Mahana Therapeutics, Inc., Mahana Therapeutics Ltd.
SOC 2 Criteria: CC1.1, CC1.4, CC1.5, CC2.2, CC5.3
Keywords: Ethical Behavior, Safety, Harassment, Disciplinary Action, Law Enforcement
Purpose and Scope of our Code
Legal and Regulatory Compliance
Workplace Conduct and Employment Practices
Respect for the Individual
Culture of Open & Honest Communication
Set Tone at all Management Levels
Conflicts of Interest
Accepting Business Courtesies
Personal Use of Mahana Resources
Health & Safety
Competitive Activities and Marketing Practices
Interactions with Health Care Professionals
Antitrust and Unfair Competition
Marketing and Advertising
Personal, Confidential and Business Information
Protecting Confidential Information
Information Security Principles
Data Privacy Principles
Intellectual Property Rights and Obligations
Accuracy, Retention and Disposal of Documents and Records
Code Compliance and Non-Retaliation Policy
This Code of Ethics and Conduct (“Code”) is built around our belief that everything we do will be measured against high standards of ethical business conduct. Our commitment to high standards helps us hire great people, develop great products, and build trust and credibility with the patient and professional communities whom we serve.
Who must follow the Code?
We expect all employees, officers and directors of Mahana Therapeutics, Inc., and its subsidiaries and affiliates (collectively, “Mahana”), as well as contractors and key consultants who provide services to Mahana, to know and follow the Code. Failure to do so can result in disciplinary action, up to and including termination of employment or termination of your relationship with Mahana.
What is the purpose of the Code?
As a Mahana team member, you’re expected to be honest, act ethically, and demonstrate integrity in all situations. You have a duty to follow policies and procedures found in this Code of Conduct, as well as those that are specific to your job. You must also comply with all laws, rules and regulations that apply to our business, and specifically to your specific roles. No Code or policy/procedure library can address every regulation, expectation or ethical situation in which employees may find themselves. Most of the time, common sense and good judgment provide excellent guideposts. If you’re unsure about the right thing to do, ask someone on the management, Legal team (email@example.com) or the Mahana Compliance Officer (firstname.lastname@example.org).
Before you act, ask yourself:
Is this the right thing to do? Is it legal?
Do I have the authority to act?
Does the action comply with our Code and policies and procedures? If this action became public, how would it look in the news media?
Would I be upset or embarrassed if other people found out about this action?
Is it consistent with Mahana’s values and commitments to its associated communities? Is it what I’d expect of a digital health company if I were a customer or user?
If your answer to any of these questions raises doubts, talk with your supervisor, anyone in management or the Legal team, or the Mahana Compliance Officer.
Managers are expected to:
Lead with integrity.
Encourage your team members to ask questions and to act ethically.
Demonstrate integrity by acting promptly and effectively when necessary.
Who to ask about the Code?
If you have a question or concern about this Code, be proactive and contact your manager. You can also submit a question or raise a concern regarding a suspected violation of our Code (or any other Mahana policy) to Legal (Legal@Mahana.com), the Compliance Officer (Compliance@Mahana.com), Privacy (Privacy@Mahana.com), Security (Security@Mahana.com), Finance (Finance@Mahana.com) or Human Resources (HR@Mahana.com). If you wish to report anonymously, you may do so by submitting your report here and it will be reviewed by an outside firm.
Our operations in support of the digital health products and services that we provide are regulated by US state and federal regulations, as well as international laws. To address the complex legal and regulatory framework in which we operate, we have developed policies and procedures to address applicable requirements, however it is impractical to create documentation encompassing the full body of applicable laws, standards, guidance and regulations. There is a range of expertise within the organization, including the Legal/Privacy, HR and Regulatory teams and numerous functional experts, who should be consulted for advice concerning employment law, legal, health care compliance and regulatory standards and requirements.
Anyone aware of violations or suspected violations of laws, regulations, standards or company policies/procedures or contractual obligations must report them immediately to a supervisor or member of management, HR, the General Counsel, Finance, or the Chief Information Security, Privacy or Compliance Officers (as applicable).
3.1 Respect for the Individual
We all deserve to work in an environment where we are treated with dignity and respect. Our organization is committed to creating such an environment. We expect that everyone in the organization with supervisory responsibility to exercise that responsibility in a manner that is kind, thoughtful and respectful, and that embraces Mahana’s values.
Mahana strictly prohibits unlawful discrimination or harassment on the basis of race, color, religion, veteran status, national origin, ancestry, pregnancy status, sex, gender identity or expression, age, marital status, mental or physical disability, medical condition, sexual orientation, or any other characteristics protected by law. We also make reasonable accommodations to meet our obligations under laws protecting the rights of the disabled.
Mahana strictly prohibits discrimination, harassment, and bullying in any form – verbal, physical, or visual. If you believe that you’ve been discriminated against, bullied or harassed, you should report the incident to your manager or to HR. Human Resources will promptly and thoroughly investigate any complaints and take appropriate action.
3.2 Culture of Open and Honest Communication
Everyone should feel comfortable to speak their minds, particularly with respect to ethics concerns. Managers have a responsibility to create an open and supportive environment where employees feel comfortable raising questions and concerns. We all benefit tremendously when employees exercise their power to prevent mistakes or wrongdoing by asking questions or expressing opinions.
Our company will investigate all reported instances of questionable or unethical behavior. In every instance where improper behavior is found to have occurred, Mahana management will take appropriate action. We will not tolerate retaliation against employees who raise genuine ethical or legal concerns in good faith.
3.3 Set Tone at all Management Levels
Management has the added responsibility to demonstrate, through their actions, the importance of this Code. In any organization, ethical behavior does not simply happen by chance; it is the product of clear and direct communication of behavioral expectations, modeled by all levels of management. Again, ultimately our decisions to act ethically are what really matter.
To make our Code work, managers must be responsible for promptly addressing ethical questions or concerns raised by employees and for taking the appropriate steps to deal with such issues. Managers should welcome employee questions and perspectives on what is the “right thing to do” in all aspects of our business. We want the ethics dialogue to become a natural part of everyday communications and decision-making.
3.4 Ineligible Persons
Mahana does not contract with or employ any individual or entity that is excluded or ineligible to participate in Federal health care programs or suspended or debarred from Federal government contracts. We are required to report to HR if we get notice that we have or may become excluded, debarred or ineligible to participate in Federal health care programs, which is grounds for immediate termination.
3.5 Conflicts of interest
A conflict of interest may occur if your outside activities, personal financial interests, or other private interests interfere with your ability to make objective decisions in the course of your role.
Here is list of areas where conflicts of interest often arise:
External job opportunities or personal investments (e.g. with competitors, customers or vendors)
Outside employment, advisory roles, and board seats
Personal business opportunities found through your work at Mahana
Inventions or work product for sale influenced by your work at Mahana or created using Mahana resources or business information
Business opportunities involving friends and relatives
Acceptance of gifts, entertainment, and other business courtesies
Hiring friends or family members for your team or using your influence to get them hired by other teams
As Mahana employees, we should avoid conflicts of interest and circumstances that reasonably present the appearance of a conflict of interest, especially if it would create an incentive for you or present the appearance of an incentive for you, (whether directly or indirectly). As a general rule, to avoid an inappropriate conflict, you should immediately disclose it to your manager and HR as soon as you become aware. In some cases, initiating an arrangement where you have a conflict may be appropriate if it is approved by the Head of your Department and HR. For example, it is never appropriate to hire a family member for your own team, but you can refer family members for other roles as long as that relationship is disclosed up front to HR and you don’t participate in the hiring process.
If you are unsure if there is a conflict of interest, contact the Compliance Officer or Legal team to discuss.
3.6 Accepting Business Courtesies
Most business courtesies offered to us in the course of our employment are offered because of our positions at our company. Although we may not use our position to obtain business courtesies, and we must never ask for them, we may accept unsolicited business courtesies that promote successful working relationships and good will with the existing vendors.
Employees who award contracts or who can influence the allocation of business, who create specifications that result in the placement of business or who participate in negotiation of contracts must be particularly careful to avoid actions that create the appearance of favoritism or that may adversely affect the organization’s reputation for impartiality and fair dealing. The prudent course is to refuse a courtesy from a supplier when our organization is involved in choosing or reconfirming a supplier or under circumstances that would create an impression that offering courtesies is the way to obtain our organization’s business.
3.7 Personal Use of Mahana Computers and other Assets
Occasional personal use of company computers or other assets is permissible if it does not affect job performance or cause a disruption to the workplace. To protect the interests of Mahana’s network and employees, IT and Security can monitor and review all data and information contained on an employee’s work computer or other Mahana-issued device, and the use of company email, Internet and other enterprise applications/systems. We will not tolerate the use of our resources to create, access, store, print, solicit or send any materials that are harassing, threatening, sexually explicit or otherwise offensive or inappropriate.
3.8 Health and Safety
Drugs and alcohol
Substance abuse during work is incompatible with the health and safety of our employees, and we don’t permit it. Consumption of alcohol is allowed at Mahana events on special occasions, but we ask everyone to use good judgment and never drink in a way that: (i) leads to impaired performance or inappropriate behavior, (ii) endangers the safety of others, or (iii) violates the law. Illegal drugs at work-related events are strictly prohibited.
Mahana operates in a highly regulated and competitive environment. Our competitive activities must conform to the high standards of integrity and fairness reflected in this Code. We are required to comply with antitrust, anti-corruption and other laws governing competitive activities, and with our policies governing interactions with competitors, customers, health care providers, payers and suppliers.
4.1 Interactions with Health Care Providers
Mahana works with health care providers (HCPs) who can prescribe, order, recommend or refer our digital health products and services, to develop and improve products, conduct research, and educate HCPs and patients on health issues and applicability of our products. However, state, federal and country laws and regulations govern the relationship between health product manufacturers and HCPs who may refer patients to our products. The applicable US federal laws include the Anti-Kickback Statute and False Claims Act. In other jurisdictions, manufacturers’ relationships with HCPs are regulated by a combination of industry codes, legal regulations (e.g., the US Foreign Corrupt Practices Act, national anti-kickback regulations) and national health service guidance. With respect to our interactions with customers, in the U.S. Mahana follows the AdvaMed Code of Ethics and in the UK, the ABHI Code of Ethical Business Practice.
Relationships with HCPs must be both properly structured and diligently administered in order to ensure compliance with regulations and internal policies. In nearly all cases, arrangements with HCPs must be submitted to Legal to develop a written contract with financial terms pre-approved by the Compliance Officer (including ensuring rates are consistent with fair market value). You are responsible for ensuring that an active contract is in place with an HCP for the proposed services before committing to any financial terms or initiating any consulting or advisory services. Once the contract is fully executed, it is your responsibility to ensure that all services that you ask the HCP consultant to perform are legitimate, all associated expenses modest, and all fees submitted for payment accurately reflect the time and value of the services provided.
When scheduling product education or marketing events for HCP attendees, you must ensure that the focus of the event is the exchange of medical information and product education, does not include entertainment (at least none sponsored by Mahana), and that any hospitality provided is modest, conforms with Mahana spend limits, and is subordinate to the educational focus of the event.
Most countries prohibit manufacturers from giving HCPs anything other than product marketing materials, educational items and nominal items related to patient care. You may never provide gifts, tokens of appreciation, or business courtesies to any HCP, family member, or office staff as a reward or favor for their business.
Key principles that govern our interactions with HCPs:
You may never offer any HCP, or those who may influence an HCP (e.g. a family member or office staff), anything of value to reward past prescriptions, recommendations or referrals or to induce future prescriptions, recommendations or referrals of Mahana digital health products or services
You may not offer any HCP hospitality (e.g. food, drinks) except as a courtesy during symposia or Mahana product information events, business discussions, or while the HCP provides consulting services
Most relationships with HCPs must be reflected in a written agreement executed before any event or services begin. Contact Legal well in advance of any planned activities to ensure compliance
4.2 Antitrust and Unfair Competition
Mahana has strict restrictions on communication with competitors. Generally, we are not to discuss with competitors topics including: agreements to control or stabilize prices or terms and conditions of sale (“price fixing”); non-public present or future pricing; allocating territories or customers between competitors; boycotting customers, suppliers or vendors; agreeing on levels of production; conspiring to exclude other competitors from the market; or discussing other confidential business information (e.g., R&D, sales or marketing plans, or product development strategies). You may work with competitors as part of industry organizations on other topics, such as payer reimbursement, legal compliance updates, market trends (based on public data), government lobbying and changes in legislation.
4.3 Marketing and Advertising
Consistent with laws and regulations that may govern such activities, we may use marketing and advertising activities to educate the public, provide information to the community, increase awareness of our services, provide instructions on operational aspects of our products and services, and to recruit colleagues. All information presented will be truthful, balanced, non-misleading, and supported by credible evidence. Contact Regulatory for more information on Mahana’s Marketing Materials Review process.
While it is permissible to compare and contrast our products, services and prices, it is against Mahana policy to intentionally disparage our competitors based on information that is uncorroborated or inaccurate, or to intentionally interfere with another business’s contractual and commercial relationships through wrongful means. For example, in some cases a head-to-head trial is required in order to make superior efficacy claims. We will strive at all times to compete using fair, non-deceptive practices that honors the high quality of our products and services.
4.4 Global Anti-Corruption
It is Mahana’s policy to comply with all anti-corruption laws that apply to our operations, including the US Foreign Corruption Practices Act (FCPA) and the UK Bribery Act. Our policies set forth standards and “red flags” signaling potential corruption issues in business dealings with foreign government officials, and prohibits all employees, contractors, vendors and suppliers from giving, offering or authorizing the provision of anything of value to, or for the benefit of, a foreign official, in order to retain or secure business or beneficial government treatment, except as specifically permitted by local law. In our area, many of the health care providers, health funds, research institutions and medical advisory boards are government funded, and as such their employees and representatives may qualify as Foreign Officials under the FCPA. Thus, before offering or providing anything of value to any individual who may be an official, employee or representative of a foreign government, or of a state-owned or controlled entity, please contact the Compliance Officer (Compliance@Mahana.com).
5.1 Protecting Confidential Information
Throughout its lifecycle, all nonpublic information that is processed, transmitted, and/ or stored by Mahana must be protected in a manner that is consistent with our contractual and legal requirements and reasonable and appropriate for the level of sensitivity, value, and risk associated with Nonpublic information. Information that contains data elements from multiple classifications must be protected at the highest level of information represented. For example, a document that contains both Nonpublic and Public information must be treated as Nonpublic information. Nonpublic information must be secured against disclosure, modification, and access by unauthorized individuals. Therefore, the information must be:
Secured at rest;
Secured in transit; and
Securely destroyed in accordance with record retention policies and procedures.
At Mahana, we process different types of confidential (or Nonpublic) data. These include sensitive data (like user, patient and employee health, insurance or financial data), highly confidential data (like unpublished inventions, early product development strategies, clinical trial preliminary results, pharma collaboration terms in negotiation, and merger details) and confidential data (like unpublished revenue or pre-product launch details). On the other hand, you can share public information (any confidential information that Mahana intentionally made public). For example, you can discuss information from a company press release or patient story from a Mahana webinar with your family, friends and vendors as long as you share only what was shared in the release or by the presenter.
The following sections summarize security and privacy principles that are key to protecting sensitive and confidential information, and we are all responsible for understanding the applicable data protection policies and procedures that apply to how we handle information in each of our roles.
5.2 Information Security Principles
You are responsible for using Mahana’s computer, security and network resources properly – especially with regard to information security – and you need to be thoroughly familiar with Mahana’s Information Security policies and procedures (available on Drata).
These steps can go a long way in preventing unauthorized access:
Never share your login information.
Lock your workstation when you step away.
Log off your workstation when you leave for the day.
Clear your workstation, waste can, printers and fax machines of sensitive information, such as PII or company-sensitive information. Ideally all company work product should be in electronic format and stored in the appropriate Mahana enterprise application.
Protecting Mahana’s Assets
Mahana gives us the tools and equipment that we need to do our jobs effectively but counts on us to be responsible and not wasteful. Uncertain whether personal use of company assets is okay? Ask your manager and IT.
Mahana’s network, software, and computing hardware are a critical aspect of our company’s physical property and intellectual property. Follow all security policies diligently. If you have any reason to believe that our network security has been violated – for example, you lose your laptop or think that your network password may have been compromised – promptly report the incident to IT via JIRA, Slack, email or telephone.
Bad actors may steal company assets. Always secure your laptop, important equipment, and your personal belongings, even while at company events. Don’t keep a written log of your company passwords (e.g. post-its or binders). Promptly report any suspicious activity to your manager.
5.3 Data Privacy Principles
The protection and responsible use of personal data (any information related to an identified or identifiable person) is reflected in our daily operations. We see data as a valuable element for developing and delivering innovative treatments for patients, and as a driver for business excellence. As such, we strive to earn the trust of our research subjects and digital application users and interested patients who provide that data. We are committed to collecting and using data in a lawful, fair, legitimate and ethical way, and will always respect the privacy of individuals in order to earn and deserve their trust.
Any personal data must be collected and processed in compliance with applicable data privacy laws (e.g. EU/UK General Data Protection Regulation (GDPR), US Health Insurance Portability and Accountability Act (HIPAA) and US state privacy laws, including California Medical Information Act and Consumer Privacy Act as modified by the CPRA). Mahana employees, contractors and vendors with access to such personal data are expected to apply the privacy principles of lawful, fair and transparent data processing, respecting any purpose limitations, as well as the principles of data minimization, accuracy, retention and deletion timelines, integrity and confidentiality. Mahana will provide all data subjects with at least the following rights: access (can request electronic copy of their data), correction, deletion of data that Mahana doesn’t have a legal obligation or reason to retain, and notice of our privacy practices.
Mahana applies additional appropriate governance and safeguard measures to protect personal data. The Chief Privacy Officer coordinates a global network with subject matter experts. We are all expected to:
Collect, use and store data in compliance with applicable laws, privacy and security principles, and Mahana’s commitments
Respect individuals’ privacy at all times
Never allow third party access to or change how personal data is processed, or re-identify or attempt to re-identify anonymized data, without pre-approval by our Chief Information Security and Privacy Officers (e.g., data privacy impact assessment process)
Carefully select the third parties we’re trusting to process or access personal data, and ensure that they’ve completed the vendor security assessment process and Legal is aware of their role with personal data as part of the contract negotiation process
5.4 Intellectual Property Rights and Obligations
Any work of authorship, invention or other creation created by an employee during the course of their employment is considered the intellectual property of Mahana. Our intellectual property rights (e.g. patents, trademarks, copyrights, trade secrets, and “know-how”) are valuable assets. Unauthorized use can lead to their loss or serious loss of value. You must comply with all intellectual property laws, including laws governing the fair use of copyrights and trademarks. You must never use Mahana know-how, trademarks or other protected information or property for any business or commercial venture without pre-clearance from the Marketing team. Report any suspected misuse of trademarks or other Mahana intellectual property to the Legal team.
Likewise, respect the intellectual property rights of others. Inappropriate use of others’ intellectual property may expose Mahana and you to criminal and civil fines and penalties. Seek advice from the Legal team before you solicit, accept, or use proprietary information from individuals outside the company or allow them to obtain access to Mahana proprietary information. You should also check with the Legal team if developing a product feature that uses content not belonging to Mahana, i.e. before you sign a license or SaaS agreement on behalf of Mahana.
5.5 Accuracy, Retention and Disposal of Documents and Records
We all are responsible for the integrity and accuracy of our company’s documents and records, not only to comply with regulatory and legal requirements, but also to ensure records are available to support our business. No one may alter or falsify information on any record or document. Records must never be destroyed in contradiction of our retention policies in an effort to avoid discovery for a government investigation or civil legal matter.
We have established and maintain a high standard of accuracy and completeness in documenting, maintaining, and reporting financial information. Our books and records are maintained consistent with applicable legal requirements, which in reasonable detail accurately and fairly reflect our transactions and dispositions of assets. Finance maintains a system of internal controls designed to provide reasonable assurance that all transactions are executed in accordance with management’s authorization and are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles (GAAP). Our consolidated financial statements are certified by our officers as fairly presenting in all material respects our financial condition, results of operations and cash flows in accordance with applicable rules and regulations.
It’s important that we also keep records for an appropriate length of time. Mahana’s Records Retention Procedure suggests minimum record retention periods for certain types of records. These guidelines help keep in mind applicable legal requirements, accounting rules, and other external requirements. Contractual obligations may sometimes specify longer retention periods for certain types of records. In addition, if you are asked by the Legal team to retain records relevant to a litigation, audit, or investigation, do so until Legal tells you that retention is no longer necessary. If you have any questions regarding the correct length of time to retain a record, contact the Compliance Officer or Legal teams.
We are all expected to comply with this Code, and to report any violations or concerns to our managers, HR, Legal or Compliance. All credible reports will be investigated, and Mahana prohibits retaliation against anyone who reports in good faith, or participates in an investigation of, a possible violation of our Code, our policies, or the law. Please contact HR or a member of senior management if you believe that you are the subject of retaliation within Mahana.
Any exception to this Code must be approved by the Compliance Officer in writing and any employee or contractor who violates this Code may be subject to disciplinary action, up to and including termination of employment or contract, in addition to any civil and criminal liability.