Exhibit 1.01
Qualys, Inc.
Conflict
Minerals Report
For the Reporting Period from January 1, 2023 to December 31, 2023
This Conflict Minerals Report (this Report) of Qualys, Inc. (we, Qualys or the Company) has been prepared
pursuant to Rule 13p-1 and Form SD (the Rule) promulgated under the Securities Exchange Act of 1934, as amended, for the reporting period from January 1, 2023 to December 31, 2023 (the
Reporting Period).
The Rule requires disclosure of certain information when a company manufactures or contracts to manufacture products where
the minerals specified in the Rule are necessary to the functionality or production of those products. The specified minerals are referred to as Conflict Minerals, which include gold, columbite-tantalite (coltan), cassiterite, wolframite
and their derivatives, which are limited to tantalum, tin and tungsten. The Covered Countries for purposes of the Rule and this Report are the Democratic Republic of Congo (the DRC), the Republic of Congo, the Central African
Republic, South Sudan, Uganda, Rwanda, Burundi, Tanzania, Zambia and Angola.
Company Overview
We are a pioneer and leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions that
enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations.
Our cloud platform addresses the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries between IT
infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets. Our integrated suite of IT, security and compliance solutions delivered on
Qualys Enterprise TruRisk Platform enables our customers to identify and manage their IT and operational technology (OT) assets, collect and analyze large amounts of IT security data, discover and prioritize vulnerabilities,
quantify cyber risk exposure, recommend and implement remediation actions and verify the implementation of such actions. Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT
and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer
security and cloud teams.
Our cloud platform utilizes physical and virtual sensors, and cloud agents that provide our customers with continuous
visibility enabling customers to respond to threats immediately. Our cloud platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend. The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive
analyzers, and correlate information at very high speeds in a distributed manner for millions of devices.
Description of the Companys Products
Covered by this Report
This Report relates to our physical scanner appliances: (1) for which Conflict Minerals are necessary to their
functionality or production, (2) that were manufactured, or contracted to be manufactured, by the Company, and (3) for which the manufacture was completed during the Reporting Period. In this Report, we refer to these products collectively
as the Covered Products.
Description of the Companys Reasonable Country of Origin Inquiry
We have determined that Conflict Minerals are necessary to the functionality or production of the Covered Products that were manufactured or contracted to be
manufactured by us during the Reporting Period. As a result, we conducted in good faith a reasonable country of origin inquiry (RCOI) reasonably designed to determine if any of these Conflict Minerals originated in the Covered Countries
and whether any of the Conflict Minerals may be from recycled or scrap sources.
Our supply chain is complex, and there are many third parties in the
supply chain between the ultimate manufacturer of the Covered Products and the original sources of Conflict Minerals. We do not directly purchase Conflict Minerals from mines, smelters or refiners. Therefore, we must rely on our contract
manufacturers to provide information regarding the country of origin of Conflict Minerals that are included in the Covered Products. In designing our RCOI, we determined to survey all of our first tier contract manufacturers.
As such, our RCOI primarily consisted of requesting the Conflict-Free Sourcing Initiatives (CFSI) Conflict Minerals Reporting Template
(CMRT) be completed and returned to us from our first tier contract manufacturers. Responses were reviewed for completeness, reasonableness, and consistency, and we followed up with our contract manufacturers for corrections and
clarifications as needed.
We requested from our seven contract manufacturers that they complete the CMRT, and we received a 100% response rate. Based on
the smelter lists provided by our suppliers via the CMRTs, an aggregate of 352 facilities or smelters were used by our contract manufacturers to fulfill their requirements for Conflict Minerals. Of these 352 facilities and smelters, we have
identified 223 facilities or smelters that are deemed to be compliant with the Conflict-Free Smelter Program (CFSP). There are four other smelters or refiners that are deemed active by the CFSP, which means such smelters or
refiners have committed to undergo a CFSP audit or are participating in one of the cross-recognized certification programs: LBMA Responsible Gold Certification or Responsible Jewelry Program Chain-of-Custody Certification. The remaining 125 facilities or smelters identified by our contract manufacturers are not on the CFSI lists for compliant or active smelters. We have assessed these 125
facilities and determined that most of these are of low risk due to their geographic location. There is one smelter or refiner that may be considered at greater risk because it is geographically located in a Covered Country. Further, there is no
guarantee that these 125 facilities or smelters are present in our supply chain as our contract manufacturers were only able to provide company-level CMRTs, rather than product-level CMRTs directly linking smelters or refiners to the Covered
Products.