
Compliance & Governance

Our commitment to your trust extends beyond technical security and data privacy to a robust framework of compliance and governance controls. We navigate the complex landscape of global regulations and industry standards to ensure that the services we provide will support your regulated business. This section outlines our adherence to relevant regulatory requirements, internal policies, and audit processes, demonstrating our dedication to transparency and responsible stewardship of your data.

How does Tiller maintain effective procedures and controls?

To ensure the continuous effectiveness of our Information Security Management System (ISMS), Tiller conducts regular internal assessments of our policies and procedures. With input from the information technology and business management teams, reviews are undertaken to ensure information security processes are efficient, economical, and in compliance with the ISO/IEC 27001:2022 standard. These assessments cover all aspects of our management system and take place continuously, so that, at a minimum, every process is covered within a one-year timeframe. Findings from these assessments, including any nonconformities, are documented and communicated to the management team, with action plans agreed upon for addressing identified issues.

We distinguish between observations, minor nonconformities (single lapses), and major nonconformities (significant breakdowns of the management system). All nonconformities are recorded in a Nonconformity and Corrective Action Log, where they are evaluated to determine their underlying cause, potential impact, and appropriate corrective actions, and those actions are tracked to completion. This rigorous approach to assessments ensures that our ISMS remains robust, effective, and continuously improved.

How are risks managed?

At Tiller Technologies, effective risk management is a key part of our Information Security Management System (ISMS) and a core component of our commitment to compliance. Our risk assessment and treatment processes align with international standards such as ISO/IEC 27001:2022 and ISO 31000, ensuring a consistent approach to identifying, analysing, and mitigating potential threats. We conduct risk assessments covering all information assets as part of our ISMS implementation and perform regular updates through our management review process, identifying changes to assets, threats, and vulnerabilities. This process is qualitative, classifying risks as high, medium, or low based on a calculated score derived from the likelihood and impact of an event.

Risk Management Process

For risks deemed unacceptable, we explore various treatment options, including applying controls to lessen likelihood and/or impact, or avoiding the risk. As a cloud service provider, the continuous assessment of risks and the application of comprehensive controls are vital to maintaining the confidence of our customers and fulfilling our obligations to protect Personally Identifiable Information (PII). This approach ensures that the risks faced in the day-to-day operation of our business are effectively managed and controlled.

Describe Tiller Technologies governance framework

Robust internal governance is fundamental to our compliance framework, ensuring that our operations align with the highest standards of information security and data protection. Day-to-day execution of our policies and procedures, including change control, risk management and incident management, is overseen by our IT and Operations Committee. Our governance structure clearly defines the roles, responsibilities, and authorities of this committee and its members, as well as those of the individual employees who execute the procedures. The IT and Operations Committee itself reports to and is answerable to our Executive Committee (Exco). The Exco is responsible for reviewing and approving all key policies and procedures, ensuring that approved changes are consistently reflected across the organisation and in line with company strategy. This includes our Legal, Regulatory and Contractual Requirements Procedure, which outlines how we identify, assess, and incorporate legal and regulatory obligations.

Furthermore, we maintain a stringent Risk and Issue Escalation Process to ensure that newly identified risks and unanticipated issues are managed correctly and, where necessary, escalated to the appropriate management levels, including the Executive Committee, for expedited review and resolution. Through this comprehensive approach to internal governance, we demonstrate our commitment to transparency, accountability, and the continuous improvement of our security posture and compliance adherence.

Does Tiller have a Corporate Social Responsibility Policy?

Our comprehensive approach to ethical behaviour is encapsulated in our Corporate Social Responsibility Policy, which aligns with the United Nations Global Compact's 10 principles. This commitment includes upholding human rights, ensuring fair labour practices (such as eliminating forced or child labour and discrimination), and promoting environmental responsibility through initiatives and eco-friendly technologies. We actively invest in research and development and maintain an open stance to new ideas, continuously striving to improve our operational practices as a socially aware and responsible business.

Human Rights

  • Principle 1: Businesses should support and respect the protection of internationally proclaimed human rights; and

  • Principle 2: make sure that they are not complicit in human rights abuses.

Labour

  • Principle 3: Businesses should uphold the freedom of association and the effective recognition of the right to collective bargaining;

  • Principle 4: the elimination of all forms of forced and compulsory labour;

  • Principle 5: the effective abolition of child labour; and

  • Principle 6: the elimination of discrimination in respect of employment and occupation.

Environment

  • Principle 7: Businesses should support a precautionary approach to environmental challenges;

  • Principle 8: undertake initiatives to promote greater environmental responsibility; and

  • Principle 9: encourage the development and diffusion of environmentally friendly technologies.

Anti-Corruption

  • Principle 10: Businesses should work against corruption in all its forms, including extortion and bribery.

Further reinforcing our ethical framework, we maintain a stringent Anti-Bribery and Anti-Corruption Policy, strictly prohibiting any form of bribery or corrupt practices and requiring due diligence with all business partners. Our Conflicts of Interest Policy ensures that employees and boards avoid situations where personal interests might conflict with company or client duties, with clear responsibilities assigned for policy implementation and enforcement. Additionally, our Whistleblowing Policy fosters a culture of openness, enabling employees to report suspected wrongdoing (including criminal acts, financial malpractice, or legal non-compliance) without fear of retaliation.

Finally, our Privacy and Personal Data Protection Policy outlines our commitment to safeguarding Personally Identifiable Information (PII), upholding customer data rights, and treating their data with respect. These policies collectively underscore our dedication to operating with the highest ethical standards across all facets of our business.


Available Supporting Compliance & Governance Documents

The following compliance and governance related supporting documentation is available via the request form below.

  • TTL - ISMS-DOC-05-4B Issue and Escalation Process Summary

  • TTL - ISMS-DOC-06-2 Risk Assessment and Treatment Process

  • TTL - ISMS-DOC-09-2 Procedure for Internal Audits

  • TTL - ISMS-DOC-09-4 Procedure for Management Reviews

  • TTL - ISMS-DOC-10-1 Procedure for the Management of Nonconformity

  • TTL - ISMS-DOC-A05-6 Modern Slavery Policy

  • TTL - ISMS-DOC-A07-10 Anti-Bribery and Anti-Corruption Policy

  • TTL - ISMS-DOC-A07-11 Conflicts of Interest Policy

  • TTL - ISMS-DOC-A07-12 Whistleblowing Policy

  • TTL - ISMS-DOC-A07-X1 Corporate Social Responsibility Policy

  • TTL - ISMS-DOC-A14-2 Secure Development Policy

  • TTL - ISMS-DOC-A14-3 Principles for Engineering Secure Systems

  • TTL - ISMS-DOC-A18-1 Legal, Regulatory and Contractual Requirements Procedure

  • TTL - ISMS-DOC-A18-3 IP and Copyright Compliance Policy

  • TTL - ISMS-DOC-A18-4 Records Management Policy


Compliance and Governance Documentation Request Form
