PROCEDURE FOR REPORTING VIOLATIONS AT ALOKAI Sp. z o.o.

I. PURPOSE OF THE PROCEDURE

1. The purpose of this procedure is to ensure the receipt and thorough review of reports regarding violations of the law and internal regulations of the Company, with guarantees of confidentiality, protection of the identity of Whistleblowers, and mechanisms preventing retaliatory actions. It also enables employees, collaborators,

suppliers, and other individuals to report such matters.

2. Individuals professionally associated with the Company who are aware of a Violation or have witnessed one should report it in accordance with this Procedure. This does not

exclude the possibility of using the official chain of command.

3. Reporting information on Violations covered by this Procedure is an obligation of the Company's employees and collaborators.

4. This Procedure complies with the Act of June 14, 2024, on the protection of whistleblowers, and in matters not regulated by the Procedure, the provisions of the

aforementioned Act shall apply.

5. The Procedure also applies to Alokai Inc., headquartered in California, USA, which is a member of the capital group to which Alokai Sp. z o.o., headquartered in Warsaw,

belongs. The administrator of personal data processed in accordance with the Procedure remains Alokai Sp. z o.o.

II. GLOSSARY OF TERMS

1. Company – Alokai sp. z o.o., headquartered in Warsaw, at Przeskok 2, 00-032 Warsaw.

2. Compliance Officer – an impartial internal organizational unit or person within the Company's organizational structure authorized, in particular, to receive Reports, verify

them, and conduct investigative proceedings.

3. Alternative Contact Unit – an impartial internal organizational unit or person within the Company's organizational structure authorized to perform the duties of the Compliance

Officer under the Procedure in the event of a Report concerning the actions or omissions of the Compliance Officer.

4. Violation – an act or omission by persons associated with the Company in the scope of their professional activities or related to them, which violates legal regulations, the provisions of the Company's internal regulations, or external regulations to which the Company has committed to adhere.

5. Person Concerned by the Report – a natural person identified as the perpetrator of the Violation or a person associated with the perpetrator.

6. Person Assisting in the Report – a natural person who assists the Whistleblower in submitting the Report and whose assistance should not be disclosed.

7. Person Associated with the Whistleblower – a natural person who may experience retaliatory actions, including a co-worker or a close person to the Whistleblower.

8. Procedure – this Procedure for reporting information on violations in Alokai sp. z o.o.

9. Act – the Act of June 14, 2024, on the protection of whistleblowers.

10. Whistleblower – a natural person who has submitted a Report.

11. Report – information about an event that may constitute a Violation or a suspicion thereof.

12. Internal Report – a report submitted to the Company through internal reporting channels.

13. External Report – a report submitted to external bodies, such as the Commissioner for Human Rights or other public authorities.

III. SUBJECTIVE SCOPE

1. This Procedure applies to all natural persons who report or publicly disclose information about a Violation, including, in particular:

a. employees (including temporary employees),

b. persons performing work on a basis other than an employment relationship, including under civil law contracts,

c. persons conducting business activity on a self-employed basis,

d. members of the Company's governing bodies,

e. persons performing work under supervision and direction, in particular contractors, subcontractors, or suppliers (including under civil law contracts),

f. interns, volunteers, and trainees,

g. former employees, interns, trainees, and collaborators,

h. persons applying for employment or the provision of services.

IV. OBJECTIVE SCOPE OF THE REPORT

1. The Procedure concerns the reporting of Violations, in particular such as:

a. violations of the Company's internal regulations,

b. corruption,

c. breaches of ethical norms and standards, e.g., unequal treatment, harassment, bullying, discrimination, violations of integrity principles, bribery, fraud.

2. A Report may concern both violations of applicable legal regulations and internal regulations in force within the Company.

V. REPORTING USING INTERNAL REPORTING CHANNELS

1. All channels for receiving Reports guarantee confidentiality, covering the identity of the Whistleblower, the content of the Report, and the very fact of its submission.

2. Anonymous Reports will not be considered; however, the Company reserves the right to decide to review an anonymous Report if its content reveals significant issues related to a violation of the law that should be reported.

3. Reports may be submitted orally or in writing and can be made through:

a. an email sent to:

i. ethics@alokai.com, managed by the Compliance Officer,

ii. acu_ethics@alokai.com, managed by the Alternative Contact Unit.

b. a phone call to the number +48 570 865 888, managed by the Alternative Contact Unit.

4. An oral Report is documented in the form of a conversation protocol that accurately reflects the course of the discussion. The Whistleblower may review, correct, and approve the protocol by signing it.

5. The Report should describe the event that, in the Whistleblower's opinion, constitutes a Violation, including the date and location of the event. The Report may also include the details of individuals who may have information about the Violation or evidence confirming the Violation.

VI. CONFIDENTIALITY OF INFORMATION PROVIDED IN THE REPORT

1. The Company ensures adequate measures to maintain confidentiality, meaning that the personal data of the Whistleblower and other information that could reveal their identity will not be disclosed to unauthorized persons, unless with their explicit prior consent, subject to the exception outlined in point 2 below.

2. The Company may disclose the Whistleblower's data without their explicit consent only in cases where it is necessary to disclose such data to competent public authorities or

courts for the purposes of proceedings related to the Report.

3. The confidentiality protection extends not only to the identity of the Whistleblower but also to the identity of the Person Assisting in the Report and any third party mentioned in the Report.

4. Access to personal data and information contained in the Report will be granted exclusively to individuals authorized to process such data, strictly to the extent

necessary to carry out actions related to handling the Report and conducting the investigative proceedings. These individuals must hold written authorization and commit to maintaining the confidentiality of all information obtained in connection with the Report and during the investigative proceedings.

VII. ACCEPTANCE OF INTERNAL REPORTS

1. The Compliance Officer:

a. is obligated to confirm to the Whistleblower the receipt of the Report within 7 days from the date of its submission;

b. registers the Report in the register of reports;

c. contacts the Whistleblower if the Report requires supplementation, specifying a deadline for completing the Report.

2. The information referred to in point 1(a) and (c) is sent to the Whistleblower, provided that the Whistleblower has left contact details enabling the delivery of such information.

3. If the Report is submitted to the Alternative Contact Unit, this entity performs the actions specified in point 1 or immediately forwards the Report to the Compliance

Officer if it does not concern the actions or omissions of the Compliance Officer.

4. A clause regarding the processing of the Whistleblower's personal data, the template of which is included as Annex 1 to the Procedure, is attached to the confirmation of receipt of the Report.

5. The Compliance Officer, immediately upon receiving the Report, pseudonymizes the Whistleblower's data and assigns them an identifier (e.g., numerical), which will be

used during the investigative proceedings. Pseudonymization includes all types of information that allow direct or indirect identification of the Whistleblower, with

particular attention to whether the content of the Report itself reveals the Whistleblower's identity. Pseudonymization is not performed if the Whistleblower has explicitly and unequivocally consented to the disclosure of their data.

6. The Compliance Officer verifies the Report to determine whether it is clearly unfounded. If the Report is deemed clearly unfounded, the Compliance Officer provides appropriate feedback to the Whistleblower and closes the case related to the Report.

7. If the analysis conducted by the Compliance Officer does not reveal the Report to be clearly unfounded, the Compliance Officer initiates an investigative proceeding.

8. The investigative proceeding is also closed if the information contained in the Report does not allow for the continuation of the investigation, and the Whistleblower has not responded to clarifying questions or has not provided contact details.

9. The Compliance Officer has the right to initiate an investigative proceeding that is not based on a Report submitted by a third party but on information obtained by the Compliance Officer in the course of performing their duties.

VIII. RULES FOR CONDUCTING INVESTIGATIVE PROCEEDINGS AND FOLLOW-UP ACTIONS

1. Investigative proceedings are conducted by the Compliance Officer or another person authorized by the Company.

2. Investigative proceedings are carried out with due diligence and objectivity, particularly by determining the actual facts and protecting the personal data of participants in the proceedings.

3. The Whistleblower's data must remain confidential and cannot be disclosed during the proceedings to the parties or participants without the explicit and unequivocal consent

of the Whistleblower. A template for the Whistleblower's consent to disclose their identity is provided in Annex 2 to the Procedure.

4. If necessary, the Compliance Officer may seek the support of an external or internal expert.

5. The Person Assisting in the Report is informed of the initiation of investigative proceedings at an appropriate time, taking into account the need to secure evidence

and protect the interests of the Whistleblower and other involved parties. In justified cases, informing this person may be omitted, e.g., if the report is clearly unfounded. The information about the initiation of investigative proceedings includes a data processing information clause for the Person Assisting in the Report, the template of which is provided in Annex 3 to the Procedure.

6. During the investigative proceedings, the Compliance Officer is authorized to interview witnesses and request the submission of documents or information. Every person

working for or cooperating with the Company is obligated to comply with the Compliance Officer's requests. The Compliance Officer is required to provide witnesses and other third parties mentioned in the Report with an information clause regarding the processing of their personal data, the template of which is provided in Annex 3 to the Procedure. The information clause is delivered in a manner that allows the Company to demonstrate compliance with its informational obligations, at an appropriate time, taking into account the need to gather evidence without interference, prevent the destruction or concealment of evidence, and protect the interests of the Whistleblower, as well as the provisions of Articles 13 or 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

7. While fulfilling the informational obligation regarding the processing of personal data of the Person Assisting in the Report, individuals mentioned in the Report, or other persons involved in the investigative proceedings, the Compliance Officer must not disclose the source of their personal data unless the Whistleblower:

a. did not have reasonable grounds to believe that the information in the Report was true at the time of submission and that it constituted information about a Violation;

or

b. has previously given explicit consent to disclose their identity.

8. The parties to the proceedings (the Whistleblower and the Person Assisting in the Report), witnesses, external and internal experts, and legal representatives of the participants in the proceedings are required to sign a written commitment to maintain the confidentiality of all information they learn in connection with the ongoing proceedings. This obligation does not apply in situations where the disclosure of information is required by applicable law.

9. Upon the conclusion of the investigative proceedings, the Compliance Officer prepares a report containing findings regarding the reported Violation, any other violations identified during the proceedings, and recommendations for further actions. The report is submitted to the Management Board, excluding the personal data of the Whistleblower, unless the Whistleblower has consented to their disclosure.

10. The Whistleblower receives feedback from the Compliance Officer within 3 months of the Report's acceptance or, in the absence of confirmation of acceptance, within 3 months of the expiration of 7 days from the submission of the Report. This feedback may include the outcome of the proceedings, actions taken based on the findings, or information about ongoing proceedings if they have not yet been concluded.

11. The Company's Management Board takes actions to address identified irregularities and prevent their recurrence, delegating their implementation to the Compliance Officer. The Management Board is not bound by the report.

12. In the event of a Violation committed by an employee, the Management Board may take appropriate disciplinary measures, including imposing penalties or terminating the employment relationship in accordance with the provisions of the Labor Code. For individuals cooperating on a basis other than an employment relationship, measures provided for in contracts or legal regulations may be applied, including the termination of cooperation.

IX. PROTECTION OF THE WHISTLEBLOWER AND OTHER PERSONS AGAINST RETALIATION

1. The Company protects the Whistleblower against retaliation. Engaging in retaliation, as well as attempts or threats to undertake retaliatory actions, is prohibited, and any violation of this prohibition will result in disciplinary or contractual liability. The prohibition of retaliation will be strictly enforced. Retaliatory actions not only harm the interests of the Whistleblower but also the interests of the Company.

2. Retaliatory actions are defined as direct or indirect actions or omissions caused by the Report that violate or may violate the rights of the Whistleblower or cause or may

cause unjustified harm to the Whistleblower.

3. The provisions of the Procedure regarding protection against retaliation apply accordingly to the Person Assisting in the Report and the Person Associated with the

Whistleblower, provided they are in a professional relationship with the Company.

4. The Company prohibits obstructing Reports or attempting to obstruct them, particularly through violence, threats, or deceit.

5. Exercising the rights specified in the Procedure cannot serve as a basis for unfavorable treatment or result in any negative consequences. In particular, it cannot justify the

termination of an employment relationship by the employer, termination without notice, or the end of cooperation within a relationship other than employment with the Company.

6. The Whistleblower is protected against retaliation, provided they had reasonable grounds to believe that the information contained in the Report was true at the time of submission and that such information constituted information about a Violation.

7. Regardless of protection against retaliation, the Whistleblower may be held accountable to the appropriate extent, particularly for employee liability, if they participated in the Violation themselves.

8. In the case of knowingly submitting false information or assisting in making such a submission, the individuals involved are not entitled to the protection described in this chapter. The Company may initiate disciplinary proceedings or use available legal measures against individuals who knowingly submitted false information or assisted in

making such a submission.

X. REPORTS CONCERNING VIOLATIONS COMMITTED BY THE COMPLIANCE OFFICER

1. In cases where the Report concerns the actions or omissions of the Compliance Officer, the Report should be submitted using the reporting channel provided by the Alternative Contact Unit. In such cases, the Compliance Officer does not receive information about the content of the Report or even the fact of its submission.

2. In the event of a Report concerning the actions or omissions of the Compliance Officer, the duties of the Compliance Officer under the Procedure are performed by the Alternative Contact Unit.

3. The provision in point 2 also applies in cases where the Whistleblower is the Compliance Officer.

XI. REGISTER OF INTERNAL REPORTS

1. The Compliance Officer maintains a register of reported Violations, the template of which is provided in Annex 4 to the Procedure.

2. The register mentioned in point 1 is maintained in compliance with the principles of personal data protection and with consideration of the obligation to maintain the

confidentiality of information. The administrator of the data collected in the register is the Company.

3. Access to the register mentioned in point 1 is granted exclusively to individuals who have signed a confidentiality statement and possess written authorization to process personal data.

XII. SECURITY MEASURES, RETENTION PERIOD, AND OBLIGATION TO DELETE INFORMATION AND PERSONAL DATA RELATED TO THE IMPLEMENTATION OF THE PROCEDURE

1. The Compliance Officer ensures the protection of information and personal data (including documentation) related to the implementation of the Procedure, in particular by applying the following measures:

a. Information and personal data processed in paper form are stored in a locked cabinet, accessible only to individuals authorized to process data related to ongoing proceedings;

b. Access to IT systems where information and personal data are processed is restricted to authorized users, and all actions on the data (access, editing, deletion, etc.) are logged;

c. Information and personal data transmitted electronically are encrypted and/or pseudonymized beforehand;

d. Information and personal data that are no longer needed are irreversibly deleted from IT systems, and paper data is destroyed using a shredder.

2. Personal data processed in connection with the receipt of a Report, the conduct of investigative proceedings, or the undertaking of follow-up actions, as well as documents related to the Report, are retained by the Company for a period of 3 years after the end of the calendar year in which the Report was submitted to the competent public authority for follow-up actions or follow-up actions were completed, or after the conclusion of proceedings initiated by those actions.

3. The Compliance Officer deletes personal data and destroys documents related to the Report after the retention period has expired. The Act of July 14, 1983, on the national archival resource and archives (Journal of Laws of 2020, item 164) does not apply.

4. A formal note in document form is prepared to record the deletion or destruction of personal data and documents related to the Report.

XIII. EXTERNAL REPORTS

1. In any case of observed legal violations, the Whistleblower may submit an external Report without prior submission of an internal Report.

2. External Reports are received by the Commissioner for Human Rights or another public authority competent to undertake appropriate follow-up actions related to the

subject of the Report. In applicable cases, external Reports may also be submitted to institutions, bodies, or organizational units of the European Union. The rules and procedures for submitting such external Reports are specified in Chapter 4 of the Act.

3. If the legal violation can be effectively addressed within the Company's organizational structure, it is recommended to submit an internal Report before making an external Report. This allows for the immediate implementation of preventive measures regarding the reported violation and safeguards the Company's organizational structure against similar violations in the future, e.g., through the introduction of additional control mechanisms or the strengthening of communication and training activities.

4. The Commissioner for Human Rights and the public authority are separate data controllers with respect to the personal data provided in the external Report that has been received by these authorities.

XIV. FINAL PROVISIONS

1. This Procedure does not infringe upon or limit in any way the rights of the Whistleblower or the rights of other individuals arising from generally applicable legal regulations.

2. The Procedure enters into force 7 days after the internal communication to employees and collaborators, in the manner customarily adopted in the Company, regarding the adoption of the Procedure by the Management Board.

3. The Procedure is subject to periodic review every two years.