Sustainability policies and guidelines

Attendo has several Group-wide policies and guidelines that guide the company’s sustainability efforts, with a focus on the most material sustainability matters in its operations.

Attendo’s Code of Conduct is a central document outlining the company’s values and principles and applies to all employees. Attendo’s Supplier Code of Conduct sets out corresponding expectations for business partners and suppliers.

As care services are highly regulated, the Group policies provide overarching guiding principles applicable across all markets and segments. All Group policies have a designated policy owner, are reviewed annually and updated when necessary, and are approved by Attendo’s Board of Directors. Attendo’s guidelines have designated responsible owners and are updated on a regular basis.

Code of Conduct

Attendo’s mission is to empower the individual, which means to see, support and strengthen every person in our care to an independent and meaningful life. We do this based on our values - care, commitment and competence - in a way that is characterized by openness and continuous learning. Our mission and values are both long-term goals and daily tools to realize our high ambitions. By anchoring our daily work in our mission and our values, we will succeed with our strategic goal – to be the most attractive choice in Nordic care.

Attendo’s Code of Conduct is based on our core values and our promises to customers and relatives, to our colleagues and to society. It provides a common foundation for how we act in our work. The code is meant to guide us and support our decisions and actions, especially when they are difficult or uncertain. The code is also an expression of Attendo's commitment to openness and for how we together create a culture based on responsibility, trust and team spirit.

The Code of Conduct contains extensive information on how Attendo managers and employees should act. In the daily work, each employee should be guided by the below principles – these principles reflect the approach that should be the basis for everything we do at Attendo.

The Code of Conduct is aligned with the United Nations 2030 Agenda for Sustainable Development, the UN Guiding Principles on Business and Human Rights, the OECD Guidelines for Multinational Enterprises on Responsible Business Conduct, and the ILO Declaration on Fundamental Principles and Rights at Work. The Code of Conduct declares respect for human rights and establishes zero tolerance for discrimination, harassment, child labour and forced labour. It also upholds employees’ rights to freedom of association and collective representation, as well as whistleblower protection and freedom of expression.

Supplier Code of Conduct

Attendo sets high standards for responsibility, quality and sustainability, not only in its own operations but also among its suppliers. The company’s Supplier Code of Conduct outlines the fundamental principles that all suppliers and business partners are expected to follow as part of Attendo’s procurement requirements. Attendo expects its suppliers to actively work to reduce their environmental and climate impact and to safeguard confidential information and personal data. Compliance with the Code is followed up through dialogue and, where necessary, through assessments.

Through clear requirements and close collaboration, Attendo works together with its suppliers to promote a responsible and sustainable supply chain.

The Supplier Code of Conduct is based on respect for human rights, good working conditions, environmental responsibility and sound business ethics. Suppliers are expected to comply with applicable legislation as well as international standards, including the UN Guiding Principles on Business and Human Rights and the ILO Declaration on Fundamental Principles and Rights at Work. Child labour, forced labour, discrimination and corruption are not accepted. Employees must be provided with safe working conditions and fair terms of employment.

Sustainability policy

Attendo is firmly committed to sustainable business practices and to contributing to sustainable social development. This policy aims to specify responsibilities and provide the principles that guide the organisation on how to conduct the business in accordance with Attendo’s overarching and long-term objectives across the Environmental, Social and Governance (ESG) dimensions.

The Sustainability policy regulates Attendo’s long-term goals and ESG commitments. The policy also states that Attendo shall evaluate, on a recurring basis, in what ways the company co-exists with and materially impacts its context and its stakeholders. The result of the analysis should guide Attendo’s work on addressing impacts, risks and opportunities across the environmental, social and governance dimensions. The document also describes the continuous monitoring mechanisms that are in place. The policy also regulates the different roles and responsibilities, as well as sustainability reporting.

Environmental policy

Attendo strives to ensure that its operations are conducted with responsibility and consideration also for the environment and climate. This policy aims to specify responsibilities and provide principles to guide the organisation towards making sustainable choices in key areas from an environment and climate impact perspective.

The environmental policy regulates Attendo’s material environmental impacts, and the monitoring responsibilities related to Attendo’s work.

Quality policy

Attendo’s employees provide care to more than 30,000 clients. Attendo strives to be the natural choice within the care sector, with a commitment that ensures clients are seen as individuals and that their relatives can feel confident and secure. Quality is deeply integrated into Attendo’s core operations and is one of our most important strategic focus areas. This policy shall be considered in the development of all areas of operation within Attendo and shall permeate all processes and activities.

Attendo’s Quality Policy is based on Attendo’s Code of Conduct. The Quality Policy describes Attendo’s group-wide objectives and focus areas, the overarching framework that governs the management, leadership, and development of quality work within the company, as well as the roles and responsibilities related to Attendo’s quality work.

HR policy

Attendo has 33,000 employees, whose engagement and participation are crucial to the company’s quality, culture, and development. Attendo strives to be the employer of choice within the care sector and offers an inclusive and stimulating workplace for everyone who wants to grow, contribute to the development of care, and make a real difference in many people’s everyday lives.

The Group Human Resources Policy aims to specify and reinforce HR-related responsibilities and commitments and to provide guidance to leaders and employees throughout the organisation. The policy covers HR matters that are common across Attendo and applies to all employees in the Attendo Group.

The HR policy is based on the Code of Conduct for employees and covers several areas that are common across the Group. The policy states that all new employees participate in a mandatory onboarding program, encourages skills development, and emphasizes the importance of personal growth in the workplace. Furthermore, it outlines how systematic work environment management is governed, and highlights that equality and diversity are seen as strengths. The policy establishes a zero-tolerance approach to discrimination and harassment, affirms each person’s right to freedom of association, and states that the company works to maintain good cooperation with trade unions representing its employees.

Anti-corruption and bribery guidelines

In addition to Attendo's Code of Conduct, there are several internal guidelines that regulate matters important to maintaining confidence in Attendo and Attendo's care services. These apply from the perspectives of Attendo’s employees, customers, suppliers, cooperation partners, and commissioning authorities.

Attendo’s guidelines on bribery and corruption describe the responsibility of Attendo employees to act in a manner that fosters strong trust in the company among customers and relatives. They set out the risks associated with gifts and benefits in the course of work and how one should act if such a situation arises. The guideline defines bribes, gifts, rewards, and other forms of benefits. Employees are not permitted to accept or offer personal gifts, rewards, or benefits that could undermine objectivity, influence business transactions or decisions, or create a dependency on a customer or any other third party. Any form of gift or hospitality must be given purely as a courtesy, be of modest value, follow accepted business practice, and must never influence decision‑making. Gifts to public officials are prohibited.

Attendo’s guidelines on freedom of expression and duty of loyalty describe the meaning of both whistleblower protection and the duty of loyalty, as well as how concerns and complaints should be raised. The guidelines also describe Attendo’s whistleblowing service and how it is used.

Attendo’s guidelines for procurement and supplier follow-up are based on the procurement policy and regulate how procurements are conducted, how collaboration with suppliers takes place, and how supplier follow-up is performed.

Whistleblower guideline

Within Attendo, it is a given that we always strive to provide safer and more secure care with our clients at the centre, and that we work as a team to create a culture of transparency, openness, and trust. It is also self-evident that Attendo and all our employees must act in accordance with laws, regulations, Attendo’s Code of Conduct, and other applicable policies and frameworks. Attendo encourages openness, transparency, and communication, even when dealing with difficult situations. Attendo has an internal whistleblowing policy that applies to all employees within the Group and provides instructions and information on how to report suspected misconduct related to Attendo’s operations.

The policy describes the available reporting channels and provides a detailed description of the whistleblowing function. It explains when the whistleblowing function should be used, how it works, the right to report anonymously, and the process in place for handling whistleblowing cases. The policy also describes the right to protection of sources and freedom to communicate information.

Attendo’s whistleblowing channel is available in local languages and can be accessed 24 hours a day, every day. The number of reports received through the whistleblowing function, as well as the number of qualified whistleblowing cases in accordance with Directive (EU) 2019/1937, is reported in the Annual and Sustainability Report.

Information Security Policy

Our Commitment to Information Security

Attendo operates in a sector where the protection of sensitive personal information is not just a regulatory obligation — it is fundamental to the trust placed in us by the individuals we care for, their families, and our partners. Information security is therefore a strategic priority at Attendo, and we maintain a comprehensive, structured approach to managing and protecting our information assets.

Attendo’s systematic, formalized, and risk-based Information Security Management System (ISMS) is based on and built in alignment with internationally recognized standards (ISO 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems) and encompasses governance, risk management, and a broad set of operational security controls. The ISMS applies across the Attendo Group and covers all employees, systems, and processes.

Data protection is integrated into the ISMS: the ISMS has been extended to include data protection and NIS2.

Governance and Organisation

Information security at Attendo is governed through a clearly defined organisational structure. The board of directors holds ultimate accountability, supported by an Information Security Council that provides strategic oversight and coordinates security work across all business areas.

Attendo’s information security work is reported yearly to Attendo’s board of directors. The entire ISMS is reviewed at least annually by the Council for Information Security. Internal controls are performed as part of the Group’s internal control framework. The results of the internal control review are assessed and reported to the Board of Directors’ Audit & Risk Committee. The scope of each year's internal control review is decided by the Council for Information Security.

Responsibilities are clearly assigned at both Group and business area level. Dedicated roles, including Information Security Officers, a group-level Data Protection Officer (DPO), and Data Protection Managers (DPMs), ensure that security and privacy requirements are embedded in day-to-day operations. Our governance model includes regular reporting to the board and Group management and defined escalation paths.

All employees regularly receive role-appropriate security and awareness training. A structured communication and competence development program ensures that security knowledge is maintained and updated across the organisation.

Risk Management and Asset Classification

We take a risk-based approach to information security. All information assets, including data, systems, and business processes, are inventoried, classified according to their sensitivity and business criticality, and assigned to named owners. Classification outcomes directly determine the level of protection required.

Risk assessments are performed regularly at both the management system level and for individual information assets. Our risk tolerance and appetite are formally defined, and identified risks are tracked and managed through a structured process. Internal controls are conducted on an annual basis, covering the full scope of the ISMS over a three-year cycle.

Legal and Regulatory Compliance

Attendo maintains a dedicated compliance framework covering our obligations under GDPR, NIS2, and relevant national legislation across our operating countries. We have defined processes for assessing both new and changed personal data processing activities, managing data subject rights, responding to personal data breaches, and reporting to supervisory authorities.

Our records management processes ensure that information is retained, protected, and destroyed in accordance with applicable requirements.

Operational Security Controls

Our operational security framework addresses the full range of technical and organisational controls required to protect information in use, at rest, and in transit. Key areas include:

  • Access control: Access to systems and data is granted on a risk-based, need-to-know basis, with formal provisioning, regular reviews, and specific controls for privileged access and cloud services.
  • Equipment and device management: Company-issued and personal devices are governed by clear acceptable use requirements, with controls over mobile devices, removable media, and physical equipment security.
  • Cryptography: Encryption is applied based on classification and risk, with defined standards for algorithms, key management, and specific requirements for email, remote access, and data storage.
  • Operations security: IT operations are governed by controls covering change management, malware protection, backup and recovery, system logging, and vulnerability management.
  • Communication security: Requirements cover both electronic messaging (including acceptable use of email and messaging tools) and network infrastructure design, segmentation, and monitoring.
  • System acquisition and development: Security requirements are embedded in all system acquisitions and development activities, with supplier evaluation processes, secure development standards, and structured acceptance testing.
  • Self‑assessment and external audit: An annual self‑assessment of critical IT systems is conducted to ensure that internal controls remain accurate and effective. In addition, an external financial auditor performs a yearly ITGC audit related to financial reporting.

Supplier and Third-Party Management

We recognize that third-party suppliers can represent a significant risk to our information security posture. Our supplier management framework requires due diligence before contracting, formal documentation of security and data protection requirements in all agreements, and ongoing monitoring of supplier performance. Cloud service providers and sub-processors are subject to specific additional controls.

Incident Response and Business Continuity

Attendo maintains a prepared and practiced capability to respond to information security incidents. Our incident management process covers classification, response, regulatory reporting, and post-incident learning. A trained incident response team is in place, with procedures to ensure timely regulatory reporting when necessary.

Business continuity planning addresses the availability and resilience of critical information assets. We conduct business impact analyses and risk assessments to identify dependencies and prioritize recovery. Continuity plans are maintained for key information systems and reviewed regularly.

Continuous Improvement

Information security at Attendo is not a static discipline. Our ISMS is designed for continuous improvement: nonconformities are systematically identified and addressed, performance data is analysed and reported to leadership, and the system is regularly reviewed and updated to reflect changes in the threat landscape, the regulatory environment, and our own operations. We are committed to maintaining a high standard of information security, not only to meet our legal and contractual obligations, but because it is the right thing to do for the individuals who trust us with their care and their data.

Data Protection Policy & Privacy 

Our Commitment and Approach to Data Privacy 

Attendo is committed to protecting the privacy of everyone who has a relationship with our organisation. We recognise data privacy and data protection not merely as legal obligations, but as a cornerstone of trust between Attendo and the individuals we serve. Attendo always provides up-to-date information about its processing activities in a clear and transparent manner on its website for each respective business area, through Attendo’s Data Privacy Notice.

Attendo applies a risk-based approach while upholding individuals' fundamental rights to privacy. Any processing of personal data by Attendo shall be conducted in a sincere and ethical manner.

Key Principles 

Attendo's data protection work is guided by four principles: putting the individual's perspective at the centre; ensuring all personal data processing is preceded by a compliance review including privacy analysis and data protection impact assessments; maintaining high awareness across the organisation; and embracing innovative thinking within the legal framework. 

Attendo’s Data Privacy Organisation 

Attendo has a Data Protection Policy in place that applies to all entities within the Group and all Attendo employees. The Data Protection Policy is enacted by Attendo’s board of directors and revised annually. The Data Protection Policy sets out the internal governance structure related to data privacy and protection.

According to the Data Protection Policy, Attendo applies a three-lines-of-defence model. Day-to-day data handling is managed at the operational level by all Attendo staff members involved in the processing of personal data and by the information owner, with support from the business area’s DPM (first line). Oversight and risk management are provided by the Group and business area legal functions, including the DPO (second line). Independent verification is carried out by the internal control function (third line).

The Data Protection Manager 

The DPM is responsible for supporting and coordinating the business area’s day-to-day data protection work. This includes implementing processes to ensure compliance with the ISMS and other policies, such as handling data subject requests, drafting privacy awareness communications to employees when needed, maintaining the register of processing activities, and conducting data protection impact assessments and operational reviews.

The DPM serves as the primary contact point for Attendo employees with questions regarding the handling of personal data. The DPM is also responsible for regular reporting to the Council for Information Security on the ongoing data protection work in the business area, as well as reporting significant issues, including data breaches, to the DPO.

Data Protection Officer 

Attendo has appointed a group-level DPO to inform and advise Attendo and its employees on their obligations under the data protection laws, including, in particular, data protection impact assessments upon request. The DPO also monitors Attendo’s compliance with the data protection laws, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and related audits. The DPO reports annually to management and the board of directors on the privacy-related work conducted by Attendo.

In addition, the DPO acts as the contact point for the supervisory authorities and data subjects on issues relating to processing.

Personal data incidents 

Attendo maintains an internal incident reporting process to enable early detection, swift handling, and timely reporting of information security incidents, including personal data breaches. This enables Attendo to minimise negative impact, support business continuity, and ensure compliance with legal and regulatory reporting obligations.

Data Protection Training Program 

All Attendo employees are required to participate in mandatory data protection training that covers, among other things, Attendo’s data processing principles and organisation, routines for personal data incidents, and aspects of information security relevant to handling personal data. The mandatory training must be completed at the start of the individual’s employment and annually thereafter.