GPM^® Acceptable Use Policy

Please read GPM’s Acceptable Use Policy ("AUP") carefully before accessing any site operated by GPM or its affiliates.

All site contents are copyright © 2009–2025 GPM and/or its affiliates. All rights reserved.
No portion of our sites may be reproduced, distributed, or transmitted in any form without prior written permission from GPM.

1. General

By accessing and using this website, you agree to comply with  our AUP. GPM reserves the right to update these terms at any time. Violations may result in legal action, suspension of access, or other remedies.

2. Limited License

You are granted a limited, non-exclusive license to use materials from this site for non-commercial purposes within your organization or, if you are a GPM Accredited Training Partner, within your customer’s organizations. All copyright and proprietary notices must be retained in copies. No other rights are granted.

3. Compliance with Laws

You must comply with all applicable laws, including U.S. export controls and local laws. GPM products are commercial and subject to restrictions under DFARS 252.227-7015 and FAR 52.227-19.

4. Trademarks

All trademarks, logos, and service marks on this site are the property of GPM or their respective owners. Use without prior written consent is prohibited. Refer also to our Logo Use Policy.

5. Disclaimer of Warranties

All site content is provided “as is” without warranties of any kind. GPM disclaims all warranties, including fitness for a particular purpose. We are not liable for any damages resulting from your use of this site or its content.

6. Product Availability

Some GPM products or services may not be available in your region. Contact your local GPM representative for information.

7. Third-Party Links

We may provide links to third-party sites for convenience. GPM is not responsible for the content or accuracy of third-party sites.

8. Restricted Areas

Unauthorized access to restricted areas is prohibited. You may not use this site for illegal activities, fraudulent purposes, or to abuse GPM’s services or data.

9. Account Security

Your GPM account is personal and must be kept secure. Notify us immediately of any unauthorized use or access. Failure to do so may result in liability for unauthorized activities associated with your account.

10. Copyright Policy

You may not reproduce copyrighted materials without prior written permission.

If you believe your copyright has been infringed, contact our Designated Agent with the required information under the Digital Millennium Copyright Act (DMCA).

Designated Agent:
GPM – Legal Department
41502 Orianna Lane
Novi, MI 48385 USA
Email:This email address is being protected from spambots. You need JavaScript enabled to view it.

Updated: March 9, 2025

GPM^® Privacy Policy

At GPM, protecting your privacy is a top priority. This Privacy Policy explains how we collect, use, share, and safeguard your personal information when you visit our websites, use our services, or interact with us. By using our services, you agree to the terms of this Privacy Policy.

1. Information We Collect

We collect information in various ways, including:

• Directly from You: When you sign up for services, download resources, contact us, or participate in surveys.
• Automatically: Through cookies, server logs, and analytics tools when you visit our websites.
• From Third Parties: Business partners, service providers, and publicly available sources.

Types of information we collect:

• Personal identifiers: Name, address, email, phone number.
• Account details: Username, password.
• Payment info: Billing address, credit card details (handled securely by third-party processors).
• Technical data: IP address, browser type, operating system, device information.
• Usage data: Pages visited, time spent on site, interaction with content.
• Marketing preferences: Your choices regarding communications from us.

2. How We Use Your Information

We use your information for:

• Providing and managing services you request.
• Improving our website, services, and user experience.
• Sending updates, newsletters, and promotional materials (with your consent).
• Processing payments and managing accounts.
• Enforcing our terms of service and legal obligations.
• Conducting research and analysis to improve sustainability project management practices.

3. Cookies and Tracking Technologies

We use cookies to:

• Remember your preferences.
• Analyze site traffic and user interactions.
• Deliver targeted ads (where applicable).

You can control cookies through your browser settings. Disabling cookies may limit your experience on our site.

4. Sharing Your Information

We share information with:

• Service Providers: Cloud hosting, payment processors, email platforms.
• Affiliates: GPM subsidiaries and partners.
• Legal Authorities: When required by law or to protect our rights.
• Third-Party Tools: Google Analytics, social media integrations, and CRM platforms.

We do not sell your personal data to third parties.

5. Data Retention

We retain your information for as long as necessary to:

• Provide services.
• Comply with legal obligations.
• Resolve disputes.
• Enforce our agreements.

Once no longer needed, we securely delete or anonymize your data.

6. Your Privacy Rights

Depending on your location, you may have the following rights:

• Access and Portability: Request access to your data or a copy of it.
• Correction: Correct inaccurate or incomplete data.
• Deletion: Request deletion of your personal data.
• Opt-Out: Decline marketing communications at any time.
• Restrict Processing: Limit how we use your data.
• Object to Processing: Oppose the use of your data for certain purposes.

GDPR Users: EU residents can exercise these rights under GDPR.
CCPA Users: California residents have additional rights under the CCPA, including the right to opt out of data sales (though we do not sell data).

To exercise any of these rights, contact us at  This email address is being protected from spambots. You need JavaScript enabled to view it..

7. Data Security

We use administrative, technical, and physical safeguards to protect your data. While no system is 100% secure, we continuously improve our security practices to reduce risks.

8. International Transfers

We operate globally, so your data may be transferred and stored outside your home country. We ensure appropriate safeguards for cross-border transfers, including Standard Contractual Clauses where applicable.

9. Children’s Privacy

Our services are intended for users 13 years and older. We do not knowingly collect data from children under 13. If we discover such data, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted here with an updated effective date. Significant changes will be communicated directly.

Contact Us

For any questions, concerns, or to exercise your privacy rights, reach out to:

GPM
41502 Orianna Lane
Novi, MI 48385 USA
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Updated March 10, 2025

Introduction

As a business and an employer, it is necessary for GPM Ltd. D.B.A. GPM Global and its subsidiaries and affiliates (collectively, “GPM” or the “Company”) to collect, store, and process personal data about our employees, contingent workers, customers, suppliers, and other third parties with whom we engage to provide products or services on our behalf.

Purpose

With the introduction of the European General Data Protection Regulation (“GDPR”) on May 25, 2018 and other applicable laws governing data protection, we are subject to enhanced requirements regarding how we collect, use, and store personal data.

The purpose of this policy is to help all of us comply with our legal obligations and enable individuals about whom we hold personal data to have confidence in us. This policy applies to all GPM employees, contingent workers and third parties processing data on behalf of GPM. Unless specified, this policy applies in all countries in which GPM operates and/or conducts business.

Policy Requirements 

Definitions

“Data Controller” or “Personally Identifiable Information Controller (PII Controller)” means the entity that determines the purpose and means of Processing Personal Data.

“Data Processor” or “Personally Identifiable Information Processor (PII Processor)” means the entity that Processes Personal Data on behalf of the Controller.

“Data Protection Laws” means all applicable data protection and data privacy laws and regulations, including but not limited to the EU General Data Protection Regulation (GDPR), UK General Data Protection Regulation (UK GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA).

“Data Subject” or “Personally Identifiable Information Principal (PII Principal)” means the identified or identifiable person or household to whom Personal Data relates.

“Data User” is a term used to describe any employee, consultant, independent contractor, intern, temporary worker or third party acting on GPM’s behalf (including data processors) whose work involves processing personal data for GPM.

“Personal Data” shall have the meaning ascribed to “personally identifiable information,” “personal information,” “personal data” or equivalent terms as such terms are defined under Data Protection Laws.

“Personal Data Incident” shall have the meaning assigned by Data Protection Laws to the terms “security incident,” “security breach” or “personal data breach” and shall include any situation in which Vendor becomes aware that Personal Data has been or is likely to have been accessed, disclosed, altered, lost, destroyed or used by unauthorized persons, in an unauthorized manner.

“Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring or disclosing personal data to third parties.

“Special Category Data” or “Special Category Personal Information” is a subset of personal data and refers to information about an individual’s race or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (eye color, hair color, height, weight), medical history, or criminal convictions and offenses or related security measures.

Our Responsibilities 

Depending on the circumstances, GPM may act as a data controller or a data processor. As a data controller, GPM is responsible for establishing practices and policies in line with Data Protection Laws. It is equally important that GPM be able to demonstrate compliance with these laws. The Company does this by:

• Implementing policies that enable the Company to comply with data protection laws such as this policy, policies around document retention and data security, and GPM’s privacy statements;
• Communicating and training employees, contingent workers and third parties acting on behalf of GPM about data protection requirements;
• Investigating instances of non-compliance with GPM data protection policies and taking appropriate remedial and/or disciplinary action;
• Investigating, remediating and, in some instances, providing notification of a Personal Data Incident;
• Conducting data processing impact assessments where required for new types of processing activities;
• Undertaking periodic internal audits of GPM’s data protection policies and procedures; and
• Considering data protection at the outset of new product

Processing Personal Data 

Any personal data that the Company processes or that is processed on GPM’s behalf must:

• Be processed fairly, lawfully and in a transparent manner;
• Be processed only for specified, explicit and legitimate purposes;
• Be relevant and limited to what is necessary for the legitimate purpose(s) for which the data is processed;
• Be accurate and kept up to date ensuring, where reasonably possible, that inaccurate personal data is erased or rectified without delay;
• Not be kept any longer than is necessary to fulfill the purpose(s) for which the data was collected; and
• Be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or

Sensitive and Special Category Data Processing 

GPM processes sensitive information on behalf of colleagues across various business systems and limited special category data in Workday. Appropriate controls are in place and outlined in the Special Category Data, Benefits and Payroll DPIAs and the Access Control Standard for Sensitive and Special Category Data available on the GPM Compliance site.

Legal Grounds for Processing Personal Data 

The Company may only process personal data if permitted to do so under Data Protection Laws. The following are the grounds GPM relies upon to process personal data:

Where processing is necessary:

• For the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
• For compliance with a legal obligation to which GPM is subject, including but not limited to, legal requests from law enforcement authorities; and/or
• To pursue GPM’s legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In addition to these grounds, GPM may also process personal data where the data subject has given consent to the processing for one or more specified purposes, provided that the consent is freely given, specific, informed and an unambiguous indication of the data subject’s wishes. Where GPM uses consent as the grounds for the processing, a data subject has the right to withdraw consent at any time and for any reason.

GPM may, on occasion, also need to process special categories of personal data for customers, employees or contingent workers (e.g., where required by safe employment practices). When GPM processes or uses a third party to process on its behalf special categories of personal data, GPM will ensure, where applicable, that the following conditions are satisfied:

• Data subject has given explicit consent to the processing of the special category of personal data for one or more specified purposes;
• Processing is necessary for carrying out obligations under employment law, social security or social protection law, or a collective bargaining agreement;
• Processing is necessary for the purposes of preventive or occupational medicine or for the assessment of the working capacity of an employee;
• Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
• Processing relates to personal data which has been made public by the data subject; and/or
• Processing is necessary for establishing or defending legal

Data Records Management 

GPM maintains a central record of the types of personal data the Company collects and why that data is collected. GPM will only process personal data for the specific purpose(s) set forth

in the central record or for any other purpose(s) specifically permitted Data Protection Laws.

GPM will notify data subjects of those purposes when data is first collected or, where not possible, as soon as possible thereafter.

GPM will only process personal data to the extent required for the purposes provided to the data subject. This means that GPM may not ask for, or record in its systems, more personal data than is needed. The Company has appropriate technical and organizational measures in place to ensure that personal data that is no longer needed is erased or destroyed.

The Company also employs reasonable measures to ensure that any personal data held is accurate and kept up to date. GPM aims to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. The Company will take all reasonable steps to erase, destroy or amend inaccurate or out-of-date data without undue delay and, in any event, within one month of a data subject’s request (or for up to three months where there are specific reasons why one month is not possible).

Erasure or Destruction of Personal Data 

Paper records that contain personal data must be shredded and disposed of securely when there is no longer a need to retain them. Paper records containing personal data may not be disposed of in any other manner.

When deleting electronic personal data, all possible steps should be taken to put the data in question beyond use. Where it is impossible to delete personal data altogether, reasonable steps must be taken to ensure the data is deleted to the fullest extent possible.

IT is responsible for destroying or erasing electronic equipment that contains personal data (e.g. laptops, desktops, company-owned mobile devices, and work data on BYOD devices).

Information Security 

When the Company processes personal data, it takes reasonable measures to ensure data remains secure and is protected against unauthorized or unlawful processing, accidental loss, destruction or damage.

GPM does this by:

• Encrypting personal data where possible and appropriate;
• Ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process personal data;
• Ensuring the restoration of access to personal data in a timely manner in the event of a physical or technical incident; and
• Facilitating testing, assessment and evaluation of the effectiveness of technical and organizational measures for ensuring data security.

In assessing the appropriate level of security, GPM considers the risks associated with the processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the personal data that is processed.

Where GPM engages third parties to process personal data on its behalf, such parties do so based on written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure data security. Personal data may not be shared with anyone outside of GPM or authorized third parties.

Desks and cupboards are kept locked if they hold personal data or confidential information of any kind. Data users ensure that individual monitors/screens do not show personal data or confidential information to passers-by and that they log off from or lock their computers/tablets when left unattended.

Reporting a Personal Data Incident 

A Personal Data Incident can happen in many ways, including:

• Loss of a mobile device or hard copy file which contains personal data (e.g., accidentally leaving a device behind on public transportation);
• Theft of a mobile device or hard copy file which contains personal data (e.g., stolen from a vehicle or home);
• Human error (e.g., an employee accidentally sending an email containing personal data to an unintended recipient, or accidentally altering or deleting personal data);
• Cyber-attack (e.g., opening an attachment to an email from an unknown third party that contains ransomware or other malware);
• Allowing unauthorized use/access (e.g., permitting an unauthorized third party to access secure areas of GPM offices or systems);
• Unforeseen circumstances such as a fire or flood; or
• Where information is obtained from GPM by a third party through deception. Signs that a Personal Data Incident may have occurred include the following:

• Unusual log-in and/or excessive system activity, in particular with respect to active user accounts;
• Unusual remote access activity;
• The presence of spoof wireless (Wi-Fi) networks visible or accessible from GPM’s working environment;
• Equipment failure; and
• Hardware or software key-loggers connected to or installed on GPM

Colleagues who become aware of or have any reason to suspect that a Personal Data Incident has occurred or is about to occur must immediately contact their immediate report or email This email address is being protected from spambots. You need JavaScript enabled to view it.

Personal Data Incident Response Plan 

In the event of an actual or imminent Personal Data Incident, GPM takes quick action to minimize the impact of the incident and report the incident if required by law. In most cases, the response will involve:

• Investigating the incident to determine the nature, cause, and extent of the damage or harm that may result;
• Implementing necessary steps to stop the incident from continuing or recurring and limiting the harm to affected data subjects;
• Assessing whether there is an obligation to notify other parties (e.g., national data protection authorities, affected data subjects) and making those notifications. If there is an obligation to notify data protection authorities, reporting must usually occur within 72 hours of the Company, including any of its employees, becoming aware of the incident; and
• Recording information about the Personal Data Incident and the steps taken in response, including documentation that explains the decision to notify or not notify.

Storage and Backup of Personal Data 

GPM utilizes multiple server locations to store and back up personal data. For server locations utilized by third parties with whom GPM engages to process personal data on behalf of colleagues and customers, consult the relevant data protection impact assessments for colleague personal data and the external sub-processor page and product privacy notices for customer personal data. These documents are all located either internally on the Compliance page or externally on the Legal & Compliance site under the Data Privacy icons. For a current list of corporate data server locations, colleagues may also reach out directly to IT.

International Data Transfers and Transfers to Third Parties 

Under the GDPR, GPM may transfer personal data to countries outside the European Economic Area (“EEA”) where there is an adequate level of protection in that country or where GPM has put appropriate measures in place to ensure data protection.

Companies within the GPM group (i.e., all corporate entities and subsidiaries) must enter into the Intra-Group Data Transfer Agreement in order to ensure appropriate safeguards for the transfer of personal data outside the EEA, but within the GPM group.

Companies outside of the GPM group who process personal data for or on behalf of GPM, for which GPM acts as a data controller or data processor, must enter into a data processing agreement with GPM to ensure appropriate safeguards for the transfer of personal data outside the EEA. That agreement contains language to ensure the third party has appropriate technical and organizational measures in place to comply with the GDPR and to ensure the protection of data subject rights.

Instances where GPM transfers personal data to a country outside the EEA may include:

• The data subject has given their explicit consent to the proposed transfer after GPM has informed them of any possible risks associated with such transfer (e.g., the absenc e in that country of equivalent safeguards);
• The transfer is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract;
• The transfer is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
• The transfer is necessary for the establishment or defense of a legal

For each transfer of data outside the EEA, GPM will rely upon the Standard Contractual Clauses as defined by the European Commission (2001/497/EC, 2004/915/EC and 2010/87/EU).1 Note that a data transfer agreement is also required if transferring personal data outside of the United States.

Notifying Data Subjects 

GPM is required to provide information to data subjects about the processing of their personal data. This information is contained in the Company’s Web Privacy Statement which is publicly available at www.greenprojectmanagement.org and the Employee Privacy Statement, which is available on the GPM intranet. Such statements provide information about:

• The types of personal data GPM processes;
• The purpose and legal basis for processing personal data;
• Whether personal data will be disclosed to any third parties in the course of the processing;

NOTE: 1 As of December 27, 2022, these transfers will be effected using the new standard contractual clauses as outlined in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

• Whether personal data will be transferred outside of the EEA and Canada and, if so, what safeguards will be put in place;
• How long the personal data will be processed or, if not possible to determine, the criteria the Company will use to determine the processing period;
• How the data subject can obtain a copy of their personal data held by GPM;
• Data subject’s rights, including how to make a complaint;
• If the personal data must be processed in order to comply with a law or a contract, the possible consequences of the data subject failing to provide the data or objecting to processing; and
• The existence and details of any automated decision-making processes, where

If GPM receives personal data about a data subject from a third party, the Company will also provide the data subject with information on:

• The type of personal data received from the third party; and
• The source of the data and whether it came from a publicly accessible source (e.g., a website accessible to the public).

Privacy by Design and Data Protection Impact Assessments 

Data Protection Laws require GPM to consider data protection during the development stages of a new product offering. In order to satisfy this obligation, GPM must take steps to ensure

data protection is part of the design process and personal data collection is minimized to the

extent possible.

In some circumstances (namely, when processing would result in a high risk to an individual’s rights and freedoms), GPM may be required to undertake a formal data protection impact assessment (DPIA) in relation to the processing of personal data. Such an assessment involves documenting the purposes for which the activity is carried out, how GPM will comply with data protection laws, and how the Company will mitigate potential risks to individuals’ privacy. If you believe a data protection impact assessment may be needed, contact the Compliance Director at This email address is being protected from spambots. You need JavaScript enabled to view it.

Data Subject Rights         

If GPM processes personal data, under Data Protection Laws, the data subject may have the right to:

• Request information about the personal data held with respect to them;
• Have any inaccurate personal data about them corrected and incomplete personal data completed, subject to GPM determining that the data is, in fact, inaccurate or incomplete;
• Object to GPM processing their personal data where the Company is doing so in pursuit of its own legitimate GPM can continue processing the personal data

notwithstanding an objection if the Company’s legitimate interests outweigh those of the data subject, or if GPM needs to do so for the establishment or defense of a legal claim;

• Ask GPM to destroy personal data held with respect to the data. The Company can refuse this request if the personal data is still necessary for the purposes for which it is being processed, and there is a legitimate basis for GPM to continue processing;
• Ask GPM to restrict the processing of their personal data to This can only be requested if the accuracy of personal data has been contested and remains unverified; GPM no longer requires the personal data, but the data subject needs it to establish or defend a legal claim; the data subject has objected to the processing of personal data, and GPM is deciding whether its legitimate interests override the data subject’s interests or if the processing is unlawful.

GPM will assess the data subject’s rights under applicable data privacy legislation on a case-by-case basis in determining how to fulfill a data subject access request. In general, GPM will use a data subject’s rights under the EU GDPR as a baseline for fulfilling requests and applying rights available under applicable data privacy legislation to the extent those are more favorable towards the data subject. If a data subject exercises these rights and GPM has disclosed the personal data in question to a third party, the Company will do its best to ensure that the third party also complies with the wishes of the data subject.

Data Subject Access Rights 

Data subjects who wish to request information about the personal data GPM holds about them may do so by submitting a Data Subject Access Request (DSAR). If colleagues receive a request directly (whether verbally or in writing), immediately forward details of the request to This email address is being protected from spambots. You need JavaScript enabled to view it..

Training 

GPM provides its employees and contingent workers with access to training about data protection responsibilities. This training occurs at onboarding and at regular intervals thereafter.

Supervisory Authorities  

Contact information for relevant data supervisory authorities varies by location.

 If you have questions about GPM’s Privacy Information Management System, please contact:

GPM
Attention: Compliance Director
41592 Orianna Ln
Novi MI 48375 USA

Email:This email address is being protected from spambots. You need JavaScript enabled to view it.pm.org

GPM^® Code of Ethics 

As GPM staff, Ambassadors, partners, and certificate holders, we recognize the importance of behaving ethically. Our Code of Ethics makes public the values to which we are committed and embodies the responsibilities we promise to uphold.

1. To decouple social and environmental degradation from economic growth through the advancement of the integration of sustainability and project management.
2. To promote the Principles of Sustainable Change Delivery through in own practices.
3. To strive to set the bar higher for standards of integrity, dedication to our discipline, and the professional conduct that is expected of subject matter experts and leaders.
4. To be transparent in representing our project management experience, abilities, recognition, and areas that are still being developed.
5. To constantly strive to improve ourselves and acquire new skills in the realm of project/program management and overall leadership.
6. To serve as role models in our local communities and expand our field of influence to create positive impacts wherever we are.
7. To treat all persons fairly regardless of their race, religion, gender, disability, age, national origin, or other differences.
8. To serve as mentors to those who aspire to enter the discipline and to continue to seek from those who have gone before us.
9. To uphold and support the ten principles of the UN Global Compact.

Supportive Policies

Conflicts of Interest

Those subject to the Code must avoid any situation in which they have, or appear to have, an interest that conflicts with the best interests of GPM. Conflicts of interest can arise in situations where the colleague or a member of the colleague's immediate family have an interest or relationship (financial, employment, or otherwise) that may have an adverse effect on GPM or may unduly influence the colleague's exercise of independent judgment due to considerations of personal gain or benefit.

While it is impossible to list every situation in which an actual or apparent conflict of interest may exist, GPM considers the following activities to be conflicts of interest. As such, colleagues are prohibited from engaging in these activities without receiving prior written approval from the President or their designee:

• Competing, either directly or indirectly, with GPM.
• Having an interest, either direct or indirect, in competitors, suppliers, or customers of GPM, other than non-substantial, passive ownership of securities. What constitutes a "substantial" interest will depend on facts such as the size of the entity, whether it is a public or private company, the type and dollar amount of business the entity does with GPM, the nature of its competition with GPM, and the significance of the investment considering the colleague's other financial resources.
• Serving as a colleague, consultant, officer, or director of, or receiving income from, any person or organization that the colleague knows, or reasonably should know, does business with GPM, seeks to do business with GPM, or directly competes with GPM.
• Engaging in non-GPM employment or consulting work that may conflict with GPM's business interests or prevent the colleague from satisfactorily performing the colleague's responsibilities to GPM.
• Accepting gifts or entertainment from a person or organization that does business with GPM or seeks to do business with GPM except as permitted under the section entitled "Gifts and "
• Trading in the stock of any company or dealing for personal gain on the basis of material, non-public information learned in the course of employment with GPM.
• Personally exploiting a corporate opportunity or receiving any personal benefit from a business transaction in which GPM engages.

Gifts and Entertainment

The exchange of gifts and entertainment can create improper influence (or the appearance of improper influence) and must be in accordance with this policy.

Gifts and entertainment means anything of value, e.g. loans, favorable terms on a product or service, prizes, use of another company's vehicles, tickets, gift certificates, use of vacation facilities, stocks, other securities or participation in stock offerings. Entertainment is considered a gift, subject to these guidelines, when the giver or representative from the giving organization will not accompany you to the event. Gifts and entertainment between GPM colleagues and others fall into three categories:

Acceptable for self-approval

Some gifts and entertainment are sufficiently modest that they do not require prior approval. Think through the intent (e.g., Is it normal courtesy or to build a business relationship versus influencing the recipient's objectivity in making a business decision?), materiality, frequency and transparency (e.g., Would you be embarrassed if your manager, colleagues or anyone else outside GPM became aware?). The following are usually acceptable without prior approval:

• Meals: Modest occasional meals with someone with whom we do business.
• Entertainment: Occasional attendance at ordinary sports, theater and other cultural events.
• Gifts: Gifts of nominal value such as pens, calendars, or small promotional items.

Never acceptable

Other types of gifts and entertainment are never permissible. They are:

• Any gift or entertainment that would be illegal.
• Any payment, offer, or promise to pay, either directly or through an intermediary, money or anything of value, to any foreign official, foreign political party or party official, or any candidate for foreign political office, for the purpose of inducing the recipient to misuse their official position to direct business to the payor or to any other person.
• Gifts or entertainment involving parties engaged in a tender or competitive bidding process.
• Any gift of cash or cash equivalent (such as gift certificates or loans).
• A gift or entertainment that you pay for personally to avoid having to seek approval.
• Any entertainment that is indecent or sexually-oriented or might otherwise adversely affect GPM's reputation.

May be acceptable with prior approval

For anything that does not fit into the other categories, the gift or entertainment may or may not be permissible. You must get approval from your manager or Strategic Leadership Team member as appropriate for the following:

• Entertainment that exceeds $150 USD or equivalent
• Gifts valued at more than $100 USD or equivalent
• Lavish meals that cost more than $150 USD or equivalent per person
• Special events such as a World Cup game or major golf tournament (these usually have a value of more than $150 USD)
• Travel or overnight accommodation, as this normally raises the personal benefit to material levels

Any entertainment valued at more than $500 USD (or gifts over $250 USD) must be approved by the GPM President.

In some departments or regions, more restrictive guidelines or rules on gifts and entertainment may apply. Colleagues must be careful not to accept gifts or entertainment that do not comply with these guidelines or rules.

Other important things to know about gifts and entertainment

It is acceptable to receive a gift that exceeds a designated monetary limit if it would be insulting to decline, but the gift must be reported to management who will decide whether it:

• May be retained by the recipient
• Will be retained for the benefit of GPM
• Will be sold and the money donated to charity
• Will be returned to the donor

You must immediately return any gift of cash or a cash equivalent such as a bank check, money order, or negotiable instrument.

Anti-Corruption

The nature of GPM's business requires colleagues and third parties with whom we do business to interact regularly with government officials and private sector customers. Applicable anti-corruption laws (e.g., the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, the US Foreign Corrupt Practices Act (FCPA), the International Travel Act, the UK Bribery Act, and Canada's Corruption of Foreign Public Officials Act (COFPA)) establish certain rules and restrictions on those interactions in all countries where GPM does business.

GPM^® Committment to Responsible AI Use

See also our Digital Sustainability Policy.

At GPM, we understand the immense power and potential of Artificial Intelligence (AI). As we harness this technology to create innovative solutions, we also acknowledge that with great power comes great responsibility.

Our Commitment

We pledge to use AI responsibly, ethically, and transparently. We will always prioritize the privacy, security, and well-being of our users, customers, and partners.

Respect for Human Rights

We commit to respecting and upholding human rights in all our AI-powered endeavors. We will ensure that our AI systems do not discriminate, marginalize, or harm individuals or groups.

Transparency and Accountability

We promise transparency about how, why, and where we use AI. We will hold ourselves accountable for our AI systems' impact and continually seek ways to improve their performance and safety.

Privacy and Security

We will protect the privacy and security of our users' data. We will use AI only for purposes that our users have explicitly consented to, and we will never share user data without explicit permission.

Continuous Learning and Improvement

We will constantly strive to learn more about the ethical implications of AI, and we will continually improve our practices based on these learnings.

Collaboration and Open Dialogue

We will foster a culture of open dialogue and collaboration around AI ethics. We invite user, employee, and stakeholder feedback to help us shape our responsible AI practices. By making this pledge, we hope to create a future where AI serves humanity responsibly, ethically, and beneficially. We invite you to join us on this journey.

Updated March 12, 2025

GPM^® Environmental Regeneration Policy

1. Our Commitment to Regeneration

At GPM, we are committed to regenerative development—an approach that moves beyond sustainability to actively restore, enhance, and revitalize the natural world. Our goal is not merely to reduce harm, but to create thriving ecosystems, resilient communities, and flourishing living systems.

This policy establishes our dedication to:

• Rebuilding natural ecosystems rather than just conserving them.
• Restoring biodiversity through active regeneration efforts.
• Ensuring environmental justice by recognizing that ecological health is tied to social equity.
• Aligning business with planetary boundaries to ensure our actions contribute to the long-term health of the Earth.

We embrace the interdependence of human and natural systems, embedding planetary stewardship into every aspect of our operations, partnerships, and decision making.

2. Climate and Carbon Regeneration

GPM commits to climate-positive actions that go beyond carbon neutrality by actively removing more carbon than we emit.

Our Commitments:

• Achieve Net Positive Carbon Impact by 2025, ensuring our activities sequester more carbon than they produce.
• Prioritize reduction over offsets, integrating carbon-negative strategies into our projects.
• Scope 1, 2, and 3 emissions accountability—tracking and eliminating emissions across all business activities, supply chains, and digital infrastructure.
• Invest in nature-based carbon removal, including reforestation, soil restoration, and regenerative agriculture projects.
• Develop and implement circular carbon systems, ensuring carbon is reused and reintegrated into natural cycles.

3. Water Stewardship and Regenerative Hydrology

As signatories of the UN Global Compact CEO Water Mandate, GPM is committed to water regeneration—ensuring that our operations and projects contribute to the restoration and protection of global water cycles.

Our Commitments:

• Adopt a net-positive water strategy, replenishing more water than we consume.
• Implement WASH principles (Water, Sanitation and Hygiene) to ensure equitable access to clean water, sanitation, and hygiene facilities in all project areas​.
• Work with suppliers to enforce water stewardship policies and eliminate water waste.
• Invest in watershed restoration projects to rebuild natural water cycles.
• Advocate for climate-resilient water infrastructure in urban and rural communities.

4. Biodiversity and Ecosystem Regeneration

GPM recognizes that true sustainability is not just about reducing harm but actively restoring biodiversity and ecological resilience.

Our Commitments:

• Design projects using nature-positive principles, ensuring no net loss of biodiversity.
• Support reforestation, land restoration, and habitat connectivity efforts.
• Require biodiversity impact assessments for all major projects.
• Implement a no-deforestation policy across our supply chain.
• Engage in partnerships with conservation organizations to enhance global biodiversity efforts.

5. Circular Economy and Regenerative Resources

To eliminate waste and regenerate resources, GPM commits to designing closed-loop systems that mimic nature’s cycles.

Our Commitments:

• Implement zero-waste principles, ensuring full material recovery and reuse.
• Shift to 100% regenerative materials in operations and project management practices.
• Eliminate reliance on single-use plastics across all offices and events.
• Require all suppliers to comply with circular economy standards.
• Promote cradle-to-cradle design thinking in Sustainable Project Management™.

6. Governance, Accountability, and Transparency

To ensure that our commitments translate into action, we will establish strong governance and oversight mechanisms.

Our Commitments:

• GPM’s Environmental Regeneration Reports will be published as part of our annual UN Global Compact COP report.
• These reports will detail our progress on regenerative commitments, including carbon sequestration, water stewardship, biodiversity impact, and circular economy initiatives.
• We will ensure alignment with UN Sustainable Development Goals (SDGs), IFRS S2, and TNFD disclosure frameworks​.
• All metrics, case studies, and outcomes will be transparently shared to set a benchmark for regenerative business practice.

7. Stakeholder and Partner Engagement

Regenerative development requires collective action. GPM will lead by example and engage stakeholders at all levels to drive meaningful change.

Our Commitments:

• Work exclusively with partners and clients who align with regenerative principles.
• Provide mentorship and training to ensure project managers integrate sustainability into every decision.
• Use our influence and thought leadership to drive policy change and system-wide transformation.

8. Call to Action

GPM is not just committing to sustainability—we are committing to a fundamentally new way of thinking and acting. Our role is not to minimize damage but to actively heal, restore, and regenerate.

At GPM, we believe that projects can be life-giving—not neutral, not less harmful, but actively restoring the Earth, rebuilding ecosystems, and revitalizing communities.

This isn’t just our policy.
         It’s our ethos.
                  It’s who we are.

Updated March 12, 2025