DORA Addendum

Effective: November 3, 2025

INTRODUCTION

  1. In providing the Services to the Customer under the Terms and Conditions (“Terms”), incident.io may act as an “ICT third-party service provider” on behalf of the Customer for the purposes of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”).

  2. Where it has been agreed by the parties that Section 9.6 of the Terms applies, this DORA Addendum (“Addendum”), including the terms set out below, shall form an integral part of the Terms.

DORA Terms

  1. Definitions

    • 1.1. In this Addendum, all capitalised terms used without definition have the meanings ascribed to them in the Terms.

    • 1.2. The following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

      • 1.2.1. “Critical or Important Function” means a function, the disruption of which would materially impair the financial performance of Customer, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of Customer with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.

      • 1.2.2. “ICT-related Incident” means a single event or a series of linked events unplanned by Customer that compromise the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on the services provided by Customer.

      • 1.2.3. “Third-Party Customer” means the Customer’s end-customer, who is a financial entity subject to DORA, and whose services rely on the Services.

  2. Scope of Services and Service Level Descriptions

    • 2.1. incident.io will deliver the Services as defined in the Terms and any applicable Order Form and in accordance with the service levels specified in the Service Level Agreement. Any service level issues will be addressed in accordance with the aforementioned Service Level Agreement.

    • 2.2. Customer will notify incident.io of any material changes to its intended use of the Services.

    • 2.3. To the extent that Customer is a contractor on behalf of a Third-Party Customer, Customer engages incident.io as a subcontractor. To the extent necessary to comply with DORA, Customer may assign certain rights granted to Customer in this Addendum to that Third-Party Customer with incident.io’s prior written consent.

  3. Subcontracting

    • 3.1. incident.io may subcontract the Services to a third party subject to the following conditions:

      • a. incident.io will carry out reasonable due diligence over any subcontractor’s performance of the Services. incident.io will remain responsible for the performance of the Services towards Customer in accordance with the Terms.

      • b. incident.io will, upon request, inform Customer about the monitoring and reporting obligations of its subcontractors. Such information may be redacted to protect any commercially sensitive data, and limited to what is strictly necessary to address Customer’s request. Customer will treat such information as confidential and use it solely for the purpose for which it was provided.

      • c. If Customer demonstrates that a subcontractor’s material failure to perform their obligations threatens the performance of the Services, Customer may require incident.io to replace the subcontractor, subject to reasonable notice.

  4. Service Locations

    • 4.1. The Services will be provided, and data will be processed, in the regions specified in incident.io’s list of sub-processors online (https://incident.io/legal/sub-processors). Changes to these locations will be communicated to Customer. Continued use of the Services after such notification will constitute Customer’s acceptance of the changes.

  5. Data Protection Obligations

    • 5.1. incident.io will take appropriate steps to maintain the availability, authenticity, integrity, and confidentiality of data processed under the Terms, including as specified in the Data Processing Addendum.

  6. Data Access and Continuity

    • 6.1. In the event of insolvency, resolution, or discontinuation of incident.io’s business operations or termination of the Terms, incident.io will take appropriate steps to enable access to, recovery of, and return of all (non-)personal data processed for Customer.

    • 6.2. If Customer requests the return of data and such is technically feasible, incident.io will make the data available for retrieval by Customer within a reasonable period upon receipt of the request. The data will be provided in its then current condition (‘as is’). Notwithstanding the terms of this Addendum, personal data will be processed, returned, or deleted upon termination in accordance with the Data Processing Addendum.

  7. Incident Assistance

    • 7.1. In the event of an ICT-related Incident affecting the Services provided to Customer, incident.io will assist Customer in resolving the issue. incident.io shall provide such assistance at no cost to Customer where the ICT-related Incident is attributable solely to the acts or omissions of incident.io. If the cause of the ICT-related Incident cannot be determined, the parties will work in good faith to determine a reasonable cost for assistance.

  8. Cooperation with DORA Authorities

    • 8.1. incident.io will reasonably cooperate with the competent DORA authorities of Customer where required by applicable law, and only to the extent directly related to the Services and as necessary to address issues relating to Customer’s compliance with its obligations under DORA. Such cooperation will not place an undue burden on incident.io or require the disclosure of proprietary or confidential information. incident.io may charge Customer for such assistance if such cooperation does place an undue burden on incident.io, in which case the parties will work in good faith to determine a reasonable cost for assistance.

  9. ICT Security Awareness Training

    • 9.1. At Customer’s request, incident.io’s relevant personnel may be requested to participate in Customer’s DORA-related security training. Such participation will be limited to once per year and must be scheduled with 30 business days’ notice and at a time that does not disrupt incident.io’s business operations.

    • 9.2. Participation is subject to the following conditions: (i) training must be directly relevant to the Services, (ii) all costs will be borne by Customer, (iii) participation will not involve the disclosure of proprietary or confidential information of incident.io, and (iv) participation will not create any obligations beyond those already set out in the Terms.

  10. Termination

    • 10.1. In addition to the circumstances set out in Section 8.2 of the Terms, Customer may terminate the Services in the following circumstances:

      • a. If incident.io is in material breach of its commitments under this Addendum and fails to correct the breach within 30 business days;

      • b. If circumstances are identified that materially affect incident.io’s ability to perform its commitments under this Addendum, including material changes that prevent incident.io from complying with the Terms;

      • c. In case of demonstrated material non-compliance with incident.io’s security commitments as set out in Appendix 2 of the Data Processing Addendum; or

      • d. If such is expressly required by Customer’s DORA supervisory authority.

    • 10.2. Customer will notify incident.io immediately of any concerns that could lead to termination under Section 10.1. incident.io will be granted at least 30 business days to address and respond to these concerns before Customer may exercise its right to terminate the Terms.

    • 10.3. The minimum notice period for termination will be 60 business days unless otherwise specified by regulatory requirements or in the Terms.

    • 10.4. In the event of termination for any reason, Customer will remain liable for and will promptly pay any outstanding fees due to incident.io for Services rendered prior to the effective date of termination. incident.io will issue a final invoice for such fees, which shall be payable in accordance with the terms specified in the Terms. Regardless, upon termination, neither party shall be liable for indirect, incidental, consequential, special, exemplary or punitive damages, including loss of profits or business opportunities, in accordance with the Terms.

  11. Services That Supply a Critical or Important Function

    • 11.1. Where Customer reasonably determines that the Services provided by incident.io to Customer amount to a Critical or Important Function of Customer or the Third-Party Controller under DORA, this Section 11 shall apply, provided that:

      • 11.1.1. Customer notifies incident.io of such determination, such notification to include details of its reasoning; and

      • 11.1.2. incident.io agrees that the Services support a Critical or Important Function.

    • 11.2. Service Level Descriptions

      • 11.2.1. In the event the service levels are not met in accordance with the SLA, corrective actions will be implemented, which may include remediation measures or service credits defined by incident.io or other remedies agreed upon between the parties.

    • 11.3. Subcontracting

      • 11.3.1. incident.io will identify the subcontractors that help support a Critical or Important Function for Customer and keep this list up-to-date.

      • 11.3.2. incident.io will inform Customer of any material changes to its subcontracting arrangements and will implement such changes if Customer does not object to them within 30 business days after being informed thereof by incident.io.

      • 11.3.3. The appointment of subcontractors processing Personal Data shall be supplemented by Section 4.2.4 of the Data Processing Addendum.

    • 11.4. Notice and Reporting Obligations

      • 11.4.1. incident.io will promptly notify Customer of developments that may materially impact its ability to effectively deliver its Services that are supporting critical or important functions, in line with the agreed service levels. Service level notifications will be posted on https://status.incident.io/ and include notifications of circumstances that can reasonably be expected to have a material impact on the provision of the Services.

    • 11.5. Business Continuity and ICT Security

      • 11.5.1. incident.io will implement and test business contingency plans.

      • 11.5.2. incident.io maintains the ICT security measures as outlined in the Data Processing Addendum.

      • 11.5.3. Upon Customer’s request, and to the extent necessary for the Services, incident.io will participate in Customer Threat-Led Penetration Testing (“TLPT”) efforts. Such participation will be limited to once per year and take place at a time that does not disrupt incident.io’s business operations. Participation is subject to the following conditions: (i) the selected TLPT program must be directly relevant to the nature of the Services and (ii) all costs will be borne by Customer.

    • 11.6. Ongoing Monitoring and Audits

      • 11.6.1. To the extent necessary for the provision of the Services, Customer (or an appointed independent third-party auditor on its behalf that has been approved by incident.io) and the competent financial supervisory authorities may request to access, inspect, and audit incident.io’s facilities, systems, and documentation that are relevant for the Services (“Audit”). incident.io will cooperate and provide reasonable assistance during such an Audit.

      • 11.6.2. If an Audit would affect the rights of other incident.io customers, the parties will agree upon alternative assurance levels. If Customer is required by applicable law to take copies of relevant documentation during an Audit, incident.io will provide such copies provided that it does not threaten the security or integrity of incident.io networks or systems or other customers’ data or services.

      • 11.6.3. Customer will inform incident.io of the scope, duration (including start and end date) and procedure of an Audit at least one calendar month prior to the Audit. All costs related to an Audit will be borne by Customer.

      • 11.6.4. The provisions of this Section 11.6 are supplemented by the audit provisions of the Data Processing Addendum.

    • 11.7. Exit Strategy and Transition Period

      • 11.7.1. incident.io will maintain an exit strategy that includes an adequate transition period. incident.io will, upon written request, continue to make the Services available for up to 3 months following termination subject to certain conditions to be agreed upon by the parties. During this period, incident.io will continue to offer the Services to minimise disruption to Customer’s operations and allow Customer to transition to another provider. Subscription Fees shall continue to accrue and to be invoiced by incident.io pursuant to Section 5 of the Terms during any transition period. If Customer requires any assistance with a transition, incident.io will enter good faith negotiations with Customer regarding the provision of transition assistance services at Customer’s expense.