DORA Addendum


KEEPABL’S DORA ADDENDUM

v011124

1 INTERPRETATION

1.1 Unless defined otherwise in this DORA Addendum, terms shall have the meaning set out in the other parts of this Agreement. In this DORA Addendum:

‘Competent Authority’ is as defined in DORA.

‘Critical ICT Third-Party Service Provider’ is as defined in DORA and means an ICT Third-Party Service Provider designated as critical in accordance with Article 31 of DORA.

‘Critical or Important Function’ is as defined in DORA and means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.

‘DORA’ means EU Regulation 2022/2554 on digital operational resilience for the financial sector.

‘Financial Entity’ means a person who meets the definition of financial entity in DORA.

‘ICT-Related Incident’ is as defined in DORA and means a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.

‘ICT Services’ is as defined in DORA and means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.

‘ICT Third-Party Service Provider’ is as defined in DORA and means an undertaking providing ICT Services.

‘ICT Third-Party Service Provider Established in a Third Country’ is as defined in DORA and means an ICT third-party service provider that is a legal person established in a third country and that has entered into a contractual arrangement with a financial entity for the provision of ICT Services.

‘Resolution Authority’ is as defined in DORA.

2 FINANCIAL ENTITIES ONLY

2.1 This DORA Addendum only applies as from 17 January 2025 and only if, and only for so long as, the Customer is a Financial Entity and shall automatically and immediately terminate if and when a Customer who was a Financial Entity no longer meets the definition of Financial Entity.

3 KEEPABL AS AN ICT PROVIDER

3.1 When the Customer is a Financial Entity, to the extent that Keepabl provides Software to the Customer under this Agreement, Keepabl is an ICT Third-Party Service Provider and, as Keepabl is established in the UK, an ICT Third-Party Service Provider Established in a Third Country.

3.2 The Services do not support a Critical or Important Function and Keepabl has not been designated as a Critical ICT Third-Party Service Provider. If Keepabl is designated as a Critical ICT Third-Party Service Provider, it shall establish a subsidiary in the European Union within 12 months of such designation.

4 DORA TERMINATION RIGHTS

4.1 Without prejudice to the Customer’s rights to terminate this Agreement as set out in any other part of this Agreement, the Customer may terminate this Agreement on thirty (30) days’ notice to Keepabl (‘DORA Notice’), such DORA Notice to specify in detail the basis for serving such notice (‘DORA Concern’), if:

4.1.1 the Customer identifies circumstances through the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through this Agreement, including material changes that affect the arrangement or the situation of Keepabl as an ICT third-party service provider;

4.1.2 there are evidenced weaknesses pertaining to Keepabl’s overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data; or

4.1.3 where the Competent Authority can no longer effectively supervise the Customer as a Financial Entity as a result of the conditions of, or circumstances related to, this Agreement.

4.2 If Keepabl resolves the DORA Concern to the Customer’s reasonable satisfaction within the thirty (30) day period of the DORA Notice, the DORA Notice will be deemed withdrawn.

4.3 Given the subjectivity of the termination rights in this paragraph 4, there shall be no refund if this Agreement is terminated under this paragraph 4.

5 SERVICE DESCRIPTION

5.1 The Service Description is incorporated into this Agreement. The parties agree that the Software provided to the Customer under this Agreement is developed in an agile manner and therefore Keepabl shall be entitled to continuously develop the Software without the consent of the Customer provided that the capabilities of the Software are never less beneficial to the Customer than at the Effective Date. Keepabl shall update the Service Description for material changes in the Software and update the Customer accordingly.

6 ASSISTANCE & COOPERATION

6.1 Keepabl shall provide reasonable assistance to the Customer, at the Customer’s cost at Keepabl’s then-current support rate failing which at £200 per hour charged in half-hourly increments, when an ICT-Related Incident that is related to the Services occurs.

6.2 Keepabl shall fully cooperate with the Competent Authorities and the Resolution Authorities of the Customer, including persons appointed by them.

6.3 Keepabl shall participate as reasonably requested by the Customer, at the Customer’s cost at Keepabl’s then-current support rate failing which at £200 per hour charged in half-hourly increments, in the Customer’s ICT security awareness programmes and digital operational resilience training.