Graphisoft Whistleblowing Policy

Effective as of 20 February 2026

1. Purpose of the Policy
The purpose of this policy is to provide a safe and confidential channel for employees and other stakeholders who deals with Graphisoft in any way to report unlawful or unethical conduct experienced at Graphisoft, one of its subsidiaries, direct or indirect suppliers. It also aims to ensure the protection of whistleblowers from retaliation, in accordance with Act XXV of 2023 on Complaints, Public Interest Disclosures and Whistleblower Protection.
2. Scope
This policy applies to:

• Employees
• Service providers and other business partners, employees of customers and external consultants
• Any natural or legal person involved in Graphisoft’s business

3. What Can Be Reported
The internal whistleblowing system allows you to report information about violation of applicable laws or internal rules, violations of sustainability principles and ethical standards, such as:

• Breach of laws or regulations (e.g., corruption, bribery, fraud)
• Health and safety violations
• Environmental protection or human rights emergencies, violations of laws and regulations
• Data protection breaches
• Breach of the Code of Ethics
• Harassment, discrimination
• Financial misconduct or manipulation of records
• Prohibited anti-competition behaviour
• Conflicts of interest

4. What to do if you notice misconduct
The following channels are available for reporting.

• Email to [email protected] 
• Call 0036 1 437 3000 and Compliance team will contact you if you provide your availability
• In person at Graphisoft SE 1031 Budapest Záhony Street 7., where you can indicate your intention to file a complaint, and Compliance team will contact you for the details if you provide your availability
• Report it anonymously via the Nemetschek Group Whistleblowing system where you can directly submit reports to the Nemetschek Compliance Team

Nemetschek's group-wide internal digital Whistleblowing System offers the opportunity to report potential breaches of rules anonymously. Detailed information about how the Nemetschek Group Whistleblowing system works can be found in the FAQ section on the system's website.
All reports are treated as strictly confidential. Reports are only seen by authorised persons of Graphisoft and/or Nemetschek
5. Handling Reports

1. Acknowledgement:

Verbally reported cases will be documented in writing by Graphisoft and copy will be provided to the whistleblower for verification and signature.
Written reports will be acknowledged within 7 days, informing the whistleblower about the registration, next steps, procedure timeline, and their rights, including protection against retaliation.

2. Investigation:

Graphisoft will carry out an impartial investigation within 30 days, extendable by up to further 2 months if justified. After this, or in cases of ongoing misconduct, the whistleblower may notify authorities or the public. Reports may be rejected in legally defined cases.

• Outcome:

The whistleblower will be informed about the investigation, its outcome, any actions taken, or the reasons for rejection, unless disclosure is legally restricted.
If the matter is outside Graphisoft’s competence, it may be forwarded to the                  appropriate external authority.
6. Protection and Prohibition of Retaliation
Graphisoft is legally obliged to protect whistleblowers who:

• Act in good faith, and
• Report actual or suspected misconduct.

Retaliation is strictly prohibited, including dismissal, demotion, discrimination, or any other form of disadvantage.
7. Confidentiality and Data Protection

• All reports will be handled with full confidentiality.
• The identity of the whistleblower will not be disclosed without their explicit consent, except where disclosure is required by law.
• All records will be stored securely and processed in accordance with Hungarian and EU data protection laws (e.g., GDPR).
• Personal data is used only for investigation purposes.  Data irrelevant for the investigation is deleted immediately.

The Privacy Notice is available at the following link.
Privacy Notice on personal data processing relating to the Whistleblowing System

8. Abuse of the Whistleblowing System
Knowingly submitting false or malicious reports may result in disciplinary or legal action. However, whistleblowers who act in good faith are protected, even if their concern is not ultimately confirmed.

9. External Reporting Options
If whistleblowers don’t feel safe reporting internally, they can also contact external authorities, such as:

• Commissioner for Fundamental Rights (Ombudsman)
• National Authority for Data Protection and Freedom of Information (NAIH)
• Other relevant regulatory or law enforcement agencies depending on the case