Whistleblowing (Speak-Up & Non-Retaliation) Policy

Bright Data Ltd.

Effective date: January 1st, 2026

Applies to: Employees, officers, directors, contractors, suppliers and other stakeholders worldwide.

  1. Purpose and scope
    Bright Data Ltd. (“Bright Data”) is committed to the highest standards of ethics, integrity,
    and compliance with applicable laws. This Policy sets out accessible, safe channels for
    raising concerns (“Reports”), the process for handling them, and our strict prohibition on
    retaliation against anyone who reports in good faith. This Policy applies globally to Bright
    Data’s employees, officers, directors, contractors, suppliers, and other stakeholders.
  2. What to report
    Report any suspected or actual misconduct, including:

    • Bribery, fraud, embezzlement, conflicts of interest, antitrust, sanctions breaches
    • Human rights, modern slavery, labour, or health and safety concerns
    • Data protection, privacy, information security, or responsible technology concerns
    • Harassment, discrimination, bullying, or workplace violence
    • Accounting, auditing, financial controls or reporting irregularities
    • Retaliation for raising a concern in good faith or assisting an investigation

    Reports may be made anonymously where permitted by law.

  3. Reporting channels (available 24/7)
    You may use any of the following channels (in any language, 24/7):

    • Email: [email protected]
    • Postal: LegalTeam, Bright Data Ltd., 4 Hamahshev St., Netanya 4250714, Israel

    If you prefer, you may speak with your manager or HR. Managers must promptly forward concerns to Legal.

  4. Confidentiality and non‑retaliation
    Confidentiality: Reports and reporter identities will be kept confidential to the
    extent feasible and permitted by law, shared only with those who need to know.
    Non‑retaliation: Retaliation (e.g., dismissal, demotion, threats, harassment)
    against anyone who in good faith reports or assists an investigation is strictly prohibited.
    Violations may result in disciplinary action, up to and including termination of employment or
    business relationship.
  5. Intake, triage, and investigation

    • Intake: Reports are received by Legal (or a designated case manager).
    • Triage: Reports are risk‑rated and routed to appropriate investigator(s); conflicts are screened.
    • Investigation: Impartial, professional investigations may include document review, interviews, and forensics.
    • Outcome: Where substantiated, Bright Data will take fair, appropriate remedial action (e.g., corrective measures, training, discipline, process changes, supplier remediation or termination). Where lawful and appropriate, Bright Data will provide outcome feedback to the reporter.
  6. Target timelines (service objectives, not contractual)

    • Acknowledgement: within two (2) business days (where contact details are available)
    • Triage/start of review: within five (5) business days
    • Target closure: within thirty (30) days where feasible (complex cases may require more time; Bright Data will act as promptly as reasonably practicable)
    • EU timing note: where EU member‑state whistleblowing laws apply, Bright Data will acknowledge receipt within seven (7) days and provide feedback within three (3) months, as required by local law.
  7. Records, privacy and data security
    Case records are retained securely for at least seven (7) years, or longer if required by law or
    litigation hold. Personal data is processed in accordance with applicable data protection laws and
    Bright Data’s privacy/security policies, and used only for handling the Report and related
    compliance requirements.
  8. Local law and conflicts
    Nothing in this Policy limits any rights to report to regulators or law enforcement, or to seek
    other protections provided by law.
  9. Questions
    Questions about this Policy may be addressed to
    [email protected].