Last updated: 2025‑04‑01
ilert GmbH is a B2B SaaS provider of incident management and alerting solutions. This document is a self‑contained dossier demonstrating ilert GmbH’s alignment with Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector ("DORA"). It applies to all EU financial‑sector entities (banks, insurers, investment firms, PSPs, etc.) that rely on ilert’s SaaS platform. ilert reviews and, where necessary, revises this package at least annually and whenever new regulatory guidance is issued.
| Topic | Statement |
| --- | --- |
| Legal status | GmbH (German private limited‑liability company) |
| Senior accountability | CEO is executive owner of digital resilience; CTO leads the ISO 27001 ISMS and reports quarterly to the Board. |
| Data hosting | Active/active AWS eu‑central‑1 (Frankfurt) & eu‑north‑1 (Stockholm) |
| Certifications | ISO/IEC 27001:2013 (scope: SaaS platform + support scope) |
| DORA “critical” status | Not designated as critical ICT third‑party |
| GDPR | Data Processor under Art. 28; Data Processing Agreement (DPA) |
| Continuous improvement | Next DORA compliance review scheduled Q1 2026; regulatory monitoring performed monthly |
This package concisely maps ilert’s controls to the core obligations for third‑party ICT service providers under DORA. It is uniform for all customers and suitable for inclusion in due‑diligence files.
| DORA Theme | ilert Control Summaries |
| --- | --- |
| ICT risk management & governance (Arts. 5‑6) | ISO 27001 ISMS; quarterly KPI review by management; annual risk assessment. |
| Incident detection & reporting (Arts. 10‑11) | 24×7 monitoring & on‑call SRE; “Major ICT Incident” = Art. 3(8) DORA. Initial customer notice ≤ 4 h with nature, impact, mitigation. Updates every ≤ 4 h on https://status.ilert.com; post‑incident report within 5 business days. |
| Digital operational‑resilience testing (Art. 15 & Arts. 24‑27) | Annual external penetration test; quarterly vulnerability scans; full cooperation in client‑led TLPT & cyber exercises. |
| Information sharing (Art. 45) | Critical threat advisories forwarded to customers within 24 h. |
| Third‑party contractual clauses (Art. 30) | Standard DORA Addendum: audit & access; subcontractor conditions; security & training participation; TLPT cooperation; material‑developments notice; exit & transition. |
| Business continuity & DR (Arts. 11‑12) | Active/active Frankfurt + Stockholm; RPO ≤ 15 min & RTO ≤ 60 min; quarterly fail‑over tests; 30‑day data retention post‑termination + export within 10 business days. |
| Area | ilert (Vendor) | Financial‑entity Customer |
| --- | --- | --- |
| Risk management | Operate ISO 27001 ISMS | Assess ilert via vendor‑risk programme |
| Incident handling | Detect → contain → notify ≤ 4 h; assist with RCA & regulator queries | Classify impact, file DORA incident reports |
| Audits | Provide ISO certificate & pen‑test summary; allow 1 remote audit/yr free; on‑site audits at agreed cost | Initiate & evaluate audits |
| Exit plan | 30‑day data export (JSON/CSV) | Maintain contingency / migration plan |
1. Security & Governance
2. Incident Response & Notification
3. Business Continuity & Disaster Recovery
4. Risk Assessments & Audits
| Document | Purpose |
| --- | --- |
| ISO 27001 Certificate & SoA | Independent verification of ISMS |
| Information‑Security Policy | Detailed control descriptions |
| Incident‑Response Plan | Process, roles, templates |
| BCP/DR Plan | Recovery architecture & test results |
| Pen‑Test Executive Summary | Latest external test outcomes |
| Sub‑processor List | Names, roles, data‑location |