Supply Chain Policy

It applies in cooperation with:

• SCANDIC ASSETS FZCO, Dubai Silicon Oasis DDP Building A1/A2, Dubai, 342001, United Arab Emirates
• SCANDIC TRUST GROUP LLC, IQ Business Centre, Bolsunovska Street 13 – 15, Kyiv — 01014, Ukraine
• LEGIER BETEILIGUNGS GESELLSCHAFT MIT BESCHRÄNKTER HAFTUNG, Kurfürstendamm 14, 10719 Berlin, Federal Republic of Germany

This policy applies to the SCANDIC brand ecosystem, in particular to the following brands and services:

as well as for all structures held or supported by SCANDIC FINANCE GROUP LIMITED, insofar as they enable or support financial, fiduciary, payment, investment, security, health, real estate or other services and product offerings within the group.

The policy is designed to be applicable in global legal transactions and to ensure compliance with international, supranational (in particular European Union) and national legal standards.

2.1 Purpose

The purpose of this guideline is to establish a uniform, transparent and legally compliant supply chain management system that:

• controls all relevant supply chain processes (planning, procurement, production, service provision, distribution, return and disposal)
• systematically implements human rights, labour law, environmental and principle-based requirements,
• ensures compliance with global legal frameworks (including those of the European Union, national legal systems and international standards) and
• ensures end-to-end traceability and controllability through a digital image as a "digital twin" and a central control and monitoring point for the supply chain.

2.2 Scope

This policy applies to:

• to all organisational units and brands of SCANDIC FINANCE GROUP LIMITED worldwide,
• to all group companies and associated companies, insofar as they act on behalf of SCANDIC FINANCE GROUP LIMITED or provide services for the SCANDIC brand ecosystem,
• to all suppliers, subcontractors, service providers, distribution partners, cooperation partners and other third parties who are directly or indirectly involved in the provision of services or products.

The basic requirements of this policy must be contractually incorporated into the cooperation with suppliers and partners.

1. Planning

• Strategy, planning and coordination of capacity, demand, liquidity and campaigns across all brands (SCANDIC PAY, SCANDIC ESTATE, SCANDIC TRADE, SCANDIC FLY, SCANDIC YACHTS, SCANDIC DATA, SCANDIC TRUST, SCANDIC SEC, SCANDIC HEALTH and others).
• Planning scenarios for legal changes, crises and peaks in demand.

2. Procurement

• Selection, qualification and onboarding of suppliers and partners, including identification checks based on the "know your customer" principle, money laundering prevention and determination of beneficial owners.
• Drafting contracts, agreeing service levels, sustainability and human rights clauses.

3. Manufacturing, conversion, provision of services

• Provision of services, project management, content creation, development and operation of systems, medical services, security services, financial and trading services.
• Ensuring quality and compliance with legal requirements, approval processes.

4. Delivery and operation

• Logistics, hosting, operation of platforms, aviation and shipping services, digital distribution, customer service, billing and payment processing.
• Ensuring availability, performance and compliance with transparency and information requirements, in particular towards consumers and supervisory authorities.

5. Withdrawal and response

• Handling complaints, grievances, removal and blocking requests, dealing with incidents in the areas of security, data protection, medicine and operations.
• Evaluating experiences, creating quality cycles and implementing corrective and preventive measures.

6. Enabling functions

• Operation of data centres, identity and access management, security control centres, management of master data and ontologies, financial control, legal and compliance departments, internal auditing.

6.1 SCANDIC PAY, SCANDIC COIN and SCANDIC FINANCE (payments, financing, digital assets)

• Incoming and procurement: project initiators, investors, payment service providers, card programmes, digital asset issuers, banks.
• Conversion and services: Project and customer checks, listing of projects and digital assets, orchestration of payment processes, technical and legal mapping of digital assets, implementation of the Regulation on Markets in Crypto-Assets, the Regulation on Information Accompanying Transfers of Funds and Certain Transfers of Crypto-Assets, the Second Payment Services Directive and the Directives on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing.
• Delivery and operation: operation of platforms, monitoring of money laundering risks, reporting to supervisory authorities, payouts to investors, compliance with data protection and information obligations.

6.2 SCANDIC ESTATE (property development and real estate brokerage)

• Incoming and procurement: land, real estate properties, developers, construction and service companies, authorities, capital partners.
• Transformation and services: Project development, valuation, marketing, contract drafting, review of environmental, social and governance aspects, compliance with building and energy efficiency regulations.
• Delivery and operation: handover and aftercare, property management, management of space and properties, communication and logistics structures.

6.3 SCANDIC TRADE (trading in financial instruments, foreign exchange, crypto assets, commodities and emission allowances)

• Input and procurement: market data providers, stock exchanges, liquidity partners, clearing houses, supervisory authorities.
• Transformation and service: order management, risk management including risk measurement, portfolio and financial control functions, trading in traditional financial instruments and digital assets, implementation of the Markets in Financial Instruments Directive, the Markets in Financial Instruments Regulation, the Market Abuse Regulation, the Prospectus Regulation and the regulations on sustainability-related disclosures in the financial services sector.
• Delivery and operation: settlement, reporting, transparency reports, customer interfaces, end-to-end monitoring.

6.4 SCANDIC FLY (private jet charter and special flights)

• Inbound and procurement: aircraft operators, aircraft fleets, crews, airports, ground handling companies, security and compliance partners.
• Conversion and service: flight planning, route optimisation, slot management, safety and evacuation concepts, compliance with European Aviation Safety Agency and aviation authority requirements.
• Delivery and operation: execution of charter flights, customer service, handling of delays, handling of compensation claims and complaints.

6.5 SCANDIC YACHTS (yacht brokerage and charter)

• Acquisition and procurement: shipyards, yacht owners, classification societies, insurers.
• Conversion and services: valuation, mandating, marketing, examination of ownership and legal relationships, handover processes.
• Delivery and operation: yacht management, crew planning, coordination with ports, logistics, charter processing in compliance with regulations for recreational craft, port and ship safety, and passenger rights.

6.6 SCANDIC DATA (data centre and digital platforms)

• Receipt and procurement: content from editorial offices, brand and customer data, telemetry data, partner data streams.
• Transformation and services: processing, integration, storage and analysis of data, development of digital services, high-performance computing, use of artificial intelligence methods.
• Delivery and operation: Operation of data centres, connection of edge locations and distribution networks for content, monitoring of systems, data backup and disaster recovery in accordance with data protection, data, cyber and platform regulations.

6.7 SCANDIC TRUST and SCANDIC GROUP (trust, asset protection, succession planning)

• Intake and procurement: clients, family assets, legal and tax framework conditions.
• Conversion and services: structuring of assets, establishment of trust mandates, succession planning, consideration of environmental, social and governance objectives, compliance with regulations on beneficial owners and cross-border tax arrangements.
• Delivery and operation: management of trust assets, reporting, cooperation with payment, trade, real estate, yacht and aviation sectors.

6.8 SCANDIC SEC (physical and digital security services)

• Intake and procurement: threat analyses, properties, locations, persons and assets requiring protection.
• Transformation and service: Creation of security concepts, planning and implementation of protective measures, detection and response to cyber attacks, compliance with requirements for critical facility resilience and network and information security.
• Delivery and operation: Operation of security control centres around the clock, planning and implementation of security measures for travel and events, crisis, emergency and evacuation planning.

6.9 SCANDIC HEALTH (medical services, in particular ear, nose and throat medicine)

• Intake and procurement: Clinics, practices, medical devices and products, patient flows.
• Transformation and services: Diagnostics, therapy, surgical procedures, quality and hygiene processes in accordance with the requirements for medical devices, in vitro diagnostics and health data.
• Delivery and operation: Medical care, telemedicine, billing, protection of patient rights and compliance with data protection and data security requirements.

7.1 Governance structure

• The Board of Directors of SCANDIC FINANCE GROUP LIMITED has overall responsibility for compliance with and further development of this policy.
• A group-wide central control and monitoring point for the supply chain will be established, with round-the-clock monitoring, risk management, incident coordination, data and ontology management, security operations, legal and compliance functions, and financial control.
• Each brand will appoint a person responsible for the supply chain ("Supply Chain Manager") who will ensure the implementation of this policy in their respective area.

7.2 Roles and responsibilities

• The persons responsible for the supply chain in the brands and the respective operational process owners are accountable.
• The management of SCANDIC FINANCE GROUP LIMITED is accountable.
• The legal department, compliance, data protection, information security, internal audit and other specialist departments are consulted.
• All relevant functions and parties involved, including suppliers, partners and, where applicable, customers, must be informed.

7.3 Order of regulations

This supply chain policy is specified in more detail by specific subordinate policies and manuals, for example by a human rights policy, an environmental and climate policy, a data protection policy, an information security policy and a third-party management policy.

In the event of contradictions, the following applies:

1. Mandatory legal requirements take precedence.
2. Thereafter, this supply chain policy shall serve as a framework,
3. followed by the specific technical guidelines.

8.1 Minimum requirements

All suppliers and business partners must:

1. comply with all applicable laws in their jurisdictions, in particular those relating to human and labour rights, environmental, safety and data protection requirements,
2. strictly exclude forced labour, child labour, human trafficking, discrimination, harassment and other human rights violations,
3. implement effective measures to prevent corruption, fraud, money laundering and terrorist financing, and maintain transparent structures for beneficial owners,
4. observe environmental due diligence obligations, in particular with regard to deforestation-free supply chains, conflict minerals and the prohibition of products associated with forced labour,
5. ensure responsible data processing and an appropriate level of cyber security.

8.2 Checks before entering into a business relationship and during its continuation

A risk-based check is carried out before entering into a business relationship. This includes in particular:

• Establishing and verifying the identity of the contracting parties and their beneficial owners
• Checking against sanctions lists and for the presence of politically exposed persons
• assessing human rights, environmental and compliance risks,
• Checking the technical and organisational measures in place to protect personal, financial and confidential data.

8.3 Contract drafting

Contracts with suppliers and partners shall include, in particular:

• a binding reference to this policy and corresponding behavioural requirements for the supply chain,
• clauses expressly prohibiting forced labour, child labour, corruption, money laundering, tax evasion, cyber attacks and data protection violations,
• rights to carry out audits and inspections,
• regulated reporting mechanisms for violations and incidents,
• appropriate remedial measures and the right to terminate the contract without notice in the event of serious or repeated violations.

9.1 Risk management system

SCANDIC FINANCE GROUP LIMITED operates a group-wide risk management system that:

• identifies risks in the supply chain across all brands and regions,
• assesses risks qualitatively and quantitatively,
• defines appropriate preventive measures, mitigation measures and remedial measures,
• regularly reviews and updates risks, controls and measures.

9.2 Integration of legal requirements regarding due diligence and sustainability

These include in particular:

• the Directive on corporate due diligence with regard to sustainability,
• the Regulation on deforestation-free supply chains,
• the Regulation on conflict minerals,
• the Regulation on the prohibition of products associated with forced labour,
• the Directive on corporate sustainability reporting,
• Directives on the prevention of money laundering and terrorist financing,
• Regulations on registers of beneficial owners,
• the General Data Protection Regulation,
• the Directive on measures for a high common level of cybersecurity across the Union,
• the Regulation on digital operational resilience of the financial sector,
• the legislative act on cyber resilience,
• the Regulation on data governance,
• the Regulation on harmonised rules for access to and use of data,
• the Regulation on Digital Services and the Regulation on Digital Markets,
• sector-specific regulations in aviation, shipping, medicine, financial markets and payment transactions.

9.3 Measures to strengthen resilience

Examples of measures to strengthen resilience include:

• multiple data centre locations with redundant infrastructure, automatic failover in the event of failure, protection against attacks to overload services,
• structured monitoring of legal changes, ongoing training, technical capabilities for short-term adaptation of functions, complete logging of relevant activities,
• Establishment of alternative suppliers and operators, safeguard mechanisms in contracts, emergency capacities,
• automatic scaling of technical resources during peak demand and prioritisation of critical services,
• travel and event safety concepts, evacuation and crisis plans, protected communication channels and crisis teams.

10.1 Digital twin

The digital twin of the supply chain includes in particular:

• projects, transactions, assets, contracts, flights, ships and yachts, real estate properties, campaigns, customers, payments, orders, incidents and mandates,
• relationships between these entities,
• service levels, risks, controls and the origin of data.

10.2 Integration and data architecture

The data and integration architecture includes:

• an integration layer for event-driven processing and periodic batch processing,
• a semantic layer with a unified data model and ontology that defines entities, characteristics, relationships, and data protection and security labels,
• application interfaces for centralised monitoring and control of the supply chain with overviews, root cause analyses, instructions for action, simulations and approval processes,
• A comprehensive security and data protection concept with encryption, access restrictions, secret management and logging of all relevant accesses.

11.1 Key figures

Key figures are used for control and monitoring, for example:

• in payment and trading processes: approval rates, time to final settlement, chargeback rate, utilisation of risk and security margins,
• in the real estate sector: time to contract completion, duration of approval procedures, environmental, social and governance assessments, vacancy rates,
• in aviation and yacht operations: punctuality rates, frequency of safety-related incidents, utilisation, energy and carbon dioxide consumption,
• in the data and media sector: availability, delay times, timeliness of data, average time to resolution of incidents,
• in the areas of trust, security and health: compliance with service levels, audit results, frequency and severity of incidents, response times and satisfaction ratings.

11.2 Monitoring

• Continuous monitoring of relevant key figures and risks by the central control point for the supply chain,
• defined thresholds with automatic alerts and escalation paths,
• Regular reports to senior management and the responsible persons at the brands.

11.3 Public and regulatory reporting

• Fulfilment of all sustainability and supply chain reporting obligations, including those arising from the Corporate Sustainability Reporting Directive and national supply chain laws,
• fulfilment of reporting obligations in connection with digital services and markets, as well as other sector-specific reporting requirements.

15.1 Phases of implementation

15.2 Review and amendment of the policy

• This policy will be reviewed at least once a year and on special occasions such as significant legal changes, new business models or serious incidents.
• Amendments shall be decided by the Board of Directors of SCANDIC FINANCE GROUP LIMITED and announced throughout the Group.