THEREFORE DORA FINANCIAL ENTITY ADDENDUM
(for services supporting non-critical or important functions)
This addendum (the “Addendum“) modifies the Terms of Use (all terms as defined below) applying between a customer (“Customer”) who purchased the use of THEREFORE Software as a Service under a Customer Agreement from a Reseller and THEREFORE Corporation GmbH (“Supplier”). This Addendum together with the Terms of Use shall form the “Agreement” and shall be considered as a single document available to the parties and be in writing.
1. Definitions
Unless otherwise defined herein or the context otherwise requires, terms used in this Addendum, have the meanings provided in the TOU (as defined below).
1.1. Critical or Important Service: An ICT Service provided by the Supplier that is used by the Customer to support
a) any of its functions that is considered by the Customer to be a critical or important function, or
b) a material part of such a function defined in point a).
1.2. Customer Data: Any data of Customer stored or processed in a system provided by Supplier as part of an ICT Service.
1.3. DORA Regulation: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
1.4. DORA Subcontractor: A subcontractor of the Supplier who provides a material part of an ICT Service to the Supplier.
1.5. ICT Incident: As defined in Article 3(8) of the DORA Regulation.
1.6. ICT Service: As defined in Article 3(21) of the DORA Regulation and provided by the Supplier to the Customer under the Customer Agreement.
1.7. Regulator: Any competent authority as understood under the DORA Regulation in relation to the Customer or the resolution authority as referred to in Article 3 of Directive 2014/59/EU.
1.8. Terms of Use (or TOU): The terms and conditions applying to the use of the Services as laid down in the Customer Agreement.
2. General provisions
2.1. The Supplier offers to the Customer to enter into this Addendum by specifying when entering into the Customer Agreement that the Customer (i) is an entity listed in Art. 2 of the DORA Regulation and (ii) purchases the use of the Services from a Reseller to perform functions other than critical or important function as defined in Art. 3 para (22) of the DORA Regulation within its operation. The Customer accepted this offer by specifying so.
2.2. The Parties enter into this Addendum in view of the DORA Regulation and this Addendum includes and references all the contractual provisions necessary to fulfil the requirements under the DORA Regulation, such as
a) all the rights and obligations of the Customer and the Supplier,
b) the clear and complete description of all functions and ICT Services to be provided by the Supplier.
This Addendum constitutes part of the TOU. If there is any contradiction between the TOU and this Addendum, this Addendum shall prevail.
The Supplier provides the following ICT Service to the Customer: Enterprise Content Management as further defined in and according to the TOU.
3. Representation and Warranties of the Customer
The Customer represents and warrants that. (i) is an entity listed in Art. 2 of the DORA Regulation and (ii) purchases the use of the Service from a Reseller to perform functions other than critical or important function as defined in Art. 3 para (22) of the DORA Regulation within its operation.
4. Data protection and location of the ICT Service
4.1. The GDPR data processing agreement between the parties shall set out the requirements of availability, authenticity, integrity and confidentiality in relation to the protection of Customer Data, including personal data. The Supplier declares that it has the following IT security certificates:
a) ISO/IEC 27001:2022].
4.2. The Supplier shall provide technical means to the Customer to access and recover its Customer Data (if any) in an easily accessible format in case of
a) termination of the Agreement, or
b) Supplier’s insolvency, resolution or the discontinuation of its business operations.
4.3. The Supplier allows Customer to migrate the Customer Data to another ICT third-party service provider or change to in-house solutions.
4.4. As part of the ICT Service, Customer Data is processed by the Supplier or its DORA Subcontractors at the following locations (countries or regions): European Union.
4.5. The Supplier shall inform the Customer in advance if it plans to change
a) the location from which the ICT Service is provided by the Supplier or its DORA Subcontractors (if applicable),
b) the location where Customer Data is processed by the Supplier (including storage).
5. Monitoring, cooperation and incident management
5.1. Supplier shall fully cooperate with the Regulator of the Customer, including any persons appointed by such Regulator.
5.2. Upon Customer’s request, the Supplier shall participate in Customer’s ICT security awareness programmes and digital operational resilience trainings.
5.3. If an ICT Incident related to the ICT Service occurs, Supplier shall provide assistance to Customer. The Supplier must report any ICT Incident related to the ICT Service to the Customer within 48 hours calculated from the time when the Supplier becomes aware of the ICT Incident. The Supplier reports the following information to the Customer:
a) Description of the ICT Incident;
b) EU member states affected by the ICT Incident;
c) Whether the ICT Incident is a repeated one and has already occurred within the last 12 moths from the same reason or whether it is related to another ICT Incident;
d) Whether it has any impact on other service providers.
For the request of the Customer, the Supplier must provide the information related to the ICT Incident which the Customer is obliged to report to the Regulator according to the DORA Regulation and its regulatory or implementation technical standards.
6. Provisions applicable to DORA Subcontractors
6.1. The Supplier may subcontract the ICT Service or material parts thereof with the prior written consent of the Customer. The Supplier is liable for the services provided by its Subcontractors.
6.1. If the Supplier infringes the above provisions concerning Subcontractors, the Customer is entitled to terminate this Agreement with immediate effect.
7. Service levels
7.1. The description, updates and revisions of the service level of the ICT Service is set out in the Customer Agreement.
8. Condition Precedent
This Addendum enters into force, once the Customer Agreement enters into force.
9. Termination rights and transition period
9.1. The Customer may terminate the Agreement and the use of the Service according to the TOU with immediate effect in writing if
a) the Supplier is in significant breach of applicable laws, regulations or a provision of the Agreement,
b) circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the Customer Agreement, including material changes that affect the Customer Agreement or the situation of the Supplier,
c) there is clear evidence that the Supplier’s overall ICT risk management system is weak in the way it ensures the availability, authenticity, integrity and confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data,
d) where the Regulator can no longer effectively supervise the Customer as a result of the conditions of, or circumstances related to, the Customer Agreement.
9.2. The Supplier may terminate the Agreement in case of a misrepresentation or a significant breach of the Agreement by the Customer in accordance with Clause 15 of the TOU
10. Fees
10.1. In consideration for the performance of its obligations under clause 5, the Supplier shall be entitled to a remuneration from the Customer. Such an obligation performed by the Supplier is to be considered to form part of the ICT Service itself. In exchange for the performance of such an obligation, the Customer agrees to pay a separate fee to the Supplier on a time and material basis (“DORA Compliance Fee”). None of the obligations under clause 5 is expected to be performed by the Supplier free of charge, at the expense of the Supplier or as a part of any fixed or lump sum fees already paid by the Customer to the Supplier.
10.2. In relation to the DORA Compliance Fee, the terms and conditions of the Agreement shall apply. The Supplier and the Customer shall enter into good faith negotiations on a commercial basis to establish and agree upon such missing terms. Should the Parties fail to agree on any such fee prior to Customer requesting Supplier’s performance of such obligations under clause 5, a uniform rate € 2,400 per each person day commenced shall apply.
10.3. The Customer shall indemnify the Supplier against all reasonable costs, expenses and damages incurred as a result of the Customer’s, or any third party acting on the Customer’s behalf, failure to comply with this Agreement, applicable laws, or any internal procedures recommended by the Supplier. This indemnification also extends to damages caused to other customers or to the DORA Subcontractors due to such non-compliance, provided that Supplier is liable for such damages towards those other customers or DORA Subcontractors.
10.4. In the event that any act of the Customer during an access, inspection or audit causes or threatens to cause significant damage to the Supplier, its other customers, or its DORA Subcontractors due to the Customer’s non-compliance as set out in this Addendum, the Supplier shall promptly notify the Customer, specifying the act and the damages caused or threatened. The Customer and the Supplier may then agree on a procedure to be followed, an alternative assurance, or a security to be provided by the Customer before continuing the current activity. If the Parties are unable to agree on such terms, the Supplier may terminate the Agreement with immediate effect, and such termination shall not be considered a breach of the Agreement.
10.5. DORA Compliance fees shall be invoiced by the Supplier on a monthly basis, including VAT, if applicable, specifying the activities giving rise to the fees. The invoices shall be paid by the Customer within 30 days.
11. Miscellaneous
All other clauses of the TOU, in particular the introductory paragraphs on page 1 of the TOU and Clauses 15, 16, 17, 18, 21, 22 and 23 of the TOU apply to the Addendum mutatis mutandis.
IN WITNESS WHEREOF, Customer and Supplier have entered into this Agreement on the date of the Customer Agreement.
DORA Add non-critical v1
2025-07-18