A governance framework built around child safety.
Class2Class works directly with children and young people across borders, so our governance and compliance framework is designed first to protect children and then to support ethical, transparent, and accountable operations in every partnership.
Child safeguarding leads
A single ordering principle: where two policies could plausibly resolve a question, the resolution that better protects the child governs.
Named accountability
Every decision in the framework has a named owner with explicit decision rights — DSL, DPO, Tech Lead, CEO, Independent Reviewer, Board.
Independent escalation
When a concern involves the CEO or someone in the routing path, an external Independent Reviewer takes the case — not anyone Class2Class employs.
Transparent & reviewed
The framework is reviewed annually. Cases feed an Annual Transparency Report. Regulatory anchors are checked every cycle.
Who decides what — and who they answer to.
Six named roles with explicit decision rights and accountability. No ambiguity.
| Role | Person | Decision rights | Accountable for |
|---|---|---|---|
| CEO | Jørgen Balle Olesen [email protected] |
Final approval of all policies; final approval of strategic decisions; CEO-only sign-off on High-severity case outcomes | Overall integrity of Class2Class; Board reporting; this Framework |
| Data Protection Officer | Giancarlo Mena [email protected] |
Owns data-protection regime; owns this Framework; owns Anti-Corruption Policy; co-investigates safeguarding cases involving personal data | GDPR Article 39 duties; Compliance Scorecard; cross-cutting reporting |
| Designated Safeguarding Lead | Anton Skriver [email protected] |
Owns Child Safeguarding Policy; owns safeguarding-case routing; co-owns Annual Child Safety Risk Assessment | UNCRC Article 19 duties; safeguarding-case outcomes |
| Technical Lead | Leonard Abrahamian | Implements platform safeguards; preserves evidence; co-investigates AI-feature cases | Platform-level safeguarding controls; AI System Inventory accuracy |
| Independent Reviewer | Externally engaged [email protected] |
Final decision on cases involving the CEO or that cannot be handled internally without conflict | Independence of escalation path under EU Whistleblower Directive |
| Board of Directors (or designated independent oversight contact) |
To be named | Oversight of CEO; receives Annual Transparency Report; resolves CEO removal where warranted | Governance integrity; oversight of conflict of interest at executive level |
Where a concern goes
| If the concern is about… | First contact | If conflicted or unavailable |
|---|---|---|
| A safeguarding matter | DSL — Anton Skriver | CEO |
| A data-protection matter | DPO — Giancarlo Mena | CEO |
| An anti-corruption matter | DPO — Giancarlo Mena | CEO |
| A Code of Conduct breach | Direct manager + DPO | CEO |
| Anyone in the routing path above | CEO | Independent Reviewer |
| The CEO | Independent Reviewer | Datatilsynet / competent authority direct |
Every channel allows anonymous reporting through the dedicated Anonymous Reports Form.
Three policies. One framework.
Click any policy to read it in full.
Child Safeguarding Policy
The institutional policy on preventing harm to children, recognising and responding to safeguarding concerns, and protecting every child who participates in our programmes — in classrooms and in digital collaboration.
Read the PolicyAnti-Corruption Policy
The institutional policy on bribery, fraud, conflicts of interest, gifts and hospitality, fair hiring, fair procurement, donor due diligence, and reporting suspected corruption.
Read the PolicyCode of Conduct
The behavioural framework for everyone who represents the organisation, with a personal declaration and signed commitment to safeguarding, reporting, and high standards of conduct.
Read the CodeWhat stands behind the three policies.
The three core policies stand on a layer of operational procedures, registers, and external review. Here's the map of what supports what.
Public-facing
- Ethical Guidelines (A1)Values and expected conduct of the whole Class2Class community
- Child-Friendly Privacy Summary (A7)Plain-language version of rights and protections for students 13–18
Operational procedures
- Reports Handling and Whistleblower Procedure (B2)The pipe through which every report flows — receipt, routing, investigation, outcome, records
- Annual Child Safety Risk Assessment (B7)Annual operational risk assessment that the Child Safeguarding Policy frames
- Parental DSAR Request Process (B8)Operational process for parents asserting their child's data rights
- AI Incident Reporting Procedure (B6)Runs in parallel where a safeguarding or anti-corruption case involves AI
Independent & external
- Independent Reviewer ToR (C1)Terms on which the external Reviewer handles CEO-conflict cases
- External Review Scope Document (C2)One-time independent review of the governance system
- Annual Transparency Report (C3)Annual public-facing report on safeguarding, anti-corruption, and Code-of-Conduct cases (in aggregate, anonymised)
- Commitment to Safeguarding declaration (C4)The signed declaration every representative renews annually
Data-protection underpinning
- ROPA (D1)Records of Processing Activities — every data flow documented
- DPIA (D2)Data Protection Impact Assessment — high-risk processing identified and mitigated
- GDPR Art. 9 / 5(1)(f) Compliance (D3)Special-category and security commitments declared
- Data Breach Response Procedure (D4)Runs in parallel where a case is also a personal-data breach
Operational artifacts
- Reports Workbook (E1)The case-tracking tool the DSL and DPO use
- Anonymous Reports Form (E2)Live, no-sign-in, no email capture
- Compliance Scorecard (E3)Quarterly snapshot of compliance posture across 8 areas
How they connect
- One concern, parallel proceduresA safeguarding case involving AI and personal data can run B2, B6, B9, and D4 in parallel — with the highest severity governing the timeline
- One outcome, two registersEvery case closed feeds the Compliance Scorecard and (in aggregate) the Annual Transparency Report
The standards we hold ourselves to.
Class2Class anchors its safeguarding and governance framework in a defined set of legal and rights-based commitments. The list isn't exhaustive — it's the set we hold ourselves to.
UN Convention on the Rights of the Child (UNCRC)
Best-interests principle; right to be heard; right to privacy; protection from violence, abuse, and exploitation.
GDPR & Danish Data Protection Act
Lawful basis, fairness, data minimisation, breach notification, DPIA, parental authority verification (Art. 8).
EU Digital Services Act — Article 28
Protection of minors on online platforms.
EU AI Act — Articles 4, 5, 6, 50, 73
AI literacy; prohibited practices; risk classification; transparency; serious-incident reporting.
EU Whistleblower Directive (2019/1937)
Functioning channels for reporting; protection of reporters from retaliation.
EU Accessibility Act — microenterprise context
Voluntary best-practice approach; growth-trigger watch list.
UN Convention against Corruption (UNCAC)
Preventive policies; codes of conduct; private-sector standards; whistleblower protection.
Danish Penal Code
Criminal-law floor for offences against children (Ch. 24, 25), bribery (§§144, 299), and fraud / embezzlement (§§278–286).
COPPA (United States)
School-authorisation framework for under-13 students whose schools partner with Class2Class.
EU Better Internet for Kids (BIK+)
Design and operational expectations for platforms with minor users.
How a real case flows through the system.
A short worked example. This is what the framework is for: child first, parallel procedures where relevant, evidence preserved, named owner accountable at every step.
The teacher uses the in-platform report button. The Reports Handling Procedure (B2) routes the case to the DSL (Anton).
Anton classifies it as High — emergency under the Child Safeguarding Policy (B9) §10.2 because it engages CS-01 (inappropriate adult-to-student contact) and CS-02 (grooming pattern) under the Annual Child Safety Risk Assessment (B7).
Within 1 hour, the Tech Lead (Leonard) restricts the suspected adult's platform access; the DSL contacts the partner school and the relevant child-protection authority.
Because messages may have been logged by an AI moderation system, the AI Incident Reporting Procedure (B6) runs in parallel. Because the messages contain personal data of a child, the Data Breach Response Procedure (D4) is assessed for a parallel run.
The DSL leads, with the DPO co-investigating the data-handling aspects. Evidence is preserved per B9 §10.3.
The case closes with the suspected adult removed from the platform and a referral to law enforcement; the case is recorded in the safeguarding case register (B9 §11) with cross-references to B6, D4, and the Reports Workbook (E1).
The case is reflected in aggregate in the Annual Transparency Report (C3). Where regulators require notification, the DPO notifies under the relevant article — DSA Art. 28 to Coordinator; GDPR Art. 33 to Datatilsynet within 72 hours; AI Act Art. 73 to the designated Danish AI authority where the threshold is met.
The case feeds the next Annual Child Safety Risk Assessment (B7) and any platform changes go through the standard development process, with the DPO and DSL signing off the safeguarding implications.
Common governance questions.
These are the core questions partners, schools, and collaborators often ask when reviewing how Class2Class operates.
Why is child safeguarding the first priority in this framework?
Because most of our users are minors, including children under 13 with parental consent. We operate in educational settings and directly involve young people, so safeguarding is the starting point — every other commitment (anti-corruption, code of conduct, data protection, AI literacy, accessibility) reinforces or supports child safeguarding rather than competing with it.
In practice that means: where two policies could plausibly resolve a question, the resolution that better protects the child governs. Where a sanction decision balances institutional cost against child safety, child safety governs. Section 2 of the Framework has the full ordering principle.
Who do these policies apply to?
The three core policies cover different audiences:
Child Safeguarding Policy — applies to every individual acting on behalf of Class2Class (employees, board, volunteers, consultants, partner teachers, NGO partners) and protects every child connected to our programmes.
Anti-Corruption Policy — applies to the same set of representatives, plus suppliers and donors where the contractual relationship engages it.
Code of Conduct — binds every Class2Class representative through a signed personal declaration (renewed annually) and applies around the clock — at work, on platform, in public, in personal settings where conduct could reasonably be linked to Class2Class.
How can concerns or incidents be reported?
Five routes, depending on what the concern is about:
Safeguarding — DSL Anton Skriver at [email protected]
Data protection — DPO Giancarlo Mena at [email protected]
Anti-corruption or general concern — [email protected]
Concern about a team member in the routing path — CEO Jørgen Balle Olesen at [email protected]
Concern about the CEO — Independent Reviewer at [email protected]
Every channel allows anonymous reporting through the dedicated Anonymous Reports Form. Reports made in good faith are protected from retaliation.
What kinds of topics are covered across the three policies?
Child Safeguarding covers harm types (sexual abuse, physical and psychological violence, emotional harm, neglect, exploitation), prevention and screening (including criminal-record checks like the børneattest), the Code of Behaviour with Children, indicators of harm, response procedures, digital safeguarding, and cross-border considerations.
Anti-Corruption covers bribery, fraud, conflicts of interest, gifts and hospitality, fair hiring and procurement, donor due diligence, and reporting suspected corruption — aligned to the Danish Penal Code, UNCAC, and the OECD Anti-Bribery Convention.
Code of Conduct covers the behavioural standards that bind every representative — integrity, anti-discrimination, anti-harassment, conflicts of interest, no bribery/fraud, substance use, organisational resources, confidentiality, public representation and social media. It applies around the clock and is signed annually.
What is the Independent Reviewer and why does it exist?
The Independent Reviewer is an externally engaged person who handles concerns that involve the CEO or that cannot be handled internally without conflict. The Reviewer is not a Class2Class employee and does not report to Class2Class management — they have final decision rights on the cases routed to them.
The role exists to satisfy the EU Whistleblower Directive's independence requirement. The channel address is [email protected]; the Reviewer's terms are documented in the Independent Reviewer Terms of Reference.
How often is the framework reviewed?
The Framework is reviewed annually by the DPO with input from the DSL, the Tech Lead, and the CEO. The review confirms named roles are filled and contact channels are live, regulatory anchors are current, each core policy and supporting procedure has been reviewed within its own cadence, operational artifacts are accurate, and the Annual Transparency Report accurately reflects the year's posture.
The next scheduled review is on or before 30 April 2027. The review report feeds the Compliance Scorecard and the Annual Transparency Report.
What if I'm a partner school doing due diligence on Class2Class?
You're in the right place. The three core policies linked above (Child Safeguarding, Anti-Corruption, Code of Conduct) plus the supporting infrastructure section give you most of what you need. For the contractual setup, contact the DPO at [email protected] for the current Data Processing Agreement template — it covers GDPR Article 28(3) end-to-end, including sub-processors, transfer mechanisms, breach notification SLAs, and AI-specific Technical and Organisational Measures.
If you need additional documentation — Annual Child Safety Risk Assessment, ROPA, DPIA, sub-processor list — write to the DPO and we'll provide it.
Need to ask a policy question — or report a concern?
Reports made in good faith are taken seriously, kept confidential, and protected from any form of retaliation. Every channel allows anonymous reporting. You will not be in trouble for telling us.
- SafeguardingAnton Skriver — [email protected]
- Data protectionGiancarlo Mena (DPO) — [email protected]
- Anti-corruption or general[email protected]
- Concern about the CEOIndependent Reviewer — [email protected]
- Lodge a complaintDatatilsynet — [email protected]
Want to dig deeper into a specific policy?
The three core policies above link out to their full institutional documents. For the operational procedures and audit-evidence documents (B7 risk assessment, B8 parental DSAR, ROPA, DPIA, DPA template), write to [email protected].
Email the DPO