Compliance at Greenstep

The parent company of the Greenstep Group is the privately owned Greenstep Oy, headquartered in Espoo, Finland. Greenstep operates through group entities in multiple countries. Information on Greenstep’s legal entities and contact details is available here.

Greenstep’s operations are guided by its values, and in compliance activities developing ourselves, and our collective knowledge plays an important role. Greenstep’s company values are available here.

Greenstep’s mission is to support organisations in their growth by providing high-quality services that help them reach their full potential. Guided by strong values, teamwork, and a commitment to sustainability, Greenstep seeks to create positive impact for clients, colleagues, and the wider community. The Code of Conduct reflects these values and defines how trust, respect, professionalism, and quality are upheld in everyday work and communication. In particular, the Compliance and Commitment to Quality sections play an especially important role.  

Greenstep’s Code of Conduct is available here.

Sustainability is a central element of how Greenstep operates and delivers its services. It guides our internal ways of working and how we support our clients in building sustainable and responsible businesses. Greenstep has published its sustainability reports for several years, most recently in 2025. Learn more about our sustainability work here.

Greenstep’s client relationships are governed by clear and well‑defined contractual principles that support transparent and reliable cooperation. Our services are primarily delivered under Greenstep’s general contract terms, which set out the main rights, responsibilities, and practices applicable to most client engagements. 

For software products and SaaS solutions, we apply dedicated software‑specific terms that complement the general terms and address matters such as product use, responsibilities, service scope, and related requirements.

Certain software‑specific terms are available via the links below. For other applicable terms, please contact your contact person at Greenstep.

• BI Book – Terms of Service
• Bezala – Terms of Service

Greenstep’s legal obligation and commitment to responsible business 

Greenstep operates within applicable anti‑money laundering (AML) and sanctions frameworks in the countries and contexts where such requirements apply to our operations. These laws form an important part of responsible business conduct and aim to prevent money laundering, terrorist financing, and dealings with sanctioned individuals or entities.

Where required by law, Greenstep carries out customer due diligence (CDD), including know‑your‑customer (KYC) measures, as part of providing our services. These requirements support transparency, legal compliance, and the responsible delivery of our professional services.

In accordance with applicable laws, Greenstep entities are registered with local authorities’ money laundering monitoring registries where required. We fulfil all registration, reporting, and supervision obligations relevant to our activities.

Why customer due diligence is required 

AML legislation requires companies to understand with whom they are doing business. In line with this, Greenstep seeks to identify and verify its clients and, where applicable, their ownership and control structures.

Customer due diligence and KYC processes help us assess and manage financial‑crime‑related risks and support the lawful establishment and continuation of client relationships.

How we comply with AML and sanctions regulations 

Greenstep applies a risk‑based approach in accordance with applicable AML and sanctions regulations. This means that the scope and depth of CDD and KYC measures depend on the nature of the client relationship, the services provided, and the associated risk level.

For clients, this approach ensures that information requests and screening measures are proportionate, relevant to the engagement, and typically conducted at the beginning of the client relationship. Where required by law or risk considerations, information may be updated during the course of the engagement.

What CDD and KYC measures include 

To comply with AML legislation, our CDD and KYC measures may include: 

• Verification of client identity 

• Identification and assessment of beneficial owners and control structures 

• Sanctions and restricted‑party screening 

• Ongoing monitoring of client relationships and transactions where required

When and where these requirements apply 

Greenstep follows AML and sanctions legislation, as well as guidance issued by relevant authorities, in countries where we operate. Legal requirements may vary between jurisdictions, and clients and partners are encouraged to consult local authorities for detailed regulatory guidance, if needed.

Relevant authorities include: 

• Finland – Finnish Supervisory Agency 

• Sweden –  Penningtvättsbrott | Ekobrottsmyndigheten 

• Norway – Money laundering and financing of terrorism – Finanstilsynet.no 

• Estonia – Prevention of money laundering in general | FSA 

Greenstep collaborates only with pre-approved vendors who share our commitment to quality, sustainability, and information security.

• All vendors are approved before collaboration begins and operate under a signed written agreement. 

• Vendors must comply with all applicable laws and regulations and must not be listed on any sanctions lists. 

• Vendor selection is based on business value, reliability, security practices, and alignment with Greenstep’s values. 

• Information security, data protection and data governance are key priorities for us, in line with ISO/IEC 27001, NIS2, GDPR and AI/Data Act requirements. 

• As a general rule, personal data must be processed within the European Union (EU)/ European Economic Area (EEA). Transfers outside the EU/EEA are permitted only in exceptional cases and subject to GDPR‑approved safeguards.  

• Software, SaaS, and cloud service providers are subject to enhanced security requirements, including transparency regarding data locations and subprocessors. 

• Vendor performance and compliance are reviewed regularly, and audits may be conducted when agreed. 

• Vendors are expected to promptly report any security incidents or data breaches that may affect Greenstep, our clients, or our personnel.

By working with Greenstep, vendors commit to collaborating with us to maintain high standards of information security and service quality and responsible protection of Greenstep’s and our clients’ information assets.

Greenstep Hub is a secure platform designed to simplify collaboration between Greenstep and our clients. It brings communication, file sharing, and automation together in one trusted environment – built with security and compliance at its core.

Greenstep Hub enables safe client communication and document sharing through a platform developed by Greenstep specifically for secure professional use.

Key features include: 

• Single Sign-On (SSO) enforced for all users 

• Strictly controlled and fully logged administrator access 

• ISO 27001-certified cloud service providers 

• Continuous data backups 

• Data stored within the EU/EEA

Greenstep promotes responsible business practices and an ethical way of working. We take all suspected illegal, unethical, or guideline breaking conduct seriously and encourage employees, partners, clients, vendors, and other stakeholders to raise concerns whenever misconduct is suspected.

As a primary option, concerns can be raised with a relevant contact person at Greenstep. If this is not possible or appropriate, reports may be submitted through our confidential whistleblowing reporting channel. Reports do not require conclusive evidence but must be made honestly and in good faith. Deliberately false reporting is not permitted.

Reports may be submitted with or without personal contact details. The reporting channel supports anonymous reporting and automatically removes metadata from attachments. Please avoid including unnecessary personal or sensitive information, as reports containing information prohibited by law may not be processed.

The whistleblowing service is operated by an external service provider, which is responsible for the service and the lawful processing of reports. After submitting a report, you will receive a unique token enabling continued anonymous communication. All reports are handled confidentially and investigated according to established procedures, with access limited to those involved in the investigation.

You may submit a report via the whistleblowing channel here.

Greenstep is committed to protecting personal data and respecting the privacy of individuals. Personal data is processed in accordance with applicable data protection legislation, including Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR), and other relevant national data protection laws.

Greenstep as a data controller 

Greenstep acts as a data controller when it determines the purposes and means of processing personal data, including processing related to its operations, service and business development, communications, and compliance obligations.

Each Greenstep legal entity acts primarily as a data controller on its own behalf and is mainly responsible for compliance with applicable data protection requirements.

Personal data is processed lawfully, fairly, and transparently in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR). Compliance risks are addressed through defined policies, controls, and processes that support responsible and transparent operations.

Greenstep as a data processor 

 In the context of the services it provides, Greenstep acts as a data processor on behalf of its clients. In this role, Greenstep processes personal data solely in accordance with the documented instructions of its clients, who act as the data controllers.

Greenstep processes personal data in compliance with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR), and in line with the data processing agreements (DPAs) in place with its clients.

Data security and confidentiality 

Whether acting as a data controller or a data processor, Greenstep implements appropriate technical and organizational measures to maintain a high level of data security. These measures are designed to safeguard confidentiality, integrity, and availability of personal data throughout the entire processing lifecycle and to ensure ongoing compliance with applicable data protection requirements.

Under maintenance

Greenstep’s designated Data Protection Officer (DPO) can be contacted by e-mail security@greenstep.com.

Greenstep has been ISO/IEC 27001 certified since 2023, demonstrating that our information security management practices meet  internationally recognized standards expected of professional consultancy and system-based services.

Information security is embedded in both our service delivery and the systems used to support our clients. This is reflected in key policies covering information security, access control, data protection and privacy, business continuity, vendor management, and confidentiality.

Our systems and service processes are designed to support secure and reliable operations. Information security risks are identified, assessed, and managed throughout the lifecycle of our services, internal systems, and client engagements.

Compliance with these policies is implemented through defined controls aligned with the ISO/IEC 27001:2022 framework and is independently audited on an annual basis. 

Greenstep ISO27001 Certificate

In addition, Greenstep follows the requirements of the NIS2 Directive (Directive (EU) 2022/2555), which aims to achieve a high common level of cybersecurity across the European Union. In practice, NIS2 for data and systems security plays a role similar to that of the General Data Protection Regulation (GDPR) for personal data protection. The NIS2 Directive has been transposed into local legislation in 2025, and Greenstep Oy is registered as an operator under NIS2.

What does this mean for our clients: 

• Reliable and secure delivery of consultancy and system supported services 

• Strong protection of client data and confidential information 

• Continuity and resilience of services, even in disruption scenarios 

• Compliance with recognized international standards and EU cybersecurity regulation 

• Increased transparency and trust in how information security risks are managed