Financial Services Addendum (FSA) — Communify DORA Addendum (Non-Critical ICT Third-Party Provider)
This Financial Services Addendum (“FSA” or “Addendum”) supplements the Agreement (defined below) between Communify and [_____________] (“Customer”). Customer and Communify are collectively known as the “parties” or “Parties”.
As Customer is subject to DORA (as defined below), and to the extent that the Communify Services constitute “ICT Services” as defined in DORA, the parties agree that the Agreement must contain certain provisions as set forth in this Addendum.
Customer has assessed Supplier as a non-critical ICT third-party provider pursuant to Article 28 DORA. The obligations herein reflect a proportionate risk-based application of DORA requirements.
In consideration of the mutual obligations set out herein, the parties agree to comply with the following provisions, each acting reasonably and in good faith.
1. Definitions
Unless otherwise defined herein, all capitalized terms have the same meaning given to them in the Agreement. In addition, the following definitions apply:
“Agreement” means all current and future agreements between Communify and Customer in connection with which Communify provides Services (defined below) to Customer, such as a Master Subscription Agreement (“MSA”), including all Orders thereunder (directly or through an authorized partner) applicable to the Services. This Addendum is incorporated into such Agreement(s) by this reference.
“Communify” means Communify On Demand, Inc, or the applicable Communify affiliate entity that is party to the Agreement.
“DORA” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
“DPA” means the data processing or data protection addendum, as applicable, between Customer and Communify governing the processing of Personal Data by Communify on behalf of Customer, which forms part of the Agreement.
“Customer Data” means, for purposes of this Addendum, any information that Customer provides to Communify or otherwise authorizes access to in the course of accessing and using the Services, and includes all Customer Confidential Information and any information concerning Customer’s operations, customers, employees, contracting parties and other persons, including Personal Data, which Communify receives from Customer or has access to in connection with the provision of the Services.
“ICT-Related Incident” means a single event or a series of linked events unplanned by the Customer, directly related to the Services, that compromises the security of the network and information systems and has an adverse material impact on the availability, authenticity, integrity or confidentiality of Customer Data, or on the services provided by the Customer.
“Personal Data” means any Customer Data that relates to an identified or identifiable natural person which is protected under Data Protection Laws. “Data Protection Laws” means local, state, federal, or international laws, regulations, or treaties applicable to protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data under the Agreement, as may be defined in such laws, including, the European Area Law, the California Consumer Protection Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.
“Services” means the provision of cloud services (such as software as a service (“SaaS”) and/or hosted or managed services), maintenance and support services in connection with the Software and/or cloud services licensed by Customer, and/or Professional Services made available by Communify to Customer under the Agreement and for the purposes of which Communify is an ICT provider of Customer pursuant to DORA. References to Services or ICT Services in this Addendum refer to Services that constitute ICT Services under DORA (referred to interchangeably in this Addendum as “Services” or “ICT Services”).
“ICT Services” has the meaning as defined under DORA.
“Service Levels” means, to the extent applicable to the Services provided to Customer, the agreed-upon service levels set forth in the Agreement.
“Supervisory Authority” or “Regulator” means any European financial service regulator or national competent authority that has the monitoring or supervisory rights over Customer and/or over Communify as the provider of the ICT Services to Customer under the DORA Regulation.
“Subcontractor” means a third party engaged by Communify in connection with the Services which (i) performs and processes operations that are involved in the delivery of the Services, and/or (ii) stores or processes Customer Data in connection with the ICT Services (also referred to as a “Subprocessor”), in accordance with the Agreement.
2. General Obligations
- Services Description. Services are as described in the Agreement and applicable Documentation.
- Service Levels. To the extent applicable to the Services provided to Customer under the Agreement, Communify shall provide such Services in accordance with the Service Levels. Any updates and revisions to the agreed service levels must be documented in writing and signed by authorized representatives of both Parties in order to be valid.
- Cooperation. Communify shall cooperate fully with Supervisory Authorities, including persons appointed by them, in all matters.
- Notification Obligation. Communify shall monitor material regulatory developments relating to Regulation (EU) 2022/2554 (“DORA”) that are reasonably applicable to the ICT Services and notify Customer without undue delay of any material changes in DORA that would reasonably require amendment of this Addendum or materially affect the obligations of the Parties hereunder.
Where Supplier becomes aware of material DORA-related developments specifically impacting the ICT Services and has reason to believe that Customer is not aware of such developments, Supplier shall promptly notify Customer in writing.
If Supplier is formally designated by a competent Supervisory Authority as a critical ICT third-party service provider pursuant to DORA, Supplier shall notify Customer in writing within a commercially reasonable timeframe following official notification of such designation. Following any such designation, the Parties shall in good faith negotiate amendments to this Addendum necessary to reflect any additional regulatory obligations applicable to Supplier under DORA and proportionate to the ICT Services provided to Customer. Until such designation occurs, Supplier shall not be subject to obligations applicable exclusively to critical ICT third-party service providers, except to the extent expressly required by applicable law.
- Standard Contractual Clauses. To the extent that any standard contractual clauses are developed by competent authorities or European Union institutions under DORA concerning the subject matter of this Addendum, then upon Customer’s request, the parties shall in good faith negotiate and agree on the incorporation of such standard contractual clauses (as applicable to the ICT Services provided to Customer under the Agreement) and replace any overlapping terms and conditions in this Addendum with the corresponding terms and conditions of the standard contractual clauses.
- Protection of Personal Data. The provisions on availability, authenticity, integrity, and confidentiality in relation to the protection of data, including Personal Data, as well as the terms ensuring access, recovery, and return of Personal Data, are stated in the Agreement and the applicable DPA between Communify and Customer. For the avoidance of doubt, Personal Data that Communify processes on behalf of the Customer is processed, transferred, and stored as set forth in the Data Processing Addendum, located at https://www.communify.com/data-processing-addendun
- Digital Operational Resilience Testing. Communify shall:
  - conduct risk-based digital operational resilience testing of its ICT systems supporting the ICT Services, proportionate to the nature, scale and complexity of the services provided, which may include vulnerability assessments and periodic penetration testing, as appropriate;
  - provide Customer, upon request, with summaries of relevant testing results and remediation plans relating to the ICT Services within thirty (30) days following completion of such testing, subject to confidentiality and security considerations;
  - implement corrective measures identified through testing within commercially reasonable timeframes, prioritizing remediation of high-risk findings without undue delay and, where agreed with Customer, within remediation periods proportionate to the severity of the issue; and
  - coordinate testing activities in good faith to minimize disruption to the ICT Services while maintaining adequate resilience assurance over services provided to Customer.
3. Information Security
- Communify shall:
  - maintain and operate a documented information security program, including appropriate policies, procedures, technical and organizational measures, designed to protect Customer Data in Supplier’s possession or control and to support its availability, confidentiality, integrity and authenticity, proportionate to the nature, scale and complexity of the ICT Services provided;
  - implement security controls that are reasonably aligned with the information security requirements set out in the Agreement and with generally recognized industry practices applicable to similar ICT services;
  - use a recognized industry security framework, such as the NIST Cybersecurity Framework or ISO 27001 (or an equivalent standard), as a reference model for the development, implementation and maintenance of its information security policies and practices. Adoption of such framework shall serve as guidance and shall not be construed as a guarantee of compliance with every prescriptive element thereof; and
  - conduct a review of its information security policies, procedures and relevant technical standards at least annually, and update such policies and controls as appropriate to address material changes in risk, technology, regulatory requirements, or the ICT Services.
- Communify shall provide reasonable assistance to Customer in connection with any ICT-Related Incident affecting the ICT Services provided under the Agreement. Unless otherwise agreed in writing between the Parties, in the event of an ICT-Related Incident that materially impacts or is reasonably likely to materially impact the availability, confidentiality, integrity, or security of the ICT Services provided to Customer, Communify shall:
  - notify Customer without undue delay and, in any event, within forty-eight (48) hours after becoming aware of a material ICT-Related Incident affecting the ICT Services;
  - provide Customer with reasonably available information necessary to enable Customer to assess potential impact to its functions and comply with applicable regulatory obligations;
  - cooperate in good faith with Customer by providing updates at reasonable intervals proportionate to the severity and impact of the incident; and
  - provide, within a commercially reasonable period (and typically within ten (10) business days where reasonably practicable), a written incident summary including, to the extent then known, a preliminary root cause analysis (which may be updated as the investigation continues), an impact assessment, and an estimated remediation timeline.
- Communify shall ensure Customer has access to Customer Data that Communify stores, transmits, or otherwise processes in connection with the Services. Communify encrypts sensitive data both at rest and in transit using encryption methods that meet or exceed Transport Layer Security (TLS) 1.2 or Advanced Encryption Standard (AES) 256-bit. Customer Data can be recovered and returned to Customer in a standard readable format in the event of insolvency, resolution, discontinuation of Communify’s business operations or termination of the Agreement.
4. Digital Operational Resilience & Security Awareness Training
- Communify shall ensure its personnel participate in ongoing IT security training courses in accordance with the regulations applicable to it. Where necessary, Communify undertakes to participate in the appropriate security awareness programs and digital operational resilience training. Customer will accept evidence from Communify of its personnel’s participation in Communify’s own or any other equivalent ICT security awareness programs and digital operational resilience training in lieu of requiring Communify personnel to participate in Customer’s ICT security awareness training.
5. Authorized Locations & Subcontractors
- Unless otherwise specified in the Agreement or an applicable Order Form, Communify may provide the ICT Services (including the subcontracted functions) to the Customer from, and/or Customer Data may be processed/stored in, the following location(s): United States, Canada, United Kingdom, European Union, India, Japan, Australia; provided that Communify shall conduct and maintain ongoing assessments of concentration risk, geopolitical risk, and operational resilience risks associated with each location. Communify shall notify Customer of any material changes to risk assessments that may impact service delivery or regulatory compliance.
- Communify shall notify Customer in writing within a reasonable period (and where practicable, in advance) if Communify or any of its Subcontractors materially changes any of the aforementioned locations with respect to the provision of the ICT Services and/or the processing or storage of Customer Data in accordance with this section.
- The Customer Data processing locations are specified in the DPA. Communify shall notify Customer of any intended additions or replacements to the processing locations pursuant to the process set forth in the Communify DPA.
- Customer authorizes Communify to engage Subcontractors in accordance with this Addendum, provided that:
  - Communify shall conduct comprehensive due diligence on all Subcontractors before engagement, including assessment of their operational resilience, security capabilities, and regulatory compliance;
  - Communify shall enter into written agreements with such Subcontractors containing terms related to confidentiality, data protection, security, incident management, and business continuity that are at least as protective as those contained in this Addendum;
  - for critical Subcontractors supporting critical or important functions, Communify shall maintain detailed exit strategies and alternative sourcing arrangements;
  - Communify shall monitor Subcontractor performance continuously and conduct regular risk assessments; and
  - Communify shall be liable for the acts and omissions of any Subcontractor, provided that such liability shall be subject to the same limitations of liability set forth in the Agreement and shall not exceed the amount actually recoverable by Communify from such Subcontractor.
- A list of the Subcontractors and Subprocessors used by Communify is set forth in Exhibit 1 and maintained at: https://www.communify.com/critical-subcontractors. The online list supersedes Exhibit 1 for operational purposes, with material changes requiring 90 days’ advance notice per Section 5(b).
6. Termination
In addition to the termination rights set out in the Agreement, Customer may terminate the Agreement or applicable Order Form, in whole or in part, if:
- Communify is in material breach of applicable laws, regulations or this Addendum, and such breach remains uncured for thirty (30) days following written notice from Customer specifying the breach in reasonable detail (or, if such breach is not reasonably capable of cure within such period, Communify has not commenced and diligently pursued cure within such period);
- circumstances have been identified throughout the monitoring of ICT third-party risk that have actually and materially negatively altered the performance of the functions of the Services for which Communify provides an express warranty in a manner that cannot be remedied, and Customer has provided Communify written notice specifying the circumstances and Communify has failed to propose a reasonable remediation plan within thirty (30) days of such notice; or
- Communify has evidenced material weaknesses pertaining to its overall ICT risk management that have had, or pose an imminent and demonstrable risk of having, an adverse impact on the availability, authenticity, integrity, or confidentiality of Customer’s Confidential Information, and such weaknesses remain unremedied for forty-five (45) days following written notice from Customer identifying the specific weaknesses with reasonable particularity.
Customer shall pay Communify all amounts owed for the Services through the effective date of termination, which will become due immediately upon such termination, and no portion of any prepaid amounts (if applicable) shall be refunded.
Communify acknowledges that Customer may be required to ensure that Customer is able to continue to carry on its business in the event of termination of the Agreement. Upon termination, Communify shall:
- offer reasonable assistance in transition support;
- maintain service levels during the transition period; and
- ensure secure deletion of all Customer Data after successful transition, with written certification of deletion provided to Customer.
Service Continuity. Recognizing Customer’s obligations, Communify acknowledges that:
- immediate termination of Services could cause material harm to Customer’s business operations; and
- in the event of termination for cause, Communify shall provide reasonable transition assistance to minimize disruption to Customer’s operations.
7. Audit
- Upon reasonable request (and no more than once per twelve (12) month period, unless a material ICT-Related Incident has occurred or Customer is required by a Supervisory Authority to conduct additional verification), Customer may examine relevant audit reports and/or certifications (such as SOC 2 Type 2) that are available from Communify and applicable to the Services to verify compliance with this Addendum and/or Communify’s technical and organizational measures. Customer will have the right to submit security questionnaires to Communify (limited to one comprehensive questionnaire per twelve (12) month period, plus reasonable follow-up questions) in the event any identified gaps or unresolved questions exist following Customer’s review of Communify’s documentation.
- If justified by material risk, Customer may utilize an independent third party to perform such audits on Customer’s behalf, provided the third party is subject to confidentiality obligations at least as restrictive as those set forth in the Agreement and such third-party auditor is required to execute an appropriate confidentiality agreement with Communify. Customer will not utilize an independent party that is a competitor of Communify to perform the audit. Customer must ensure that any personnel performing the inspection (whether internal or external to Customer) have appropriate and relevant skills and knowledge to perform the relevant audits and/or assessments effectively. Customer is responsible for the acts and omissions of its auditor when performing the audit.
- Any information provided by or obtained from Communify pursuant to this Section 7 shall be considered Confidential Information of Communify and is subject to the confidentiality obligations set forth in the Agreement. Any audits or inspections will be conducted in a manner that does not impact the ongoing safety, security, confidentiality, integrity, availability, continuity and resilience of the inspected facilities, networks and systems, nor otherwise expose or compromise any data processed therein.
- Expenses incurred by Communify in connection with the performance of any inspections and audits in accordance with this Section 7 shall be added to the remuneration to be paid to Communify.
8. Business Continuity
Communify and Customer agree as follows:
- With respect to the ICT Services provided to Customer, Communify shall implement and maintain adequate business continuity plans, ICT business continuity plans and response and recovery plans.
- Communify shall review, test and update its business continuity plans, ICT business continuity plans and response and recovery plans at least once per year, and immediately following any material change to its ICT systems, upon designation as a critical ICT third-party service provider, or in the event of any substantive change to ICT systems affecting their efficiency and adequacy, and shall eliminate any material gaps or safety issues that have been identified without undue delay. Upon Customer’s reasonable request, Communify shall inform Customer in writing about the status and results of such tests to the extent relevant to the ICT Services, including, if applicable, any material gaps or safety issues identified and a description of the corrective measures.
9. Miscellaneous
- Termination. This Addendum shall terminate upon any termination or expiration of the Agreement.
- Miscellaneous. The section headings contained in this Addendum are for reference purposes only and shall not in any way affect the meaning or interpretation of this Addendum. Customer’s sole and exclusive remedy for any breach by Communify in relation to this Addendum is to terminate this Addendum and the applicable Agreement or Order for the affected ICT Services; provided, however, that to the extent Customer suffers direct damages arising from Communify’s gross negligence or willful misconduct in connection with this Addendum, Customer may seek recovery of such direct damages subject to (and within) the limitations of liability set forth in the Agreement. In no event shall Communify be liable under this Addendum for any indirect, incidental, special, consequential, or punitive damages, including without limitation loss of profits, business interruption, or regulatory fines or penalties. For the purposes of this Addendum, the rights and obligations of the parties in this Addendum are in addition to, and not in replacement of, the rights and obligations of the parties in the Agreement, except that this Section will prevail over any conflicting term in the Agreement. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is any conflict or inconsistency between this Addendum and the Agreement, this Addendum shall prevail to the extent that the conflict or inconsistency relates to the subject matter herein. Except to the extent otherwise mandated by applicable laws, this Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement.
Exhibit 1 — Critical Subcontractors and Subprocessors
The following is a current list of Subcontractors and Subprocessors engaged by Communify in connection with the ICT Services. This list is updated periodically and the current version is maintained at the URL specified in Section 5(d):
| Entity Name | Services Provided | Location |
|---|---|---|
| NTT DATA Services, LLC. | IT managed services and data center hosting | Plano, TX |
| Amazon Web Services, Inc. | Cloud computing services | Seattle, WA |
| Morningstar, Inc. | TSA services and hosting | Chicago, IL |
| Cloudflare, Inc. | Internet performance, security and reliability services | San Francisco, CA |
| Atlassian, Inc. | Collaboration, project management and development tools | San Francisco, CA |
This list shall be updated periodically and is available upon Customer request. Changes to Subcontractors are governed by Section 5 of this Addendum.
