Addendum Digital Operational Resilience Act - DORA
Preamble
From January 17, 2025, customers in regulated financial industries must comply with the requirements of regulation (EU) 2022/2554 on digital and operational resilience for the financial sector and amending regulations (EC) No 1060/2009, (EU) No 846/2012, (EU) No 600/214, (EU) No 909/2014 and (EU) 2016/1011 (the so-called "DORA regulation").
The following provisions serve the purpose of adapting the main agreement to the requirements of the DORA regulation for contracts with ICT third-party service providers.
1. Data protection and data access
1.1 Personal data are processed in accordance with the Data Processing Agreement.
1.2 The Parties undertake to treat all Confidential Information, business and trade secrets obtained within the scope of the contractual relationship as confidential, in particular not to pass them on to third parties or to utilize them for purposes other than contractual purposes.
1.3 Confidential Information is information that a reasonable third party would consider worthy of protection or that is marked as confidential; this may also be information that becomes known during an oral presentation or discussion. Confidential Information may only be used for the purpose of fulfilling the obligations arising from the Contract. The obligation of confidentiality does not apply to information that is already lawfully known to the Parties or becomes known outside the contract without breach of a confidentiality obligation.
1.4 The Customer retains continuous access to all data stored on the Provider's systems.
1.5 The Provider is obligated to restore all data stored on its systems, if necessary.
1.6 The Customer may request data release and export at any time. The Provider will supply all stored data in a readily accessible format.
1.7 The rights and obligations under Sections 1.4 to 1.6 shall apply in particular in the event of insolvency, resolution or discontinuation of the business operations of the Provider, or in the event of the termination of the contractual arrangements. The Provider shall take appropriate measures to ensure this.
1.8 The Provider shall have no right of retention with regard to Sections 1.4 to 1.7.
2. Service Level Agreement
2.1 The Service Level Agreement is subject to continuous evaluation and optimization by both parties.
3. Obligation to cooperate; support services
3.1 The Provider is obliged to cooperate fully with the supervisory and resolution authorities responsible for the Customer, including the persons designated by them.
3.2 The Provider is obliged to support the Customer in the event of an ICT-related incident which is related to the services provided under the main agreement, in order to minimize damage, system failures or similar risks and to remedy the incident as quickly as possible.
3.2.1 For the purpose of this contract, "ICT-related incident" means a single event or a series of linked events, unplanned by the Customer, that compromise the security of the network and information systems and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the Customer.
3.2.2 The Provider offers this support free of charge for up to 4 hours annually. Additional support will be billed at $150 per hour.
4. Termination
4.1 The Customer shall be entitled to terminate the agreement in the following cases:
a) Significant breach by Provider of applicable laws, regulations or contractual terms.
b) Circumstances identified throughout the monitoring of ICT third-party risk (Article 3 paragraph 18 DORA Regulation) that are deemed capable of altering the performance of the functions provided through the agreement, including material changes that affect the arrangement or the situation of the Provider.
c) The Provider has evidenced weaknesses pertaining to its overall ICT risk management, in particular in the way it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data.
d) Where the competent authority can no longer effectively supervise the Customer as a result of the conditions of, or circumstances related to, the respective agreement.
e) At the request of the competent authorities or the resolution authorities.
The service can be cancelled at any time in the admin interface in accordance with §12 of the main agreement.
5. Trainings
5.1 At the request of the Customer, the persons entrusted by the Provider with the provision of services under this agreement shall participate in the programs developed by the Customer to raise awareness of ICT security and training on digital operational resilience within the meaning of Article 13 paragraph 6 DORA Regulation.
5.2 Trainings will be charged at a fee of $150 per hour.
6. Final provisions
6.1 The Customer is aware that the legal requirements for digital and operational resilience in the financial sector and their interpretation by the courts and supervisory authorities as well as technical developments may require adjustments to this agreement over time. In this case, the Provider will take appropriate measures to ensure legal conformity.
6.2 Any changes to this DORA Addendum will be announced 6 weeks in advance by email to the designated license contact and on our trust center.
6.3 Any amendments to this Agreement must be in writing and signed by each party’s authorized representatives (an “Amendment”). Amendments become part of this Agreement.
6.4 If individual provisions of the agreement become invalid, in whole or in part, the validity of the remaining provisions shall remain unaffected. The Parties agree to replace any invalid provision with one that most closely aligns with the original provision's economic purpose.