# DORA Addendum

(to ilert Terms & Conditions – [Terms and Conditions](https://docs.ilert.com/trust-center/legal/terms-and-conditions))

**Last updated 2025‑10‑30 – UNSIGNED TEMPLATE**

> **Note:** Brackets \[…] indicate fields the Parties must complete on execution.

***

### Version History

| Date       | Version | Summary of Changes                                                           |
| ---------- | ------- | ---------------------------------------------------------------------------- |
| 2025-04-01 | v1.0    | Initial publication                                                          |
| 2025-10-30 | v1.1    | Clause 8.3 updated – cooperation with authorities (Arts. 30(2)(g) & 38 DORA) |

## 1 Parties

This DORA Addendum (“Addendum”) is entered into on **\[Date]** by and between:

* **\[Full legal name of Customer]** (“Firm”), and
* **ilert GmbH**, Bayenstr. 65, 50678 Cologne, Germany (“Vendor”).

The Firm and Vendor are each a “Party” and together the “Parties”.

## 2 Hierarchy & Incorporation

1. This Addendum supplements the **ilert Terms & Conditions (“ToS”)** (latest version available at [Terms and Conditions](https://docs.ilert.com/trust-center/legal/terms-and-conditions)).
2. In the event of conflict, this Addendum prevails with respect to **Regulation (EU) 2022/2554 (“DORA”)** requirements.
3. All capitalised terms not defined herein have the meaning set forth in the ToS or in **Article 3 DORA**.

## 3 Definitions *(excerpt)*

* **“Critical or Important Function”** – as in Art. 3(22) DORA.
* **“ICT Services”** – as in Art. 3(21) DORA.
* **“Major ICT Incident”** – an ICT‑related incident meeting the thresholds in Art. 3(8) DORA.
* **“Permitted Location”** – the countries/regions listed in **Schedule B**.
* **“Service Levels”** – performance metrics in **Schedule A**.
* **“TLPT”** – a threat‑led penetration test under DORA Art. 26.
* **“Material Development”** – any circumstance reasonably likely to impair Vendor’s ability to deliver the Services (e.g. insolvency, acquisition, systemic outage).

## 4 Service Standards

1. Vendor **shall meet or exceed** the Service Levels.
2. Failure to meet a Service Level triggers the remedies in Schedule A and obliges Vendor to:
   * **notify Firm immediately**,
   * implement a corrective action plan at no charge, and
   * report progress until restored.
3. Parties shall review Service Levels **annually** and update Schedule A in writing.

## 5 Data Location & Sub‑processing

1. Vendor may subcontract the performance of ICT Services only in accordance with this Clause 5 and the DPA.
2. Vendor shall provide Services **only from Permitted Locations**.
3. Vendor shall give Firm 30 days’ prior written notice of any new or replacement sub‑processor or processing location. Firm may, on reasonable grounds, object in writing within that period; the Parties will collaborate in good faith to resolve the objection.

## 6 Security & Incident Handling

1. **Security Controls**: Vendor shall maintain an ISO 27001‑certified ISMS, enforce least‑privilege access, encrypt data in transit and at rest, and monitor compliance.
2. **Incident Notification**: Vendor shall inform Firm without undue delay and in any event within 4 hours of confirming a Major ICT Incident. The notice shall include known root cause, scope, impact, immediate mitigation, and next update timing. Vendor shall issue progress updates at least every 4 hours and deliver a written post‑incident report within 5 business days of incident closure.
3. **Incident Assistance**: Vendor shall provide fee‑free assistance for investigation, forensics, regulator queries and final incident reports.
4. **Resilience Testing**: Vendor shall reasonably cooperate, at no additional cost, with Firm’s digital operational resilience testing, including TLPT and cyber table‑top exercises, and shall remediate resulting findings within mutually agreed timelines.
5. **Training & Awareness**: Vendor shall, on reasonable notice, participate in Firm‑led ICT security awareness or operational‑resilience training exercises where relevant to the Services.

## 7 Business Continuity & Exit

1. Vendor maintains BCP/DR with **RTO ≤ 60 min / RPO ≤ 15 min**; tests at least annually.
2. Upon termination or Vendor insolvency, Vendor shall:
   * continue providing the Services for up to 60 days (“Transition Period”) at no additional fee, if requested by Firm, to facilitate orderly migration; and
   * grant Firm or its designee **step‑in rights** to systems holding Firm Data or supply a complete data export (industry‑standard JSON/CSV) within 5 business days. Self‑service exports remain available for 30 days after termination.

## 8 Audit & Regulatory Cooperation

1. Firm, its auditors, or competent authorities may audit Vendor once per contract year (remote or on‑site). Additional audits following a Major ICT Incident or regulatory requirement are permitted.
2. Vendor shall provide reasonable access to premises (physical or virtual), personnel, systems and documentation.
3. Vendor shall fully cooperate with the supervisory, resolution, or other authorities competent for the Firm, including during TLPT observations, in the sense of Articles 30(2)(g) and 38 of DORA.

## 9 Material Developments

Vendor shall promptly notify Firm in writing of any Material Development that might materially impair Vendor’s ability to perform the Services or comply with Applicable Law.

## 10 Termination

Firm may terminate the MSA/Addendum immediately if:

* instructed by a competent Regulatory Body;
* Vendor materially breaches Applicable Law or this Addendum and fails to cure within 30 days;
* a Material Development or material weakness in Vendor’s ICT security jeopardises Firm’s operational resilience.

## 11 Confidentiality

Vendor shall keep all **Confidential Information** strictly confidential, disclose only to authorised persons under equivalent obligations, and comply with Applicable Law.

## Schedule A – Service Levels (aligned with ToS § 6)

| Metric                           | Target & Window                                                                                           | Definition          |
| -------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------- |
| **Notification Delivery**        | ≥ 99.9 % of First‑Responder Alerts delivered to telco / push provider **within 5 min** per calendar month | Mirrors ToS § 6.1.1 |
| **Web Application Availability** | ≥ 99.9 % uptime per calendar month                                                                        | Mirrors ToS § 6.1.2 |

*Exclusions*: Force Majeure & causes outside Vendor control (see ToS § 6.2).

## Schedule B – Permitted Locations & Sub‑processors

### 1 Vendor infrastructure

| Component       | Region                           | Processing | Storage |
| --------------- | -------------------------------- | ---------- | ------- |
| Active Region 1 | AWS **eu‑central‑1 (Frankfurt)** | ✓          | ✓       |
| Active Region 2 | AWS **eu‑north‑1 (Stockholm)**   | ✓          | ✓       |

### 2 Authorised sub‑processors

See ../subprocessors/README.md - updates subject to Clause 5.

## Schedule C – Update Commitment

Vendor shall review this Addendum at least annually and update it as necessary to remain compliant with DORA and related regulatory technical standards. Vendor shall provide Firm 30 days’ advance notice of any update; if Firm raises no objection within that period, the update will be deemed accepted.

***

## Signature Blocks

| Firm               | Vendor             |
| ------------------ | ------------------ |
| **\[Name, Title]** | **\[Name, Title]** |
| *Date:* \[‑‑‑]     | *Date:* \[‑‑‑]     |

***

© 2025 ilert GmbH – Template for customer execution; becomes binding only when signed.
