This Financial Services Addendum (“FSA” or “Addendum”) supplements the Agreement (defined below) between Communify and [_____________] (“Customer”). Customer and Communify are collectively known as the “parties” or “Parties”.
As Customer is subject to DORA (as defined below), and to the extent that the Communify Services constitute “ICT Services” as defined in DORA, the parties agree that the Agreement must contain certain provisions as set forth in this Addendum.
In consideration of the mutual obligations set out herein, the parties agree to comply with the following provisions, each acting reasonably and in good faith.
1. Definitions
Unless otherwise defined herein, all capitalized terms have the same meaning given to them in the Agreement. In addition, the following definitions apply:
“Agreement” means all current and future agreements between Communify and Customer in connection with which Communify provides Services (defined below) to Customer, such as a Master Subscription Agreement (“MSA”), including all Orders thereunder (directly or through an authorized partner) applicable to the Services. This DPA is incorporated into such Agreement(s) by this reference.
“Communify” means Communify On Demand, Inc, or the applicable Communify affiliate entity that is party to the Agreement.
“DORA” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
“DPA” means the data processing or data protection addendum, as applicable, between Customer and Communify governing the processing of Personal Data by Communify on behalf of Customer, which forms part of the Agreement.
“Customer Data” means, for purposes of this Addendum, any information that Customer provides to Communify or otherwise authorizes access to in the course of accessing and using the Services, and includes all Customer Confidential Information and any information concerning Customer’s operations, customers, employees, contracting parties and other persons, including Personal Data, which Communify receives from Customer or has access to in connection with the provision of the Services.
“ICT-Related Incident” means a single event or a series of linked events unplanned by the Customer, directly related to the Services, that compromises the security of the network and information systems, and have an adverse material impact on the availability, authenticity, integrity or confidentiality of Customer Data, or on the services provided by the Customer.
“Personal Data” means any Customer Data that relates to an identified or identifiable natural person which is protected under Data Protection Laws. “Data Protection Laws” means local, state, federal, or international laws, regulations, or treaties applicable to protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data under the Agreement, as may be defined in such laws, including, the European Area Law, the California Consumer Protection Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.
“Services” means the provision of cloud services (such as software as a service (“SaaS”) and/or hosted or managed services), maintenance and support services in connection with the Software and/or cloud services licensed by Customer, and/or Professional Services made available by Communify to Customer under the Agreement and for the purposes of which Communify is an ICT provider of Customer pursuant to DORA. References to Services or ICT Services in this Addendum refer to Services that constitute ICT Services under DORA (referred to interchangeably in this Addendum as “Services” or “ICT Services”).
“ICT Services” has the meaning as defined under DORA.
“Service Levels” means, to the extent applicable to the Services provided to Customer, the agreed-upon service levels set forth in the Agreement.
“Supervisory Authority” or “Regulator” means any European financial service regulator or national competent authority that has the monitoring or supervisory rights over Customer and/or over Communify as the provider of the ICT Services to Customer under the DORA Regulation.
“Subcontractor” means a third party engaged by Communify in connection with the Services, which (i) performs and processes operations that are involved in the delivery of the Services, and/or (ii) stores or processes Customer Data in connection with the ICT Services (also referred to as “Subprocessors”), in accordance with the Agreement.
2. General Obligations
Services Description. Services are as described in the Agreement and applicable Documentation.
Service Levels. To the extent applicable to the Services provided to Customer under the Agreement, Communify shall provide such Services in accordance with the Service Levels. Any updates and revisions to the agreed service levels must be documented in writing and signed by authorized representatives for both Parties in order to be valid.
Cooperation. Communify shall cooperate fully with Supervisory Authorities, including persons appointed by them, in all matters.
Notification Obligation. Customer shall notify Communify of any changes to DORA which affect the obligations of the Parties under this Addendum. If Communify becomes aware of any changes in DORA regarding the ICT Services, independently of the Customer, and has reason to believe that Customer is not already aware, Communify will promptly notify Customer. Further, in the event that Communify is designated by a Supervisory Authority as a critical ICT third-party service provider as set out in DORA, Communify shall within 24 hours inform Customer of such designation in writing and shall immediately comply with all additional obligations applicable to critical ICT third-party service providers, including but not limited to: (i) enhanced oversight and audit requirements; (ii) mandatory participation in digital operational resilience testing programs; (iii) strengthened incident reporting and business continuity obligations; and (iv) compliance with any specific instructions or measures imposed by the relevant Supervisory Authority.
Standard Contractual Clauses. To the extent that any standard contractual clauses are developed by competent authorities or European Union institutions under DORA concerning the subject matter of this Addendum, then upon Customer’s request, the parties shall in good faith negotiate and agree on the incorporation of such standard contractual clauses (as applicable to the ICT Services provided to Customer under the Agreement) and replace any overlapping terms and conditions in this Addendum with the corresponding terms and conditions of the standard contractual clauses.
Protection of Personal Data. The provisions on availability, authenticity, integrity, and confidentiality in relation to the protection of data, including Personal Data, as well as the terms ensuring access, recovery, and return of Personal Data, are stated in the Agreement and applicable DPA between Communify and Customer. For the avoidance of doubt, Personal Data that Communify processes on behalf of the Customer is processed, transferred, and stored as set forth in the Data Processing Addendum, located at https://www.communify.com/data-processing-addendun
Digital Operational Resilience Testing. Communify shall:
Conduct comprehensive digital operational resilience testing of its ICT systems, including threat-led penetration testing (TLPT) where designated as a critical ICT third-party service provider;
Participate in and support Customer's digital operational resilience testing programs, including advanced testing such as TLPT, upon reasonable request;
Provide Customer with testing results and remediation plans relevant to the ICT Services within 30 days of completion;
Implement corrective measures identified through testing within agreed timeframes not exceeding 90 days for critical issues; and
Coordinate testing activities to minimize disruption to ICT Services while ensuring comprehensive coverage of critical functions.
3. Information Security
Communify shall maintain an information security program (including relevant processes, measures, and tools) designed to protect Customer Data in Communify’s possession and/or control and ensure its availability, confidentiality, authenticity and integrity. Communify’s information security program shall comply with any information security requirements identified in the Agreement and are aligned with industry best practices. Communify uses the NIST framework as a reference standard for its information security policies, implementation, and practices. A review of all Communify information security policies, procedures and technical standards is conducted at least once annually.
Communify shall provide necessary assistance to Customer when an ICT-Related Incident that is related to the Services provided to Customer occurs. Unless other incident support or reporting procedures are agreed between Communify and Customer, in the event of the occurrence of an ICT-Related Incident that could have a negative impact on the continuity or security of the Services, Communify will: (i) notify Customer of the ICT-Related Incident within 4 hours of detection for major incidents and within 24 hours for all other ICT-Related Incidents; (ii) provide Customer with reasonably requested information Communify has on the ICT-Related Incident that Customer needs to secure Customer's functions at risk due to such incident; (iii) provide Customer with reasonably requested information on how Communify handled the ICT-Related Incident; (iv) provide detailed incident reports within 72 hours including root cause analysis, impact assessment, and remediation timeline; and (v) for incidents affecting critical or important functions, immediately notify Customer's designated incident response team and provide continuous updates every 4 hours until resolution.
Communify shall ensure Customer has access to Customer Data that Communify stores, transmits, or otherwise processes in connection with the Services. Communify encrypts sensitive data both at rest and while in transit using encryption methods that meet or exceed the Transport Layer Security (TLS) 1.2 or Advanced Encryption Standard (AES) 256. Customer Data can be recovered and returned in a standard readable format to Customer in the event of insolvency, resolution, discontinuation of Communify’s business operations or termination of the Agreement.
4. Digital Operational Resilience & Security Awareness Training
Communify shall ensure its personnel participate in ongoing IT security training courses in accordance with the regulations applicable to it. Where necessary, Communify undertakes to participate in the appropriate security awareness programs and digital operational resilience training. Customer will accept evidence from Communify of its personnel’s participation in Communify’s own or any other equivalent ICT security awareness programs and digital operational resilience training in lieu of requiring Communify personnel to participate in Customer’s ICT security awareness training.
5. Authorized Locations & Subcontractors
Unless otherwise specified in the Agreement or an applicable Order Form, Communify may provide the ICT Services (including the subcontracted functions) to the Customer from, and/or Customer Data may be processed/stored in, the following location(s): United States, Canada, United Kingdom, European Union, India, Japan, Australia; provided that Communify shall conduct and maintain ongoing assessments of concentration risk, geopolitical risk, and operational resilience risks associated with each location. Communify shall notify Customer within 30 days of any material changes to risk assessments that may impact service delivery or regulatory compliance.
Communify shall notify Customer in writing in advance, and without undue delay, if Communify or any of its Subcontractors change any of the aforementioned locations with respect to the provision of the ICT Services and/or the processing or storage of Customer Data in accordance with this section.
The Customer Data processing locations are specified in the DPA. Communify shall notify Customer of any intended additions or replacements to the processing locations pursuant to the process set forth in the Communify DPA.
Customer authorizes Communify to engage Subcontractors in accordance with this Addendum, provided that:
Communify shall conduct comprehensive due diligence on all Subcontractors before engagement, including assessment of their operational resilience, security capabilities, and regulatory compliance;
Communify shall enter into written agreements with such Subcontractors containing terms related to confidentiality, data protection, security, incident management, and business continuity that are at least as protective as those contained in this Addendum;
for critical Subcontractors supporting critical or important functions, Communify shall maintain detailed exit strategies and alternative sourcing arrangements;
Communify shall monitor Subcontractor performance continuously and conduct regular risk assessments; and
Communify shall be liable for the acts and omissions of any Subcontractor, provided that such liability shall be subject to the same limitations of liability set forth in the Agreement and shall not exceed the amount actually recoverable by Communify from such Subcontractor.
A list of the Subcontractors and Subprocessors used by Communify is set forth in Exhibit 1 and maintained at: https://www.communify.com/critical-subcontractors. The online list supersedes Exhibit 1 for operational purposes, with material changes requiring 90 days advance notice per Section 5(b).
6. Termination
In addition to the termination rights set out in the Agreement, Customer may terminate the Agreement or applicable Order Form, in whole or in part, if:
Communify is in material breach of applicable laws, regulations or this Addendum;
circumstances have been identified throughout the monitoring of ICT third-party risk that in Customer’s reasonable opinion are capable of materially negatively altering the performance of the functions of the Services for which Communify provides an express warranty, including material changes that affect the Agreement, the arrangement or the situation of Communify;
Communify has evidenced material weaknesses pertaining to its overall ICT risk management capable of having an adverse impact on the way it ensures the availability, authenticity, integrity, and confidentiality of Customer’s Confidential Information; or
a Supervisory Authority gives an instruction of termination, for example in case the Supervisory Authority can no longer effectively supervise Customer; provided, however, (1) the aforementioned termination rights are limited to the Services that are subject to this Addendum, and (2) that Customer must give written notice describing the nature and basis of the breach to Communify and Communify has failed to cure the breach within 30 days after receipt of Customer’s breach notice.
Customer shall pay Communify all amounts owed for the Services through the effective date of termination, which will become due immediately upon such termination, and no portion of any prepaid amounts (if applicable) shall be refunded.
Communify acknowledges that Customer may be required by its Supervisory Authorities to ensure that Customer is able to continue to carry on its business in the event of termination of the Agreement. Upon termination, Communify shall:
provide comprehensive transition assistance for a minimum period of 12 months or until Customer has successfully migrated to an alternative provider;
export all Customer Data in standard, portable formats within 30 days of termination;
provide detailed documentation of all configurations, customizations, and integration points;
offer reasonable assistance in onboarding alternative service providers;
maintain service levels during the transition period; and
ensure secure deletion of all Customer Data after successful transition, with written certification of deletion provided to Customer.
Service Continuity. Recognizing Customer's regulatory obligations and the critical nature of the ICT Services, Communify acknowledges that:
Immediate termination of Services could cause material harm to Customer's business operations and regulatory compliance;
Communify shall not terminate Services for convenience with less than 12 months' written notice;
In the event of termination for cause, Communify shall provide reasonable transition assistance to minimize disruption to Customer's operations; and
Communify shall maintain appropriate business continuity insurance and financial resources to support transition obligations.
7. Audit
Upon reasonable request, Customer may examine relevant audit reports and/or certifications (such as SOC 2 Type 2) that are available from Communify and applicable to the Services to verify compliance with this Addendum and/or Communify’s technical and organizational measures. Customer will have the right to submit security questionnaires to Communify in the event any identified gaps or unresolved questions exist following Customer’s review of Communify’s documentation.
In the event the ICT Services are considered by Customer as supporting critical or important functions and if Customer or one of its Supervisory Authorities requests to audit the Services to fulfill a regulatory requirement, Communify shall permit Customer and/or such Supervisory Authority to conduct such audit during normal business hours at a date and time mutually agreeable to Communify and Customer and/or such Supervisory Authority. Before a planned audit or on-site visit, Customer shall provide reasonable notice (at least 30 days in advance) to Communify, as well as the details regarding the scope and duration of such audit. Customer shall provide Communify with a copy of any final audit report (unless prohibited by applicable law) and shall use such report solely for the purpose of assessing Communify’s compliance with the terms of the Agreement, this Addendum and any applicable laws. For critical ICT third-party service providers, Supervisory Authorities may conduct additional audits as required by applicable law. Customer may conduct up to two (2) audits per year, with additional audits permitted upon reasonable justification related to regulatory requirements, significant incidents, or material changes to the ICT Services.
Customer may utilize an independent third party to perform such audits on Customer’s behalf, provided the third party is subject to confidentiality obligations at least as restrictive as those set forth in the Agreement and such third party auditor is required to execute an appropriate confidentiality agreement with Communify. Customer will not utilize an independent party that is a competitor of Communify to perform the audit. Customer must ensure that any personnel performing the inspection (whether internal or external to Customer) has appropriate and relevant skills and knowledge to perform the relevant audits and/or assessments effectively. Customer is responsible for the acts and omissions of its auditor when performing the audit.
If an audit is requested and performed by Customer’s Supervisory Authority and to the extent required under applicable law, Communify shall reasonably cooperate with the Supervisory Authority, including with persons appointed by the Supervisory Authority, for requested information regarding the Services provided to Customer, so long as Customer does not otherwise have access to the relevant information. Customer will respond directly to a Supervisory Authority’s request(s) for Customer Data and shall not circumvent such requests by referring such matters to Communify.
Any information provided by or obtained from Communify pursuant to this Section 7 shall be considered Confidential Information of Communify and is subject to the confidentiality obligations set forth in the Agreement. Any audits or inspections will be conducted in a manner that does not impact the ongoing safety, security, confidentiality, integrity, availability, continuity and resilience of the inspected facilities, networks and systems, nor otherwise expose or compromise any data processed therein.
Expenses incurred by Communify in connection with the performance of any inspections and audits in accordance with Section 7 shall be added to the remuneration to be paid to Communify.
8. Business Continuity
Communify and Customer agree as follows:
With respect to the ICT Services provided to Customer, Communify shall implement and maintain adequate business continuity plans, ICT business continuity plans and response and recovery plans.
Communify shall review, test and update its business continuity plans, ICT business continuity plans and response and recovery plans at least once per year, and immediately following any material changes to ICT systems or upon designation as a critical ICT third-party service provider as well as in the event of any substantive changes to ICT systems regarding their efficiency and adequacy and eliminate any material gaps or safety issues that have been identified without undue delay. Upon Customer’s reasonable request, Communify shall inform Customer in writing about the status and results of such tests to the extent relevant to the ICT Services, including, if applicable, any material gaps or safety issues identified and a description of the corrective measures.
To the extent applicable to the ICT Services provided to Customer, Communify shall support and participate in Customer’s testing of the Customer’s ICT business continuity management. Communify shall support Customer in the analysis of test results and implementation of necessary remediation measures.
Expenses incurred by Communify in connection with the Customer’s testing of the Customer’s ICT business continuity management in accordance with Section 8 shall be added to the remuneration to be paid to Communify.
9. Miscellaneous
Termination. This Addendum shall terminate upon any termination or expiration of the Agreement.
Miscellaneous. The section headings contained in this Addendum are for reference purposes only and shall not in any way affect the meaning or interpretation of this Addendum. Customer's sole and exclusive remedy for any breach by Communify in relation to this Addendum is to terminate this Addendum and the applicable Agreement or Order for the affected ICT Services. For the purposes of this Addendum, the rights and obligations of the parties in this Addendum are in addition to, and not in replacement of, the rights and obligations of the parties in the Agreement, except that this Section will prevail over any conflicting term in the Agreement. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is any conflict or inconsistency between this Addendum and the Agreement, this Addendum shall prevail to the extent that conflict or inconsistency relates to the subject matter herein. Except to the extent otherwise mandated by applicable laws, this Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement.
10. Critical ICT Third-Party Obligations
Upon designation as a critical ICT third-party service provider, Communify shall additionally:
Comply with all specific measures and instructions imposed by relevant Supervisory Authorities;
Participate in supervisory colleges and provide required reporting on systemic risk and concentration risk;
Maintain enhanced capital adequacy and operational resilience standards as may be required;
Implement additional risk management measures for services provided to multiple financial entities;
Provide Supervisory Authorities with direct access to relevant information and systems as required by law;
Notify all affected customers within 48 hours of any supervisory measures or restrictions imposed.
Exhibit 1 — Critical Subcontractors and Subprocessors
The following is a current list of Subcontractors and Subprocessors engaged by Communify in connection with the ICT Services:
| Entity Name | Services Provided | Location | Risk Classification | Contract Expiration |
|---|---|---|---|---|
| NTT DATA Services, LLC. | IT managed services and data center hosting | Plano, TX | Tier 1 / Critical Provider | Mar 31, 2027 |
| Amazon Web Services, Inc. | Cloud computing services | Seattle, WA | Tier 1 / Critical Provider | Monthly |
| Morningstar, Inc. | TSA services and hosting | Chicago, IL | Tier 1 / Critical Provider | June 13, 2028 |
| Cloudflare, Inc. | Internet performance, security and reliability services | San Francisco, CA | Tier 1 / Critical Provider | Feb 28, 2028 |
| Akamai Technologies, Inc. | Internet performance, security and reliability services | Cambridge, MA | Tier 2 / Material Provider | Feb 28, 2026 |
| Atlassian, Inc. | Collaboration, project management and development tools | San Francisco, CA | Tier 3 / Relevant Provider | Jan 30, 2026 |
This list shall be updated annually and provided upon Customer request. Material changes to Tier 1/Critical Providers require 90 days advance notice to Customer per Section 5(b).
