Conduct Risk Policy
Effective Date: 1 April 2024
Last Updated: 19 May 2026
Owner: Tudor Brad, Managing Director
1. Scope
This policy applies to every person acting on behalf of Better Quality Assurance S.R.L. ("BetterQA," "the company"), in every country we operate in: employees, contractors, freelancers, directors, the Administrator (Tudor Brad), and any agent or partner who delivers work in our name.
BetterQA is not a UK FCA-regulated firm and not directly authorised under EU MiFID II or DORA. We are a software testing services company. However, several of our clients are regulated financial services firms (consumer credit, payments, foreign exchange, regulated trading platforms). When we build, test, or operate any system on their behalf, the way we conduct ourselves can introduce conduct risk into their regulated operations. This policy exists to make sure that does not happen.
2. Our Position
Conduct risk, in our context, is the risk that something BetterQA does (or fails to do) leads to poor outcomes for end customers of our clients. That includes customers being unable to access funds because we missed a critical bug, being misled because we approved misleading copy in a UAT pass, being charged incorrectly because we signed off a calculation engine without sufficient evidence, or having their personal data exposed because we relaxed a test to "ship faster".
BetterQA treats customer outcomes seriously. We will not knowingly sign off, certify, or release work where we believe end users are likely to be harmed, financially disadvantaged, or misled, and we will escalate any pressure to do so.
Why this matters even though we're not the regulator's customer. Under UK FCA rules and EU equivalents, regulated firms must manage conduct risk in their supply chain. Our financial services clients (consumer credit lenders, payment platforms, exchanges, brokers) are expected by their regulators to evidence that the vendors who touch their software hold themselves to the same standard. This policy is what they read.
3. Specific Obligations
Decision-making with the end customer in mind. For every test plan we agree, every sign-off we give, and every production release we approve on behalf of a regulated client, you must be able to answer: "if the end customer (the borrower, depositor, traveller, patient, employee) reads what we signed off, will they conclude they were treated fairly?" If the answer is uncertain, raise it before sign-off.
You must:
- Refuse to sign off on test passes that you know to be incomplete, inconclusive, or rushed beyond the point where defects can reasonably be detected
- Document the basis for every release recommendation - which tests passed, which were skipped, which risks remain open - so that the regulated client has an audit trail for their own conduct file
- Treat consumer-facing copy, error messages, financial calculations, and fee disclosures as high-conduct-risk areas requiring extra scrutiny during test design
- Flag, in writing, any pattern that could plausibly be characterised by a regulator as misleading, unfair, or hostile to the end customer, even if the client has formally accepted the design
- Comply with all client-specific conduct standards baked into the SOW or MSA (FCA Consumer Duty, EU Consumer Credit Directive, MiCA, DORA operational resilience requirements, PSD2 Strong Customer Authentication, GDPR) when working on systems within those regimes
- Escalate to the Managing Director if a regulated client puts pressure on you to certify work you do not believe is ready for production
You must not:
- Sign off a release on the basis of "we'll fix it in the next sprint" where the unfixed defect can foreseeably harm end customers
- Backdate test evidence to fit a release date
- Reduce the depth of regression coverage on a regulated system to win or retain commercial favour
- Use a regulated client's production data for testing without their explicit written approval and a documented purpose
- Accept training, certifications, or assertions about end-customer harm from a client at face value if your own testing contradicts them
4. Reporting Channel
If you become aware of a situation where BetterQA's conduct, or pressure on BetterQA from a client, could foreseeably harm the client's end customers, report it.
- Email: [email protected]
- Anonymous reporting permitted
- Acknowledgement within 7 days, outcome within 90 days, per EU Directive 2019/1937 and Romanian Law 361/2022
- Where the harm is imminent, raise it directly with the Managing Director by phone or in person; do not wait for the email channel
See the separate Whistleblowing Policy for full procedure and protections. Retaliation against anyone who raises a conduct concern in good faith is itself a breach of this policy.
5. Consequences
Breach of this policy is treated as serious misconduct. Consequences may include:
- Disciplinary action up to and including termination of employment or contract
- Removal from the engagement with the affected client
- Personal liability if the breach constitutes professional negligence or aiding a regulated client's regulatory breach
- Corporate consequences for BetterQA including contract loss, indemnity exposure, reputational damage, and possible action by the client's regulator
- Mandatory retraining and supervision for the remaining staff on the engagement
6. Review Cadence
This policy is reviewed at least annually by the Managing Director, or sooner if our regulated-client portfolio changes, if a relevant regulation changes (FCA Consumer Duty, DORA, EU AI Act, MiCA), or if any conduct incident is reported. The review considers the engagements running with financial services and other regulated clients, and whether the obligations in section 3 remain proportionate to the risk.
7. Owner
Policy Owner
Tudor Brad
Managing Director (Administrator), Better Quality Assurance S.R.L.