This Addendum (the “DORA Addendum”) is entered into between QEVLAR AI, a French société par actions simplifiée with share capital of 18 298,30 €, having its registered office at 15 rue Auguste Gervais, 92130 Issy-les-Moulineaux, France, registered with the Trade and Companies Register of Nanterre under number 952 849 115 (“Provider” or “ICT Third-Party Service Provider”), and the financial entity identified in the Agreement (“Customer” or “Financial Entity”). This DORA Addendum is incorporated into and forms part of the Master Services Agreement entered into between the Parties governing Customer's use of the Services (the “Agreement”). Capitalised terms used but not defined in this DORA Addendum have the meanings given in the Agreement or in DORA.
The Parties acknowledge that Customer is a financial entity within the scope of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”), and that the Services provided by Provider under the Agreement constitute ICT services within the meaning of DORA. The Parties enter into this DORA Addendum to satisfy the mandatory contractual provisions for ICT third-party arrangements set forth in Articles 28 to 30 of DORA and the related Commission Regulatory Technical Standards. This DORA Addendum applies to the Agreement from the Effective Date set forth below and, in the event of any conflict between this DORA Addendum and any other provision of the Agreement (including the DPA, the Service Level Agreement, or any Order Form), this DORA Addendum prevails with respect to subject matter covered by Articles 28 to 30 of DORA, provided that any provision more favourable to Customer's DORA compliance in another part of the Agreement remains in force and is read together with this DORA Addendum.
In addition to the terms defined in the Agreement, the following terms have the meanings given below. Where DORA itself defines a term, that DORA definition prevails.
“Competent Authority” means any competent authority designated under DORA or any other applicable Union financial-services law that has supervisory or resolution powers in respect of Customer, including the European Supervisory Authorities (EBA, EIOPA, and ESMA, together the “ESAs”) and any national competent authority. “Critical or Important Function” means a function the disruption of which would materially impair Customer's financial performance, soundness, continuity of services or activities, or compliance with applicable law, as determined by Customer pursuant to Article 28 of DORA. Customer shall notify Provider in the Order Form (or by separate written notice) where the Services support a Critical or Important Function (a “CIF Designation”). The additional provisions of Section 11 (CIF Provisions) apply only where a CIF Designation is in force.
“DORA” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector, as amended, supplemented, or replaced from time to time, together with any Regulatory Technical Standards, Implementing Technical Standards, guidelines, and supervisory expectations issued thereunder.
“ICT-Related Incident” means a single event or series of linked events, unplanned by Provider, that compromises the security of network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data or the services provided by Provider, as defined in Article 3 of DORA.
“ICT Services” means the digital and data services rendered by Provider through ICT systems to Customer on an ongoing basis under the Agreement, within the meaning of Article 3(21) of DORA.
“Register of Information” means Customer's register of all contractual arrangements on the use of ICT services provided by ICT third-party service providers, maintained by Customer pursuant to Article 28(3) of DORA. “Sub-Contractor” means an entity engaged by Provider to perform all or part of the ICT Services under the Agreement, including any Sub-processor (as defined in the DPA), within the meaning of Article 29 of DORA and the related Regulatory Technical Standards.
“TLPT” means Threat-Led Penetration Testing within the meaning of Article 26 of DORA.
This DORA Addendum applies to any ICT Services provided by Provider to Customer under the Agreement that fall within the scope of DORA. Customer is solely responsible for determining whether and to what extent its activities and the Services fall within the scope of DORA, and shall notify Provider promptly in writing of any change in that determination (including any CIF Designation or de-designation).
In the event of any conflict between this DORA Addendum and the body of the Agreement, the DPA, the Service Level Agreement, or any Order Form, this DORA Addendum prevails with respect to subject matter covered by Articles 28 to 30 of DORA. Otherwise, the order of precedence set forth in the Agreement applies.
This DORA Addendum takes effect on the later of (a) the Effective Date of the Agreement, and (b) the date of signature of this DORA Addendum, and remains in force for so long as the Agreement remains in force. Any provision of this DORA Addendum that by its nature is intended to survive (including Sections 7, 8, 9, 10, 11, 12, and 14) survives termination of the Agreement.
A clear and complete description of the ICT Services to be provided is set out in (a) the Agreement (in particular the definition of Services and the Documentation), (b) the applicable Order Form, and (c) Annex A of the DPA (Data Processing Description). Where the ICT Services include subscription-based access to Provider's cloud-based cybersecurity software-as-a-service offering, such description is incorporated by reference. Provider shall update the description as necessary to reflect any material change to the ICT Services and shall notify Customer in writing in accordance with Section 8 (Material Changes).
Customer Data and other data processed by Provider in the course of providing the ICT Services are processed in the locations set forth in Section 5(a) of the DPA and the applicable Order Form. As of the Effective Date, the default processing region is the European Economic Area; processing in the United States may occur where elected by Customer in the Order Form or as expressly authorised by Customer in writing.
Provider shall notify Customer in writing at least thirty (30) days in advance of any change to the locations of processing that would result in Customer Data being processed outside the country or region designated in the Order Form (or, for changes required by applicable law, as soon as reasonably practicable). Customer's objection rights with respect to such changes are governed by Section 3(d) of the DPA and Section 8 of this DORA Addendum.
All cross-border transfers of personal data are governed by Section 5 of the DPA, including any applicable Standard Contractual Clauses.
Provider shall implement and maintain appropriate technical and organisational measures designed to ensure the availability, authenticity, integrity, and confidentiality of Customer Data and personal data processed in the course of providing the ICT Services. The applicable measures are described in Annex B (Security Measures) of the DPA and include, at a minimum: (a) encryption at rest and in transit using industry-standard algorithms and key lengths, (b) role-based access controls and multi-factor authentication for all administrative access, (c) network segmentation and intrusion-detection systems, (d) regular vulnerability scanning and remediation per documented service-level objectives, (e) logging and monitoring of security-relevant events, (f) backup and recovery procedures, and (g) personnel access controls and confidentiality obligations. Provider shall maintain these measures during the Term and shall not materially diminish their overall effectiveness, in accordance with Section 4(b) of the DPA.
During the Term, Customer shall have access to Customer Data, security telemetry, Investigation Reports, and other operational information made available through the Services in accordance with the Documentation. Provider shall not unreasonably impede such access.
Provider shall implement business-continuity, disaster-recovery, and backup arrangements in accordance with Annex B of the DPA and the Service Level Agreement, sufficient to enable timely recovery of Customer Data and resumption of the ICT Services following a disruption. Provider shall test such arrangements at least annually and shall, on Customer's reasonable request, provide a summary of the most recent test results.
On expiration or earlier termination of the Agreement, Provider shall return or delete Customer Data in accordance with Section 6 of the DPA, on Customer's election and subject to applicable law. Provider shall, on Customer's request, provide reasonable assistance to enable Customer to migrate Customer Data to Customer or to a successor ICT third-party service provider, on the terms set forth in Section 9 (Exit Strategy) below.
The service levels applicable to the ICT Services are set forth in Exhibit B of the Agreement (Service Level Agreement) and the applicable Order Form, and include availability targets, response-time objectives, and the measurement methodology.
Where a CIF Designation is in force, the Service Level Agreement and the applicable Order Form together include precise quantitative and qualitative performance targets in accordance with Article 30(3)(a) of DORA, including: (a) availability targets expressed as a Monthly Availability Rate; (b) response and resolution targets for P1, P2, and P3 incidents; (c) recovery-time objective (RTO) and recovery-point objective (RPO) for disaster-recovery scenarios; and (d) any additional targets agreed in the Order Form.
Provider shall measure and report on the service levels in accordance with Exhibit B and shall make such reports available to Customer at the cadence specified therein. Customer may use such reports for the purpose of monitoring Provider's performance and for inclusion in Customer's Register of Information.
Provider shall notify Customer of any ICT-Related Incident that affects Customer's use of the ICT Services without undue delay after Provider becomes aware of it, and in any event within the time period required by Applicable Data Protection Laws and applicable DORA Regulatory Technical Standards. Each notification shall include, to the extent then known, (a) the nature and scope of the incident, (b) the affected ICT Services and (if known) the affected Customer Data, (c) the actions taken or proposed to mitigate and remediate the incident, (d) Provider's primary security and operational contacts for the incident, and (e) any other information reasonably requested by Customer to enable Customer to comply with its DORA reporting obligations.
Provider shall, at no additional cost during the period of the incident, provide reasonable assistance to Customer in connection with (a) the investigation, containment, and remediation of the incident, (b) the assessment of impact on Customer Data and on Customer's services, (c) any reporting obligations Customer has under DORA (including reporting to Competent Authorities), and (d) any communication with affected data subjects, customers, or counterparties as required by applicable law.
Following the resolution of any major ICT-Related Incident affecting Customer's use of the ICT Services, Provider shall provide Customer with a written post-incident review containing (a) a description of the root cause, (b) the corrective and preventive actions taken or planned, and (c) lessons learned and process improvements. Such review shall be provided within thirty (30) days of resolution, unless a longer period is reasonable in the circumstances.
Provider shall notify Customer in writing of any material change to the ICT Services that may have a material impact on Provider's ability to perform its obligations under the Agreement or this DORA Addendum, including changes to processing locations, Sub-Contractors, or material technical or operational arrangements, on the timelines set forth in Section 4.2 and Section 10.
Provider shall cooperate, in good faith and to the extent legally permissible, with any Competent Authority, including by (a) responding to information requests, (b) providing access to records and premises to the extent permitted in this DORA Addendum, and (c) participating in supervisory dialogue where reasonably requested.
Subject to the safeguards set forth in Section 4(e) of the DPA, Provider grants Customer and any Competent Authority (and any third party appointed by either of them) the right to inspect and audit Provider's records, systems, and premises in connection with the ICT Services. The exercise of such rights is subject to (a) reasonable advance notice (not less than thirty (30) days, except in case of suspected material breach or supervisory urgency), (b) scope agreed in writing in advance, (c) confidentiality obligations on the auditor, (d) no compromise of Provider's security measures or other customers' data, and (e) cost allocation as set out in Section 4(e) of the DPA.
Notwithstanding Section 9.2 and Section 4(e) of the DPA, Provider acknowledges that Competent Authorities have direct rights of access, inspection, and audit in respect of ICT third-party service providers under Articles 35 to 39 of DORA (where applicable) and shall not impede the exercise of such rights. Customer shall give Provider reasonable advance notice (where lawful) of any inspection or audit by a Competent Authority.
In addition to any termination rights set forth in the Agreement, Customer may terminate the Agreement on written notice to Provider, with effect at the end of a reasonable notice period to permit transition, if: (a) Provider materially breaches Union or national law, regulation, or contractual terms (including this DORA Addendum) in a manner that compromises Customer's compliance with DORA; (b) circumstances arise that may materially impair the performance of the ICT Services, including Sub-Contractor changes not approved by Customer where approval is required under Section 11.5 or the DPA; (c) Provider exhibits weaknesses in its overall ICT risk management or its ability to provide the ICT Services that pose a material risk to Customer; (d) a Competent Authority requires or recommends termination on the basis of supervisory findings; or (e) Provider becomes subject to insolvency or resolution proceedings or otherwise becomes unable to continue to provide the ICT Services.
Unless immediate termination is required by law or by a Competent Authority, the minimum notice period for termination under Section 10.1 is thirty (30) days, except where Customer requires a longer notice period to ensure orderly transition; in no event will the minimum notice period for CIF arrangements be less than what is necessary to allow Customer to complete the exit plan referred to in Section 9 (Exit Strategy) without disruption to a Critical or Important Function.
Provider may terminate the Agreement only in accordance with Section 11(b) of the Agreement and shall not exercise any termination right (including for non-payment) in a manner that would cause Customer to be in breach of DORA, provided Customer is engaging in good-faith cure and migration efforts.
On notice of termination, Provider shall continue to perform the ICT Services in accordance with the Agreement and shall, on Customer's reasonable request, perform the transition assistance described in Section 9 (Exit Strategy) below.
The provisions of this Section 11 apply only where a CIF Designation is in force in respect of all or part of the ICT Services.
The Agreement, the DPA, the Service Level Agreement, and the Order Form together contain (a) a full description of the ICT Services and Critical or Important Functions supported, (b) the locations of processing and the territorial scope, (c) the data types processed, and (d) the conditions for sub-contracting, sufficient to satisfy Article 30(3)(a) of DORA.
Section 7.2 and Exhibit B of the Agreement contain the precise quantitative and qualitative performance targets required by Article 30(3)(a) of DORA, including availability, response, recovery, and security-incident targets. Provider's failure to meet such targets entitles Customer to the remedies set out in Exhibit B and (in the case of repeated or persistent material failure) to terminate under Section 10.1(c).
Provider shall implement and maintain business-continuity and disaster-recovery arrangements as described in Annex B of the DPA, including documented RTO and RPO targets, annual testing, and prompt reporting of test outcomes to Customer on request, in accordance with Article 30(3)(c) of DORA. Provider's BCP/DR arrangements shall be designed to ensure recovery of the ICT Services within the timelines set out in the Service Level Agreement and the Order Form.
Where Customer is required by DORA to undertake Threat-Led Penetration Testing under Article 26 of DORA, Provider shall, on Customer's reasonable request and at Customer's cost (unless otherwise agreed in the Order Form), cooperate in the planning, scoping, and execution of such TLPT to the extent the TLPT scope reasonably includes the ICT Services. Provider's cooperation includes (a) participation in scoping meetings, (b) provision of relevant technical information under appropriate confidentiality safeguards, (c) coordination of testing windows to minimise operational impact, and (d) participation in remediation discussions for findings affecting the ICT Services. Provider may share the results of an equivalent recent TLPT or pooled testing exercise (within the meaning of Article 26(4) of DORA) in lieu of a Customer-commissioned TLPT, where such results adequately cover the relevant scope.
Where the ICT Services support a Critical or Important Function, Provider shall: (a) notify Customer in writing at least thirty (30) days in advance of any intended new Sub-Contractor (or proposed material change to an existing Sub-Contractor) that would perform a function supporting a Critical or Important Function; (b) provide such information as Customer reasonably requires to assess ICT concentration risk under Article 29 of DORA; and (c) where Customer raises a reasonable objection on data-protection or operational-resilience grounds, refrain from engaging that Sub-Contractor or terminate the Agreement in respect of the affected ICT Services in accordance with Section 3(d) of the DPA.
On entry into the Agreement (or on receipt of a CIF Designation, if later), the Parties shall agree a written exit strategy reasonably designed to ensure (a) orderly migration of the ICT Services to Customer or to a successor ICT third-party service provider, (b) return or deletion of Customer Data, (c) transfer of operational knowledge and key documentation, and (d) continuation of services during a transition period of up to twelve (12) months following the effective date of termination. Customer is responsible for selecting and contracting with any successor provider. Provider shall, on Customer's reasonable request, perform transition assistance in accordance with the exit strategy, at Provider's then-current professional services rates.
Provider shall ensure that personnel involved in providing the ICT Services participate in Provider's information-security awareness and training programmes on at least an annual basis. On Customer's reasonable request, Provider shall provide a summary of its training programme and Customer may request the inclusion of Customer-specific topics relevant to Customer's ICT risk profile, subject to mutual agreement on scope and cost.
Customer's general authorisation for Provider's use of Sub-Contractors is governed by Section 3 of the DPA. The Sub-Contractor list in effect from time to time is made available by Provider as set forth in the DPA.
Provider shall ensure that any Sub-Contractor performing a Critical or Important Function on behalf of Provider is (a) bound by written terms imposing data-protection, security, confidentiality, audit, and ICT-risk-management obligations no less protective of Customer than those set forth in the Agreement and this DORA Addendum, and (b) subject to Provider's full liability for the Sub-Contractor's acts and omissions. Provider's right to use further levels of sub-contracting in respect of CIF is restricted in accordance with Section 11.5 and Article 29 of DORA.
On Customer's reasonable request, Provider shall provide such information as is necessary for Customer to perform the ICT concentration-risk assessment required under Article 29 of DORA, including (where relevant) the identity and location of Sub-Contractors performing material functions in support of the ICT Services.
Provider acknowledges that Customer is required to maintain a Register of Information for all ICT third-party arrangements. On Customer's reasonable request, Provider shall provide to Customer the information necessary to populate the Register of Information in the format prescribed by the ESAs from time to time, including (a) the identification of the contractual arrangement, (b) the type of ICT Services provided, (c) the identification of any function supported by the ICT Services, (d) any CIF Designation, (e) the identification of relevant Sub-Contractors (where required), and (f) any other information required by DORA-implementing measures. Provider shall use commercially reasonable efforts to provide such information within a reasonable timeframe and may publish a standard “DORA Information Sheet” containing such information.
Unless otherwise agreed in writing, each Party bears its own costs of complying with this DORA Addendum.
Where Customer requests assistance from Provider that materially exceeds Provider's standard cooperation under the Agreement (including bespoke audit support, TLPT execution, customised migration assistance, or extended transition services), Provider may invoice Customer for such assistance at Provider's then-current professional services rates.
Provider may update this DORA Addendum from time to time to reflect changes in DORA, related Regulatory Technical Standards, Implementing Technical Standards, supervisory guidance, or industry best practice, provided that any such update does not materially diminish Customer's rights or Provider's obligations. Provider shall give Customer reasonable advance written notice of any material update.
This DORA Addendum is governed by, and construed in accordance with, the governing law specified in the Agreement, except where mandatory provisions of DORA or national implementing measures require otherwise. Disputes arising out of or relating to this DORA Addendum are subject to the jurisdiction set forth in the Agreement.
For ease of reference and supervisory mapping, the following table maps the provisions of this DORA Addendum to the corresponding Articles of DORA.