This Digital Operational Resilience Act ("DORA") addendum ("Addendum") is created to document compliance with REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
This Addendum will become effective from the date of signature of both parties.
In the event of any inconsistency or conflict between the provisions of this Addendum and the provisions of any other document referenced in the Agreement, the terms of this Addendum shall prevail to the extent of such inconsistency or conflict.
Agreement - means the Order Confirmation, Terms and Conditions, Data Processing Agreement, DORA Addendum and the Service Level Agreements agreed upon between Formalize and the Customer.
ICT Services - has the meaning prescribed in article 3 of DORA.
Personal Data - means any information as defined by Article 4.1 of the General Data Protection Regulation (EU) 2016/679.
Processor - has the meaning prescribed in Article 4.8 of the General Data Protection Regulation (EU) 2016/679.
Services - means the services provided to the Customer by Formalize under the Agreement.
Subcontracting - means Formalize's use of subcontractors to fulfil its obligations and deliver its Services under the Agreement and this Addendum.
The Customer is an entity that falls under the Scope of DORA as defined in Article 2 of DORA and/or its implementing national law.
Formalize undertakes to provide to the Customer Services that constitute ICT Services as defined under DORA. The purpose of this Addendum is to ensure those requirements and standards are included in the Agreement.
For the purposes of this Addendum, the Parties assume Formalize ApS is supporting Customer's important or critical business functions.
A clear and complete description of all functions and ICT services to be provided by Formalize can be found in the Terms and Conditions that are part of this Agreement. These ICT Services shall be considered as Cloud services: SaaS.
The Customer has the duty to identify which of those services are supporting the Customer's important or critical business functions.
The Customer is entitled to monitor Formalize's performance in connection with the Agreement and the agreed service levels on an ongoing basis. In this regard, the Customer is granted:
To facilitate the exercise of these rights, Formalize will provide the Customer with third-party certifications, internal and external audit reports. These will be available at any time in Formalize's trust center as further explained below in 4.3. Reporting.
Further, the Customer will have the right to request, with a frequency that is reasonable and legitimate from a risk management perspective, modifications of the scope of the certifications or audit reports to other relevant systems and controls and the contractual right to perform individual and pooled audits at its discretion with regard to the contractual arrangements and execute those rights in line with the agreed frequency.
Formalize agrees to notify the Customer without undue delay in writing of any developments that may have a material impact on Formalize's ability to effectively perform the Services in compliance with:
Formalize undergoes yearly audits and as part of the certifications and reports obtained and renewed, the business contingency plan is reviewed and tested. Formalize further performs, in order to maintain the aforementioned certifications and reports, a half-yearly test of the Disaster Recovery plan. Furthermore, Formalize performs a yearly penetration test performed by an independent third party. The results of these exercises are published on the webpage of Formalize at the Trust Center.
The Customer has the right to require Formalize to provide the Customer with reports (including internal or external audit reports), as appropriate, where such reports indicate Formalize's inability to effectively perform the Services in accordance with the requirements set out in this Clause.
The Customer has the responsibility to provide to Formalize and keep updated a specific mail where communications related to DORA will be supplied.
Incidents will be managed and communicated to the Customer as described in the Service Level Agreement.
Formalize will provide the Customer with all necessary assistance in the event of an Incident arising from or in connection with the Services.
Any assistance in connection with an ICT-Related Incident will be provided by Formalize free of charge, unless otherwise agreed between the Parties.
Formalize may use subcontractors to perform part of the Services ("Subcontracting" to a "Subcontracting Partner").
With regard to the subcontracted Services, location, length of the supply chain, the nature of data, the subcontractor and the services locations (processing and storage of data), this information can be found in the form Formalize - DORA - Supplier data and the Data Processing Agreement, provided together with this Addendum.
In the event that Formalize uses Subcontracting Partners to perform part of the services, Formalize acknowledges and agrees:
Formalize provides in the Data Processing Agreement an up-to-date overview of the locations (countries) where the subcontracted Services are provided and where data is processed, including the storage location.
Formalize shall inform the Customer about any changes to the locations where the subcontracted functions and Services are provided.
Formalize has implemented appropriate technical and organisational measures considering the current state of technological development and the measures available, including inter alia as appropriate:
Notwithstanding anything to the contrary, during the term of the Agreement, the Customer will be entitled to access data belonging to the Customer, at all times, in a manner consistent with the functionality of the Services.
In the event of insolvency or discontinuation of business operations of Formalize, the Customer will have unfettered access to the data belonging to the Customer.
Formalize's provision of Services includes processing of the Customer's Personal Data in scope of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data ("General Data Protection Regulation"). For this purpose, the Parties have concluded a separate Data Processing Agreement laying down responsibilities and obligations with respect to such processing of Personal Data.
Where appropriate, and at least yearly, Formalize personnel participate in security awareness programmes.
Formalize's relevant employees can be requested to participate in the Customer's ICT security awareness programmes and digital operational resilience training if the Customer considers the content of Formalize's awareness programmes is not enough for the purposes of DORA.
When the programmes and training have an impact on Formalize's normal business activities, Formalize has the right to charge a fee determined ex ante for the employees' availability.
The term of this Addendum commences on the date of its signature and continues in full force and effect until (i) the date on which the active Agreement expires or is terminated in accordance with the terms of the Agreement; (ii) the date on which the active Agreement is terminated in accordance with the provisions of this Addendum; or (iii) the date on which the Customer is not a company subject to DORA.
In addition to the Customer's termination rights as stated in the Terms and Conditions, the Customer may terminate an Agreement upon:
With regard to the termination rights described in clauses a, b, and c, the Customer shall provide Formalize with at least 15 days' prior written notice, which shall serve as a cure period for Formalize to remedy the identified breach, risk, or weakness to the Customer's reasonable satisfaction. If Formalize fails to adequately address the issue within the cure period, the Customer may terminate the Agreement with immediate effect.
For termination under clause d, the Agreement shall be deemed terminated immediately upon written notice from the Customer, without the need for a cure period.
Termination pursuant to this clause shall be without prejudice to any other rights or remedies available to the Customer under the Agreement or applicable law.
The intention of this section (hereinafter referred to as "the Exit Plan") is to provide clarity on an adequate transition period for cases where the Agreement has been terminated (or is soon to be terminated). The Exit Plan provides for measures to ensure a smooth and timely transition, whereby Formalize is obliged to fully cooperate with the exit.
The Exit Plan starts 30 days before the termination of the Agreement.
Soft Exit - 30 days before the termination
From this day, and for the following 30 days, the Customer still has access to the Services, all applications and all stored data. The Customer shall take the opportunity to extract the relevant data from Formalize's infrastructure. During this term, the Customer will have to communicate to Formalize any other information that could not be extracted in order to allow the Customer to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.
During the Soft Exit phase, the Customer bears responsibility for initiating all data export activities. Formalize will support the Customer in exporting the items listed under Data above.
Hard Exit - Data deletion - Days 1 to 30 after termination
Following the Soft Exit Phase, Formalize will review and ensure the removal of all Customer's data from its infrastructure. This removal will take place within 30 days after the Soft Exit Phase concludes, after which the information will be retained in backup storage for 90 days.
During the Hard Exit Phase, Formalize is responsible for the final deletion of all Customer data from its infrastructure and for informing Customer in writing of the completion of the Exit Plan.
Cooperation with the exit:
Formalize is obliged to fully cooperate in the implementation of the exit and carry out all necessary work, subject to the limits established below.
Services by Formalize may continue after the termination date and continue until the transition to a new service provider or system is fully completed. Customer shall inform Formalize of its intention to continue accessing the System. This notification shall be done before the termination date and the parties will agree to an interim agreement for a period of between 6 months and 1 year. The costs for the interim agreement might reflect a price increase of no more than 10% with regard to the former Agreement.
Exit Plan update:
The Exit Plan may be updated and revised annually at the written request of Customer in consultation with Formalize, including a cost and schedule.
Any request made by the Customer under this Addendum must:
To the extent of any conflict or inconsistency between this Addendum and the terms of the Agreement, this Addendum will prevail.
Changes to the Agreement or Addendum may only be agreed upon between Parties in writing.
This Addendum is governed by Danish National Law, and the applicable European Regulations referenced herein, DORA and related delegated regulations.
If the court declares articles from this Addendum invalid, the other articles will remain fully in force.
The provisions of this Addendum are based on the Digital Operational Resilience Act (DORA), related Delegated Acts, Implementing Technical Standards (ITS), and Regulatory Technical Standards (RTS). In the event that any of these legal instruments are amended or repealed, and any provision of this Addendum is no longer reflected or required under the applicable regulatory framework, such provision shall cease to apply. However, the remaining provisions of this Addendum shall continue in full force and effect unless otherwise agreed by the parties.