
DORA ADDENDUM
This DORA Addendum (the “Addendum”) applies between the Customer and Truvio when the Customer has purchased Truvio Services under a valid Order Agreement and is a regulated entity within the scope of article 2 of Regulation, available at https://www.signupsoftware.com/gdpr-subprocessors
2.1
For the purpose of this Addendum, any reference to "Truvio Service" shall have the meaning as set out in the Agreement.
2.2
Except as otherwise provided in this Addendum, other definitions used but not expressly defined in this Addendum shall have the meaning (i) set forth in the Agreement and (ii) notwithstanding anything to the contrary in the Agreement, as set forth in DORA.
2.3
When applicable, this Addendum forms an integral part of the Agreement and in case of any conflict or inconsistencies between the content of this Addendum and the Agreement, this Addendum shall prevail.
3
ADDITIONS TO THE AGREEMENT
The scope and description of the Truvio Service ordered by the Customer under an Order Agreement are set out in the Product Catalogue and, as applicable, any statement of work applicable between the Parties under the Agreement, and Truvio’s and Customer’s rights and obligations with respect to the Truvio Services are outlined in the Agreement.
3.2.1
Truvio is entitled to engage subcontractors for the provision of the Truvio Services. The Customer is entitled to object to the engagement of a subcontractor in accordance with the process described in the Data Processing Agreement. For the avoidance of doubt, the Customer’s right to object to the engagement of a subcontractor and the process described in the Data Processing Agreement shall apply regardless of whether the subcontractor processes personal data or not.
3.2.2
In addition to what is set out in the Data Processing Agreement, the following shall apply in the event the Customer objects to the engagement of a subcontractor.
- Customer and Truvio shall as soon as practically possible meet to discuss the intended engagement of the subcontractor, where Customer shall describe the reasons for the objections and the measures proposed.
- The Parties shall seek to resolve the Customer’s concerns and the reason for the objection during the meeting referred to above. If such resolution cannot be agreed, the Customer shall be entitled to terminate the impacted Truvio Service effective as of the date when the subcontractor commences its engagement. For the avoidance of doubt, unless the impacted Truvio Service is the only Truvio Service provided under the Agreement, Customer shall not be entitled to terminate the Agreement but only the impacted Truvio Service. Any other Truvio Service provided under the Agreement which is not impacted by the subcontractor shall remain unaffected and unchanged by the Customer’s objection under this Section 3.2.2.
3.2.3
Truvio is responsible for the subcontractor's work as for its own work and personnel.
3.3
Locations for the provision of functions and services
3.3.2
Any change of region and/or country must be notified to the Customer in advance, within a reasonable time before such change takes place.
Service levels, including updates and revisions thereto, are described in the Product Terms for the respective Truvio Services provided by Truvio to Customer in accordance with the Order Agreement.
3.5
Data protection and access to data
3.5.1
Truvio shall take measures to ensure, where possible given the nature of the Truvio Service provided by Truvio, the availability, authenticity, integrity and confidentiality in relation to any data used by Truvio within the scope of its provision of the Truvio Services.
3.5.2
Customer acknowledges and understands that Truvio in general does not store any data on behalf of the Customer. Unless granted by Customer in each individual case, e.g. within the scope of Support Services or Consultancy Services, Truvio will not have any regular access to Customer data. Only in cases where it is explicitly stated in the Product Terms that Truvio will host the applicable Truvio Service, Truvio will have regular access to such data within the scope of the applicable Truvio Service.
3.5.3
Provisions relating to the protection of personal data and other data are set out in the Data Processing Agreement.
3.5.4
Truvio shall, in relation to Truvio’s operations in general and within the scope of the provision of the Truvio Services in particular, take measures to ensure the security, integrity and confidentiality of its information systems and any data processed or otherwise handled by Truvio. Any such security measures shall be taken by Truvio (i) to protect information from all internal, external, deliberate, or accidental threats, (ii) to enable secure information sharing, (iii) to ensure consistent and professional use of information, (iv) to ensure clarity about roles and responsibilities at Truvio associated with protecting information, and (v) to ensure business continuity and minimize business damage. Customer is entitled to request (and Truvio shall be obligated to provide) further information about Truvio’s information security framework and the security measures taken by Truvio.
3.5.5
Provisions on ensuring access, recovery and return in a commonly available technical standard and machine-readable format of personal and non-personal data processed by the Customer in the event of the insolvency, resolution or discontinuation of the business operations of the Supplier, or in the event of the termination of the Agreement, are described in the Data Processing Agreement. For the avoidance of doubt, the relevant provisions of the Data Processing Agreement shall apply regardless of whether the data is personal data or non-personal data.
3.6
Assistance in case of incidents
3.6.1
Truvio's obligation to provide assistance to the Customer, including notification obligations, when an ICT incident related to a Truvio Service provided to the Customer occurs, is described in detail in the Data Processing Agreement. For the avoidance of doubt, the process described in the Data Processing Agreement shall apply regardless of whether the affected data is personal data or non-personal data.
3.6.2
Truvio shall provide assistance, including notification, to Customer at no additional cost when an ICT incident related to a Truvio Service occurs. Notwithstanding the foregoing, if Truvio discovers and can demonstrate that the ICT incident is not attributable to or caused by the Truvio Service and/or Truvio, Truvio shall be entitled to charge the Customer for any further assistance on a time and material basis, on the fees for Consultancy Services as agreed in the Order Agreement.
3.7.1
Provisions on the right of termination and the associated minimum notice period for termination are described in the General Terms and Conditions.
3.7.2
In addition to the Customer's other rights under the Agreement, the Customer has the right to terminate the Agreement (or parts of the Agreement, as the case may be) at any time if:
- Truvio is in material breach of any laws or regulations applicable to Truvio relating specifically to the provision of the Truvio Services (i.e. not in relation to general laws and regulations applicable to Truvio as a company);
- circumstances have been identified during the monitoring of ICT third-party risks that the Customer reasonably deems could alter the performance of the functions provided by the Agreement, including material changes affecting the Agreement or the situation of Truvio;
- there are evidenced weaknesses in Truvio's overall ICT risk management, such as the way in which Truvio ensures the availability, authenticity, integrity and confidentiality of personal data or other data;
- Truvio implements material changes to subcontracted Truvio Services subject to what is set out in Section 3.2.2; or
- the competent authority can no longer effectively supervise the Customer as a result of the terms or circumstances related to the Agreement.
3.7.3
For avoidance of doubt, it is noted that any circumstance that gives rise to a right of termination pursuant to Section 3.7.2 shall not be construed as a breach of contract on the part of Truvio unless such circumstance is a breach of an express obligation on Truvio as set out in this Addendum.
3.7.4
If the Customer exercises its right to terminate the Agreement pursuant to Section 3.7.2 (b), (c) or (e), Customer shall not be entitled to any refunds of any pre-paid Subscription Fees related to the then-current Subscription Term.
3.8
Training and awareness
3.8.1
Truvio shall, against compensation as set out in Section 4.1, in accordance with the Customer's additional instructions, participate in the Customer's ICT security awareness programme and digital operational resilience training.
3.8.2
The foregoing shall be limited to personnel at Truvio that are directly involved in the provision of the Truvio Services to Customer and participation in Customer’s ICT security awareness programme and digital operational resilience training shall not be required more than once per year.
3.8.3
If participation in Customer’s ICT security awareness programme and digital operational resilience training requires travel, Customer shall compensate Truvio for all costs and expenses related to such travel. Moreover, Truvio shall be entitled to charge Customer for the travel time by the hour on Truvio’s fees for Consultancy Services.
3.9
Cooperation with authorities
Truvio is required to cooperate fully with the competent authorities of Customer, including persons designated by them.
4.1
In the event that the obligations in this Addendum require Truvio to take measures or carry out tasks which are specifically requested by the Customer and which Truvio would not otherwise have had to carry out – in other words, measures and tasks due to specific requests, instructions and/or requirements from the Customer, such as participating in threat-led penetration testing, providing incident assistance or adhering to specific instructions by Customer and which are not already implemented by Truvio – then Truvio shall be entitled to charge any reasonable additional costs caused by such measures and tasks to the Customer on a time and material basis based on Truvio’s fees for Consultancy Services.
4.2
Incidents on the part of Truvio (or its sub-processors) shall not be separately chargeable measures.
5.1
Except as expressly provided herein, the Parties agree that the Agreement shall remain in effect on unchanged terms and that this Addendum shall apply as an integral part of the Agreement.
5.2
Amendments and additions to this Addendum, including provisions of the Agreement to which this Addendum refers, shall be in writing and signed by the Parties to be effective.
6
GOVERNING LAW AND DISPUTES
6.1
Section 11.10 of the General Terms and Conditions relating to governing law and disputes shall apply to this Addendum.