Ethics and Compliance
Leading with Integrity
Our business depends on maintaining high standards of professional ethics among our team members and remaining compliant with all relevant laws and regulations. The Novanta Leadership Team strives to promote business practices and operating procedures that can withstand the highest levels of scrutiny. Novanta’s independent Internal Audit function monitors and assesses the Company’s practices and reports directly to the Audit Committee of our Board of Directors. We also conduct risk assessments annually and modify any policies or controls as needed.
Ethical decision-making requires an understanding of personal and company values and principles, coupled with good personal judgment. We expect all Novanta team members—from the Board of Directors and the Novanta Leadership Team to all employees—to understand and embrace our Novanta Values. We are committed to these principles in everything we do, so our activities reflect positively on our stockholders, our marketplace, our community, and ourselves.
Code of Ethics & Business Conduct
The Novanta Code of Ethics & Business Conduct (the “Code of Conduct”) identifies the ethics, values, and principles that guide our business relationships. We are dedicated to doing business with a strong sense of ethics, honesty, and integrity. The Code of Conduct was written by management and approved by the Board of Directors. The Code of Conduct provides guidelines on relationships between employees and internal and external stakeholders, conflicts of interest, anti-corruption, protection of assets, and more. All employees and directors are responsible for upholding the Code of Conduct, which is translated into seven languages besides English.
Anti-bribery and Anti-corruption
Under our Anti-Bribery and Anti-Corruption (ABAC) Policy, Novanta conducts an annual risk assessment and screening of customers, suppliers, distributors, and resellers to identify and replace any third parties that may have violated anti-corruption or anti-bribery laws in recent years and do not have the necessary controls and procedures in place to prevent and prohibit bribery and corruption behaviors. If a third party is identified as high risk based on an adverse data search, further due diligence is conducted, and the business relationship is reviewed by the Chief Financial Officer, the General Counsel, or the Chief Accounting Officer. Proper safeguards are put in place to protect our business if it is deemed acceptable to continue doing business with the third party.
New and existing employees are required to regularly pass training courses on ethics, anti-bribery and anti-corruption, harassment, and data privacy policies. Additionally, all employees are required to annually certify that they understand and uphold the Code of Conduct, anti-bribery and anti-corruption, and harassment policies.
Confidential Reporting of Suspected Violations
As an alternative channel of communication for anyone who does not wish to report directly to a manager, business unit and corporate leader, or a human resources representative under our open-door reporting policy, we maintain an external compliance hotline for the confidential reporting of any suspected policy violations or unethical business conduct on the part of our businesses, employees, officers, directors, suppliers, or customers. We also provide training and education to our global workforce with respect to our Code of Conduct, anti-bribery and anti-corruption policies, data privacy regulations, and workplace harassment. To file a complaint, individuals can visit https://novanta.ethicspoint.com or call the hotline. The Code of Conduct and posters displayed at our facilities list local numbers for each country. Internal Audit reports on hotline activities to the Audit Committee on a quarterly basis. The Chair of the Audit Committee also has direct access to all fraud, anti-bribery and anti-corruption, internal control, and financial matter-related reports on the compliance hotline.
We require all our employees and facilities to comply with all relevant laws and regulations in the countries in which they work or operate. We closely govern the activities of our employees, facilities, and supply chain partners through a host of corporate policies, including our:
- Code of Ethics & Business Conduct (the “Code of Conduct”)
- Supplier Code of Conduct
- Anti-Bribery and Anti-Corruption (ABAC) Policy
- Anti-Harassment Policy
- Antitrust Law Compliance Statement
- California Proposition 65 Compliance Policy
- China Restriction of Hazardous Substances (China RoHS) Policy
- Conflict Minerals Responsible Sourcing Policy
- Corporate Sustainability Policy
- Equal Employment Opportunity Policy
- Human Rights Policy
- Political Activity Policy
- Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH) Compliance Policy
- Related Party Transaction Policy
- Restriction of Hazardous Substances (RoHS) and Waste Electrical and Electronic Equipment Directive (WEEE) Compliance Policy
Our production facilities are subject to federal, state, local and, in some cases, foreign environmental regulations related to the use, storage, handling, and disposal of regulated materials, chemicals, and certain waste from production processes.
In 2022, we did not receive any notices of violation or record any spills, fines, or sanctions for non-compliance with manufacturing or production laws or regulations. We experienced one non-material permit breach and immediately implemented countermeasures to prevent future issues.
We are subject to many privacy and data protection laws and regulations around the world, some of which place restrictions on our ability to process personal data across our business. In particular, the General Data Protection Regulation (GDPR) became effective in the European Union (EU) and the European Economic Area (EEA) in 2018, and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) will take effect in 2023. These regulations create individual privacy rights for consumers, increase the privacy and security obligations of entities handling certain personal data, and require transparency and disclosure to data subjects on how their data is being used. Novanta currently complies with all relevant data privacy and security laws and regulations in the jurisdictions in which we operate. We keep abreast of new and developing legislation related to cybersecurity and data privacy and make plans to comply before new laws take effect.
In the normal course of business, we may collect and store confidential and other sensitive information, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third-party information, and employee information. To protect this information, we have developed and implemented continuous monitoring and detection programs, multi-layer defense architecture, encryption of critical data, and comprehensive security assessment protocols. Our cybersecurity program enables us to assess and mitigate cybersecurity risks (threats, vulnerabilities, and impacts) with customized measures and controls to protect and preserve the confidentiality, integrity, and availability of our data and systems. We have established policies and procedures leveraging widely accepted industry-standard cybersecurity frameworks, such as that of the National Institute of Standards and Technology (NIST), to safeguard against cyber-attacks.
Furthermore, we perform penetration testing and engage third parties to assess the effectiveness of our security program. Additionally, we perform organization-wide cybersecurity awareness training multiple times a year and have established a multi-layer recovery plan of our information technology ecosystem to protect against business interruption. Our dedicated team of cybersecurity professionals utilizes a variety of cyber protection tools and methods to monitor and enforce our cybersecurity controls and procedures. We also monitor current developments in the cybersecurity industry and adopt new tools and technologies deemed suitable to our environment in order to continuously enhance our cybersecurity profile. However, despite all of our efforts to strengthen our cybersecurity program, there is no guarantee that a significant cyber-attack will not occur in the future.
The Audit Committee and the ESG Committee of our Board of Directors are jointly responsible for the oversight of cybersecurity risks. The Audit Committee reviews and oversees quarterly the Company’s cybersecurity risk management, associated control environment, policies, procedures, incident response plans, and external disclosures. The ESG Committee reviews and oversees quarterly the Company’s cybersecurity program strategy, including NIST cybersecurity frameworks implementation, management, and related investment matters. Finally, once per year, our Board of Directors reviews the Company’s overall cybersecurity program and associated risk management.
We have experienced cybersecurity incidents in the past; however, to date, these incidents have not represented a material breach, nor have they had a material impact on our operations or financial results. Future cybersecurity incidents could have a material adverse effect on our business, reputation, financial condition, or operating results. Expenses incurred in connection with information security incidents have been immaterial for the years ended December 31, 2022, 2021, and 2020, respectively.