THEREFORE DORA FINANCIAL ENTITY ADDENDUM
(for services supporting critical or important functions)
This addendum (the “Addendum”) modifies the Terms of Use (all terms as defined below) applying between a customer (“Customer”) who purchased the use of THEREFORE Software as a Service under a Customer Agreement from a Reseller and THEREFORE Corporation GmbH (“Supplier”). This Addendum together with the Terms of Use shall form the “Agreement” and shall be considered as a single document available to the parties and be in writing.
1. Definitions
Unless otherwise defined herein or the context otherwise requires, terms used in this Addendum have the meanings provided in the TOU (as defined below).
1.1. Critical or Important Service: An ICT Service provided by the Supplier that is used by the Customer to support
a) any of its functions that is considered by the Customer to be a critical or important function, or
b) a material part of such a function defined in point a).
1.2. Customer Data: Any data of Customer stored or processed in a system provided by Supplier as part of an ICT Service.
1.3. DORA Regulation: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
1.4. DORA Subcontractor: A subcontractor of the Supplier who provides to the Supplier a material part of an ICT Service that the Supplier provides.
1.5. ICT Incident: As defined in Article 3(8) of the DORA Regulation.
1.6. ICT Service: As defined in Article 3(21) of the DORA Regulation and provided by the Supplier to the Customer under the Customer Agreement.
1.7. Regulator: Any competent authority as understood under the DORA Regulation in relation to the Customer or the resolution authority as referred to in Article 3 of Directive 2014/59/EU.
1.8. Terms of Use (or TOU): The terms and conditions applying to the use of the Services as laid down in the Customer Agreement.
1.9. Threat-Led Penetration Testing: The advanced testing of ICT tools, systems and processes carried out by Customer in accordance with Article 26 of the DORA Regulation.
2. General provisions
2.1. The Supplier offers to the Customer to enter into this Addendum by specifying when entering into the Customer Agreement that the Customer (i) is an entity listed in Art. 2 of the DORA Regulation and (ii) purchases the use of the Services from a Reseller to perform a critical or important function as defined in Art. 3 para (22) of the DORA Regulation within its operation. The Customer accepts this offer by specifying so.
2.2. The Parties enter into this Addendum in view of the DORA Regulation and this Addendum includes and references all the contractual provisions necessary to fulfil the requirements under the DORA Regulation, such as
a) all the rights and obligations of the Customer and the Supplier,
b) the clear and complete description of all functions and ICT Services to be provided by the Supplier.
This Addendum constitutes part of the TOU. If there is any contradiction between the TOU and this Addendum, this Addendum shall prevail.
The Supplier provides the following ICT Service to the Customer: Enterprise Content Management as further defined in and according to the TOU.
3. Representation and Warranties of the Customer
The Customer represents and warrants that it (i) is an entity listed in Art. 2 of the DORA Regulation and (ii) purchases the use of the Service from a Reseller to perform a critical or important function as defined in Art. 3 para (22) of the DORA Regulation within its operation.
4. Data protection and location of the ICT Service
4.1. The GDPR data processing agreement between the parties shall set out the requirements of availability, authenticity, integrity and confidentiality in relation to the protection of Customer Data, including personal data. The Supplier declares that it has the following IT security certificates:
a) ISO/IEC 27001:2022.
4.2. The Supplier shall provide technical means to the Customer to access and recover its Customer Data (if any) in the case of
a) termination of the Agreement, or
b) Supplier’s insolvency, resolution or the discontinuation of its business operations.
4.3. The Supplier allows Customer to migrate the Customer Data to another ICT third-party service provider or change to in-house solutions.
4.4. As part of the ICT Service, Customer Data is processed by the Supplier or its DORA Subcontractors at the following locations (countries or regions): European Union.
4.5. The Supplier shall inform the Customer in advance if it plans to change
a) the location from which the ICT Service is provided by the Supplier or its DORA Subcontractors (if applicable),
b) the location where Customer Data is processed by the Supplier (including storage).
4.6. The Supplier shall assess all risks associated with
a) the location of its current and potential DORA Subcontractors,
b) the location of their parent company, and
c) the location where the ICT Service is provided from.
5. Monitoring, cooperation and incident management
5.1. The Customer may monitor, on an ongoing basis, the Supplier’s performance, which shall include the following rights of the Customer:
a) unrestricted access, inspection and audit by the Customer, a third-party appointed by the Customer or the Regulator,
b) to take copies of relevant documentation on-site as long as the documentation is critical to the operations of the Supplier,
c) to agree on alternative assurance levels with the Supplier if rights of other customers of the Supplier are affected.
5.2. The Supplier shall fully cooperate during onsite inspections and audits performed by the persons set out in Section 5.1.a).
5.3. In relation to its audits and inspections, the Customer shall provide the Supplier in writing with details on their scope, the procedures to be followed and the frequency thereof.
5.4. The Supplier shall ensure that its DORA Subcontractors grant the same rights directly to the Customers and their Regulators as those set out in Sections 5.1.–5.3.
5.5. The Supplier is required to monitor all Critical or Important Services that it subcontracts to ensure that its contractual obligations are continuously met.
5.6. The Supplier shall ensure that it notifies the Customer of any development that might have a material impact on the Supplier’s ability to effectively provide Critical or Important Services in compliance with the service levels agreed in the Customer Agreement.
5.7. The Supplier shall ensure that in relation to Critical or Important Services, monitoring and reporting obligations are fulfilled by its DORA Subcontractors.
5.8. The Supplier shall include the above requirements in clauses 5.1 – 5.7 in its contract with the DORA Subcontractor.
5.9. Supplier shall fully cooperate with the Regulator of the Customer, including any persons appointed by such Regulator.
5.10. Upon Customer’s request, the Supplier shall participate in Customer’s ICT security awareness programmes and digital operational resilience trainings.
5.11. If an ICT Incident related to the ICT Service occurs, Supplier shall provide assistance to Customer. The Supplier must report any ICT Incident related to the ICT Service to the Customer within 48 hours calculated from the time when the Supplier becomes aware of the ICT Incident. The Supplier reports the following information to the Customer:
a) Description of the ICT Incident;
b) EU member states affected by the ICT Incident;
c) Whether the ICT Incident is a repeated one and has already occurred within the last 12 months for the same reason, or whether it is related to another ICT Incident;
d) Whether it has any impact on other service providers.
At the request of the Customer, the Supplier must provide the information related to the ICT Incident which the Customer is obliged to report to the Regulator according to the DORA Regulation and its regulatory or implementing technical standards.
5.12. Supplier shall participate in and fully cooperate with the digital operational resilience testing carried out by Customer, including its Threat-Led Penetration Testing.
6. Provisions applicable to DORA Subcontractors
6.1. The Supplier shall remain responsible to the Customer for the provision of any ICT Service that is provided by its DORA Subcontractors.
6.2. The Supplier shall ensure the continuity of the Critical or Important Services throughout the chain of DORA Subcontractors even in case of breach of contract by one of the DORA Subcontractors.
6.3. The Supplier may subcontract the Critical or Important Service or material parts thereof with the prior written consent of the Customer. The Supplier is liable for the services provided by its Subcontractors.
6.4. The Supplier is required to
a) identify the full chain of its DORA Subcontractors and ensure that each of its DORA Subcontractors does the same for the Supplier,
b) provide all the necessary information regarding these identified DORA Subcontractors as required by the DORA Regulation,
c) keep all the information outlined in points a) and b) up to date, and
d) perform due diligence on a DORA Subcontractor to assess its abilities, including in relation to the location from which it provides Critical or Important Services.
6.5. The Supplier shall ensure that the Customer can effectively monitor the Critical or Important Services, even when the Critical or Important Services are provided by DORA Subcontractors.
6.6. The Supplier shall ensure that the Customer can assess
a) whether the chain of DORA Subcontractors is long or complex, and
b) if the chain of DORA Subcontractors is long or complex, how this may impact Customer’s ability to monitor the DORA Subcontractors.
6.7. The Supplier shall provide information to the Customer regarding
a) the contractual documentation between the Supplier and its DORA Subcontractors, and
b) relevant performance indicators of such DORA Subcontractors.
6.8. The Supplier shall ensure that its contracts with DORA Subcontractors include
a) the requirement of implementing and testing business contingency plans;
b) service levels for the DORA Subcontractors to meet in relation to their business contingency plans.
6.9. The Supplier shall ensure that its contracts with DORA Subcontractors for Critical or Important Services include the ICT security standards and any additional security requirements that shall be met by the DORA Subcontractors.
7. Service levels
7.1. The description, updates and revisions of the service level of the ICT Service is set out in the Customer Agreement.
7.2. Such description shall include a full service level description, including updates and revisions thereof with precise quantitative performance targets with the agreed service levels to allow effective monitoring by Customer and enable appropriate corrective actions to be taken when agreed service levels are not met.
8. Business continuity
8.1. The Supplier shall
a) implement and test business contingency plans; and
b) have in place appropriate ICT security measures, tools and policies that provide appropriate security for the provision of services by the Customer in line with the DORA Regulation.
9. DORA Subcontractors
9.1. The Supplier notifies the Customer of any material changes to the contracts with DORA Subcontractors affecting Critical or Important Services with a notice period in advance that enables the Customer to assess the impact of such change on the risks that the Customer is exposed to:
a) whether such changes might affect the ability of the Supplier to comply with the Agreement,
b) considering the elements of increased or reduced complexity.
9.2. The Supplier may only implement material changes in the ICT Service if
a) it has notified the Customer in line with Section 9.1. above, and
b) either the Customer has approved the change, or the Customer has not objected to the change before the end of the notice period in line with Section 9.3.
9.3. Before the end of the notice period, the Customer may send its objections to the proposed changes to the Supplier by
a) informing the Supplier of the results of its risk assessment of the proposed change, and
b) requesting any modifications it considers necessary to the proposed changes.
10. Condition Precedent
This Addendum enters into force, once the Customer Agreement enters into force.
11. Termination rights and transition period
11.1. The Customer may terminate the Agreement and the use of the Service according to the TOU if
a) the Supplier is in significant breach of applicable laws, regulations or a provision of the Agreement,
b) circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the Customer Agreement, including material changes that affect the Customer Agreement or the situation of the Supplier,
c) there is clear evidence that the Supplier’s overall ICT risk management system is weak in the way it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data,
d) where the Regulator can no longer effectively supervise the Customer as a result of the conditions of, or circumstances related to, the Customer Agreement.
11.2. The Customer may terminate the Agreement and the use of the Service according to the TOU if
a) the Supplier implements material changes to its agreements with DORA Subcontractors despite the objection and request for modifications to the changes by the Customer,
b) the Supplier implements material changes to its agreements with DORA Subcontractors before the end of the notice period without explicit approval by the Customer,
c) the Supplier subcontracts a Critical or Important Service without being permitted to do so by the Agreement.
11.3. The notice period for termination shall be 30 days.
11.4. Supplier agrees to provide ICT Service after the termination of the Customer Agreement during a transition period as requested by the Customer, which transition period shall not be longer than 18 months. All fees shall be payable during this transition period.
11.5. The Supplier may terminate the Agreement in case of a misrepresentation or a significant breach of the Agreement by the Customer in accordance with Clause 15 of the TOU.
12. Fees
12.1. In consideration for the performance of its obligations under clause 5 (including providing access to the Regulator solely in relation to the Customer), the Supplier shall be entitled to a remuneration from the Customer. Such an obligation performed by the Supplier is to be considered to form part of the ICT Service itself. In exchange for the performance of such an obligation, the Customer agrees to pay a separate fee to the Supplier on a time and material basis (“DORA Compliance Fee”). None of the obligations under clause 5 is expected to be performed by the Supplier free of charge, at the expense of the Supplier or as a part of any fixed or lump sum fees already paid by the Customer to the Supplier.
12.2. In relation to the DORA Compliance Fee, the terms and conditions of the Agreement shall apply. The Supplier and the Customer shall enter into good faith negotiations on a commercial basis to establish and agree upon any missing terms. Should the Parties fail to agree on any such fee prior to the Customer requesting the Supplier’s performance of such obligations under clause 5, a uniform rate of € 2,400 per each person day commenced shall apply.
12.3. The Customer shall indemnify the Supplier against all reasonable costs, expenses and damages incurred as a result of the failure of the Customer, or of any third party acting on the Customer’s behalf, to comply with this Agreement, applicable laws, or any internal procedures recommended by the Supplier. This indemnification also extends to damages caused to other customers or to the DORA Subcontractors due to such non-compliance, provided that the Supplier is liable for such damages towards those other customers or DORA Subcontractors.
12.4. In the event that any act of the Customer during an access, inspection or audit causes or threatens to cause significant damage to the Supplier, its other customers, or its DORA Subcontractors due to the Customer’s non-compliance as set out in this Addendum, the Supplier shall promptly notify the Customer, specifying the act and the damages caused or threatened. The Customer and the Supplier may then agree on a procedure to be followed, an alternative assurance, or a security to be provided by the Customer before continuing the current activity. If the Parties are unable to agree on such terms, the Supplier may terminate the Agreement with immediate effect, and such termination shall not be considered a breach of the Agreement.
12.5. DORA Compliance Fees shall be invoiced by the Supplier on a monthly basis, including VAT, if applicable, specifying the activities giving rise to the fees. The invoices shall be paid by the Customer within 30 days.
13. Miscellaneous
All other clauses of the TOU, in particular the introductory paragraphs on page 1 of the TOU and Clauses 15, 16, 17, 18, 21, 22 and 23 of the TOU apply to the Addendum mutatis mutandis.
IN WITNESS WHEREOF, Customer and Supplier have entered into this Agreement on the date of the Customer Agreement.
DORA Add critical v1
2025-07-18