
DORA ADDENDUM
This DORA Addendum (the “Addendum”) applies between the Customer and SignUp when the Customer has purchased SignUp Services under a valid Order Agreement and is a regulated entity within the scope of article 2 of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience of the financial sector ("DORA"). DORA contains requirements for provisions to be included in contracts with ICT third-party service providers. In order to ensure that the Agreement contains such provisions which according to article 30.2 of DORA (and related legal acts) must be included in agreements with third-party providers of ICT services, certain additions need to be made to the Agreement, which are reflected herein.
2.1
For the purpose of this Addendum, any reference to "SignUp Service" shall have the meaning as set out in the Agreement and, notwithstanding what is stated in the Agreement, all parts of the SignUp Services and all functions included therein (regardless if such functions are explicitly mentioned in the Order Agreement or the Product Catalogue) that, according to DORA, are to be regarded as an ICT service that SignUp provides to Customer under the Agreement.
2.2
Except as otherwise provided in this Addendum, other definitions used but not expressly defined in this Addendum shall have the meaning (i) set forth in the Agreement and (ii) notwithstanding anything to the contrary in the Agreement, as set forth in DORA.
2.3
When applicable, this Addendum forms an integral part of the Agreement and in case of any conflict or inconsistencies between the content of this Addendum and the Agreement, this Addendum shall prevail.
3
ADDITIONS TO THE AGREEMENT
The scope and description of the SignUp Service ordered by the Customer under an Order Agreement are set out in the Product Catalogue and, as applicable, any statement of work applicable between the Parties under the Agreement, and SignUp’s and Customer’s rights and obligations with respect to the SignUp Services are outlined in the Agreement.
3.2.1
SignUp is entitled to engage subcontractors for the provision of the SignUp Services. The Customer is entitled to object to the engagement of a subcontractor in accordance with the process described in the Data Processing Agreement. For the avoidance of doubt, the Customer’s right to object to the engagement of a subcontractor and the process described in the Data Processing Agreement shall apply regardless of whether the subcontractor processes personal data or not.
3.2.2
In addition to what is set out in the Data Processing Agreement, the following shall apply in the event the Customer objects to the engagement of a subcontractor.
- Customer and SignUp shall as soon as practically possible meet to discuss the intended engagement of the subcontractor, where Customer shall describe the reasons for the objections and the measures proposed.
- The Parties shall seek to resolve the Customer’s concerns and the reason for the objection during the meeting referred to above. If such resolution cannot be agreed, the Customer shall be entitled to terminate the impacted SignUp Service effective as of the date when the subcontractor commences its engagement. For the avoidance of doubt, unless the impacted SignUp Service is the only SignUp Service provided under the Agreement, Customer shall not be entitled to terminate the Agreement but only the impacted SignUp Service. Any other SignUp Service provided under the Agreement which is not impacted by the subcontractor shall remain unaffected and unchanged by the Customer’s objection under this Section 3.2.2.
3.2.3
SignUp is responsible for the subcontractor's work as for its own work and personnel.
3.3
Locations for the provision of functions and services
3.3.2
Any change of region and/or country must be notified to the Customer in advance, within a reasonable time before such change takes place.
Service levels, including updates and revisions thereto, are described in the Product Terms for the respective SignUp Services provided by SignUp to Customer in accordance with the Order Agreement.
3.5
Data protection and access to data
3.5.1
SignUp shall take measures to ensure, where possible given the nature of the SignUp Service provided by SignUp, the availability, authenticity, integrity and confidentiality in relation to any data used by SignUp within the scope of its provision of the SignUp Services.
3.5.2
Customer acknowledges and understands that SignUp in general does not store any data on behalf of the Customer. Unless granted by Customer in each individual case, e.g. within the scope of Support Services or Consultancy Services, SignUp will not have any regular access to Customer data. Only in cases where it is explicitly stated in the Product Terms that SignUp will host the applicable SignUp Service, SignUp will have regular access to such data within the scope of the applicable SignUp Service.
3.5.3
Provisions relating to the protection of personal data and other data are set out in the Data Processing Agreement.
3.5.4
SignUp shall, in relation to SignUp’s operations in general and within the scope of the provision of the SignUp Services in particular, take measures to ensure the security, integrity and confidentiality of its information systems and any data processed or otherwise handled by SignUp. Any such security measures shall be taken by SignUp (i) to protect information from all internal, external, deliberate, or accidental threats, (ii) to enable secure information sharing, (iii) to ensure consistent and professional use of information, (iv) to ensure clarity about roles and responsibilities at SignUp associated with protecting information, and (v) to ensure business continuity and minimize business damage. Customer is entitled to request (and SignUp shall be obligated to provide) further information about SignUp’s information security framework and the security measures taken by SignUp.
3.5.5
Provisions on ensuring access, recovery and return in a commonly available technical standard and machine-readable format of personal and non-personal data processed by the Customer in the event of the insolvency, resolution or discontinuation of the business operations of the Supplier, or in the event of the termination of the Agreement, are described in the Data Processing Agreement. For the avoidance of doubt, the relevant provisions of the Data Processing Agreement shall apply regardless of whether the data is personal data or non-personal data.
3.6
Assistance in case of incidents
3.6.1
SignUp's obligation to provide assistance to the Customer, including notification obligations, when an ICT incident related to a SignUp Service provided to the Customer occurs, is described in detail in the Data Processing Agreement. For the avoidance of doubt, the process described in the Data Processing Agreement shall apply regardless of whether the affected data is personal data or non-personal data.
3.6.2
SignUp shall provide assistance, including notification, to Customer at no additional cost when an ICT incident related to a SignUp Service occurs. Notwithstanding the foregoing, if SignUp discovers and can demonstrate that the ICT incident is not attributable to or caused by the SignUp Service and/or SignUp, SignUp shall be entitled to charge the Customer for any further assistance on a time and material basis, on the fees for Consultancy Services as agreed in the Order Agreement.
3.7.1
Provisions on the right of termination and the associated minimum notice period for termination are described in the General Terms and Conditions.
3.7.2
In addition to the Customer's other rights under the Agreement, the Customer has the right to terminate the Agreement (or parts of the Agreement, as the case may be) at any time if:
- SignUp is in material breach of any laws or regulations applicable to SignUp relating specifically to the provision of the SignUp Services (i.e. not in relation to general laws and regulations applicable to SignUp as a company);
- circumstances have been identified during the monitoring of ICT third-party risks that the Customer reasonably deems could alter the performance of the functions provided by the Agreement, including material changes affecting the Agreement or the situation of SignUp;
- there are evidenced weaknesses in SignUp's overall ICT risk management, such as the way in which SignUp ensures the availability, authenticity, integrity and confidentiality of personal data or other data;
- SignUp implements material changes to subcontracted SignUp Services subject to what is set out in Section 3.2.2; or
- the competent authority can no longer effectively supervise the Customer as a result of the terms or circumstances related to the Agreement.
3.7.3
For avoidance of doubt, it is noted that any circumstance that gives rise to a right of termination pursuant to Section 3.7.2 shall not be construed as a breach of contract on the part of SignUp unless such circumstance is a breach of an express obligation on SignUp as set out in this Addendum.
3.7.4
If the Customer exercises its right to terminate the Agreement pursuant to Section 3.7.2 (b), (c) or (e), Customer shall not be entitled to any refunds of any pre-paid Subscription Fees related to the then-current Subscription Term.
3.8
Training and awareness
3.8.1
SignUp shall, against compensation as set out in Section 4.1, in accordance with the Customer's additional instructions, participate in the Customer's ICT security awareness programme and digital operational resilience training.
3.8.2
The foregoing shall be limited to personnel at SignUp that are directly involved in the provision of the SignUp Services to Customer and participation in Customer’s ICT security awareness programme and digital operational resilience training shall not be required more than once per year.
3.8.3
If participation in Customer’s ICT security awareness programme and digital operational resilience training requires travel, Customer shall compensate SignUp for all costs and expenses related to such travel. Moreover, SignUp shall be entitled to charge Customer for the travel time by the hour on SignUp’s fees for Consultancy Services.
3.9
Cooperation with authorities
SignUp is required to cooperate fully with the competent authorities of Customer, including persons designated by them.
4.1
In the event that the obligations in this Addendum require SignUp to take measures or carry out tasks which are specifically requested by the Customer and which SignUp would not otherwise have had to carry out – in other words, measures and tasks due to specific requests, instructions and/or requirements from the Customer, such as participating in threat-led penetration testing, providing incident assistance or adhering to specific instructions by Customer and which are not already implemented by SignUp – then SignUp shall be entitled to charge any reasonable additional costs caused by such measures and tasks to the Customer on a time and material basis based on SignUp’s fees for Consultancy Services.
4.2
Incidents on the part of SignUp (or its sub-processors) shall not be separately chargeable measures.
5.1
Except as expressly provided herein, the Parties agree that the Agreement shall remain in effect on unchanged terms and that this Addendum shall apply as an integral part of the Agreement.
5.2
Amendments and additions to this Addendum, including provisions of the Agreement to which this Addendum refers, shall be in writing and signed by the Parties to be effective.
6
GOVERNING LAW AND DISPUTES
6.1
Section 11.10 of the General Terms and Conditions relating to governing law and disputes shall apply to this Addendum.