1. Purpose
This policy is designed to protect individuals who report privacy violations, data breaches, security concerns, or compliance issues in good faith. MayDay-IC is committed to maintaining the highest standards of ethical conduct, regulatory compliance, and data protection. We encourage all individuals to come forward with concerns without fear of retaliation or adverse consequences.
We recognize that individuals who report wrongdoing play a vital role in maintaining the integrity and security of our platform, protecting patient data, and ensuring compliance with applicable laws including HIPAA, state privacy laws, and other regulatory frameworks.
2. Scope
This policy applies to all individuals who discover or suspect a violation of law, regulation, or company policy in connection with MayDay-IC, including but not limited to:
- Employees of Blue Beard Solutions Inc., whether full-time, part-time, or temporary
- Contractors and consultants engaged by MayDay-IC
- Users of the MayDay-IC platform, including emergency responders, incident commanders, and administrative personnel
- Business Associates as defined under HIPAA, including service providers and subprocessors
- Any person who discovers or suspects a violation, including members of the public
This policy covers reports made internally through company channels as well as reports made to external regulatory agencies or law enforcement authorities.
3. Protected Activities
Individuals are protected when they report, in good faith, any of the following activities or concerns:
- Privacy violations — unauthorized collection, use, or disclosure of personal information in violation of our Privacy Policy or applicable privacy laws
- Data breaches — suspected or confirmed unauthorized access to, acquisition of, or disclosure of protected data
- HIPAA violations — any breach of the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule, including unauthorized access to Protected Health Information (PHI)
- Security vulnerabilities — technical weaknesses, misconfigurations, or design flaws that could compromise the security or integrity of the platform
- Fraud — financial fraud, billing fraud, grant fraud, or any other fraudulent activity conducted through or in connection with the platform
- Misuse of PHI — accessing, viewing, copying, or sharing patient health information without a legitimate purpose or authorization
- Unauthorized data access — accessing incident data, user accounts, or system resources without proper authorization or beyond the scope of assigned duties
- Non-compliance with policies — violations of MayDay-IC's Terms of Service, Acceptable Use Policy, Data Processing Agreement, or any other published company policies
- Regulatory non-compliance — failure to comply with applicable federal, state, or local laws and regulations
- Retaliation — adverse actions taken against any individual for making a protected report
4. How to Report
MayDay-IC provides multiple channels for reporting concerns. You may use whichever channel you are most comfortable with:
Email Reporting
Send a detailed report to info@maydayic.com. Include as much relevant information as possible, including dates, individuals involved, and any supporting documentation.
Anonymous Reporting
If you prefer to remain anonymous, you may submit a report to info@maydayic.com. We accept and investigate anonymous reports. While anonymity may limit our ability to follow up or provide updates, we will investigate all credible reports regardless of whether the reporter is identified.
In-App Security Reporting
The MayDay-IC application includes a built-in security reporting feature. Use this feature to report concerns directly from within the platform. Reports submitted through the app are encrypted in transit and at rest.
When submitting a report, please include as much of the following information as possible:
- A description of the suspected violation or concern
- The date(s) and time(s) of the incident(s)
- The individuals or systems involved
- Any evidence or documentation supporting the report
- Your contact information (unless reporting anonymously)
5. Confidentiality
MayDay-IC takes the confidentiality of whistleblower reports extremely seriously:
- Reporter identity protected: The identity of the reporter will be protected to the maximum extent permitted by law. We will not disclose the reporter's identity without their consent unless required by law or necessary to conduct the investigation.
- Designated compliance officer: Reports are investigated by the designated Compliance Officer and, where necessary, by qualified legal counsel. Access to report details is restricted on a strict need-to-know basis.
- Need-to-know basis: Information related to the report is shared only with those individuals who need to know in order to conduct a thorough investigation and implement appropriate remediation.
- Secure handling: All reports and related documentation are stored securely with access controls, encryption, and audit logging.
If a report involves a concern about the Compliance Officer, the report will be escalated to executive leadership or outside legal counsel to ensure an impartial investigation.
6. Non-Retaliation
MayDay-IC strictly prohibits retaliation against any individual who makes a good-faith report under this policy. No adverse action will be taken against any person for reporting a concern in good faith, regardless of whether the investigation ultimately substantiates the concern.
Federal Protections
Reporters are protected under multiple federal whistleblower statutes, including:
- Sarbanes-Oxley Act (SOX) Section 806: Protects employees of publicly traded companies and their subsidiaries from retaliation for reporting securities fraud, mail fraud, wire fraud, or violations of SEC rules
- Dodd-Frank Wall Street Reform Act Section 922: Provides enhanced whistleblower protections and financial incentives for reporting violations of securities laws
- HIPAA Anti-Retaliation Provisions (45 CFR 164.530(g)): Prohibits covered entities and business associates from intimidating, threatening, coercing, discriminating against, or retaliating against any individual who files a HIPAA complaint, participates in an investigation, or opposes any act made unlawful by HIPAA
State Protections
In addition to federal protections, reporters may be protected under state whistleblower protection laws, which vary by jurisdiction. Many states provide additional protections for employees who report violations of state privacy laws, healthcare regulations, or other statutory requirements.
Prohibited Retaliatory Actions
Retaliation includes, but is not limited to:
- Termination, suspension, demotion, or denial of promotion
- Reduction in hours, pay, or benefits
- Reassignment to less desirable duties or locations
- Harassment, intimidation, threats, or coercion
- Negative performance evaluations based on the act of reporting
- Exclusion from projects, meetings, or professional opportunities
- Restriction or revocation of platform access as a form of punishment
7. Investigation Process
All reports received under this policy will be investigated promptly and thoroughly according to the following timeline:
| Phase | Timeline | Description |
|---|---|---|
| Receipt Acknowledgment | Within 48 hours | The reporter (if identified) will receive confirmation that their report has been received and is being reviewed |
| Preliminary Assessment | Within 5 business days | The Compliance Officer will conduct an initial review to determine the nature, scope, and severity of the reported concern |
| Full Investigation | Within 30 days | A thorough investigation will be conducted, including interviews, document review, system log analysis, and any other necessary steps |
| Findings & Remediation | Upon completion | Investigation findings and any remediation actions will be communicated to the reporter (unless anonymous) and relevant stakeholders |
Investigations may take longer than 30 days in complex cases. If additional time is needed, the reporter will be notified of the expected timeline. All investigations will be conducted in an impartial and objective manner.
8. Retaliation Remedies
If retaliation occurs against a good-faith reporter, the following remedies are available:
Internal Remedies
- Disciplinary action against the retaliator, up to and including termination of employment or contract
- Reversal of any adverse actions taken against the reporter
- Restoration of position, benefits, and compensation
- Additional protective measures as appropriate
External Remedies
- OSHA Complaint: File a complaint with the Occupational Safety and Health Administration under applicable whistleblower protection statutes
- State Attorney General: File a complaint with the appropriate state Attorney General's office
- HHS Office for Civil Rights: File a HIPAA retaliation complaint with the Department of Health and Human Services
- Private Action: Pursue private legal action for damages and equitable relief under applicable federal and state laws
- SEC Whistleblower Program: For securities-related concerns, file a tip with the SEC and potentially receive financial awards
9. Good Faith Requirement
The protections provided by this policy apply to reports made in good faith. A good-faith report is one where the reporter genuinely and reasonably believes that a violation has occurred, is occurring, or is about to occur, based on the information available to them at the time of the report.
Good faith does not require that the report ultimately be substantiated. Reporters are protected even if the investigation determines that no violation occurred, provided the report was made honestly and without malicious intent.
This policy does not protect individuals who:
- Make knowingly false or fabricated allegations with the intent to harm another person or disrupt operations
- File reports in bad faith for personal gain or competitive advantage
- Use the reporting process to harass or intimidate others
Knowingly false reports may result in disciplinary action against the individual who filed the false report.
10. Record Retention
All whistleblower reports, investigation records, findings, and related documentation will be retained for a minimum of six (6) years in accordance with our compliance requirements and applicable regulations. This retention period applies to:
- The original report and any supplementary information provided by the reporter
- Investigation notes, interview records, and evidence gathered
- Findings, conclusions, and recommendations
- Remediation actions taken
- Communications with the reporter (where applicable)
- Any related disciplinary actions
Records are stored securely with access restricted to authorized compliance and legal personnel. After the retention period, records will be securely destroyed in accordance with our Data Retention Schedule.
11. Regulatory References
This policy has been developed in accordance with the following regulatory frameworks:
| Regulation | Provision | Description |
|---|---|---|
| HIPAA | 45 CFR 164.530(g) | Prohibits retaliation against individuals who file complaints, participate in investigations, or oppose acts made unlawful by HIPAA |
| Sarbanes-Oxley Act | Section 806 | Whistleblower protection for employees of publicly traded companies who report fraud |
| Dodd-Frank Act | Section 922 | Enhanced whistleblower protections and SEC whistleblower award program |
| EU Whistleblower Directive | Directive 2019/1937 | Establishes minimum standards for whistleblower protection across EU member states, including internal reporting channels, confidentiality requirements, and prohibition of retaliation |
In the event of any conflict between this policy and applicable law, the provisions providing the greatest protection to the reporter shall prevail.
12. Contact
To report a concern or for questions about this policy, please contact us:
Email: info@maydayic.com
For anonymous reports:
Email: info@maydayic.com
Blue Beard Solutions Inc.
Compliance Officer