1. DUE DILIGENCE ON MARFEEL’S REGULATORY COMPLIANCE.
1.1 Background and regulatory environment.
In the wake of the serious global financial and economic corruption scandals that occurred at the beginning of this millennium which led to significant social repercussions; public opinion called for radical responses at a legislative level that reflected a zero-tolerance policy of this type of behaviour.
In response to this situation, in 2010, Spain introduced, as a major change, the possibility of legal persons being held criminally liable. Hence, the Organic Law 5/2010 reform of the Criminal Code introduces a regime of criminal liability of legal persons, the essential foundations of which are set forth in article 31 of the Criminal Code.
The criminal liability of legal persons serves to reinforce individual liability, because its aim is that legal persons will take organisational measures to prevent the commission of criminal offences and, where appropriate, to enable the uncovering and reporting thereof to the authorities.
In this regard, Organic Law 1/2015 of 30 March undertakes a significant modification in this field (article 31 bis), introducing the release of legal persons from liability if they include suitable and adequate surveillance and control measures aimed at preventing actions that constitute crimes.
Furthermore, and as a fundamental interpretative tool, it is worth highlighting and taking into account the Circulars published by the Attorney General’s Office:
- Circular 1/2011 concerning the criminal liability of legal persons under the Criminal Code reform through Organic Law 5/2010.
- Circular 1/2016 on the criminal liability of legal persons under the Criminal Code reform through Organic Law 1/2015.
Finally, this document is an updated version of the Compliance Programme drawn up by the Company in October 2016.
1.2. Aim and characteristics of the programme: Tone at the top
The aim of this crime prevention programme is for the Company to adopt an organisational and management model that identifies and diagnoses beforehand the possible criminal risks to which the organisation may be exposed, i.e., in the Company MARFEEL SOLUTIONS, S.L. (hereinafter, MARFEEL), putting in place suitable surveillance and control measures to prevent these crimes from being committed.
Since it is MARFEEL that must prove that this programme is effective (i.e., MARFEEL is the organisation that bears the burden of proof), it oversees the organisation, documentation, implementation, control and updating, if necessary, of the aforementioned programme.
It may be said that the programme’s primary objective is to prevent an event or occurrence from having a reputational and/or economic impact on an organisation, while working to instil a corporate culture of compliance throughout the organisation.
In order to make this corporate culture a reality, it is important to deploy the necessary and sufficient economic and human resources, so the economic investment in compliance must, in any case, be reasonable and proportional to the required result.
The final objective of this procedure is for MARFEEL to be able to demonstrate that its mission as a company is not only to prevent criminal conduct, but also to comply with current law, reinforcing the corporate ethical culture.
1.3. Methodology used. Phases of the programme.
In order to draw up this programme, in addition to the aforementioned criminal law and circulars of the Public Prosecutor’s Office, ISO 19600 is used as a reference framework for the implementation of a CMS (Compliance Management System).
1.4. Description of MARFEEL’s business processes
1.4.1. MARFEEL’s activity.
Marfeel is a technology company that develops software solutions under the Software as a Service (SaaS) model, primarily aimed at digital publishers. Its mission is to help these publishers maximize the performance of their digital properties through the use of advanced tools for audience analytics, editorial automation, and intelligent content distribution.
1.5. Control procedures identified:
1.5.1. Financial and economic process.
a) Company Accounts
Since 2019, MARFEEL has filed the customary profit and loss accounts (previously, summarised annual accounts were filed). The accounts are filed at the Commercial Registry and the books are legally authenticated. Since 2013, accounts have been audited annually by the private firm, Deloitte, as well as being submitted on a monthly basis in the Board’s report.
b) MARFEEL’s Revenue
MARFEEL’s revenue comes from its analytics and monetization platform which works on a subscription basis. Publishers pay a recurring monthly or annual fee based on:
(i) Number of page views / traffic tier; and/or
(ii) Feature sets or modules activated (e.g., Amplify, Copilot, Monitoring, Experiences & Recommender)
The Company does not receive subsidies of any kind.
c) Company’s methods of payment
Marfeel typically receives client payments via bank transfer, which is the standard method. However, alternative options such as credit card payments are also supported through secure platforms including Stripe and Payoneer.
For payments made to Marfeel’s service providers, the preferred methods are bank transfer and credit card. In limited cases, PayPal may also be used when necessary.
d) Tax settlement
MARFEEL has an external agency entrusted with the settlement of taxes, which, in any case, is overseen by the Company.
e) Accounting and budgeting
The company´s accounting is carried out externally, by a consultancy firm, which sends MARFEEL the balance sheets. MARFEEL then reports this information to its shareholders.
The Company’s budgets are drawn up and approved internally.
f) Invoicing and traceability
The Financial Department is responsible for managing MARFEEL’s invoicing, which is carried out in an automated manner and must be subsequently supervised.
Through a technological platform, the automatic system enables clients to view the data on the number of clicks that their ads receive, as well as the advertising that is hosted on their website, along with other information. They can also download their invoices or modify the bank account. The bank account can only be modified by the client, by the co-founders of the Company, by the system architect or by the Finance Department.
1.5.2. Decision-making process
The company’s business processes differ from one department to another. In the financial department, business processes are strictly documented. In the rest of the departments, the technical and business processes are documented in a platform called Community. Marfeel maintains a centralized platform called Community, designed to facilitate transparency and access to business-related information across the organization and externally. This portal serves as a hub for multiple areas such as company product information, updates, policies, operational matters, employee queries, etc. Certain sections of the platform are publicly accessible, while others are restricted to internal use and available exclusively to Marfeel employees.
Furthermore, a team meeting is held every morning, called a “stand up”, after which the tasks are loaded into a software application called “Jira”.
Resolutions at a hierarchical level are passed by the Company´s General Meeting and the Board of Directors. Decisions at this level require a quorum and are documented. The founders and officers empowered by the Board perform functions of an executive nature. In addition, the C - Level meets once a week.
1.5.3. Information management and security process
Company employees are subject to the Information Systems Use Policy.
Furthermore, the Company has the necessary documentation for compliance with data protection regulations, with a Security Document, a Record of Activities and a book of best practices.
Furthermore, the Company has the necessary security protocols in place in the event of loss, theft or pilfering of the equipment.
1.5.4. Technological innovation process and confidentiality.
MARFEEL owns the brand “Marfeel” and it is registered in the US and EU.
There is no evidence from MARFEEL that employees or collaborators are using software or software fragments for which the owner has not obtained permission. Open-source software is used regularly in the Company.
In this regard, it is worth mentioning that MARFEEL, as a company developing technological innovation, has not protected its technology through mechanisms that provide MARFEEL with protection and reaction tools, such as the Intellectual Property Registry or notarial deposit or escrow.
1.5.5. HR management process.
At the beginning of the employment relationship, the employees sign a confidentiality agreement and sign the Rules for the Use of Information Systems, as well as the annexes related to the Protection of their Personal Data within the context of the employment relationship with the Company.
On the other hand, employees who began their employment relationship with the Company prior to the entry into force of Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016, have signed an Annex in respect of the protection of their personal data within the context of the employment relationship with the Company.
It is stated that MARFEEL has adopted a distribution of competences of the personnel that is documented both in the contract and in Personio, the platform used by the Company´s human resources department. Furthermore, it is confirmed that MARFEEL has adopted a policy to hire personnel on the basis of indefinite contracts, except in the case of interns.
Finally, it is hereby recorded that a Code of Conduct has been drawn up to serve as a guide to what constitutes ethical behaviour within working hours, and to provide employees with certainty about the behaviour expected by the Company.
1.5.6. Processes for procuring products and services.
The decision process for the procurement of products and services is the responsibility of a member of MARFEEL’s team and is in all cases supervised and verified by the Finance Department.
A contract is signed with all providers, which in the case of content providers includes a confidentiality clause. In addition, the Company signs the relevant clauses and agreements to regulate relations with suppliers that process personal data, such as data processors. In the case of international data transfers, compliance with the requirements established in the relevant regulations is verified.
1.5.7. Sales and marketing management process.
The process begins with lead acquisition through event marketing, manual prospecting, online advertising, and automated lead recycling. Once a publisher shows interest, Marfeel presents a demo, performs a technical evaluation, agrees on a business model, and signs a contract. The GoLive protocol then unfolds in structured phases: contract validation, discovery and inventory planning, foundations (initial product version review), ad operations (ad setup validation), implementation of custom features, optional extras, and final activation. At each stage, specific teams (Sales, Customer Success, Platform) are responsible for coordinating with the publisher to ensure expectations are met and the platform is tailored to their needs.
After activation, Marfeel conducts a follow-up to confirm publisher satisfaction and begins continuous engagement to support performance and retention. The process emphasizes clear communication, precise execution of technical and business requirements, and a strong focus on publisher satisfaction and long-term partnership.
1.6. Parties that could result in criminal liability of MARFEEL
In accordance with the provisions of Article 31 (ii) of the Penal Code, MARFEEL will be held criminally liable, for actions performed for direct or indirect benefit by (1) its legal representatives or those who have powers of organisation and control within it (2) those authorised to take decisions on behalf of MARFEEL (3) persons subject or subordinated to those described in point 1 and 2.
2. DELIMITATION OF CRIMES SUBJECT TO REVIEW
Not all crimes in the criminal code can be committed by legal persons; the legislator has included a fixed number of crimes that can be committed by legal persons.
In this analysis, MARFEEL’s criminal risk matrix is presented. In drafting it, the inherent risk of the industry and MARFEEL’s activity were taken as starting points. The objective of identifying these risks is not only to avoid the penal impact but also the reputational impact.
The operational areas in which MARFEEL is most exposed to criminal offences are:
*Contracting with clients and regulatory compliance.
*Transactions with third parties and money-laundering.
*Situations with possible conflicts of interest.
*Illegal distribution of content covered by intellectual property.
*Processing of data and confidential information.
*Obligations to the Inland Revenue and Social Security Agency.
In order to delimit and identify these risks, MARFEEL develops the aforementioned policies.
3. IDENTIFICATION OF RISKS AND CONTROL TOOLS.
3. 1. Whistleblowing Channel
In order to achieve an adequate implementation of the crime prevention programme, it is necessary to provide MARFEEL with a tool that can offer possible whistle-blowers a means of communicating the offences or crimes they detect. With this objective, MARFEEL has set up a Whistleblowing Channel through which it is possible to internally report irregularities and legal and regulatory breaches committed within the company or its scope of action.
The Whistleblowing Channel is managed by the Compliance Officer who is the recipient of complaints made regarding possible non-compliance through the Whistleblowing Channel, and will also be responsible for investigating, deliberating and, if the veracity of the complaint is verified, proposing a penalty to the Management.
The data provided to the whistleblowing channel are stored for a period of three months from the reporting thereof.
The whistleblowing channel does not accept anonymous complaints: the complainant must duly and sufficiently identify himself/herself. However, his/her confidentiality and protection against all types of retaliation are guaranteed without exception. Thus, the communication of a complaint guarantees the complainant that the sanctions system set forth in this procedure will not be applied to him/her in relation to the facts reported.
Any report received through the whistleblowing channel will be handled in such a way that all investigations and inquiries that are reasonably appropriate for the clarification of the facts will be carried out, provided that it is demonstrated that there are reasonable grounds to believe there has been possible inappropriate behaviour. Communications received through the whistleblowing channel must be sufficiently justified and substantiated.
All MARFEEL workers and personnel of contractors and third parties that have business or potential relationships of any kind with MARFEEL that observe or perceive an actual or potential breach of the rules described herein, of any law or legal regulation in force, or any other improper conduct, either by MARFEEL personnel or other persons related to MARFEEL, related to crimes, are bound to report it in a timely manner, through the whistleblowing channel indicated in this section and, subsequently, to collaborate in the investigation thereof.
3.2 Setting up of the Compliance Officer body.
In order to ensure adequate compliance with the Crime Prevention Programme, a Monitoring and Control Committee has been set up and is headed by a single-member body (Compliance Officer), who is the Chief Financial Officer (CFO).
The organisation presents the customary profit and loss account and therefore, as set forth in Article 31.3 (ii) of the Criminal Code, the supervision of the operation and compliance with the prevention model implemented must be entrusted to a body of the legal person with autonomous powers of initiative and control or which is legally entrusted with the function of overseeing the effectiveness of the legal person´s internal controls.
In the event that the CFO finds himself/herself in a situation of conflict of interest between his/her role within the Supervisory and Control Committee and his/her tasks within the company, he/she shall have a duty to disclose this in order for the necessary steps to be taken to ensure his/her independence.
The Compliance Officer has autonomy and independence in the day-to-day running of the company.
He/she works as a watchdog within MARFEEL, which covers the following areas:
-
Pre-infringement control: consisting of preventing the commission of infringements.
-
Post-infringement monitoring: this consists of detecting any infringements that have occurred.
-
The Compliance Officer may propose sanctions in the event of the commission of irregularities within the organisation, which must, in all cases, be confirmed by the administrative body.
4.3. Disciplinary regime
A fundamental aspect in the success of the present Crime Prevention Programme is the disciplinary sanctions system put in place by MARFEEL for possible breaches of the prevention model. As previously mentioned, the body in charge of proposing the sanctions will be the CRIME COMMITTEE, without prejudice to the fact that the Management will have the final word on implementing the sanction.
The disciplinary sanctions system shall be determined by the provisions of labour law and, in particular, by the Workers’ Statute and any applicable collective agreements. In no case shall disciplinary regimes be imposed that are contrary to employment law.
The sanctions that may be imposed in respect of employees are without prejudice to the fact that illegal conduct may be referred to the competent courts when the offence committed may constitute a criminal offence or misdemeanour.
4.4. Communication and Dissemination.
For the Crime Prevention programme to be effective, it is of the utmost importance that it is accessible to all MARFEEL members and can be understood by them. In order to promote the dissemination of the programme, the company’s policies have been included on the Intranet, announcing the existence of an ethics channel and the responsible party to report to or Compliance Officer.
4.5 Periodic reviews and updating of the procedure.
In accordance with Article 31 (ii) 5.6, and in response to the changing reality of MARFEEL and its environment, regular reviews and updates of the Crime Prevention Programme shall be carried out to ensure its effectiveness at all times. Accordingly, this document constitutes the third version of the Compliance Programme, which was initially drawn up in October 2016 and later updated in September 2020.