Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
(to ilert Terms & Conditions)
Last updated 2025‑04‑01 – UNSIGNED TEMPLATE
Note: Brackets […] indicate fields the Parties must complete on execution.
This DORA Addendum (“Addendum”) is entered into on [Date] by and between:
The Firm and Vendor are each a “Party” and together the “Parties”.
1. This Addendum supplements the ilert Terms & Conditions (“ToS”) (latest version available at https://www.ilert.com/legal/terms-and-conditions).
2. In the event of conflict, this Addendum prevails with respect to Regulation (EU) 2022/2554 (“DORA”) requirements.
3. All capitalised terms not defined herein have the meaning set forth in the ToS or in Article 3 DORA.
1. Vendor shall meet or exceed the Service Levels.
2. Failure to meet a Service Level triggers the remedies in Schedule A and obliges Vendor to:
3. Parties shall review Service Levels annually and update Schedule A in writing.
1. Vendor may subcontract the performance of ICT Services only in accordance with this Clause 5 and the DPA.
2. Vendor shall provide Services only from Permitted Locations.
3. Vendor shall give Firm 30 days’ prior written notice of any new or replacement sub‑processor or processing location. Firm may, on reasonable grounds, object in writing within that period; the Parties will collaborate in good faith to resolve the objection.
1. Security Controls: Vendor shall maintain an ISO 27001‑certified ISMS, enforce least‑privilege access, encrypt data in transit and at rest, and monitor compliance.
2. Incident Notification: Vendor shall inform Firm without undue delay and in any event within 4 hours of confirming a Major ICT Incident. The notice shall include known root cause, scope, impact, immediate mitigation, and next update timing. Vendor shall issue progress updates at least every 4 hours and deliver a written post‑incident report within 5 business days of incident closure.
3. Incident Assistance: Vendor shall provide fee‑free assistance for investigation, forensics, regulator queries and final incident reports.
4. Resilience Testing: Vendor shall reasonably cooperate, at no additional cost, with Firm’s digital operational resilience testing, including TLPT and cyber table‑top exercises, and shall remediate resulting findings within mutually agreed timelines.
5. Training & Awareness: Vendor shall, on reasonable notice, participate in Firm‑led ICT security awareness or operational‑resilience training exercises where relevant to the Services.
1. Vendor maintains BCP/DR with RTO ≤ 60 min / RPO ≤ 15 min; tests at least annually.
2. Upon termination or Vendor insolvency, Vendor shall:
1. Firm, its auditors, or competent authorities may audit Vendor once per contract year (remote or on‑site). Additional audits following a Major ICT Incident or regulatory requirement are permitted.
2. Vendor shall provide reasonable access to premises (physical or virtual), personnel, systems and documentation.
3. Vendor shall fully cooperate with supervisory, resolution or other competent authorities in accordance with Art. 38 DORA, including during TLPT observation.
Vendor shall promptly notify Firm in writing of any Material Development that might materially impair Vendor’s ability to perform the Services or comply with Applicable Law.
Firm may terminate the MSA/Addendum immediately if:
Vendor shall keep all Confidential Information strictly confidential, disclose only to authorised persons under equivalent obligations, and comply with Applicable Law.
Metric
Target & Window
Definition
Notification Delivery
≥ 99.9 % of First‑Responder Alerts delivered to telco / push provider within 5 min per calendar month
Mirrors ToS § 6.1.1
Web Application Availability
≥ 99.9 % uptime per calendar month
Mirrors ToS § 6.1.2
Exclusions: Force Majeure & causes outside Vendor control (see ToS § 6.2).
Component
Region
Processing
Storage
Active Region 1
AWS eu‑central‑1 (Frankfurt)
✔️
✔️
Active Region 2
AWS eu‑north‑1 (Stockholm)
✔️
✔️
See https://www.ilert.com/legal/subcontractors - updates subject to Clause 5.
Vendor shall review this Addendum at least annually and update it as necessary to remain compliant with DORA and related regulatory technical standards. Vendor shall provide Firm 30 days’ advance notice of any update; if Firm raises no objection within that period, the update will be deemed accepted.
Firm
Vendor
[Name, Title]
[Name, Title]
Date: [‑‑‑]
Date: [‑‑‑]
© 2025 ilert GmbH – Template for customer execution; becomes binding only when signed.
