DORA Addendum

‍

DORA Addendum

Last modified: 8 April 2026

This Supplementary Agreement (“DORA Addendum”) forms part of the Atominvest Terms and Conditions (the “Agreement”) between Atominvest Software Ltd. (“Company”) and Customer.

The terms used in this DORA Addendum shall have the meanings set forth in the Agreement unless otherwise provided. Except as modified below, the terms of the Agreement remain in effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that this DORA Addendum shall form part of the Agreement.

It is further agreed that the Services fall within the scope of ICT Services for the purposes of the DORA Regulation, as defined herein.

1. Scope and objective

1.1 This DORA Addendum governs the relationship between the Customer and the Company with regard to the provision, safeguarding and monitoring of the contractually agreed Services.

1.2 The aim of this DORA Addendum is to ensure that the Company complies with the requirements of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience in the financial sector ("DORA Regulation") and that the digital resilience of the Customer remains guaranteed, in each case in a manner proportionate to the nature, scale and complexity of the Services provided by the Company under the Agreement.

2. Quality of Service

The quality of service to be provided by the Company is set out in the Service Level Agreement, which shall be attached to the Order Form. The Company shall also maintain and apply reasonable and proportionate business continuity and disaster recovery measures in relation to the Services, taking into account the nature of the Services and the Company’s obligations under the Agreement.

3. Security

3.1 The Company’s undertakings with respect to security of the Services and the identification, assessment and mitigation of risks in relation to of the Services are set out in the DPA, which also forms part of the Agreement. Without prejudice to the foregoing, the Company shall maintain appropriate technical and organisational measures designed to protect the security, confidentiality, integrity and availability of the Services.

3.2 Upon the Customer’s request, the Company shall participate in the Customer’s ICT security awareness programmes and digital operational resilience training in accordance with the Customer’s reasonable instructions and at the Customer’s expense.

3.3 The Company shall maintain reasonable incident management procedures in relation to the Services.

3.4 In the event of any material ICT-related incident affecting the Services and which is reasonably likely to have a material adverse impact on the Services or the Customer’s use of the Services, the Company shall notify the Customer without undue delay after becoming aware of such incident and shall provide such further information as is reasonably available to the Company regarding the nature of the incident, its likely impact on the Services and the status of the Company’s mitigation and remediation efforts.

3.5 The Company shall use reasonable efforts to mitigate the effects of any such incident and to restore the affected Services as soon as reasonably practicable.

4. Localisation, Subprocessing

4.1 The Services will be provided from the Company’s chosen hosting location, currently Frankfurt, Germany.

4.2 Further terms related to the processing of Customer data, including notification of changes in location and subprocessing are set out in the DPA. The Company shall ensure that its Subprocessors (whom are noted in Annex 2 to the DPA) are subject to contractual obligations that are materially equivalent to those set out in this DORA Addendum, to the extent applicable. The Company shall, upon reasonable request, provide the Customer with an up to date list of the Subprocessors used by the Company in connection with the provision of the Services.

5. Adjustment to regulatory requirements

5.1 The Company undertakes to agree to an adjustment of the provisions contained in this DORA Addendum at the request of the Customer as long as and insofar as this is necessary due to changed regulatory requirements and provided that such adjustment is not in conflict with other obligations the Company may have in the Agreement or in Law.

5.2 Notwithstanding the foregoing, the Company reserves the right to charge the Customer for any and all work associated to the adjustment process, including making pricing adjustments for ongoing modifications to the Services and/or ongoing provision of the Services.

6. Co-operation with supervisory authorities

6.1 The Company acknowledges that the Customer may require assistance to ensure compliance with applicable laws and regulations (including but not limited to the Data Protection Legislation) and to resolve any requests from a competent national or supranational supervisory authority. The Company undertakes to cooperate with the Customer to resolve any such requests, at the Customer’s expense where applicable.

6.2 The Company undertakes to cooperate fully with requests from a competent national or supranational supervisory authority, at the Customer’s expense where applicable.

6.3 The Company accepts that supervisory authorities may carry out audits, inspections and investigations of the Company's systems and services if this is necessary to fulfil regulatory requirements. The Company undertakes to support the supervisory authorities in this and to grant them full access to the relevant information and systems, at the Customer’s expense and provided that the Customer undertakes to keep the Company’s Confidential Information and Intellectual Property (“Confidential Company Materials”) confidential, and further provided that any such access shall be exercised on reasonable notice (unless otherwise required by a supervisory authority), during normal business hours where practicable, and in a manner designed to minimise disruption to the Company’s business and to preserve the confidentiality and security of information relating to the Company and its other customers.

6.4 Should the Customer need to disclose the Confidential Company Materials to the supervisory authorities, it shall limit the disclosure as far as is reasonable and it shall clearly identify any Confidential Company Materials and procure that the supervisory authorities also keep them confidential. 

6.5 The Company undertakes to treat all information and instructions received from the supervisory authorities as confidential and to ensure that no unauthorised disclosure or use of this information takes place, unless this is required by law.

7. Information and audit rights

7.1 The Company's obligations in relation to the provision of information and audit cooperation are set out in clause 9 of the DPA, which shall apply equally to the Customer's rights under this DORA Addendum as if set out in full herein.

7.2 For the avoidance of doubt, any audit or inspection conducted under clause 9 of the DPA shall be deemed to satisfy any equivalent audit right arising under this DORA Addendum, and vice versa.

8. Exit and transition

8.1 Upon expiry or termination of the Agreement, the Company shall provide reasonable cooperation and assistance to the Customer to facilitate an orderly transition of the Services, including enabling the Customer to retrieve Customer Data from the Services in a commonly used and machine-readable format during the period set out in the Agreement or DPA.

8.2 The Customer may request additional transition or exit assistance from the Company, and the Company shall provide such assistance to the extent reasonably requested by the Customer, subject to the Customer paying the Company’s applicable fees in accordance with the Rate Card.

8.3 Nothing in this clause 8 shall require the Company to disclose any of its Confidential Company Materials, except to the extent strictly necessary for the orderly transition of the Services or as otherwise required by law.

9. Obligation of the Customer to co-operate

The Customer is obliged to co-operate with the Company in the provision of the Services to the extent necessary and reasonable. In principle, this applies in particular to the provision of all documents, information, data and access authorisations required for the provision of the Services.

10. Obligation to support the client in the event of ICT incidents

In the event of an ICT incident related to the Services, the Company shall provide support in line with the costs set out in the Rate Card, provided that where such ICT incident falls within clause 3.4, the Company shall also provide reasonable cooperation to the Customer in connection with the Customer’s assessment, containment, mitigation and remediation of such ICT incident.

‍