Document IIS-GOV-INC-001 • Version 1.0 • Effective 01 May 2026
This Procedure establishes a single, consistent intake-to-remediation workflow for all categories of incident and grievance raised by any internal or external person regarding Integrated IT Support Inc. (the “Company”). It operationalises Principle 31 of the United Nations Guiding Principles on Business and Human Rights and supports the Company's compliance with PIPEDA breach-notification, OHSA incident-reporting, and S-211 due-diligence obligations.
Incident: an event involving harm, damage, near-miss, or breach of policy or law — including data-security incidents, safety incidents, environmental incidents, and ethics breaches.
Grievance: a concern raised by any person about an actual or potential adverse impact of the Company's operations or business relationships — covering human rights, labour rights, discrimination, harassment, environment, community, or any compliance matter.
This Procedure is designed to be:
Legitimate: enabling trust from the stakeholder groups for whose use it is intended.
Accessible: known to all stakeholder groups and providing adequate assistance for those who may face barriers.
Predictable: clear and known timelines for each stage and the available outcomes.
Equitable: stakeholders have access to information, advice, and expertise required to engage on fair terms.
Transparent: keeping parties informed of progress and providing information about the mechanism's performance.
Rights-compatible: outcomes accord with internationally recognised human rights.
A source of continuous learning: drawing on lessons to identify improvements and prevent recurrence.
Based on engagement and dialogue: consulting affected stakeholder groups on its design and performance.
E-mail: ahmad.wasee@iisupp.net (monitored by the GRC Office).
Web intake: iisupp.net/ethics-grievance (anonymous reporting supported).
Telephone: +1 (647) 581-3182 — ask for the designated Human Rights Sponsor.
Postal: confidential mailing address available on request.
Direct contact: through any supervisor or the GRC Office in person.
Specialised channels: PIPEDA-related concerns to ahmad.wasee@iisupp.net; security incidents to ahmad.wasee@iisupp.net (auto-escalated to the CISO).
The GRC Office acknowledges receipt of every report. For anonymous reports, acknowledgement is published in the Company's quarterly transparency note where feasible.
Triage assesses severity, urgency, scope, irremediability, and applicable legal-reporting obligations. Categories include: Ethics; Human Rights; Labour; H&S; Information Security; Privacy; Environment; Community; Anti-Bribery; Other.
Investigations are conducted by the GRC Office with independent expertise as required. Where the matter involves the GRC Office itself, an external investigator is appointed. Investigators apply natural-justice principles and the standard of preponderance of evidence.
Where credible, immediate measures are taken to protect affected persons (e.g., separation of complainant and respondent, technical containment of security incidents, environmental spill containment, immediate cessation of contributing conduct).
Where harm is found, appropriate remedy is provided in accordance with the Remediation Framework set out in Section 17 of the Human Rights Policy (IIS-GOV-HR-001). Remedies may include apology, restitution, restoration, compensation, behavioural-change measures, and guarantees of non-repetition.
The complainant (if known and not anonymous) is informed of the outcome, the rationale, and any further recourse available, to the extent permitted by privacy and legal constraints.
Anonymised lessons are documented and shared with relevant teams; structural changes are integrated into the Company's policies and procedures.
Privacy breaches involving real risk of significant harm — Office of the Privacy Commissioner of Canada (PIPEDA) and affected individuals.
Critical workplace injuries / fatalities — Ontario Ministry of Labour and WSIB, in writing within 48 hours.
Suspected forced or child labour in supply chain — escalation pursuant to S-211 due diligence; co-operation with Public Safety Canada as required.
Bribery / corruption — Royal Canadian Mounted Police and other relevant authorities.
Securities-related insider issues — applicable securities regulator and Company counsel.
All incident and grievance records are retained for a minimum of seven (7) years from the date of closure, in accordance with the Company's Records Retention Schedule and applicable law (PIPEDA, S-211, CRA). Access to records is restricted on a need-to-know basis and protected per the Information Security Policy.
The Company prohibits, and will not tolerate, retaliation against any person who raises a concern in good faith. Retaliation is itself a serious breach of this Procedure and the Code of Conduct (IIS-GOV-COC-001), subject to disciplinary action up to and including termination.
The Company reports on grievance-mechanism performance — volume by category, mean time to close, remediation outcomes (in anonymised form), and lessons learned — in its annual Human Rights Due Diligence Report (iisupp.net/governance/human-rights) and to the Executive Leadership quarterly.
This Procedure is reviewed at least annually by the GRC Office in consultation with potentially affected stakeholders, and is updated to reflect operational lessons and changes in regulation, standards, or stakeholder expectations.
Approval and Authority
This document has been reviewed and approved by the Executive Leadership of Integrated IT Support Inc. and is issued under the authority of the Office of the Chief Executive Officer. The document is subject to periodic review and may be amended by the Approving Authority. Material amendments are communicated to all employees and key suppliers within thirty (30) days of issuance.
Signed for and on behalf of Integrated IT Support Inc.
Ahmad
Ahmad — Chief Executive Officer
Integrated IT Support Inc.
Date: 11 May 2026
Approved electronically by Ahmad, Chief Executive Officer, on 11 May 2026. This electronic signature is applied with the authority of the named signatory and is valid under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Ontario Electronic Commerce Act, 2000.