DORA Addendum

LAST MODIFIED: March 20, 2025; Last Reviewed: March 20, 2025

 

This DORA Addendum supplements the Terms of Service or the Master Services Agreement (the “Agreement”) between HYPR Corp. (“Company,” “us,” “we”) and the customer entity that is a party to the Agreement (“Customer” or “you”). We may update this DORA Addendum from time to time, and we will provide reasonable notice of any such updates.

Any terms not defined in this DORA Addendum shall have the meaning set forth in the Agreement or as set forth in the “DORA Regulation” or “DORA”. “DORA” means The Digital Operational Resilience Act published by the Official Journal of the European Union as Regulation 2022/2554 or any successor or update thereto (subject to such successor or update being in force).

1.    Effective Date, Purpose and Application of this DORA Addendum

This DORA Addendum is effective as of January 17, 2025 (the “Effective Date”) and is intended to allow Customer, as a Regulated Entity, to meet its regulatory requirements imposed under DORA. It applies only where Customer is a Regulated Entity and applies only with respect to ICT Services which are received or used by the Regulated Entity, and not to any other services provided by HYPR under the Agreement. The respective rights and obligations of the Parties are described in writing in the applicable terms of the Agreement.

2.    Services and data location

2.1    In performing services under the Agreement, Customer Data is processed from the data locations specified in the Agreement. 

2.2    HYPR shall not relocate the performance of any services or change the data locations without prior notification to the Customer.  

3.    Data and IT-security

3.1    HYPR shall notify the Customer promptly if it believes that there is, has been, or is likely to be, a material breach in information security affecting the confidentiality, integrity or availability of its services or data, including personal data, which might impact the Customer. HYPR shall promptly notify the Customer of any development that might have a material impact on its ability to effectively provide the services in line with the agreed service levels.

3.2    In the event the Customer is required to perform a threat-led penetration test, HYPR shall provide all relevant information and reasonable cooperation to perform such tests. 

3.3    HYPR shall participate and cooperate in the Customer’s ICT security awareness programs and digital operational resilience training as communicated by the Customer to HYPR within a reasonable time, and at least two (2) months in advance, when requested by the Customer.

3.4    HYPR shall provide all relevant assistance to the Customer at no additional cost when an ICT incident related to the Agreement between the Parties occurs. 

3.5    HYPR will ensure the accessibility, availability, integrity, security and protection of the data, including personal data, of the Customer. HYPR shall ensure that the Customer Data can be accessed in the case of insolvency, resolution or discontinuation of business operation of HYPR or its subcontractors.

4.    Business Continuity and Disaster Recovery Plans  

4.1    HYPR shall maintain in accordance with industry standards Business Continuity and Disaster Recovery Plans (hereafter ‘BC/DR Plan’) and the capacity to execute such plans (including the periodic testing of such plans). HYPR shall be responsible for the development and on-going maintenance of Business Continuity and Disaster Recovery Plans. Upon request by the Customer, HYPR shall provide the Customer with an executive summary of its current Business Continuity and Disaster Recovery Plans and a description of any test results.

4.2    The BC/DR Plan shall at least contain or provide the following:
    i.    The necessary measures to prevent the discontinuity of the performance by HYPR of its obligations under the Agreement;
   ii.    The necessary measures to ensure the rapid resolution of problems and an efficient recovery from any discontinuity;
   iii.    A periodic assessment and testing of the BC/DR Plan, as well as a periodic testing of all back-up facilities;
   iv.    The obligation of HYPR to notify the Customer of any event that is likely to trigger the activation of the BC/DR Plan;
   v.    The provision of additional assistance to the Customer for the recovery of the Customer’s own ability to perform its services in case of disaster affecting the Services.  

5.    Subcontracting 

5.1    For the purpose of this clause, outsourcing, subcontracting or delegation shall be construed as the transfer by HYPR to a third party, of one of the Services as a whole or a material part thereof.   

5.2    Customer acknowledges and agrees that HYPR may (1) engage its affiliates and its existing subcontractors to perform the Services and (2) from time to time engage additional third parties for the purpose of providing the Services. By way of this DORA Addendum, Customer provides general written authorization to HYPR to engage sub-contractors as necessary to perform the Services.

5.3    HYPR shall not outsource or subcontract or delegate its obligations under this Agreement or make any material change to an existing outsourcing/subcontracting, except after having informed the Customer in due time of the planned outsourcing (or material change thereof).  

5.4    As part of HYPR’s due diligence and risk assessment of its (potential) subcontractors, HYPR will assess at least the following: (i) its business reputation; (ii) resources including expertise and adequate financial, human and technical resources; (iii) information security, and (iv) risk management and internal control in place. These assessments are intended to address all risks, including ICT risks, associated with the location of the potential subcontractor and with the location from which the services are provided. Upon request from the Customer, HYPR will also provide the Customer with all information reasonably necessary for the Customer to determine whether the function to be outsourced or delegated is critical or important, and where relevant any information required under DORA and its implementing acts, such as regulatory technical standards (‘RTS’), related to the part of the services concerned by the subcontracting.

5.5    If the planned sub-outsourcing concerns a service supporting a critical or important function, and the Customer has objective reasons to demonstrate that such sub-outsourcing/sub-contract materially increases its risks, or material parts thereof, the Customer may object to such sub-outsourcing/subcontracting or change thereof. In the absence of objection by the Customer within ten (10) days from notification, the Customer is deemed to have accepted the sub-outsourcing/sub-contracting or change thereof.

5.6    In any event, HYPR will oversee the functions outsourced to ensure that the contractual obligations under the Agreement and all addenda are continuously met, including to ensure the continuity of the services in case of failure of a subcontractor and all audit and inspection rights. HYPR will foresee as part of its separate agreement with its subcontractor at least (i) sufficient monitoring and reporting obligations of its subcontractors, (ii) requirements on business continuity, (iii) any relevant service levels to be met by the subcontractor in relation thereof and (iv) where relevant, sufficient IT security requirements.

5.7    HYPR shall, in its relations with its own providers, comply with all relevant regulatory standards, including DORA and EBA Guidelines EBA/GL/2019/02, regarding the selection and management of its providers. 

6.    Audit and inspection rights

6.1    The Customer shall have the right, at its cost and expense, to perform, upon reasonable notice, audit(s) or risk assessment(s) with regard to the compliance of HYPR with its obligations under this DORA Addendum (hereafter ‘the Audit’). HYPR shall provide cooperation and agrees that the Customer, or any appointed non-competitor third party, has a reasonable right of access for sites managed by HYPR, inspection and audit. This includes, among other things, the right to access the premises and perform an on-site inspection for sites managed by HYPR, the right to obtain information and the right to take copies provided that the relevant document is considered critical to the execution of this DORA Addendum.

6.2    The Customer will use best efforts to limit the number and the impact of its Audits. In normal circumstances, the Customer shall not perform more than one (1) Audit per calendar year, except in exceptional circumstances such as suspicion of fraud or a major technical incident. In the event the Customer wishes to perform an Audit, it shall provide notice at least two weeks in advance.

6.3    The Customer shall ensure that any and all internal and external advisors designated by it for purposes of performing the Audit shall be bound by confidentiality obligations at least as stringent as the obligations under the Agreement.

7.     Termination rights

7.1    In addition to the termination rights specified in the Agreement, the Customer may terminate the Agreement with immediate effect as from the date of receipt of the notice of termination sent by the Customer in the following circumstances: 
   i.    if a competent authority instructs Customer to terminate the Agreement or relevant part thereof; 
   ii.    if, during a monitoring of HYPR’s performance, the Customer identifies a material issue that is deemed capable of altering HYPR’s performance of the Critical Services causing a material interruption or reduction in quality of the Critical Services under the Agreement; 
   iii.    where the Customer has documented evidence of material weaknesses pertaining to the overall ICT risk management of HYPR and in particular how HYPR ensures the availability, authenticity, integrity, and confidentiality of Customer Data;
   iv.    where HYPR subcontracts a Critical Service in violation of the terms of this DORA Addendum or HYPR implements material changes to subcontracting arrangements for Critical Services despite the objection of the Customer as referred to in Section 5.4;
   v.    in the event a sub-contractor enters into insolvency proceedings and Customer is unable to continue to receive the Critical Services (or an alternative equivalent) related to the Agreement without material interruption or reduction in quality of the Critical Services.

7.2    If Customer terminates the Agreement for any reason specified above in Section 7.1, then Customer may elect to extend the Services on a month-to-month basis for up to twelve months, or longer if expressly required by a Regulator in writing, that HYPR continue to provide the HYPR Services, from the date of termination by providing notice of such election to HYPR. During such period, HYPR shall continue to provide, and Customer shall continue to receive and pay for, HYPR Services pursuant to the terms and conditions of the Agreement.

8.    Conflict resolution clause

8.1    In the event of any contradiction between the provisions of this DORA Addendum and the Agreement, the provisions of this DORA Addendum shall prevail, insofar as ICT Services are concerned, whether they are critical or not.

9.     Termination

 This DORA Addendum shall terminate automatically upon any termination of the Agreement. 

DORA Checklist

HYPR Contract Checklist for the EU Digital Operational Resilience Act (DORA) (PDF)