Code of Conduct: What to Include and a Free Template (India)

Ankit Sarawagi | Founder, CFOmatrix · June 2026 · 11 min read
A code of conduct is the one document that tells everyone in your company how they are expected to behave: be honest, avoid conflicts, protect confidential information, treat each other with respect, never pay or take a bribe, and speak up when something is wrong. This guide explains, in plain English for Indian companies, exactly what a code of conduct should cover, how each section maps to Indian law (POSH, the DPDP Act, anti-bribery rules), and how to roll it out so it actually sticks. Then you can download a ready-made Word template and adapt it in an afternoon.
✍ Key Takeaways
  • A code of conduct sets the standards of behaviour for your whole company; individual HR policies are the detailed rules that sit underneath it.
  • The core sections are ethics, conflicts of interest, confidentiality, anti-harassment, anti-bribery, and reporting, plus use of company assets and external communications.
  • In India the code must align with the POSH Act 2013 (Internal Committee mandatory at 10+ employees) and the DPDP Act 2023 for data and privacy.
  • A code is only enforceable if you can prove every employee read and acknowledged it, so the rollout matters as much as the drafting.
  • Use a tested template, adapt it to your company, get legal sign-off, and review it once a year and whenever the law changes.

📄 Download the free Code of Conduct template (Word)

A ready-to-use, India-ready code of conduct you can brand and adapt in an afternoon. Editable Word format, with all the core sections below already drafted.

  • 10+: Employees at which a POSH Internal Committee becomes mandatory in India
  • 9: Core sections every code of conduct should contain (covered below)
  • 100%: Of employees should sign an acknowledgement for the code to be enforceable

What a Code of Conduct Is (and What It Is Not)

A code of conduct is a single document that sets out the standards of behaviour your company expects from everyone who works there. It turns abstract values like “integrity” and “respect” into clear, enforceable rules: do not take a bribe, do not share confidential information, do not let a personal interest cloud a company decision, treat colleagues with dignity, and report it when you see something wrong.

It is easy to confuse the code with the rest of your HR documentation, so it helps to be precise. The code sits at the top. It is the why and the boundary. The detailed operational rules, such as how to claim expenses, how leave is calculated, or how a harassment complaint is investigated, live in separate policies underneath it.

| Document | What it does | Example |
| --- | --- | --- |
| Code of Conduct | Sets the principles and the boundaries of behaviour | “We do not accept gifts that could influence a decision.” |
| HR / Operational Policy | Sets the detailed procedure to follow | “Declare any gift over Rs 2,000 to your manager within 7 days.” |
| Employee Handbook | Bundles the code and policies into one reference | Code on page 1, policies as chapters after it |

📋 Note

A code of conduct is not a wish list of nice values. If a line in the code cannot lead to a real consequence when it is broken, it belongs in your culture deck, not your code. Keep the code to standards you are prepared to enforce.

Why You Need a Code of Conduct in India

There is no single statute that forces every private company to publish a standalone code of conduct. But a good chunk of what a code covers is legally required, and bundling it into one document is the cleanest way to stay on the right side of the law and to defend yourself if a dispute arises.

  • Anti-harassment is mandatory. The POSH Act 2013 requires an anti-sexual-harassment policy and an Internal Committee once you have 10 or more employees. The code is where you state the standard; the POSH policy carries the procedure.
  • Data protection is now law. The Digital Personal Data Protection (DPDP) Act 2023 places real obligations around consent, data principal rights and breach notification. Your confidentiality and data clauses should reflect it.
  • Governance expects it. Listed companies and many regulated or investor-backed firms are expected to maintain a code under SEBI and corporate-governance norms. Investors and enterprise customers increasingly ask to see one in due diligence.
  • It makes discipline defensible. Acting on misconduct is far safer when you can point to a written standard the employee acknowledged in advance, rather than an unwritten expectation.
📈 CFO Lens

In a funding round or an acquisition, the data room almost always asks for the code of conduct, the POSH policy and the Internal Committee constitution. Having a clean, signed-off code ready signals a company that takes governance seriously, and removes a recurring item from the diligence checklist.

What to Include: The Core Sections of a Code of Conduct

A strong company code of conduct does not need to be long, but it does need to be complete. These are the nine sections we recommend, and they are exactly what the downloadable template contains.

1. Purpose, scope and who it applies to

State why the code exists, who it covers (all employees, and where relevant directors, contractors, interns and consultants), and that it applies at the office, at client sites, at company events and online. Make clear that acknowledging the code is a condition of employment.

2. Core values and business ethics

Set the standard: honesty, integrity, fair dealing, compliance with the law, and acting in the company’s best interest. This is the section that frames everything that follows. Keep it short and concrete.

3. Conflicts of interest

Define a conflict (a personal, family or financial interest that could improperly influence a work decision), give plain examples (hiring a relative, a side business with a competitor, a stake in a vendor), and require employees to declare conflicts rather than hide them.

4. Confidentiality and data protection

Cover company confidential information, customer and employee personal data, and intellectual property. Align it with the DPDP Act 2023: handle personal data only with a lawful basis, respect data principal rights, and report any breach internally so the company can notify the Data Protection Board where required.

5. Anti-harassment and respect at work

State a zero-tolerance position on harassment, discrimination and bullying, and reference your POSH policy and Internal Committee for sexual-harassment complaints. Make clear that the standard protects everyone at the workplace, including contract staff and visitors.

6. Anti-bribery and anti-corruption

Prohibit giving or taking bribes, kickbacks or improper payments, including facilitation payments and improper dealings with government officials. Set a clear rule on gifts and entertainment with a declaration threshold so ordinary courtesy is allowed but influence is not.

7. Use of company assets, IT and external communications

Cover acceptable use of devices, email, software and funds, protection against misuse and fraud, and the rules for speaking on behalf of the company, including social media. Make clear that company assets are for company purposes.

8. Reporting concerns and whistleblower protection

Tell people exactly how to raise a concern, promise no retaliation for good-faith reports, and explain confidentiality. A code with no safe reporting channel is a code people will not use. (More on this in the section “Reporting Concerns and Whistleblower Protection” below.)

9. Consequences of breach and acknowledgement

State that breaching the code can lead to disciplinary action up to termination, and close with an acknowledgement that every employee signs. The acknowledgement is what makes the code enforceable.

💡 Memory Hook

Six words capture the heart of any code: ethics, conflicts, confidentiality, anti-harassment, anti-bribery, reporting. Everything else is detail around those six.

Mapping the Code to Indian Law

Each behavioural section of the code connects to a specific piece of Indian law or compliance. This is the part most generic, imported templates get wrong, so it is worth being exact.

| Code section | Indian law / requirement | What it means in practice |
| --- | --- | --- |
| Anti-harassment | POSH Act 2013 | Internal Committee mandatory at 10+ employees; 90-day inquiry; annual report filed |
| Confidentiality / data | DPDP Act 2023 | Consent and lawful basis, data principal rights, breach notification to the Data Protection Board |
| IT / security incidents | CERT-In directions | Cyber incidents reportable to CERT-In within 6 hours of becoming aware |
| Anti-bribery | Prevention of Corruption Act | No bribes or improper payments, especially to public servants; gift declaration threshold |
| Governance / code itself | Companies Act & SEBI norms | Listed and many regulated firms expected to maintain and publish a code |

📋 Note

The code states the principle; the detailed procedure lives in the dedicated policy. For POSH, that means the code says “zero tolerance for sexual harassment” while the separate POSH policy names the Internal Committee, the 90-day inquiry timeline and the complaint process. Keep the two linked but distinct.

Reporting Concerns and Whistleblower Protection

The reporting section is the difference between a code that lives on a shelf and one that protects the company. People will only raise a concern if it is easy, safe and confidential. Build three things into the code.

  • Clear channels. Name who to go to: a line manager, HR, a designated ethics or compliance contact, and an alternative route (for example a confidential email or hotline) for when the concern involves a manager.
  • No retaliation. Promise in writing that anyone who reports a concern in good faith will not face retaliation, even if the concern turns out to be mistaken. State that retaliation is itself a breach of the code.
  • Confidentiality and follow-through. Commit to handling reports confidentially, to investigating fairly, and to telling the reporter that action was taken (within the limits of privacy).
⚠️ Watch Out For

A reporting channel that funnels every complaint to the person most likely to be the subject of it (the founder, or HR reporting to the CEO) is no channel at all. Always provide a second, independent route, and make sure POSH complaints go to the Internal Committee, not just to a manager.

How to Roll Out a Code of Conduct (Step by Step)

A code is only as good as the rollout. A document nobody read is hard to enforce. Follow these five steps, in order.

1. Draft and adapt to your company

Start from a tested template, then adapt it to your size, sector and the laws above. Cut what does not apply and add what is specific to you. Avoid a generic, imported US code: it will miss POSH and the DPDP Act.

2. Get leadership and legal sign-off

The code carries weight only if leadership stands behind it. Have founders or the board approve it, and have a lawyer check the POSH, DPDP and disciplinary clauses against current law before you publish.

3. Communicate it, do not just file it

Introduce the code at an all-hands and in onboarding, explain the why, and put it where people can find it (the handbook, the intranet). A short, plain-English code that people actually understand beats a long legalistic one.

4. Collect a signed acknowledgement

Every employee, new and existing, should confirm in writing (a signature or a tracked digital acceptance) that they have read and will follow the code. This record is what lets you act on a breach later.

5. Train, review and refresh annually

Run periodic training (POSH training is itself expected), review the code at least once a year and whenever the law changes, keep a version number and effective date, and re-collect acknowledgements after any material change.

“A code of conduct is not the document you write to look governed. It is the standard you can point to, calmly, on the day someone crosses a line.”

Ankit Sarawagi, CFOmatrix

Common Mistakes to Avoid

Most code-of-conduct problems are not about what is written but about what is missing or unenforced. Watch for these.

  • Copying a foreign template. A US or UK code will reference the wrong laws and skip POSH and the DPDP Act entirely. Always localise to India.
  • No acknowledgement trail. If you cannot prove an employee read the code, enforcing it in a disciplinary matter is far harder.
  • One reporting route through the wrong person. Always give an independent channel, and route POSH complaints to the Internal Committee.
  • Set and forget. A code that has not been touched since 2019 will not mention the DPDP Act 2023. Review it yearly.
  • Vague consequences. If the code does not say what happens when it is breached, it is guidance, not a standard.
📈 CFO Lens

The code of conduct is one of more than forty policies a growing company eventually needs, from POSH and leave to data protection and travel. You can see all 41 policy templates in our policy library and build your handbook one tested document at a time.

Download the free Code of Conduct template (Word)

All nine core sections, drafted and India-ready, in an editable Word file. Brand it, adapt it, get it signed off, and collect acknowledgements. If you would rather we tailor your whole policy set, talk to CFOmatrix.


Frequently Asked Questions

What is a code of conduct?

A code of conduct is a single document that sets out the standards of behaviour a company expects from its people: ethics, honesty, conflicts of interest, confidentiality, respect at work, anti-harassment, anti-bribery, use of company assets, and how to report concerns. It translates a company’s values into clear, enforceable rules and is usually referenced in the employment contract and the employee handbook.

What should a company code of conduct include in India?

A code of conduct for an Indian company should cover purpose and scope, core values and ethics, conflicts of interest, confidentiality and data protection (now governed by the DPDP Act 2023), anti-harassment aligned to the POSH Act 2013, anti-bribery and anti-corruption, use of company assets and IT, gifts and entertainment, external communications, reporting and whistleblower protection, and the consequences of breach. It should reference the Internal Committee under the POSH Act once the company has 10 or more employees.

Is a code of conduct legally required in India?

There is no single law that mandates a standalone code of conduct for every private company. However, parts of what a code covers are legally required: an anti-harassment policy and Internal Committee under the POSH Act 2013 (mandatory at 10 or more employees), and data protection obligations under the DPDP Act 2023. Listed companies and many large or regulated firms are also expected to maintain a code under SEBI and governance norms. For most companies a code is best practice that consolidates these obligations in one place.

What is the difference between a code of conduct and an HR policy?

A code of conduct sets the high-level principles and standards of behaviour: integrity, respect, no conflicts, no bribery, confidentiality. HR policies are the detailed operational rules that sit underneath it: leave, attendance, POSH procedure, IT acceptable use, expense claims, disciplinary process. The code is the why and the boundary; the individual policies are the how. Most companies reference the code at the top of the employee handbook and link out to specific policies.

How do you roll out a code of conduct to employees?

Roll out a code of conduct in five steps: draft it to fit your company and Indian law, get leadership and legal sign-off, communicate it through an all-hands and the handbook, collect a signed or digital acknowledgement from every employee, and refresh it with annual training and a yearly review. Acknowledgement matters because a code you cannot prove people read is hard to enforce in a disciplinary matter.

Should the code of conduct apply to contractors and vendors?

The full employee code applies to employees, but the core principles (anti-bribery, confidentiality, anti-harassment, no conflicts) should extend to contractors, consultants and on-site partners through their contracts or a shorter supplier code of conduct. POSH protections in particular cover anyone at the workplace, including contract staff, interns and visitors, so harassment standards must reach beyond the payroll.

How often should a code of conduct be updated?

Review the code of conduct at least once a year and whenever the law changes, the company enters a new market, or an incident exposes a gap. Recent triggers in India include the DPDP Act 2023 for data and privacy clauses and ongoing POSH compliance. Keep a version number and effective date on the document, and re-collect acknowledgements when you make a material change.

This is general information for India as of 2026 and not legal advice. Laws such as the POSH Act 2013 and the DPDP Act 2023 evolve, and rules and notified dates change. Verify the current law and have a qualified lawyer review your code of conduct before you adopt it.
