee).

Alternative internal routes are available where you prefer a non-digital channel:

• By email to whistleblowing@virtualera.net — received by the same restricted group.
• By sealed post addressed to "Compliance Officer — Confidential" at the registered headquarters.
• By requesting an in-person meeting through the email channel above; the meeting will be arranged in a confidential setting.

4.2 External channels

You retain the right to report to competent public authorities at any time, with or without making an internal report first. External channels include:

• In Kosova: the competent authority designated under Kosovo Law No. 06/L-085 to receive external reports.
• In EU member states: the competent national authority designated under Directive (EU) 2019/1937.
• European Union institutions, bodies, offices, or agencies, where the concern falls within the scope of Union law and an EU-level channel applies.
• Public disclosure is permitted in the circumstances set out in Article 15 of Directive (EU) 2019/1937, including where internal and external channels have not produced an appropriate response within the prescribed time, or where there is an imminent or manifest danger to the public interest.

5. Confidentiality

The identity of the reporter and of any person mentioned in the report, and any other information from which their identity may directly or indirectly be deduced, are treated as strictly confidential. Access is restricted to the authorised handler and, where necessary for the investigation, to other persons explicitly authorised by the handler subject to confidentiality undertakings.

Confidentiality may be lifted only:

• Where the reporter has expressly consented;
• Where disclosure is a necessary and proportionate obligation imposed by law in the context of investigations by public authorities or judicial proceedings, in which case the reporter will be informed in advance unless that would jeopardise the investigation.

6. Anonymous reports

Anonymous reports are accepted and investigated to the extent that they contain sufficient information to allow a meaningful enquiry. If a person who reported anonymously is later identified, the protections of this policy and of applicable law continue to apply.

7. Protection from retaliation

Retaliation in any form against a person who has made a report in good faith, or who has supported or assisted a reporter, is strictly prohibited. Prohibited retaliation includes (without limitation): dismissal, suspension, demotion, withholding of promotion, transfer of duties, reduction in wages, change in working hours, negative performance assessments, denial of training, harassment, blacklisting, early termination of a contract for services, or any other detrimental treatment.

Where retaliation is alleged, the burden of proof falls on the person who took the adverse measure to demonstrate that it was based on duly justified grounds and not connected with the report (consistent with Article 21(5) of Directive (EU) 2019/1937).

A report made in bad faith — knowingly false, malicious, or vexatious — does not attract protection and may itself give rise to disciplinary or legal consequences.

8. How we handle your report

Once a report is received through the channels above, the authorised handler will:

• Acknowledge receipt within seven (7) days, unless this would jeopardise confidentiality or you have declined acknowledgement.
• Conduct an initial assessment to confirm whether the report falls within the scope of this policy and whether it warrants further investigation.
• Open a formal investigation where appropriate, conducted with diligence, fairness, and respect for due-process rights of all involved.
• Communicate the outcome and any actions taken to the reporter within three (3) months of acknowledgement, where the reporter is identifiable and reachable, subject to legal constraints and the integrity of the investigation.

The investigation may engage external advisers (legal, forensic, or specialist) under confidentiality obligations.

9. Personal data and retention

Personal data submitted in a report is processed only for the purposes of investigating and responding to the report, in accordance with our Privacy Policy. The legal bases are compliance with legal obligations and the legitimate interest of Virtual Era in maintaining the integrity of its operations.

Reports and related materials are retained for the period necessary to conclude the investigation and any consequent legal or disciplinary proceedings, and thereafter for the statutory limitation period applicable in the jurisdiction concerned. Reports are then anonymised or deleted.

10. Governance

This policy is owned by the Compliance Officer of Virtual Era and is reviewed at least every two (2) years, and at each material change in the underlying legal framework. The Compliance Officer reports periodically to the Audit Committee on the number and nature of reports received, investigation status, outcomes, and any thematic issues.

11. Contact

For questions about this policy: compliance@virtualera.net.
To submit a report: use the form below, or email whistleblowing@virtualera.net.