Addendum for Regulated Customers (DORA / NIS2)
This Addendum supplements the General Terms and Conditions of Datargo GmbH with the contractual mandatory content required under the regulatory framework for financial entities under DORA and for important and critical entities under NIS2.
1. Subject Matter, Scope and Relationship to Other Documents
(1) This Addendum for regulated customers (hereinafter the “Addendum”) supplements the General Terms and Conditions of Datargo GmbH, Frankfurt am Main (hereinafter “Datargo”), with those contractual mandatory contents that are required for regulated customers under Regulation (EU) 2022/2554 (Digital Operational Resilience Act, hereinafter “DORA”) and under Directive (EU) 2022/2555 (hereinafter “NIS2”) as well as their respective national implementation.
(2) This Addendum applies exclusively to customers that are
| Category | Description |
|---|---|
| Financial entity | a financial entity within the meaning of Art. 2(1) and (2) DORA (in particular credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings, managers of alternative investment funds, management companies and comparable supervised undertakings). |
| Important or critical entity | an important or critical entity within the meaning of NIS2 and its national implementation. |
(3) Datargo provides ICT services within the meaning of Art. 3(21) DORA to these customers and is, in this respect, an ICT third-party service provider within the meaning of Art. 3(19) DORA. This Addendum reflects the contractual mandatory contents required under DORA and NIS2, to the extent that Datargo can provide them as a provider of Software-as-a-Service.
(4) This Addendum becomes part of the contract by express agreement in text form (Textform) or by reference in the individual contract. If the customer designates the procured services to Datargo as intended to support a critical or important function within the meaning of Art. 3(22) DORA, the provisions of this Addendum specifically marked for critical or important functions apply in addition.
(5) To the extent that this Addendum for regulated customers deviates from the General Terms and Conditions, the Service Level Agreement , the module-specific terms or the Data Processing Agreement , this Addendum prevails within its subject matter. In all other respects, the aforementioned documents continue to apply on a supplementary basis. In matters concerning the processing of personal data, the Data Processing Agreement prevails. In all other respects, the order of precedence set out in Section 20 of the General Terms and Conditions applies (individual agreement before Data Processing Agreement and this Addendum before Service Level Agreement and module-specific terms before General Terms and Conditions).
(6) The liability governed in Section 9 of the General Terms and Conditions applies uniformly and with precedence to the entire contractual relationship. This Addendum does not establish any independent or extended liability; to the extent it refers to liability, this serves solely for clarification.
2. Definitions
In addition to the definitions of the General Terms and Conditions, the following apply to this Addendum:
| Term | Meaning |
|---|---|
| DORA | Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. |
| NIS2 | Directive (EU) 2022/2555 as well as its respective national implementation (in Germany in particular the NIS2 Implementation Act (NIS2-Umsetzungsgesetz)). |
| ICT service | a digital service and data service within the meaning of Art. 3(21) DORA that is provided through the services of Datargo. |
| Critical or important function | a function within the meaning of Art. 3(22) DORA whose disruption would materially impair the financial performance of a financial entity, or the soundness or continuity of its business operations. The classification is the sole responsibility of the customer. |
| Competent authority | the supervisory authority competent for the customer as well as, where applicable, the competent resolution authority within the meaning of DORA and NIS2. |
| ICT-related incident | an ICT-related incident within the meaning of Art. 3(8) DORA, including major incidents within the meaning of Art. 3(10) DORA, insofar as it affects the services provided to the customer. |
| Subcontractor | a further service provider engaged by Datargo within the meaning of the General Terms and Conditions and, insofar as personal data is concerned, a sub-processor within the meaning of the Data Processing Agreement . |
| Register of information | the register of contractual arrangements on the use of ICT services to be maintained by the customer pursuant to Art. 28(3) DORA. |
| TLPT | threat-led penetration testing within the meaning of Art. 26 and 27 DORA. |
3. Description of Services and Functions, Data Locations
(1) Datargo provides the services designated in the respective individual contract and in the associated service description (Datargo Monitor, Datargo CRM, Datargo ID, Datargo ERP, NextPKI as well as the bundle offering Datargo One) as Software-as-a-Service. The complete and current description of the functions and ICT services, including any subcontracted services, results from the respective service description, the selected plan and any individual agreements (Art. 30(2)(a) DORA).
(2) The services are provided within the European Union. Hosting as well as the processing and storage of customer data take place in a data center in Frankfurt am Main (Art. 30(2)(b) DORA). Region pinning as well as further operational and location arrangements may be agreed via Datargo One.
(3) Datargo informs the customer in good time in text form (Textform) before the location of the processing or storage of customer data changes, and states the conditions of such a relocation. Where an intended relocation provides for processing or storage outside the European Union, it requires the prior consent of the customer in text form; otherwise, the customer has a right of termination pursuant to Section 11.
(4) Within the scope of the agreed services, Datargo ensures the availability, authenticity, integrity and confidentiality of the processed data, including the protection of personal data (Art. 30(2)(c) DORA). The technical and organisational measures result from the Data Processing Agreement and the measures documented therein pursuant to Art. 32 GDPR.
(5) Datargo ensures access to the customer data as well as its recovery and return in an easily accessible, commonly used and machine-readable format (Art. 30(2)(c) DORA). The details are governed by Section 9 (Exit Strategy and Reversibility).
4. Service Levels and Performance Targets
(1) The service levels applicable to the services, in particular availability, the measurement method, maintenance as well as response and service times, result from the Service Level Agreement (Art. 30(2)(d) DORA).
(2) Where the services support a critical or important function, the parties shall, at the customer’s request, agree a complete service description with precise quantitative and qualitative performance targets as well as provisions for the adjustment of these targets (Art. 30(3)(a) DORA). Further or deviating service levels, in particular increased availability targets or shortened response times, are agreed as individual agreements and prevail over the Service Level Agreement.
(3) Datargo monitors compliance with the agreed performance targets on an ongoing basis and provides the customer, upon request and to a reasonable extent, with meaningful reports on service delivery.
5. Access, Inspection and Audit Rights; Rights of the Supervisory Authorities
(1) Datargo grants the customer and the auditors appointed by it as well as the competent authority access, inspection and audit rights with respect to the services provided to the customer (Art. 30(2)(e) and (3)(e) DORA). These rights include access to the relevant information, systems and business premises, to the extent necessary for the customer to exercise its regulatory obligations.
(2) Priority of document-based evidence. Datargo demonstrates compliance with the relevant security and compliance requirements primarily by means of suitable, up-to-date evidence, in particular through recognised certifications and independent audit reports (such as ISO/IEC 27001 or comparable standards, a BSI C5 attestation or a SOC 2 Type II report), through self-assessments as well as through summary reports on audits and tests. Datargo provides this evidence to the customer upon request and to a reasonable extent. The customer accepts such evidence to the extent that it covers the audited area and is up to date.
(3) On-site audit. Where the evidence provided pursuant to paragraph 2 is insufficient in an individual case, or where the competent authority requires a further audit, the customer may carry out an audit on site or have it carried out by a suitable third party. The following applies to the conduct of such audits:
| Aspect | Provision |
|---|---|
| Auditor | the customer itself, an independent auditor appointed by it who is bound to confidentiality and who is not in competition with Datargo, or the competent authority. |
| Notice | upon reasonable prior notice in text form (Textform); in the case of audits by a competent authority or where there is a specific cause (such as following a major incident), the period is shortened to the extent required by the authority or by the cause. |
| Time and place | during normal business hours, without unreasonable interference with the business operations of Datargo. |
| Scope | limited to the services provided to the customer and to compliance with the contractual and regulatory requirements; while safeguarding the confidentiality interests of Datargo and the protective rights of third parties and other customers (tenant separation). |
| Frequency | as a rule, no more than once per calendar year; additional audits where there is a specific cause or at the request of a competent authority. |
| Copies | the right to inspect relevant documents on site during the audit and, to the extent necessary for critical or important functions, to take copies, to the extent that no confidentiality, data protection or security concerns conflict with this. |
(4) Extended audit rights for critical or important functions. Where the services support a critical or important function, Datargo grants the customer and the competent authority unrestricted rights of access, inspection and audit as well as the right to take copies of relevant documents on site (Art. 30(3)(e) DORA). Datargo cooperates fully and in good faith in audits and does not restrict these rights beyond the extent necessary to protect the confidentiality, data protection and security interests as well as tenant separation.
(5) Authority access rights and cooperation. Datargo cooperates fully with the supervisory and resolution authorities competent for the customer and enables them to exercise their supervisory, audit and access rights, including on-site audits (Art. 30(2)(f) DORA). Datargo informs the customer of requests from authorities that concern the services provided to it, to the extent legally permissible.
(6) The costs of audits pursuant to paragraph 3 are borne by the customer, unless the audit reveals a material defect for which Datargo is responsible; in that case, Datargo bears the reasonable costs attributable to it. Datargo may request reasonable remuneration for support services exceeding the customary effort, to the extent DORA does not preclude this. Audits by authorities are carried out without separate remuneration.
6. Subcontracting and Subcontractors
(1) Datargo is entitled to engage subcontractors to provide the services. Datargo selects them carefully, monitors them and remains responsible for their performance as for its own conduct. The subcontractors engaged in each case that process personal data are available under Sub-Processors .
(2) Subcontracting for critical or important functions. Where the services support a critical or important function, the conditions for subcontracting pursuant to Art. 30(2)(a) DORA apply in addition. Datargo contractually obligates the subcontractor to comply with the security, availability, audit and cooperation obligations relevant to the function concerned, which correspond to those of this Addendum, including the access and audit rights of the customer and the competent authority as well as the location binding to the European Union.
(3) Prior information and right to object. Datargo informs the customer in good time in text form (Textform) of an intended change in the roster of subcontractors that support a critical or important function. The customer may object to the change within a reasonable period for an important regulatory or security-related reason. In the event of a justified objection, the parties shall seek an amicable solution; if this does not succeed, the customer has a right of termination pursuant to Section 11 with respect to the affected service.
(4) Datargo notifies the customer without undue delay of material changes that could significantly impair the suitability of a subcontractor to support a critical or important function.
7. Reporting of ICT-Related Incidents
(1) Datargo informs the customer without undue delay of ICT-related incidents that affect the services provided to it, as well as of significant cyber threats and vulnerabilities, to the extent they are relevant to the customer (Art. 30(2)(f) and (3)(c) DORA).
(2) Reporting deadlines. The notification is made without culpable delay, as a rule within 24 hours of becoming aware of a major incident affecting the customer’s services. In an initial notification, Datargo informs of the nature, known extent and likely impact as well as the measures initiated, and continuously updates the information until the incident has been remedied. Datargo provides the customer in good time and as far as possible with the information required for the customer’s own supervisory reporting obligations pursuant to Art. 19 DORA and under NIS2.
(3) Datargo supports the customer in the assessment, handling and remediation of an ICT-related incident to the agreed extent. For incidents affecting the customer’s services, the support is provided without additional costs; any further effort to be determined in advance is agreed separately (Art. 30(2)(f) DORA).
(4) The reporting of personal data breaches is additionally governed by the Data Processing Agreement and Art. 33 and 34 GDPR.
8. Business Continuity, Security and Threat-Led Testing
(1) Datargo maintains appropriate contingency, restart and recovery arrangements as well as ICT security measures in line with the state of the art and reviews their effectiveness regularly (Art. 30(3)(c) DORA). Upon request, Datargo provides the customer with summary information on the arrangements and the results of the tests to a reasonable extent.
(2) Threat-led penetration testing (TLPT). Where the customer is subject to the obligation to conduct threat-led penetration testing pursuant to Art. 26 and 27 DORA and these tests include the services provided by Datargo, Datargo cooperates in the conduct to a reasonable extent (Art. 30(3)(d) DORA). Scope, timing, methodology, remuneration and protective measures, in particular to safeguard security and tenant separation vis-Ã -vis other customers in a multi-tenant environment, are set out in a separate agreement. To the extent that a pooled test pursuant to Art. 26(4) DORA is being considered, Datargo supports the coordination with other participating financial entities.
(3) Awareness and training. At the customer’s request and to a reasonable extent, Datargo participates in the customer’s programmes for ICT security awareness and for training in digital operational resilience, to the extent that these concern the cooperation under this contract (Art. 30(2)(g) DORA).
9. Exit Strategy and Reversibility
(1) Datargo supports the customer in an orderly exit from the contractual relationship, whether for migration to another provider or for repatriation into the customer’s own solution (Art. 28(8) and Art. 30(3)(f) DORA).
(2) Transition period. Where the services support a critical or important function, Datargo continues to provide the affected services at the customer’s request after termination of the contract for a reasonable transition period of up to twelve months under the existing conditions against the agreed remuneration, in order to avoid a disruption at the customer or an impairment of its orderly wind-down. The customer notifies the use and the desired duration in good time before the end of the contract.
(3) Return of data. Datargo returns to the customer its customer data in an easily accessible, commonly used, structured and machine-readable format and enables its export. Datargo supports the migration of the data and, to the extent agreed, of the configurations to a target system to the necessary and reasonable extent. Migration and transition services exceeding the customary export scope are provided against reasonable remuneration to be determined in advance.
(4) Orderly exit. During the transition period, Datargo cooperates in an orderly exit, in particular by providing the necessary documentation and information as well as by the requisite cooperation in tests of reversibility. After completion of the exit and expiry of the transition period, Datargo deletes the customer data and existing copies or returns them, to the extent that no statutory retention obligation conflicts with this. Data protection deletion and return obligations are additionally governed by the Data Processing Agreement .
(5) Upon request, Datargo provides the customer with the information it needs to prepare and maintain its own exit strategy pursuant to Art. 28(8) DORA, to the extent it concerns the services provided to it.
10. Support with the Register of Information
(1) Datargo provides the customer with the information it needs to maintain and update its register of information pursuant to Art. 28(3) DORA with respect to the contractual arrangements existing with Datargo, in particular details of the procured services, the data locations and, for critical or important functions, the subcontractors engaged.
(2) To the extent that Datargo holds the identifiers required for this purpose (in particular the Legal Entity Identifier, LEI), Datargo communicates these to the customer upon request. Datargo supports the customer with plausibility queries regarding the register-relevant details to a reasonable extent.
(3) Responsibility for the preparation, completeness, accuracy and timely transmission of the register of information to the competent authority remains with the customer.
11. Termination Rights
(1) In addition to the termination rights of the General Terms and Conditions, the customer may terminate the contract or the affected service for good cause if one of the circumstances of Art. 28(7) DORA exists, in particular if
| Letter | Termination ground (Art. 28(7) DORA) |
|---|---|
| a | Datargo significantly breaches applicable laws, regulations or contractual terms; |
| b | in the course of monitoring ICT third-party risk, circumstances are identified that are capable of altering the performance of the functions agreed under the contract, including material changes affecting the arrangement or the situation of Datargo; |
| c | there are evidenced weaknesses at Datargo in ICT risk management, in particular in ensuring the availability, authenticity, integrity and confidentiality of data; or |
| d | the competent authority can no longer effectively supervise the customer as a result of the conditions or circumstances at Datargo. |
(2) Datargo grants the customer reasonable minimum notice periods for termination pursuant to paragraph 1 in line with the expectations of the competent authorities (Art. 30(2)(h) DORA). The right to ordinary termination as well as the termination rights under the General Terms and Conditions remain unaffected.
(3) In the event of a termination under this Addendum, the provisions on exit strategy and reversibility pursuant to Section 9 apply, in particular on the transition period and the return of data.
12. NIS2 Supply Chain Cooperation
(1) To the extent that the customer is subject to NIS2 as an important or critical entity, Datargo supports the customer in fulfilling its obligations regarding supply chain security pursuant to Art. 21(2) NIS2 and its national implementation.
(2) Datargo takes appropriate technical and organisational security measures in line with the state of the art (see the Data Processing Agreement ), maintains security incident management and provides the customer, upon request and to a reasonable extent, with evidence of the measures taken (such as certificates, attestations or audit reports).
(3) Datargo informs the customer without undue delay of security incidents that affect the services provided to it, and supports it in complying with its reporting obligations to the competent authorities, including the deadlines applicable under NIS2 (in particular early warning, notification and final report). The reporting deadlines and details are governed by Section 7, which applies accordingly in this respect.
(4) Datargo cooperates with the customer in managing and following up on security incidents in the supply chain to the agreed extent and designates suitable points of contact and contact channels for this purpose.
13. Remaining Regulatory Responsibility of the Customer
(1) Responsibility for compliance with the regulatory requirements applicable to the customer, in particular under DORA and NIS2, remains solely with the customer. It cannot, from a regulatory perspective, be transferred to Datargo.
(2) Datargo supports the customer in fulfilling its obligations within the scope of this Addendum but does not warrant that the use of the services alone fulfils the customer’s regulatory requirements. The customer is responsible in particular for the classification of critical or important functions, its own ICT risk management, the maintenance of the register of information, its own supervisory reporting and the preparation of its own exit strategy.
(3) The promotion or designation of the services as suitable to support DORA or NIS2 requirements does not establish any warranty and no obligation of Datargo going beyond this Addendum.
14. Unreasonable Obligations; Individual Agreement
(1) To the extent that a requirement provided for under DORA or NIS2 for critical or important functions goes beyond what Datargo can provide as a provider of multi-tenant standard Software-as-a-Service with reasonable effort and while safeguarding the security and the rights of other customers, this requirement is the subject of a separate individual agreement. This concerns in particular further individual penetration tests, individual on-site access into multi-tenant systems, individual availability or restart targets as well as individual location or operational specifications.
(2) The parties negotiate such requirements in good faith with the aim of finding a solution that satisfies the customer’s regulatory requirements and is reasonable for Datargo. Such an individual agreement prevails over this Addendum.
15. Final Provisions
(1) To the extent that this Addendum does not make any deviating provisions, the General Terms and Conditions apply on a supplementary basis, in particular as regards governing law, place of jurisdiction, text form (Textform) and the treatment of invalid provisions.
(2) If the legal or regulatory requirements relevant to regulated customers change, the parties shall adapt this Addendum to the extent necessary in good faith.
Authoritative language version
This document is provided in German, English and French. The English and French versions are translations provided solely for convenience. The German version is authoritative and solely binding in the event of any dispute or any difference of interpretation or translation.