Preamble
From January 17, 2025, customers in regulated financial industries must comply with the requirements of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 846/2012, (EU) No 600/214, (EU) No 909/2014 and (EU) 2016/1011 (the so-called "DORA Regulation").
The following provisions serve the purpose of adapting the main agreement to the requirements of the DORA Regulation for contracts with ICT third-party service providers.
1. Data protection and data access
1.1 Personal data are processed in accordance with the Data Processing Agreement.
1.2 The Parties undertake to treat all Confidential Information, business and trade secrets obtained within the scope of the contractual relationship as confidential, in particular not to pass them on to third parties or to utilize them for purposes other than contractual purposes.
1.3 Confidential Information is information that a reasonable third party would consider worthy of protection or that is marked as confidential; this may also be information that becomes known during an oral presentation or discussion. Confidential Information may only be used for the purpose of fulfilling the obligations arising from the Contract. The obligation of confidentiality does not apply to information that is already lawfully known to the Parties or becomes known outside the contract without breach of a confidentiality obligation.
1.4 The Customer shall be granted access to all of the Customer’s data stored on the Provider’s systems at all times.
1.5 If necessary, the Provider shall be obliged to restore all data stored on the Provider’s systems.
1.6 The Customer may request the release of the data and export the data at any time. The Provider shall hand over all stored data to the Customer in an easily accessible format.
1.7 The rights and obligations under Sections 1.4 to 1.6 shall apply in particular in the event of insolvency, resolution or discontinuation of the business operations of the Provider, or in the event of the termination of the contractual arrangements. The Provider shall take appropriate measures to ensure this.
1.8 The Provider shall have no right of retention with regard to Sections 1.4 to 1.7.
2. Service Level Agreement
2.1 The Service Level Agreement shall be continuously evaluated and optimized by the Parties.
3. Obligation to cooperate; support services
3.1 The Provider is obliged to cooperate fully with the supervisory and resolution authorities responsible for the Customer, including the persons designated by them.
3.2 The Provider is obliged to support the Customer in the event of an ICT-related incident related to the services provided under the main agreement, in order to minimize damage, system failures or similar risks and to remedy the incident as quickly as possible.
3.2.1 For the purpose of this contract, "ICT-related incident" means a single event or a series of linked events unplanned by the Customer that compromise the security of the network and information systems and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the Customer.
3.2.2 The Provider shall provide these services free of charge for up to 4 hours per year. Additional efforts will be charged at a fee of $150 per hour.
4. Termination
4.1 The Customer shall be entitled to terminate the agreement in the following cases:
a) Significant breach by Provider of applicable laws, regulations or contractual terms.
b) Circumstances identified in the course of the monitoring of ICT third-party risk (Article 3 paragraph 18 DORA Regulation) that are deemed capable of altering the performance of the functions provided through the agreement, including material changes that affect the arrangement or the situation of the Provider.
c) Evidenced weaknesses of the Provider pertaining to its overall ICT risk management, and in particular to the way it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data.
d) Where the competent authority can no longer effectively supervise the Customer as a result of the conditions of, or circumstances related to, the respective agreement.
e) At the request of the competent authorities or the resolution authorities.
The service can be cancelled at any time in the admin interface in accordance with §12 of the main agreement.
5. Trainings
5.1 At the request of the Customer, the persons entrusted by the Provider with the provision of services under this agreement shall participate in the programs developed by the Customer to raise awareness of ICT security and training on digital operational resilience within the meaning of Article 13 paragraph 6 DORA Regulation.
5.2 Trainings will be charged at a fee of $150 per hour.
6. Final provisions
6.1 The Customer is aware that the legal requirements for digital operational resilience in the financial sector, their interpretation by the courts and supervisory authorities, and technical developments may require adjustments to this agreement over time. In this case, the Provider will take appropriate measures to ensure legal conformity.
6.2 Any changes to this DORA Addendum will be announced 6 weeks in advance by email to the contact named in the license and on our trust center.
6.3 Any amendments to this Agreement must be in writing and signed by each party’s authorized representatives (an “Amendment”). Amendments become part of this Agreement.
6.4 Should individual provisions of the agreement be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. In place of the invalid provision, the Parties undertake to agree on a provision that comes closest to the economic purpose of the invalid provision.