THIS DORA SUPPLEMENT IS AN INTEGRAL PART OF THE CUSTOMER’S SOFTWARE AGREEMENT, AND APPLIES TO THE APPLICABLE ICT SERVICE UNDER THE APPLICABLE AGREEMENT
PART 1: GENERAL TERMS.
1.1 Definitions. Subject to this section, defined terms used in this DORA Supplement are as otherwise defined in the Applicable Agreement. Words denoting the singular include the plural and vice versa. Defined words include their grammatical forms.
(a) “Applicable Agreement” means a Software Agreement and/or an M&S Agreement.
(b) “Applicable ICT Services” means M&S.
(c) “Competent Authority” means any governmental, regulatory, or supervisory authority that exercises jurisdiction over Customer’s compliance with DORA.
(d) “Costs Schedule” means Schedule B to this DORA Supplement.
(e) “Critical or Important Function” has the meaning set out in DORA article 3(22).
(f) “Customer Data” means any Customer data (including personal data) that Optimizely may Process in the course of its provision of Applicable ICT Services with respect to the Software.
(g) “Data Retention Policy” means Optimizely’s Software Service Customer Data retention, retrieval and deletion policy, published by Optimizely at https://world.optimizely.com/services/data-retention-policy/, as may be updated by Optimizely from time to time.
(h) “DORA” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
(i) “DORA Supplement Effective Date” means the effective date of this DORA Supplement, which (i) in the case where this DORA Supplement is part of an initial Order Form, is the Effective Date of that Order, or (ii) in the case where this DORA Supplement is part of a Renewal Order Form, is the Effective Date of that Renewal Order, or (iii) in the case where this DORA Supplement is an amendment to an existing Applicable Agreement, is the effective date of the written amendment to that Applicable Agreement incorporating this DORA Supplement.
(j) “ICT” means information and communication technology.
(k) “ICT-related Incident” has the meaning set out in DORA article 3(8).
(l) “ICT Risk” has the meaning set out in DORA article 3(5).
(m) “ICT Services” has the meaning set out in DORA article 3(21).
(n) “License Centre” means https://license.optimizely.com/.
(o) “M&S” means maintenance and support of the Software under a Software Agreement, or any stand-alone M&S Agreement, and which includes maintenance releases, including patches, and Software upgrades as may be committed in that Applicable Agreement.
(p) “M&S Agreement” means a written agreement with Optimizely for M&S with respect to the Software, whether as part of the Software Agreement, or a standalone agreement, and includes annually-renewing M&S.
(q) “Processing” has the meaning under Article 4 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).
(r) “Regulatory Schedule” means Schedule A to this DORA Supplement.
(s) “Regulatory Technical Standards” or “RTS” means the regulatory technical standards developed by the European supervisory authorities and adopted by the European Commission in accordance with DORA.
(t) “Service Continuity Policy” means Optimizely’s Software Services backup, data loss and disaster recovery policy published by Optimizely at https://world.optimizely.com/services/service-continuity-policy/, as may be updated by Optimizely from time to time.
(u) “Software” means Optimizely’s software-as-a-service and/or platform-as-a-service services.
(v) “Software Service” means Optimizely’s software-as-a-service and/or platform-as-a-service services.
(w) “Software” means Optimizely software licensed by the Customer from Optimizely as detailed in the Software Agreement, and any associated Order Form with Optimizely (as applicable).
(x) “Software Agreement” means the written agreement between Optimizely and the Customer with respect to the Software, whether named Master License Agreement or otherwise, and incorporating Optimizely’s (or former EpiServer’s) End-user License Agreement, and includes Software that is purchased from the License Centre, and which may also include M&S.
(y) “Threat-led Penetration Testing” or “TLPT” has the meaning set out in DORA article 3(17).
(z) “TOMs” means Optimizely’s Software Service technical and organizational measures with respect to customer data published at https://www.optimizely.com/trust-center/privacy/toms/, as may be updated by Optimizely from time to time.
2. Supplementary Terms
2.1 Scope and Application
2.1.1 This DORA Supplement applies to the extent Optimizely is providing any Applicable ICT Service with respect to its Software under an Applicable Agreement.
2.1.2 Except as otherwise expressly provided, in the event of any ambiguity or conflict between any provision of this DORA Supplement, and any other provision of the Applicable Agreement, this DORA Supplement shall control to the extent of such ambiguity or conflict.
2.1.3 In the event that any RTS imposes a higher standard of cyber security and operational resilience than that set out in this DORA Supplement, the RTS shall control, in relevant parts, to the exclusion of the applicable terms of this DORA Supplement, provided, however, that (i) the relevant sections of the RTS apply to ICT service providers not supporting Critical or Important Functions, and (ii) the RTS has been adopted by the European Commission in accordance with DORA (i.e. does not constitute a draft RTS).
2.2 Supply of the Software-Related ICT Services
2.2.1 Optimizely will provide the Applicable ICT Service to Customer in accordance with the terms of the Applicable Agreement, and to the extent relevant, the TOMs.
2.2.2 The TOMs, to the extent relevant to the Applicable ICT Service, are subject to update by Optimizely from time to time for purposes of continuous improvement, and comparable or better levels of security will be maintained, although individual measures may be replaced by new measures that serve the same purpose without diminishing the security level.
2.3 Sub-processors
2.3.1 To the extent relevant to Optimizely’s ICT Services, Optimizely’s Affiliate Sub-processors are detailed at https://www.optimizely.com/legal/sub-processors. Optimizely may otherwise subcontract any other element of the Applicable ICT Services in accordance with the Applicable Agreement.
2.3.2 Optimizely shall provide any information reasonably necessary to enable Customer to periodically assess the requirements on subcontracting under DORA, or, if applicable, in any RTS, including, upon Customer’s request, providing the identity of each subcontractor used for the provision of the Applicable ICT Service and other information reasonably required to allow Customer to fulfill its obligations pursuant to DORA article 28(3).
2.3.3 To ensure that Optimizely can meet its obligations to Customer in its provision of the Applicable ICT Service, Optimizely shall ensure its agreements with its Affiliate Sub-processors have appropriate provisions with respect to -
(a) monitoring and reporting obligations;
(b) maintenance of the required ICT security measures;
(c) Optimizely’s BCP (defined below); and
(d) access, inspection and audit by Customer, the Competent Authority and their designated representatives - (“Sub-processor Arrangements”).
2.3.4 Optimizely shall monitor its Affiliate Sub-processors to ensure Optimizely’s ability to meet its contractual obligations to Customer and to ensure the required continuity of the Applicable ICT Services. Upon Customer’s reasonable request, Optimizely shall report to Customer regarding the results of such monitoring.
2.3.5 Upon Customer’s reasonable request, Optimizely shall demonstrate its compliance with the requirements of this Section 2.3.
2.3.6 If Customer is not satisfied with Optimizely’s Sub-processor Arrangements in the context of this Section 2.3, acting reasonably, and the Parties are unable to come to reasonable good faith agreement with respect to those Sub-processor Arrangements, Customer’s sole remedy shall be to cancel the Applicable ICT Service, and Optimizely’s sole liability shall be to refund to the Customer the unused prepaid Fees for the Applicable ICT Service.
2.4 ICT Security Measures and Business Contingency Plans
2.4.1 Optimizely undertakes to ensure the availability, authenticity, integrity and confidentiality of Customer Data by -
(a) implementing appropriate technical and organizational measures to protect Customer Data against unauthorized access or disclosure, including, but not limited to, encryption, access controls, and secure communication protocols, as set out in the DPA[1] and the TOMs;
(b) implementing appropriate measures to ensure the availability of Processed Customer Data in the event of cancellation of the Applicable ICT Service and Optimizely’s provision of the Applicable ICT Service in accordance with the Product Supplement[2] and Optimizely’s Data Retention Policy; and
(c) implementing appropriate measures to ensure the recoverability of Processed Customer Data in accordance with the Product Supplement[3] and Optimizely’s Service Continuity Policy.
2.4.2 Optimizely shall (i) implement and maintain an appropriate business contingency plan (“BCP”) to ensure the continuity of the Applicable ICT Services in the event of disruptions and, (ii) conduct regular tests of such BCP (no less than annually) to ensure its effectiveness. Upon request from Customer, Optimizely will confirm its BCP testing.
2.5 Threat-Led Penetration Testing
2.5.1 Sections 2.5.2 to 2.5.6 apply only to the extent relevant to the Applicable ICT Service.
2.5.2 Optimizely shall participate and cooperate in good faith in TLPT as reasonably requested by Customer and as set out in articles 26 and 27 of DORA.
2.5.3 Customer shall notify Optimizely at least ninety (90) days in advance of TLPT and shall include all information reasonably required for Optimizely to adequately prepare for such testing. Subject to Section 2.5.3, Optimizely shall ensure relevant resources are available to participate in the TLPT.
2.5.4 Any exceptional costs (such as non-standard TLPTs, multiple TLPTs, TLPTs out of normal business hours, or any such other exceptional costs) shall be borne by Customer, as agreed by both Parties in writing in advance.
2.5.5 Following any TLPT, Optimizely shall take commercially reasonable and appropriate corrective actions to address any identified vulnerabilities (“Corrective Actions”). The results of the TLPT, including any identified weaknesses and Corrective Actions, shall be documented and reported to Customer (excluding any highly sensitive information, although Optimizely shall nevertheless provide sufficient information to the Customer in relation thereto). All TLPT information shared by Optimizely with Customer is Optimizely Confidential Information.
2.5.6 If Optimizely is unable or unwilling to implement the Corrective Actions, or the Parties are unable to come to a timely agreement on a commercially-reasonable work-around with respect to the Corrective Actions, Customer’s sole remedy shall be to cancel its subscription to the Applicable ICT Service, and Optimizely’s sole liability shall be to refund to the Customer the unused prepaid Fees for the Applicable ICT Service.
2.6 Access, Recovery and Return in the Event of Insolvency, Resolution or Discontinuation of Business Operations
2.6.1 In the event of Optimizely’s insolvency, resolution, or discontinuation of the business operations, Optimizely shall, so far as relevant to the Applicable ICT Service -
(a) Provide Customer with the credentials, access codes, and documentation to enable access to any Processed Customer Data;
(b) At Customer’s sole discretion, either (i) delete any Processed Customer Data (to the extent permitted under applicable law), or (ii) return any Processed Customer Data to the Customer, or to a Customer-designated third party, in an easily accessible and industry standard format mutually agreed by the Parties; and
(c) After any Processed Customer Data has been returned to the Customer, Optimizely shall securely delete all remaining copies of the data from its systems (to the extent permitted under applicable law).
2.6.2 Optimizely shall promptly notify the Customer of any event that may trigger the need for data access, recovery, or return, including insolvency proceedings, resolution actions, or discontinuation of the business operations of Optimizely. Such notification shall be provided to the Customer in writing and include relevant details.
2.7.1 In the event of a confirmed ICT-related Incident affecting the Applicable ICT Service, Optimizely shall notify Customer as soon as reasonably practicable, and provide Customer with the following information -
(a) The nature and scope of that ICT-related Incident, including whether any Customer Data is reasonably believed to have been affected;
(b) Measures taken by Optimizely to mitigate or resolve the incident, including resolution progress;
(c) The likely consequences of that incident, taking into account the information available to Optimizely at the time; and
(d) Any other information reasonably requested by the Customer and available to Optimizely at the time (provided that Optimizely, in its sole discretion, determines that such information can be released to Customer).
2.7.2 Optimizely will provide the above ICT-related Incident assistance to Customer at no additional cost, or at a cost that is determined by the Parties prior to the provision of such assistance.
2.8 Inspection, Audit, Cooperation with Authorities; Sharing of Information.
2.8.1 Sections 2.8.2 to 2.8.9 apply only to the extent relevant to the Applicable ICT Service.
2.8.2 Subject to Section 2.8.3, Customer, the Competent Authority and their designated representatives shall be entitled to access, inspection and audit of Optimizely’s premises, equipment and documentation (“Audit”), to the extent that such premises, equipment and documentation are used in Optimizely’s provision of the Applicable ICT Service to Customer and always subject to the terms of this DORA Supplement and the Applicable Agreement. Optimizely shall cooperate in good faith and in a timely manner with any such Audit.
2.8.3 Customer’s right to Audit does not extend to: (i) the customer data of any other Optimizely customer, or (ii) highly confidential or sensitive information of Optimizely. With respect to any third party data centre Audit, Optimizely will request relevant access, inspection and audit, but will not be in breach of its obligations to Customer under Section 2.8.2 if that third party data centre operator does not agree to any such Audit. In the event of a third party data centre operator denying an Audit request, the Parties will discuss in good faith how to otherwise address the Audit request. If the Parties are unable to come to a timely agreement on any commercially-reasonable work-around with respect to third party data centre operator Audit, Customer’s sole remedy shall be to cancel its subscription to the Applicable ICT Service, and Optimizely’s sole liability shall be to refund to the Customer the unused prepaid Fees for the Applicable ICT Service.
2.8.4 Pursuant to the Audits, Customer, the Competent Authority and their designated representatives shall be entitled to take copies of Optimizely documentation relevant to Optimizely’s provision of the Applicable ICT Service (“Audit Documentation”). Customer accepts and acknowledges that such Audit Documentation may contain Optimizely intellectual property, including e.g. trade secrets, and is subject to the confidentiality requirements of the Applicable Agreement.
2.8.5 Prior to any Audit or inspection, Customer shall, unless prohibited by applicable law, provide Optimizely with written notice at least sixty (60) days in advance of such inspection or audit as well as an audit plan covering the scope and procedures of such audit or inspection.
2.8.6 Notwithstanding anything to the contrary in the Applicable Agreement, if Optimizely is of the reasonable view that an Audit affects the rights of other Optimizely customers or Optimizely’s provision of any ICT Services to such customers, the Parties shall in good faith negotiate and agree on alternative assurances, including, for the avoidance of doubt, provision of industry-accepted audit documents, such as SOC 2 and ISO reports (if any). Optimizely undertakes to, promptly upon receiving the audit plan as set out in Section 2.8.5 above, inform Customer if such inspection or audit is likely to affect other customers’ rights.
2.8.7 Each Party shall bear its own costs related to the Audits.
2.8.8 Optimizely acknowledges that Customer may be obliged to report to the Competent Authority on the number of new arrangements on the use of ICT Services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided, which would include reporting the Applicable ICT Service, subject always to the confidentiality requirements of the Applicable Agreement. Notwithstanding Customer’s right to report ICT Services, Customer will not, to the extent permitted under applicable law, disclose Optimizely’s Fees.
2.8.9 Optimizely also acknowledges that Customer may share information on the use of ICT Services, including, for the avoidance of doubt, the Applicable ICT Service and this DORA Supplement, with other entities regulated under DORA for the purpose of information sharing in accordance with DORA article 45, subject always to the confidentiality requirements of the Applicable Agreement. Notwithstanding Customer’s right to share information about its ICT Services, Customer will not disclose Optimizely’s Fees; and Customer will provide Optimizely with a copy of all information shared pursuant to this Section 2.8.9.
2.9 Participation in ICT Security Awareness and Digital Operational Resilience Training Programs
2.9.1 Upon agreement between the Parties, Optimizely shall (subject to the further provisions of this Section) participate in Customer’s ICT security awareness and digital operational resilience training programs as reasonably requested by Customer from time to time.
2.9.2 Customer’s training programs may be conducted through various formats, including, but not limited to, online modules, virtual workshops, and on-site in-person sessions. Customer agrees to communicate the specific schedule and format of such training to Optimizely no less than ninety (90) days in advance. Subject to Section 2.9.3, Optimizely shall ensure relevant personnel are available to participate in such training programs.
2.9.3 Any exceptional costs (such as multiple training programs, training programs out of normal business hours, or on-site training programs at the Customer’s or a third party location, and travel and accommodation in relation thereto) shall be borne by Customer, as agreed by both Parties in writing in advance.
2.10 Additional Regulatory Requirements
2.10.1 To the extent the Customer is subject to the additional regulatory requirements as set out in the Regulatory Requirements Schedule (“Additional Regulatory Requirements”), if any, those Additional Regulatory Requirements, to the extent relevant to the Applicable ICT Service, may impact the rights and responsibilities of the Parties under the cancellation and termination provisions of this DORA Supplement. To the extent that there are any applicable Additional Regulatory Requirements, it is the responsibility of Customer to ensure that any Additional Regulatory Requirements are set out in the Regulatory Requirements Schedule. To the extent that there are any Additional Regulatory Requirements, the Customer will meet Optimizely’s reasonable costs and expenses as set out in the Costs Schedule (“Additional Costs”). If there are no Additional Regulatory Requirements or no Additional Costs, the Regulatory Requirements Schedule and the Costs Schedule do not apply to this DORA Supplement.
2.11.1 Notwithstanding Customer’s rights to cancel the Applicable ICT Service under the Applicable Agreement, the Customer shall also be entitled to cancel the Applicable ICT Service under any of the following circumstances (subject to the further provisions of this Section):
(a) a demonstrated breach by Optimizely of any DORA provision applicable to Optimizely as an ICT third-party service provider (within the meaning of DORA article 3(19));
(b) a demonstrated breach by Optimizely of any material provision of this DORA Supplement;
(c) circumstances identified during the monitoring of ICT risks are deemed likely to materially alter the performance of the Applicable ICT Service, or Optimizely’s ability to provide the Applicable ICT Service;
(d) Customer can demonstrate material weaknesses in Optimizely’s overall ICT risk management, concerning, in particular, the availability, authenticity, integrity, and confidentiality of Customer Data; or
(e) the Competent Authority can no longer effectively supervise the Customer as a result of the conditions of, or circumstances related to, the Applicable Agreement.
2.11.2 In the event that Customer wishes to cancel the Applicable ICT Service under any of the circumstances of Section 2.11.1 above, Customer shall notify Optimizely in writing in accordance with the notice provisions of the Applicable Agreement setting out the grounds for its proposed cancellation in reasonable detail.
2.11.3 Notwithstanding any provision in the Applicable Agreement to the contrary, any proposed cancellation under this Section shall become effective fourteen (14) days after Optimizely’s receipt of Customer’s written notification of cancellation, provided that Optimizely has not during such period cured or otherwise eliminated the circumstances cited by Customer as grounds for the proposed cancellation.
2.11.4 In the event of: (i) a cancellation of the Applicable ICT Service pursuant to this Section, or (ii) a cancellation of the Applicable ICT Service for any other reason, or (iii) the expiry of the Customer’s subscription to the Applicable ICT Service (including non-renewal of a then-current Order), Optimizely shall (a) ensure Customer access to the Customer Data as set out in Section 2.5 above, and (b) transfer and/or delete Customer Data in accordance with Section 2.6 above.
2.11.5 Sections 2.11.6 to 2.11.9 apply only to the extent relevant to the Applicable ICT Service.
2.11.6 Further to Section 2.11.4, Optimizely will cooperate in good faith and in a timely manner with Customer’s requirements with respect to its transition from the Applicable ICT Service (“Exit Requirements”, and also referred to as “Transition”), subject to Sections 2.11.7 to 2.11.9 below, by:
(a) Engaging in good faith discussions with the Customer in relation to its Exit Requirements, with the objective to conclude in a timely manner a Transition plan that meets Customer’s DORA requirements (“Transition Plan”);
(b) Continuing to provide the Applicable ICT Service for a period of up to two (2) calendar months from the effective date of cancellation of that Applicable ICT Service (“Transition Period”); and
(c) Ensuring, by the end of the Transition Period, the transfer to Customer, or to a Customer-designated third party, of any Processed Customer Data, in accordance with Section 2.6.1(b) above.
2.11.7 Customer shall submit its initial draft Transition Plan to Optimizely within a reasonable period after entry into this DORA Supplement. Optimizely shall review the draft of the Transition Plan in a timely manner, and propose appropriate changes. The Parties shall cooperate in good faith and in a timely manner to finalise a revised form of the Transition Plan as soon as practicable. If the Parties are unable to come to a reasonable good faith agreement with respect to the Transition Plan, Customer’s sole remedy shall be to cancel its subscription to the Applicable ICT Service, and Optimizely’s sole liability shall be to refund to the Customer the unused prepaid Fees for the Applicable ICT Service.
2.11.8 The Transition Plan shall, upon Customer’s request, be reviewed and tested by the Parties, at least annually. Until a revised Transition Plan is agreed, the previous version of the Transition Plan shall continue to apply. The development, maintenance, testing, and execution of the Transition Plan shall be at Customer's sole cost and expense.
2.11.9 Optimizely’s obligations in relation to Transition Plan are subject to (i) payment of Fees for Transition Period, (ii) Customer otherwise remaining in material compliance with its obligations under the Applicable Agreement regarding that service, and (iii) the payment of any additional fees with respect to any additional services required of Optimizely by the Customer to support the Customer’s Transition Plan.
3.1 In the event that (i) new or amended regulatory requirements are implemented which affect DORA or this DORA Supplement in the form in force as of the DORA Supplement Effective Date, or (ii) the Applicable ICT Service is materially changed, or (iii) any relevant Sub-processor Arrangements or any third party data centre arrangements are materially changed, the Parties agree to promptly notify each other for the purpose of discussing any necessary amendments to this DORA Supplement for compliance with the regulatory requirements of DORA. The Parties will discuss these matters diligently and in good faith. If the Parties cannot agree to the amendments within sixty (60) days of either Party having notified (in writing) the other Party of the relevant circumstances, either Party may cancel the Applicable ICT Service upon written notification to the other Party. The notice provisions of the Applicable Agreement apply to any such cancellation.
4.1 For any cancellations of the Applicable ICT Service under Sections 2.11 or 3.1 above, Customer will be entitled to: (i) a pro rata refund in the amount of the unused portion of prepaid Fees for the cancelled Applicable ICT Service, calculated as of the effective date of cancellation, and (ii) a release from the obligation to pay Fees due for periods after the effective date of cancellation.
4.2 This DORA Supplement shall be effective on the DORA Supplement Effective Date.
___________________________
Accepted and agreed by the Parties.
[CUSTOMER]
Duly represented by:
Name:
Title:
Date:

OPTIMIZELY AB
Duly represented by:
Name:
Title:
Date:
SCHEDULE A – REGULATORY SCHEDULE
SCHEDULE B - COSTS SCHEDULE
[1] If part of the Applicable Agreement.
[2] Not applicable to Managed Services
[3] As in footnote 2 above.