Legal

DORA ICT Third-Party Addendum

Addendum to the Contwave Terms & Conditions and Data Processing Agreement — Digital Operational Resilience Act (Regulation (EU) 2022/2554)

Last updated: [● date] · Version: 0.1 (draft)

Draft for legal review — not legal advice. This document is a working draft prepared to enable platform onboarding and initial operations. It will be reviewed and finalised by qualified counsel before it is relied upon. Items marked [● like this] are to be confirmed before publishing.

1. Purpose and relationship to other documents

1.1. This Addendum supplements the Contwave Terms and Conditions (the "Terms") and the Data Processing Agreement (the "DPA") where the Client is a "financial entity" within the meaning of DORA and Contwave (Plenvar Labs SRL) provides ICT services to the Client through the Platform.

1.2. It does not duplicate the Terms or the DPA. It supplies only the digital operational resilience provisions a financial entity is required to address in its ICT contracts under Article 30(2) DORA.

1.3. Order of precedence: the Terms govern the commercial relationship; the DPA prevails on all matters of personal-data protection; this Addendum prevails on matters of ICT operational resilience. Each document prevails only within its own subject matter.

2. Definitions

2.1. "DORA" means Regulation (EU) 2022/2554. "ICT services", "ICT-related incident", and "critical or important function" ("CIF") have the meanings given in Article 3 DORA. "Financial entity" means the Client where it is an entity listed in Article 2 DORA (including investment firms). Capitalised terms not defined here have the meaning given in the Terms or the DPA.

3. Scope and classification — the operative positioning

3.1. Nature of the service. Contwave provides a marketing-content software platform (generation, scheduling, compliance pre-screening, distribution and analytics of marketing content). It supports the Client's marketing function.

3.2. Non-critical positioning. The parties acknowledge that this service does not, of itself, support a critical or important function within the meaning of Article 3(22) DORA. It does not provide, support or process the Client's core regulated activities (such as order execution, client onboarding/KYC, AML screening, payments, custody, trading, risk management or regulatory reporting).

3.3. Classification rests with the Client. Whether an ICT service supports a CIF is determined by the financial entity on the basis of its own resilience analysis. If the Client classifies the service as supporting a CIF, the additional Article 30(3) provisions (including unrestricted on-site audit and access rights, exit strategies with a mandatory transition period, and participation in threat-led penetration testing) do not apply automatically under this Addendum and shall be negotiated and agreed in a separate written schedule on commercially reasonable terms proportionate to the nature of a marketing-content service.

3.4. No admission. Nothing in this Addendum is an admission that Contwave is an "ICT third-party service provider" for all purposes, or that the service supports a CIF. This Addendum is provided to assist the Client's DORA compliance.

4. Article 30(2) baseline contractual provisions

For the duration of the engagement, Contwave commits to the following, mapped where relevant to existing commitments in the Terms and DPA:

4.1. (a) Description of services and subcontracting. The functions and ICT services are described in the Terms and in DPA Annex II. Subcontracting is governed by DPA Clause 7 (general authorisation, advance notice of changes, and the Client's right to object); current sub-processors and their processing locations are listed in DPA Annex IV.

4.2. (b) Locations of processing. The regions/countries where the service is provided and where data is processed are indicated in DPA Annex IV. Contwave will give the Client reasonable prior notice of any material change to those processing locations.

4.3. (c) Availability, authenticity, integrity and confidentiality of data. Contwave maintains technical and organisational security measures consistent with Article 32 GDPR, described in DPA Annex III; protection of personal data is governed by the DPA.

4.4. (d) Access, recovery and return of data. On discontinuation, termination, or in the event of Contwave's insolvency or resolution, Contwave will make the Client's data available for export in a commonly used, machine-readable format, and will return or delete personal data in accordance with DPA Clause 11, so that the Client can recover its data without the migration itself becoming an operational disruption.

4.5. (e) Service levels. The Platform is provided with a target availability of [● e.g. 99.x%] and reasonable technical support, with any specific service-level terms set out in the order. Service-level descriptions may be updated provided the agreed level of service is not diminished.

4.6. (f) Assistance on ICT-related incidents. Contwave will, without undue delay, inform the Client of ICT-related incidents materially affecting the service and provide reasonable assistance to the Client in responding to them. Personal-data breaches are notified in accordance with DPA Clause 10 (no later than 48 hours).

4.7. (g) Cooperation with authorities. Contwave will, on reasonable notice and within the scope of the service, cooperate with the Client and with the competent authorities and resolution authorities of the Client to the extent they exercise statutory powers in relation to the service.

4.8. (h) Termination rights and notice. Termination rights and notice periods are set out in Terms §18. On termination, Contwave will provide a reasonable transition/wind-down period and the data export described in §4.4, sufficient to allow the Client to move the service to another provider or in-house in an orderly manner.

4.9. (i) Awareness and resilience programmes. On reasonable request, Contwave will provide information reasonably necessary to support the Client's ICT security-awareness and digital operational-resilience training, proportionate to the nature of the service.

5. Register of Information (Article 28(3))

5.1. On request, Contwave will provide the information the Client reasonably needs to maintain its DORA Register of Information in respect of this arrangement — provider identity, the services supplied, the processing locations, and the sub-processor chain — drawing on the Terms and DPA Annex IV.

6. Limits

6.1. This Addendum does not increase Contwave's aggregate liability beyond the cap set out in the Terms (§16). It does not, of itself, confer the Article 30(3) rights described in §3.3. Cooperation with competent and resolution authorities under §4.7 is limited to the exercise of statutory powers and to the scope of the service. On-site access, where it would otherwise apply, may be satisfied through third-party certifications or audit reports where these reasonably address the request, consistent with DPA Clause 12.