PEXIP DORA ADDENDUM

Last updated: April 14, 2026

1    INTRODUCTION

 

This DORA Addendum (“Addendum”) including its Annexes and Appendices supplements the “Agreement” (which refers to “Terms for Deliverables” or “Engage Terms” or “Reseller Agreement” or “Distributor Agreement”). For a Partner, this is a customer specific addendum and forms either an addendum to the Reseller Agreement or the Distributor Agreement. For an End Customer, this functions as an addendum to the "Standard Terms for Pexip Deliverables" as available on www.pexip.com/terms or “Engage Terms”.

 

 

SUBJECT MATTER OF THIS DORA ADDENDUM

 

1.1    PEXIP is an ICT Third-Party Service Provider and has not been designated as a Critical ICT Third-Party Service Provider. 

 

1.2    This Addendum applies only on the following basis:  

 

1.2.1    where and to the extent that the End Customer, in its sole discretion and independent from PEXIP, has determined and represents that it uses the Service (or parts thereof) to support its business activities in a manner that is subject to the regulatory oversight of one or more Regulators under DORA (such Service, or parts thereof, hereinafter defined as the “Regulated Services”); and 

 

1.2.2    for so long as the End Customer is a Regulated Entity (and any use of the term "End Customer" in this Addendum shall mean the End Customer only for so long as it is a Regulated Entity).

 

1.3    For the avoidance of doubt, in the event that the End Customer consumes both the Regulated Services and other Services under the Agreement, this Addendum shall only apply in respect of the provision of the Regulated Services and shall not apply in respect of the provision of any other Services under the Agreement.

 

1.4    End Customer is obliged to notify PEXIP whether End Customer has determined the Services under the Agreement as “Regulated Services” as stated under Section 1.2.1 of this Addendum, and whenever that designation changes. The terms that apply to “Regulated Services” shall take effect only upon PEXIP receiving this written notice. The notice shall provide a brief description of the use case and state whether the PEXIP Services are designated as a Critical or Important Function by the Regulated Entity.

 

1.5    In the event PEXIP does not have a direct contractual relationship with End Customer, the Partner shall act as a conduit between End Customer and PEXIP in fulfilling all the obligations (including DORA specific notification obligations specified in Sections 3.1, 4.2, 5.2, 8.1, 10.3, etc.) under this Addendum.

 

1.6    Definitions:

 

1.6.1    ‘Competent Authority’ is as defined in DORA.

 

1.6.2    ‘Critical ICT Third-Party Service Provider’ is as defined in DORA and means an ICT Third-Party Service Provider designated as critical in accordance with Article 31 of DORA;

 

1.6.3    ‘Critical or Important Function’ is as defined in DORA and means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.

 

1.6.4    ‘DORA’ means EU Regulation 2022/2554 on digital operational resilience for the financial sector.

 

1.6.5    ‘Financial Entity’ means a person who meets the definition of financial entity in DORA.

 

1.6.6    ‘ICT-Related Incident’ is as defined in DORA and means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.

 

1.6.7    ‘ICT Services’ is as defined in DORA and means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.

 

1.6.8    ‘ICT Third-Party Service Provider’ is as defined in DORA and means an undertaking providing ICT Services.

 

1.6.9    "Insolvency Event" means where a party (i) ceases or threatens to cease to carry on business; (ii) is unable to pay its debts within the meaning of the Insolvency Act 1986 section 123 (without the need for a determination by a court); (iii) has an administrator, receiver, administrative receiver or manager appointed over the whole or any part of its assets; (iv) enters into any composition with creditors generally; (v) has an order made or resolution passed for it to be wound up (unless as part of any scheme for solvent amalgamation or solvent reconstruction); (vi) undergoes any similar or equivalent process in any jurisdiction or undergoes any other arrangement which affects the rights of creditors.

 

1.6.10    “Regulated Entity” means an entity regulated by or subject to oversight by a Regulator and within scope or otherwise subject to DORA in connection with its use of the Regulated Services.

 

1.6.11    "Regulated Services" shall have the meaning given to that term in Section 1.2.1 of this Addendum.

 

1.6.12    ‘Resolution Authority’ is as defined in DORA.

 

1.6.13    ‘Service’ is any offering provided by PEXIP and includes self-hosted, private cloud hosted, SaaS service, support service, software licensing etc.

 

 

2    INFORMATION SECURITY STANDARDS

 

PEXIP shall comply with appropriate information security standards, viz. ISO/IEC 27001:2022, ISO/IEC 27017:2015, ISO/IEC 27018:2019, ISO/IEC 27701:2019, as a Data Processor.

 

 

3    DORA TERMINATION RIGHTS

 

3.1    Without prejudice to the End Customer’s rights to terminate as set out in any other Agreement, the End Customer may terminate this Agreement in respect of the Regulated Services on thirty (30) days’ notice to PEXIP (‘DORA Notice’), such DORA Notice to specify in detail the basis for serving such notice (‘DORA Concern’), if:

 

3.1.1    the End Customer identifies circumstances through the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through this Agreement, including material changes that affect the arrangement or the situation of PEXIP as an ICT third-party service provider;

 

3.1.2    evidenced weaknesses pertaining to PEXIP’s overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data; or

 

3.1.3    where the Competent Authority can no longer effectively supervise the End Customer as a Regulated Entity as a result of the conditions of, or circumstances related to, this Agreement.

 

3.2    If PEXIP resolves the DORA Concern within the thirty (30) day period of the DORA Notice, the DORA Notice will be deemed withdrawn.

 

3.3    Given the subjectivity of the termination rights in this Section 3, there shall be no refund if this Agreement is terminated under this Section 3.

 

3.4    Any termination of the Regulated Services under this Section 3 shall not affect any other Services provided by PEXIP under the Agreement, or the Agreement itself.

 

 

4    SERVICE DESCRIPTION AND SUBCONTRACTING

 

4.1    The Service Description is incorporated into this Agreement. The parties agree that the Software or Cloud Services provided to the End Customer under this Agreement is developed in an agile manner and therefore PEXIP shall be entitled to continuously develop the Software without the consent of the End Customer provided that the capabilities of the Software are never less beneficial to the End Customer than at the Effective Date.

 

4.2    The subcontracting-related information for the Regulated Services is set forth at https://help.pexip.com/service/subprocessors.htm or such other website as PEXIP may designate. PEXIP shall give the End Customer notice in advance, by email, of making any change to or addition to the Sub-contracting of Regulated Services.

 

 

5    LOCATION OF REGULATED SERVICES  

 

5.1    The locations (namely the regions or countries) from where the Regulated Services are to be provided and where End Customer Data is to be processed, including the storage location, are set forth at https://help.pexip.com/service/subprocessors.htm or such other website as PEXIP may designate (the "Regulated Service Locations").

 

5.2    PEXIP shall give the End Customer notice in advance, by email, of making any change to or addition to the Regulated Service Locations.

 

 

6    RECOVERY OF DATA

 

In the event that:

 

6.1    PEXIP suffers an Insolvency Event; or

 

6.2    The Agreement is terminated,


PEXIP shall provide access to, recovery of and return to the End Customer, in an industry standard, easily accessible format, of all End Customer Data in PEXIP’s possession or control in accordance with the provisions of the Agreement regarding data export and deletion.

 

 

7    SERVICE LEVELS  

 

7.1    Subject to Section 7.2, PEXIP will ensure that the Regulated Services are provided in accordance with the agreed Service Levels (as updated and revised from time to time).

 

7.2    In the absence of any agreed Service Levels, PEXIP shall perform the Regulated Services using reasonable care and skill.

 

 

8    INCIDENT MANAGEMENT

 

8.1    PEXIP shall notify the Customer of major ICT-related Incidents related to the Regulated Services by email.

 

8.2    Upon the occurrence of an ICT-related Incident related to the Regulated Services, PEXIP shall provide such assistance as the End Customer may reasonably require in order for the End Customer to fulfil its incident management and reporting obligations under (and in accordance with the timescales required by) DORA.

 

8.3    In the event that the ICT-related Incident was solely caused by a failure by PEXIP to deliver the Regulated Services in accordance with the requirements of this Addendum, PEXIP shall perform its obligations under this Section 8 at no additional cost to the End Customer; otherwise, the End Customer shall reimburse PEXIP for its costs associated with such assistance.

 

 

9    CO-OPERATION WITH REGULATORY AUTHORITIES 

 

9.1    To the extent required under DORA, PEXIP agrees to reasonably cooperate with the Regulatory Authorities (including other persons appointed by them) if requested by such Regulatory Authority in relation to the Regulated Services.

 

9.2    In the event that such cooperation is required solely by a failure by PEXIP to deliver the Regulated Services in accordance with the requirements of this Addendum, PEXIP shall cooperate with the Regulatory Authorities at no additional cost to the Customer; otherwise, the Customer shall reimburse PEXIP for its costs associated with such cooperation.

 

 

10    ASSISTANCE AND CO-OPERATION

 

10.1    PEXIP shall participate as reasonably requested by the End Customer in the End Customer’s:

 

10.1.1    ICT security awareness programmes and digital operational resilience training.

 

10.1.2    threat-led penetration testing activities.

 

10.1.3    transitional services and migration services as part of the exit arrangements.

 

10.1.4    monitoring and audits, and other appropriate assurances, in a manner that does not compromise the data security of other cloud tenants.

 

10.2    In the absence of any agreed pricing plans, PEXIP shall provide the support pursuant to Section 10.1 at PEXIP’s then-current support hourly rate.

 

10.3    PEXIP shall notify the End Customer of any developments that might have a material impact on its ability to provide the Regulated Services in accordance with the Agreement.

 

 
