This Addendum for the applicability of DORA (the “DORA Addendum”)  supplements the Contentsquare Master Service Agreement (the “MSA") and forms part of the Agreement in the event Customer is subject to compliance with DORA. The Parties expressly agree that this DORA Addendum sets out the full scope of the additional contractual requirements imposed on Contentsquare under the Agreement pursuant to DORA. In case of conflict between this DORA Addendum and the Agreement, this DORA Addendum shall prevail for the purpose of determining the scope of applicability of DORA to the CS Service under the Agreement. Unless otherwise defined in this DORA Addendum, capitalized terms will have the meaning given to them in the Agreement.

1. DEFINITIONS AND RULES OF INTERPRETATION

1.1. Definitions

1.1.1. “DORA” or “ Digital Operational Resilience Act” refers to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, as may be amended, extended, re-enacted, or interpreted from time-to-time.

1.1.2. All capitalized terms used herein shall have the meanings given to it under DORA or the Agreement. In particular:

1.1.2.1. “ICT third-party service provider” shall have the meaning given to it under DORA Article 3 (19),

1.1.2.2. “ICT services” shall have the meaning given to it under DORA Article 3 (21);

1.1.2.3. “Critical or important function’” shall have the meaning given to it under DORA Article 3 (22); and

1.1.2.4. “‘Critical ICT third-party service provider” shall have the meaning given to it under DORA Article 3 (23).

1.2. Headings and Interpretation

1.2.1. In this DORA Addendum, (a) the meaning of defined terms shall be equally applicable to both the singular and plural forms of the terms defined, (b) the captions and headings are used only for convenience and are not to be considered in construing or interpreting this DORA Addendum, and (c) the words “including,” “includes” and “include” shall be deemed to be followed by the words “without limitation.” All references in this DORA Addendum to sections, paragraphs, exhibits, linked documents and schedules shall, unless otherwise provided, refer to sections and paragraphs hereof and exhibits, linked documents and schedules attached hereto, all of which exhibits, linked documents and schedules are incorporated herein by this reference.

2. QUALIFICATION OF CONTENTSQUARE UNDER DORA

2.1. ICT third-party service provider. The Parties expressly agree that:  (i) Contentsquare provides a SaaS analytics solution defined as the CS Service under the Agreement; (ii) the CS Service falls under the definition of ICT services above; (iii) as such, Contentsquare falls under the definition of ICT third-party service provider above; (iv) the CS Service does not directly impact the delivery of core financial services of Customers and disruption to the CS Service would not pose a systemic risk to financial entities. Therefore, the CS Service does not support Critical or important functions as defined above; and (v) Contentsquare does not fall under the definition of a Critical ICT third-party service provider above.

2.2. Applicability of DORA. Pursuant to Section 2.1 of this DORA Addendum, and for the purposes of DORA, the Parties expressly agree that Contentsquare shall only be subject to the applicable contractual requirements imposed by (i) DORA Article 28; and (ii) DORA Article 30.2.

2.3. Contractual requirements under DORA Article 28. Pursuant to Section 2.1 of this DORA Addendum,  and for the purposes of DORA, the Parties expressly agree that the Agreement complies with the “General Principles” of DORA Article 28. In particular:

“5. (...) appropriate information security standards” are provided in the Agreement (including in the applicable CS Security Safeguards) based on the nature of the CS Service;

“6. (...) the frequency of audits and inspections as well as the areas to be audited through adhering to commonly accepted audit standards”, are provided under the Agreement (including in the applicable CS Security Safeguards) based on the nature of the CS Service; and

“7. (...) contractual arrangements on the use of ICT services may be terminated [in the] circumstances” listed in subsections DORA Article 28.7(a) through (d), by terminating the Agreement for cause, subject to the terms set out in the Agreement.

2.4. Contractual requirements under DORA Article 30.2. The Parties agree that the Agreement includes “at least” the contractual elements set out under DORA Article 30.2. In particular: 

“(a) a clear and complete description of all functions and ICT services to be provided  by the ICT third-party service provider,” is provided in the Agreement (including the applicable Order Form(s), DPA, and the Documentation);

“(b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations” are provided in the Agreement (including the DPA); 

“(c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data” are provided in the Agreement (including the Service Level Agreement and the DPA);

“(d) provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements” are provided in the Agreement (including the DPA);

“(e) service level descriptions, including updates and revisions thereof” are provided in the Agreement (including the Service Level Agreement);

“(f) the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs” is provided under Appendix 1 of this DORA Addendum;

“(g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them” is provided under Appendix 1 of this DORA Addendum; 

“(h) termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities” are provided in the Agreement; 

“(i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6)” are provided under Appendix 1 of this DORA Addendum.

Appendix 1: Additional contractual terms

The Parties expressly agree that the Agreement shall be supplemented by the terms of this Appendix 1 for the purposes of compliance with DORA Article 30.2. 

1. Pursuant to DORA Article 30.2(f), the Parties agree that Contentsquare shall provide assistance to the financial entity at a cost that is determined ex-ante upon the Parties’ mutual agreement, when an ICT incident that is related to the CS Service provided to the Customer occurs. 

2. Pursuant to DORA Article 30.2(g),  the Parties agree that Contentsquare shall fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them.

3. Pursuant to DORA Article 30.2(i),  the Parties agree that upon Customer’s prior written request, Contentsquare shall reasonably cooperate to participate, at Customer’s cost, in Customer’s security awareness programmes and digital operational resilience training in accordance with Article 13(6) (unless such programmes and trainings are already covered by Contentsquare’s internal programmes and trainings). Customer shall provide Contentsquare with the elements of applicability of such programmes and training based on the nature of the CS Service.