North Park Digital Operational Resilience Act (DORA) Addendum

This DORA Addendum (“Addendum”) supplements the Terms of Service or the Enterprise Agreement, as applicable, (the “Agreement”) between North Park, as your supplier (“North Park”), and you, as a European Union (“EU”)-based North Park customer (“Customer”). This Addendum applies exclusively to North Park customers subject to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”) and takes precedence over any conflicting terms in the Agreement.

1. Definitions

Unless defined otherwise in this Addendum, capitalized terms shall have the meaning set forth in the Agreement.

1.1. “Agreement” refers to the North Park Terms of Service (“Terms of Service”) entered into between North Park and Customer.

1.2. “Competent Authority” refers to a competent authority as defined in Article 46 of DORA.

1.3. “ICT Incident” is defined in DORA and means a single event or series of linked events that compromise the security of network and information systems and adversely impact the availability, authenticity, integrity, or confidentiality of Customer’s data or services.

1.4. “Subcontractor” means a third party that provides any ICT service (as defined by DORA) to North Park within the same ICT service supply chain connected with (and effectively underpinning) the provision of the North Park Service, in accordance with the Implementing Technical Standards on the Register of Information under Article 28(9) of DORA. The term “Subcontracting” shall be construed accordingly.

2. Scope and Applicability

2.1. To the extent that Customer does not qualify as an EU “financial entity” as defined in Article 2(a)-(t) of DORA, or is excluded under Article 2(3) or 2(4) of DORA, this Addendum shall not apply.

2.2. North Park acknowledges that Customer is subject to certain obligations under DORA in relation to Customer’s use of ICT services provided by ICT third-party service providers such as North Park. North Park agrees to cooperate with Customer to enable Customer to satisfy its applicable obligations under DORA.

2.3. Customer acknowledges and agrees that Customer does not, and during the Term is not expected to, use North Park’s services to support a critical or important function of Customer.

3. Article 30 Section 2 Requirements

3.1. Service Description: The description of the Service is provided as part of the Service Documentation.

3.2. Location of Data: North Park provides the Service from Digital Ocean servers in Europe, and certain data may be processed by our Subprocessors (defined below), unless otherwise agreed by the parties from time to time. North Park processes Customer Content in accordance with the Data Processing Addendum (“DPA”). Each North Park subprocessor (the “Subprocessors”), and the locations where North Park and each such subprocessor processes data, can be requested at any time via email to legal@violet-dove-566109.hostingersite.com. North Park shall not change the country or region for provision of the Services or processing of Customer Content without providing reasonable prior notice to Customer.

3.3. Data Protection and Security: North Park will implement and maintain appropriate technical and organizational measures to ensure the availability, authenticity, integrity, and confidentiality of Customer Content as described in, including recovery and secure deletion of data upon termination, all in accordance with the DPA.

3.4. Data Access, Recovery, and Return: In the event of North Park’s insolvency or discontinuation of business operations, North Park provides Customer with access and technology to download, transfer, or delete its Customer Content during the term of the Agreement, as described in North Park’s data retention policies.

3.5. Service Level Agreement: The provisions of Section 8 of the Agreement shall apply to the Service provided by North Park to Customer and shall constitute the service level agreements as required under DORA (the “Service Levels”).

3.6. ICT Incidents: North Park will cooperate with Customer relating to an ICT Incident resulting in unauthorized access or disclosure of Customer Content stored on the Service. North Park reserves the right to charge reasonable fees (including personnel cost as determined by North Park in accordance with its then-current rates) for support provided.

3.7. Cooperation with Competent Authorities: If requested by a Competent Authority under DORA, North Park will cooperate with Competent Authorities in relation to Customer’s compliance as required under DORA.

3.8. Termination Rights: The Customer may terminate the Agreement in accordance with the termination provisions of the Agreement. To the extent that DORA requires that Customer have any termination rights under the Terms of Service that are not already included in the Agreement, Customer shall have those additional termination rights as required by DORA. Termination, however effected, shall not relieve Customer of any payment obligations for Services rendered prior to termination.

3.9. Security Awareness Training: North Park will provide its personnel with a security awareness program and a digital operational resilience training program. To the extent required by DORA and subject to mutual agreement between the parties (including as to reasonable costs), Customer can engage North Park support personnel to participate in Customer’s ICT risk management training, provided that such training is reasonable and directly relevant to the North Park Services, can be attended virtually, and provides for input from North Park to adapt the training for relevance and reasonableness.

3.10. Subcontracting: Customer agrees that North Park may engage Subcontractors in respect of the Service and the provisions of this clause shall apply to any such Subcontracting. North Park will remain fully responsible under the Agreement for the provision of the Service to Customer.

4. Audits

4.1. Audit Right: To the extent necessary and required under DORA, you may, at your sole expense, conduct a reasonable audit pursuant to a mutually agreed-upon audit plan with North Park that is consistent with the requirements of this Section 4.

4.2. Exercise of Audit Right: You may exercise such audit right: (a) to the extent North Park’s provision of third-party audit reports (e.g., Service Organization Control (SOC) 2 reports) does not provide sufficient information to verify North Park’s compliance with this Addendum and/or the DPA; and (b) where required by DORA or a relevant government authority.

4.3. Conditions: Each such audit must: (a) be conducted by you or through a third-party auditor on your behalf that will enter into a confidentiality agreement with North Park; (b) be limited in scope to matters reasonably required to assess North Park’s compliance with this Addendum, the DPA and/or your regulatory obligations under DORA; (c) occur no more than once annually (unless required by a Competent Authority or DORA); (d) cover only processing facilities directly controlled by North Park; (e) restrict findings to your Personal Information (as defined in the DPA) only; and (f) treat any results as confidential information to the fullest extent permitted by applicable law.

5. Miscellaneous

5.1. Confidentiality: Confidential Information shared in connection with this Addendum shall be treated as “Confidential Information” as defined in, and in accordance with, the Agreement.

5.2. Conflict: In the event of any conflict between this Addendum and the Agreement, the terms of this Addendum shall prevail.

5.3. Termination of Addendum: This Addendum shall terminate automatically upon the expiration or termination of the Agreement.