Whistleblower and Anti-Retaliation Policy

Version: 1.0 approved
Controlled copy — valid on date of download only

Internal Use

Document Control

Version: 2.2
Cadence: Annual
Policy Owner: Chief Executive Officer
Approved By: Board of Directors
DCF References: DCF-13, DCF-14, DCF-32, DCF-33, DCF-35, DCF-36, DCF-38, DCF-39, DCF-40, DCF-72, DCF-73

1. PURPOSE AND SCOPE

1.1 Purpose

The purpose of this policy is to define clear rules for reporting compliance and information security violations and to prevent retaliation against reporters at Dispel.

1.2 Scope

This policy applies to:

  • The entire scope of the Information Security Management System (ISMS).
  • All Dispel employees and contractors (“Covered Persons”).

1.3 Regulatory and Framework Alignment

This policy defines Dispel’s approach to whistleblowing and protection against retaliation for good-faith reporting of concerns.

# | Framework / Standard | Relevant Control IDs              | Alignment Notes
1 | SOC 2                | CC1.1, CC1.2, CC1.3, CC2.1, CC2.2 | Supports Trust Services Criteria related to ethical values, governance, and communication of reporting channels.
2 | ISO/IEC 27001        | 5.1, 5.2, 5.3, 7.2                | Supports clauses for leadership, policy, roles, and awareness.
3 | NIST SP 800-53       | PS-8, PM-14, PM-17                | Aligns with controls for personnel sanctions, testing/training/monitoring, and protection of whistleblowers.
4 | IEC 62443            | IEC62443-2-1.5                    | Supports personnel and organizational security in industrial environments.
5 | HIPAA                | 164.308(a)(5)                     | Supports Security Rule awareness and training expectations when PHI is in scope.

2. POLICY STATEMENTS

2.1 Management Commitment

Management Commitment Statement

Senior Management at Dispel is dedicated to the protection of our information assets, industrial control systems, and Protected Health Information (PHI). We assume full accountability for the effectiveness of our security program, ensuring it is integrated into all business processes and aligned with our strategic goals. To maintain compliance with ISO 27001, IEC 62443, HIPAA, and NIST 800-53, we formally commit to:

  • Resource Provisioning: Providing the necessary financial, technical, and human resources to sustain a robust security posture.
  • Risk-Based Governance: Approving security policies and overseeing a continuous risk management process that prioritizes both data privacy and operational safety.
  • Operational Resilience: Supporting the security of industrial automation and control systems (IACS) to ensure safety and reliability.
  • Continuous Oversight: Conducting regular management reviews to evaluate program performance, audit results, and opportunities for improvement.

2.2 Primary Policy Statement

Dispel SHALL protect Covered Persons who make good-faith reports of suspected violations or concerns from retaliation and SHALL investigate such reports in a fair and timely manner.

2.3 Secondary Policy Statements

At a minimum, Dispel SHALL:

  • Provide multiple channels for reporting compliance and information security concerns.
  • Protect the confidentiality or anonymity of reporters to the extent practicable.
  • Prohibit retaliation against any Covered Person for raising a concern in good faith.
  • Ensure any retaliation is investigated and subject to appropriate disciplinary action.

3. REQUIREMENTS

3.1 What is Whistleblowing?

Whistleblowing is the act of reporting, in good faith, suspected unsafe, unethical, or illegal activity within the organization, including discrimination or retaliation related to exercising legal rights.

Whistleblowing may include, but is not limited to, reporting:

  • Potential violations of law or regulation.
  • Significant breaches of information security policies or controls.
  • Fraud, corruption, or other unethical conduct.

3.2 Reporting Concerns (“When Things Are Out of Alignment”)

Dispel SHALL maintain a culture where Covered Persons can ask questions and raise concerns early.

  • Employees are encouraged to raise questions or concerns about unethical or unlawful behavior, including concerns about information security.
  • Concerns may relate to any part of the organization (e.g., divisions, individuals, senior team, or board).

3.3 Reporting Channels

Covered Persons MAY report concerns through any of the following:

  • Directly to their manager or another manager.
  • To Human Resources or the Compliance / Legal team.
  • Anonymously via email to legal@dispel.io.

Reports to legal@dispel.io are monitored by designated members of the executive team and addressed promptly.

3.4 Protection Against Retaliation

  • It is illegal and contrary to Dispel values to retaliate against a Covered Person for raising or reporting concerns or otherwise exercising their rights under applicable whistleblower protection statutes.
  • Protected activities may include:
    • Filing a report about a possible legal violation with OSHA or other government agencies.
    • Reporting a potential violation of law or policy to Dispel.
    • Reporting workplace injuries, illnesses, or hazards.
    • Refusing to conduct tasks that would violate the law.
  • Employees who believe they have experienced retaliation MUST have independent channels to report retaliation and the ability to elevate matters beyond the person they believe retaliated.

3.5 Responding to Reports

Dispel management SHALL:

  • Provide multiple channels for reporting compliance and information security concerns.
  • Protect the confidentiality or anonymity of reporters to the extent possible while allowing due process for accused parties.
  • Provide clear, accessible instructions on how to report concerns internally and externally.
  • Ensure the program does not restrict or discourage reporting to regulators or government agencies.
  • Provide opportunities for employees to share information informally and ask questions early.
  • Review and, if necessary, eliminate incentives that could encourage retaliation or discourage reporting.

4. ROLES AND RESPONSIBILITIES

4.1 CEO or Delegate

  • Owns this policy and ensures it is reviewed and updated at least annually.
  • Manages whistleblowing channels (e.g., legal@dispel.io).
  • Coordinates investigations of reported concerns and alleged retaliation.
  • Ensures anti‑retaliation protections are implemented and enforced.

4.3 Managers and Supervisors

  • Encourage open communication within their teams.
  • Take reported concerns seriously and escalate as appropriate.
  • Refrain from and report any retaliatory behavior.

4.4 Covered Persons

  • Report concerns in good faith, providing factual information where possible.
  • Cooperate with investigations when requested.

5. PROCEDURES

5.1 Whistleblowing Procedure

  1. Submission
     • A Covered Person identifies a concern and chooses a reporting channel (manager, HR, Legal, or legal@dispel.io).
  2. Acknowledgement
     • Where feasible and appropriate, the reporter is acknowledged and informed that the matter will be reviewed (acknowledgement may not be possible for anonymous reports).
  3. Evaluation and Triage
     • Legal/Compliance or designated management reviews the report to determine scope, potential impact, and whether an investigation is warranted.
  4. Investigation
     • Investigators gather facts, interview relevant parties, and document findings.
     • Confidentiality is maintained to the extent possible while ensuring a fair process.
  5. Resolution
     • Verified violations result in corrective actions and, where appropriate, disciplinary measures.
     • Policies and procedures MAY be updated based on lessons learned.
  6. Protection Against Retaliation
     • Any indication of retaliation against the reporter is investigated and, if substantiated, results in appropriate disciplinary action.

6. MONITORING AND COMPLIANCE

6.1 Monitoring

Dispel SHALL monitor the effectiveness of this policy by:

  • Reviewing the volume and nature of reports received.
  • Tracking the outcomes and resolution times of investigations.
  • Monitoring for patterns of retaliation or harassment.

6.2 Non-Compliance

Non-compliance with this policy, including retaliation against whistleblowers or failure to report suspected violations, may result in disciplinary action up to and including termination, consistent with HR policies and applicable law.

7. EXCEPTIONS AND WAIVERS

Exceptions to this policy MUST:

  1. Be documented and justified.
  2. Be approved by Executive Management.
  3. Be time‑bound and reviewed regularly.

8. DEFINITIONS

Whistleblowing: The good-faith reporting of suspected unsafe, unethical, or illegal activity, or violations of policy or law.

Retaliation: Any adverse action taken against a Covered Person for raising or reporting concerns or exercising legal rights, including termination, demotion, harassment, or other negative treatment.

Good Faith: Reporting that is based on an honest belief in the truth of the allegations, even if they are later found to be incorrect.

9. REFERENCES

  • SOC 2 Trust Services Criteria (CC1.x, CC2.x)
  • ISO/IEC 27001 clauses 5.1, 5.2, 5.3, 7.2
  • NIST SP 800‑53 (PS-8, PM-14, PM-17)
  • IEC62443-2-1.5
  • HIPAA Security Rule 45 CFR §164.308(a)(5)
  • OSHA 3905 Recommended Practices for Anti‑Retaliation Programs

10. DOCUMENT HISTORY

Version | Date       | Author             | Changes
1.0     | 2022-01-21 | Ethan Schmertzler  | Initial creation
2.0     | 2023-01-26 | Ethan Schmertzler  | Annual review and updates
2.1     | 2025-01-13 | Ethan Schmertzler  | Reviewed and versioned for current year
2.2     | 2025-12-17 | Stefan Kristensen  | Reviewed for relevance and aligned with template

11. APPROVAL SIGNATURES

Role               | Name | Signature | Date
Policy Owner       |      |           |
Security Officer   |      |           |
Compliance Officer |      |           |

END OF POLICY

Document Provenance

Last Modified: April 6, 2026 at 12:37 -0400
Author: unknown
Signature: Not signed
Commit: 547bdca