QUADIENT - 2019 Universal Registration Document

5 NON-FINANCIAL PERFORMANCE STATEMENT Social, societal and environmental information

Protect data entrusted to Quadient against internal and external

The protection of its systems and infrastructure is one of the Company's major concerns. In response, the Company has defined security policies that detail the requirements for correct and secure use of its own data and that entrusted to Quadient by its stakeholders such as staff, customers, suppliers and other partners. These security policies have been rolled out in all countries in which Quadient operates. They are mandatory and apply to all the entities, employees, service providers and consultants working on company sites or to anyone with access to company systems.

A governance body has been put in place to manage the applicable policies on information security. It consists of a Chief Information Security Officer and a network of experts across the Company’s various sites. Its role is to monitor the roll-out of security policies, analyze security incidents and performance and adapt these policies accordingly.

• A network made up of local experts led by the Information Security Officer and digital operation.
• Analysis of security incidents, security performance and the progress of security-related projects during quarterly security reviews.
• 5 entities are ISO 27001 certified (covering 22% of staff), 2 of them also have ISO 27018 certification (Cloud) and meet the OpenSAMM security standards.
• 25 security audits carried out in 2019 covering MRS, CXM and BPA.
• Implementation of the personal data protection policy and procedures that meet the requirements of the regulation.
• Maintaining a global organization with a data protection officer at Company level (a member of the Company's Executive Committee), from the regions to local level with coordinators present at each site.
• Implementing new CCPA requirements in North America;
• 2 compliance audits conducted at Quadient France and Quadient UK.

The Company has also updated the incident management procedure. Training was given to those business units most at risk and which handle customer and employee personal data.

The entire process must be audited to ensure it is operational and effective. Two compliance audits were already conducted in 2019 at Quadient France and Quadient UK.

2019 Results

In addition to smart equipment designed to handle physical mail, the Company’s offer also includes software solutions enabling digital communication between a company and its customers via different channels (mail, email, web applications, mobile applications, etc.). Other software solutions for handling and tracking parcel shipments complete Quadient's offer. Vast amounts of confidential and non-confidential data pass through the systems and infrastructures every day, over the Internet and through the cloud. Threats from cyber-attacks, negligence or illegal access could result in the corruption, theft, loss or leakage of all or part of the Company’s data or personal data or lead to business disruption.

Objectives

Initiatives

Extend information security management system to all our activities

Organizing a network of security officers at Corporate, business unit and site level

ISO 27001 certification program

Ensure that data is received, used and managed responsibly

Program of internal and external audits in 2019 on the Company’s systems and applications

Personal data protection program complying with the GDPR and CCPA (1)

ISO 27001 CERTIFICATION PROGRAM

Quadient is currently rolling out a certification program based on the ISO 27001 standard, primarily covering sites whose business is the development of software solutions, infrastructures and their support. In 2019, five entities were ISO 27001 certified, and two of them were also ISO 27018 certified.

COMPLIANCE WITH DATA PRIVACY REGULATIONS

GDPR compliance (2)

Actions already carried out include the update of the data processing register that helps to map all the personal data as well as their processing methods and use, the addition of clauses in customer and supplier contracts and the establishment of questionnaires/recommendations for more effective management of the database of potential leads.

(1) California Consumer Privacy Act.

(2) General Data Protection Regulation.
