Effective: March 3, 2026
1. Incorporation; Order of Precedence
This DORA Addendum (“Addendum”) supplements the EULA and DPA, is incorporated as of the date of last signature, and shall remain in force for the term of the Agreement. In the event of conflict between this Addendum and the EULA or DPA on DORA-related ICT resilience, this Addendum controls. This Addendum applies exclusively to customers subject to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”). Any capitalized words in this Addendum have the same meaning as specified in the EULA or DPA.
2. Scope and Applicability
2.1 To the extent that Customer does not qualify as an EU financial entity as defined in Article 2(a)-(t) of DORA, or is excluded under Article 2(3) or 2(4) of DORA, this Addendum shall not apply, and Macabacus shall have no obligations under this Addendum.
2.2. If this Addendum applies pursuant to Section 2.1, Macabacus acknowledges that Customer is subject to certain obligations under DORA in relation to Customer’s use of ICT services provided by ICT third-party service providers such as Macabacus. Macabacus agrees to cooperate with Customer to enable Customer to satisfy its applicable obligations under DORA.
2.3. If this Addendum applies pursuant to Section 2.1, Customer acknowledges and agrees that Customer shall not, and during the Term will not, use Macabacus’ Services to support a critical or important function of Customer.
3. DORA Requirements (Article 30 Section 2)
3.1. Services are as described in the Agreement.
3.2. Data Location: If applicable, Macabacus processes Customer Data in accordance with the DPA. Each sub-processor and locations such sub-processors processes data is available at https://macabacus.com/legal/third-parties. Changes or modifications to such sub-processors shall be in accordance with the DPA.
3.3. Data Protection and Security: Macabacus will implement and maintain appropriate technical and organizational measures to ensure the availability, authenticity, integrity, and confidentiality of Customer Data as described in and in accordance with the DPA.
3.4. Data Access, Recovery, and Return: In the event of contractual termination, or Macabacus’ insolvency or discontinuation of business operations, Macabacus shall provide Customer with access, through the Services’ standard functionality and processes and in accordance with the DPA, to download, export, or delete its Customer Data during the applicable post-termination period.
3.5. Macabacus shall cooperate with Customer and further manage ICT Incidents in accordance with Section 5 of the DPA.
3.6. Supervisory Authorities: If requested by a Supervisory Authority under DORA, Macabacus will cooperate with such entities to the extent legally required and applicable to Macabacus in relation to Customer’s use of the Services under DORA, consistent with Macabacus’ confidentiality and security obligations, and limited to information and assistance reasonably necessary for Customer’s DORA compliance.
3.7. Termination Rights: The Customer may terminate the Agreement in accordance with the termination provisions of the EULA. To the extent that DORA expressly requires that Customer have any additional termination rights in relation to the Services that are not already included in the EULA, Customer shall have those additional termination rights, and only as necessary to comply with DORA. Termination, however effected, shall not relieve Customer of any payment obligations for Services rendered prior to termination.
3.8. Security Awareness Training: Macabacus will provide its personnel with security awareness program and digital operational resilience training program.
3.9. Sub-processing: Customer acknowledges and agrees that Macabacus may engage sub-processors in provision of the Services and such engagement shall be in accordance with Section 4 of the DPA.
4. Audits
4.1. Rights: Subject to Section 4.2 and to the extent necessary and required under DORA, Customer may, at Customer’s sole expense, conduct a reasonable audit as mutually agreed between the parties and is consistent with the requirements of this Section 4.
4.2. Exercise of Rights: You may exercise such audit right only: (a) to the extent Macabacus’ third- party audit reports (e.g., SOC 2 report) does not provide sufficient information to verify Macabacus’ compliance with this Addendum and/or the DPA; and (b) where required by DORA or a relevant government authority, in each case subject to the frequency limitation in paragraph-6.
4.3. Conditions: Each such audit must:
(a) be conducted by Customer or through a third-party auditor on Customer’s behalf;
(b) be limited in scope to matters reasonably required to assess Macabacus’ compliance with this Addendum, the DPA, and/or Customer’s regulatory obligations under DORA;
(c) occur no more than once annually (unless required by a Supervisory Authority or DORA);
(d) treat any results and all audit deliverables (including any reports, summaries, findings, recommendations, and workpapers) as confidential information to the fullest extent permitted by applicable law.