The Code of Conduct serves as guidance for the principles that should direct employees, suppliers, service providers, customers, and all other stakeholders with whom Grupo K1 conducts business, ensuring that all activities are based on honesty, ethics, integrity, respect, social responsibility, sustainability, and transparency. This is a major commitment, one that is only possible with everyone’s participation, and an important step for Grupo K1 in strengthening its identity management and corporate governance practices.

A company-wide campaign to reinforce adherence to the Code of Conduct was carried out across all operations in March 2025. In addition, a copy of the Code is provided during the onboarding of every new employee.

Grupo K1 makes every effort to raise awareness and ensure excellence and integrity from everyone. To support this commitment, the company maintains an active Ombudsman Channel, where users can submit feedback (complaints, compliments, and suggestions), identify issues, and propose solutions for processes and procedures. The channel acts as a space for mediation and transparency within the organization whenever there is any suspicion of non-compliance.

Grupo K1’s Ombudsman is called “We Want to Hear You” and can be contacted through the following channels:

• Email: ouvidoria@grupok1.com.br
• Telefones: (51) 3635-8800 | (51) 2500-7800
• Site: www.grupok1.com.br, under the “OMBUDSMAN” section
• In person, through the “We Want to Hear You” boxes available in strategic locations throughout the company.

Although there is no specific policy that consolidates all human rights topics into a single document, these matters are addressed in the company’s Code of Conduct. In addition, several actions are carried out to ensure the protection of human rights:

• Health and Safety: Grupo K1 follows a rigorous system designed to protect the health and well-being of employees across all operations.
• Freedom of Association and Collective Bargaining: All employees are covered by collective agreements. In addition, the Code of Conduct guarantees all employees the freedom to join labor unions.
• Diversity and Inclusion: Procedures are in place for handling reports of harassment and discrimination through the Ombudsman Channel. Training sessions, lectures, and discussion circles are among the tools used to address this topic within the organization.
• Mentorship Program for People with Disabilities (PwD): Aims to support and promote the inclusion of people with disabilities.
• Supply Chain: The Code of Conduct outlines the company’s commitment to establishing minimum human rights standards for its suppliers.
• Forced Labor and/or Child Labor: Through its Code of Conduct, the Group rejects any practice related to forced labor or child labor.
• Environmental Protection: The Group conducts assessments of environmental aspects and impacts, prioritizes them, and records all incidents and corrective actions to prevent or mitigate environmental impacts.

Operational Continuity and Information Security

The organization maintains structured procedures for the recovery of essential computing environments, which are periodically evaluated by internal audit. These procedures include simulations that test restoration timeframes, data reliability, and the preservation of corporate information.

Monitoring and Vulnerability Assessment

The company continuously monitors its infrastructures exposed to the global network, implementing preventive fixes for identified vulnerabilities. The corporate strategy adopts as technical references the standards ISO 27001, the Brazilian Internet Civil Framework, LGPD, GDPR, CISP, and NIST, ensuring data protection, integrity, accessibility, and authenticity, as well as promoting unified management of administrative and operational environments.

Communication Channels for Security Incidents

Employees have established mechanisms for reporting adverse events, security breaches, or atypical behavior. Notifications can be made through the “phishing alert” feature in the email system, by directly contacting the specialized Cybersecurity team, or through the official channel: dpo@grupok1.com.br. Proactively, other events are managed by the Security Information and Event Management (SIEM) system. Relevant incidents are reported to the Executive Committee and, when necessary, escalated to the Board through the designated committees.