Governance

Data privacy and information security

With digitization comes a multitude of regulations, requirements, and complications that Tawuniya continues to address regularly. Protecting the personal data and privacy of employees, customers, and partners remains one of Tawuniya’s top corporate governance priorities. The Company constantly seeks to strengthen its security measures to keep pace with evolving risks.

Tawuniya recently implemented a data classifier program across all web, email, and network traffic. With its identity and access management system, the Company introduced an authentication and authorization process that enables its IT department to work hand-in-hand with functional and business teams.

Furthermore, Tawuniya’s comprehensive governance framework defines access to data with a rule-based protocol consisting of four different classifications:

• Internal
• Confidential
• Public
• Restricted

These classifications prevent unauthorized access to data by screening access requests based on credentials. With a dedicated Chief Data and Analytics Officer overlooking a growing internal team working on data security, Tawuniya further strengthened the privacy of its stakeholder data during the reporting period, secured against any potential data breaches.

A Company-wide Data Leak Prevention (DLP) program, which includes a software that actively analyses the IT systems to find weaknesses and potential data deficiencies, has enabled Tawuniya to be transparent with its data security compliance measures. The Company’s current system for data privacy and information security includes more than 190 controls and procedures, and is fully aligned with current Saudi National Disaster Management Office (NDMO) and Saudi Data and Artificial Intelligence Authority (SDAIA) standards.

Tawuniya also enhanced its customer data protection in alignment with the Kingdom’s Personal Data Protection Law (PDPL), and is preparing to introduce a more comprehensive data protection policy similar to the EU’s General Data Protection Regulation (GDPR), should such legislation be introduced in the Kingdom.

Tawuniya has retained a positive track record of zero incidents involving the breach, leak, theft, or loss of data over the past few years. There have also been no complaints from regulatory bodies concerning breaches of customer privacy.

Business ethics

Tawuniya promotes a culture of ethical behavior across the Company through a comprehensive set of policies, thereby upholding company ideals through clearly defined acceptable and unacceptable behaviors. They are considered important tools for promoting integrity among employees and building trust with key stakeholders. These policies include:

• Anti-Money Laundering Policy
• Gift Policy
• Whistleblower Policy
• Bribery and Anti-Corruption Policy
• Grievance Policy
• General Code of Conduct

The Company is currently in the process of updating each of these policies, and plans on implementing a dedicated ethics training course for employees to create further awareness among employees.

Anti-Money Laundering and Combatting of Terrorism Financing Practices

As a Company with high ethical standards, Tawuniya remains committed to preventing money laundering in all its forms, introducing the anti-money laundering risk charter for the prevention of criminal activities. The Company has a dedicated team in place to observe and track Company finances, while performing checks on all potential clients and partners to assess potential money laundering risks. In addition, a corrective plan to address and comply with all requirements related to anti-money laundering regulation in the Kingdom of Saudi Arabia has also been developed and implemented by Tawuniya.

The anti-money laundering team has worked with all business teams to integrate “know your customer” forms across internal systems. Additionally, Tawuniya also contracted Thomson Reuters to validate the Company’s customer and sanction lists to ensure it is in line with national and international standards. Tawuniya has robust control mechanisms in place to minimize the risk of criminal money laundering, which are complemented by awareness sessions to educate employees on risks of money laundering and other financial crimes. The percentage of employees that have attended this training has been steadily increasing over the past few years.

Whistleblower Policy

Tawuniya has established safe channels for reporting violations—both internal policy violations and regulatory or legal violations through its Whistleblower Policy, safely connecting the party reporting a violation to the unit responsible for investigating and addressing it. This unit receives and processes all violation notification reports in areas involving embezzlement, corruption, and illegal, immoral, or unprofessional conduct. All complaints are investigated thoroughly.

The whistleblower contributes towards developing a culture of accountability, integrity, and responsibility at Tawuniya, and applies to all Tawuniya employees and stakeholders.

Grievance Policy

Tawuniya applies its Grievance Policy to address the grievances and complaints of employees, and to resolve any disputes in a conciliatory, cordial, effective, and efficient manner. While the Company aims to resolve all grievances at operational level, a dedicated grievance committee is activated for issues that cannot be simply resolved. The committee has full authority to investigate grievances through interviews with employees, as well as other forms of research. If necessary, the committee can also make a recommendation to the CEO. While Tawuniya encourages individuals to disclose their identity along with the complaints they make, the option to anonymously activate the grievance process is also provided.

Compliance

Tawuniya has a compliance program to implement and comply with all relevant regulations from SAMA, CMA, CHI, and other regulatory bodies. Developments and requirements announced and implemented by these bodies are continuously screened and proactively acted on to prevent non- compliance. The Company uses a high-level compliance system to gather information about regulations, news, and messages, to ensure compliance with deadlines, and to gain insight into blind- spots and areas for improvement.

The Company evaluates its compliance processes against the SAMA guideline, with the compliance evaluation performed by the internal compliance department, which regularly checks for issues and aligns Tawuniya operations and processes with the most current regulations. The compliance team also advises on compliance requirements by assigning compliance goals to the relevant departments, and meeting with relevant stakeholders to develop action plans and clarify the required steps. The team follows up with the departments until all tasks from the action plan have been completed, and also delivers awareness messages to employees, such as announcing any updates to the Company’s ethics policies.

The Company also performs a compliance assessment based on its compliance plan, and reports any non-compliance issues to the Audit Committee through the quarterly compliance report. The role of the compliance team is not to discover violations, but to support all departments by giving them sound compliance advice, thereby mitigating potential risks to us.

The compliance team also continuously reviews all internal policies and procedures. These policies are checked to ensure that there are no non-compliance issues, and that they reflect all current regulations. In addition, the compliance team is represented on the Product Committee to ensure that any newly released and updated products are fully compliant with regulations. Finally, the compliance team ensures that contract outsourcing is carried out in a compliant way, and that all material contracts are studied and approved by them before the SAMA approval is obtained.