
DORA Addendum

This addendum (“DORA Addendum”) covers mandatory requirements set forth in the Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”).

Subject to Section 1 (‘DORA Addendum Applicability’), this DORA Addendum forms an integral part of the Agreement, which is governed by Veriff’s Terms of Service as of the date of the applicable Order Form(s), unless the Parties have otherwise executed an agreement for their use of the Services, in which case such agreement will govern (in either event, such terms of service or agreement shall be referred to herein as “Agreement”).

In the event of a conflict between any of the provisions of this DORA Addendum and the provisions of the Agreement, the provisions of this DORA Addendum shall prevail. All capitalized terms not defined in this Addendum shall have the meaning given to them in the Agreement.

1. DORA Addendum Applicability

1.1. This DORA Addendum solely applies where Customer is a Regulated Entity that uses the Service(s) as ICT Services in a manner subject to DORA (“Applicable Base”).

1.2. Unless expressly agreed otherwise by the Parties, this DORA Addendum is effective the earlier of: (a) the Effective Date of Customer’s Agreement or (b) January 17, 2025.

2. Services Description

2.1. A complete description of Veriff Services is set forth in the Agreement, including (i) Service Level Descriptions; (ii) DORA Subcontractors and their locations, along with the mechanism related to DORA Subcontractors change; and (iii) provisions on availability, authenticity, integrity, and confidentiality in relation to the protection of data, including Personal Data, as well as the terms ensuring access, recovery, and return of Personal Data.

3. Cooperation with Competent Authorities and Resolution Authorities

3.1. Veriff shall cooperate in good faith with Competent Authorities, including but not limited to persons appointed lawfully either by the Competent Authorities or by the Customer at the request of the Competent Authorities.

3.2. In case the Customer becomes subject to the implemented requirements of the BRRD due to insolvency, resolution, or other similar proceeding (“BRRD Customer”), Veriff acknowledges that (i) the BRRD Customer may be subject to a range of powers exercisable by the designated Resolution Authority; and (ii) Veriff will cooperate in good faith with the Resolution Authority, without prejudice to any rights or remedies Veriff has under the Agreement.

4. Training

4.1. Where appropriate, as mutually agreed by Parties and at no additional cost to Veriff, Veriff may participate in relevant Customer’s ICT security awareness programs and digital operational resilience training.

5. Controls

5.1. Monitoring and Reporting

(a) Customer acknowledges that Information regarding uptime can be found at status.veriff.com (or successor site) and Customer may subscribe thereto to receive updates with regards to Veriff Service.

(b) Service development reporting: Veriff undertakes to provide Customer with relevant notification if it becomes aware of or reasonably anticipates a development of the Service that may have a material impact on Veriff’s ability to effectively perform the Service in line with the Service Level Descriptions, to the extent Veriff Service is deemed to support a Critical or Important Function of the Customer.

(c) ICT Incident reporting: Veriff undertakes to mitigate against ICT Incidents, and if Veriff becomes aware of any ICT Incident(s) with material impact on the Service, Veriff shall (i) notify Customer without undue delay via the status.veriff.com site (or successor site) and respond to reasonable queries and requests for information from Customer about such ICT Incident; and (ii) at no additional cost to Customer, provide commercially reasonable assistance as is required to Customer to solve such ICT Incident.

5.2. Penetration Testing

(a) To the extent Veriff Service is deemed to support a Critical or Important Function of the Customer, Customer may run TLPT against their own dedicated Service environment, provided that (i) Veriff shall participate and cooperate with Customer for conducted TLPT, (ii) Customer will be responsible for any TLPT undertaken by it, or external tester appointed by it, and (iii) Customer will apply effective risk management controls to mitigate the risks of any potential impact on data, damage to assets, and disruption to the Service or to any other Veriff customer.

(b) If Customer is required by a Competent Authority to conduct TLPT (“Regulator-Lead TLPT”) and where such TLPT would be conducted on the Services provided by Veriff to the Customer, the Customer will provide notice to Veriff within 30 days from the date of being notified of such requirement.

(c) Customer acknowledges that, due to the nature of Veriff Services, TLPT beyond that described in Section 5.2.a would likely have an adverse impact on the performance or security of Veriff Services or onto other Veriff customers. Notwithstanding the foregoing, where the Competent Authority requiring the Regulator-Lead TLPT determines that such TLPT conducted in accordance with Section 5.2.a is insufficient to meet the requirements of Article 26(3) of DORA, Parties may agree to perform a pooled TLPT, whereby Veriff may enter into a separate written agreement with an external auditor to govern TLPT that falls outside the scope of Section 5.2.a, which will include, without limitation, appropriate integration of Veriff personnel in any control team managing relevant TLPT, and applicable terms relating to fees, confidentiality, liability and security.

(d) Customer will indemnify Veriff against all reasonable fees, costs, expenses, losses and damages arising from the exercise of any TLPT, including any Regulator-Lead TLPT regardless of whether it was exercised by Customer.

5.3. Right of Access and Audits

(a) As required by DORA for Customer to monitor Veriff’s compliance with its obligations under the Agreement, Veriff will cooperate and shall grant, upon request and reasonable notice, to the Customer or any of its authorized agents and to any of its auditors (or any other person appointed by such auditors) (together, the “Customer Auditors”), access to Veriff Records for the purpose of performing primary inspections as the Customer may request during the term of the Agreement.

(b) If Customer Auditors reasonably determine that Veriff Records are insufficient to demonstrate Veriff’s compliance with the Agreement, Customer Auditors may submit a written list of questions to Veriff (“Audit Questions”) which Veriff shall respond to within a commercially reasonable amount of time (“Responses”). If Customer Auditors reasonably determine that the Responses are insufficient to demonstrate Veriff’s compliance with the Agreement, to the extent Veriff Service is deemed to support a Critical or Important Function of the Customer, the Customer Auditors may request unrestricted rights of access and audit Veriff’s relevant business premises providing the Service.

(c) Notwithstanding the foregoing, Customer Auditors will exercise the audit in a proportional and reasonable manner, taking into account the complexity, risk, continuity, critical nature, and importance of the Services used by Customer. Accordingly, Customer Auditors shall provide at least thirty (30) days advance written notice of their intention to conduct an audit under Section 5.3.b during Veriff’s normal business hours (unless an early prior notification is not possible due to an emergency or crisis situation or where such notice would deem such audit ineffective), specifying in reasonable detail and with sensible care: (i) the purpose and scope of the audit and its estimated duration; and (ii) the audit frequency and areas to be audited using a risk-based approach, adhering to relevant, commonly accepted, audit standards.

(d) In light of Section 5.3.c, if Customer Auditor’s exercise of the audit under Section 5.3.b could, in Veriff’s reasonable opinion, create a risk for another Veriff customer’s environment (including due to its impact on Service Level Descriptions, availability of data, and confidentiality), Parties will mutually agree in writing on an acceptable resolution, including any commercially reasonable alternative assurances.

(e) Competent Authorities, including persons appointed by them, shall at all times have necessary access to the extent needed for auditing purposes to Veriff Records and/or relevant business premises where such access is requested by any Competent Authorities to the extent Veriff Service is deemed to support a critical or important function of the Customer. For the avoidance of doubt, and in light of Section 3, the Parties acknowledge and agree that nothing in the Agreement or any other contractual arrangement shall impede or limit the rights of audit and access of any Competent Authorities.

(f) Prior to the inspections and/or audits described in this Section 5.3, Parties shall mutually agree upon reasonable reimbursement rate(s) for which the Customer shall be responsible.

6. Business Contingency, Continuity and Disaster Recovery Plans

6.1. Veriff shall maintain and test for the duration of the Agreement adequate business continuity and disaster recovery plans intended to provide the Services and restore normal operations in the event of an emergency.

6.2. The controls supporting such plans shall be validated through internationally recognized industry standards and audit reports, such as ISO 27001 and SOC 2 Type II, which includes confirmation that Veriff maintains a business contingency system plan together with a description of the controls Veriff operates for its business contingency system plan.

7. Termination

7.1. DORA Termination Events

(a) In addition to the termination rights under the Agreement, Customer may elect to terminate the Agreement in whole or in part for any of the reasons contemplated under Article 28(7) of DORA, provided that Customer acknowledges and agrees that all Service Fees are non-refundable and non-cancellable.

(b) Parties agree that Customer’s status as a BRRD Customer is not in itself alone a material breach giving rise to Veriff’s termination for cause, provided that the Customer continues to fulfil its obligations under the Agreement, including payment obligations.

7.2. DORA Post-Termination Cooperation

(a) Upon termination or expiration of the Agreement as per Section 7.1, Veriff will continue to cooperate with Customer in good faith concerning the provision of post-termination services, to minimize the risk of disruption to Customer, including for retrieving, access, recovery, return and/or deletion of the data processed in the context of the Service in accordance with the Agreement, for a period of 14 (fourteen) days from termination.

(b) Customer acknowledges this above provision of post-termination Services may require, depending on scope, as mutually agreed, the execution of an Order Form and may include corresponding additional costs.

8. Miscellaneous

Customer’s sole and exclusive remedy for any breach by Veriff in relation to this Addendum is to terminate this Addendum.

9. Definitions

The following words and expressions shall have the following meaning:

“BRRD” means Directive 2014/59/EU establishing a framework for the recovery and resolution of credit institutions and investment firms, and related implementation laws which give effect to its provisions.

“Competent Authorities” has the meaning provided under Article 46 of DORA.

“Critical or Important Function” has the meaning provided under Article 3(22) of DORA.

“DORA Subcontractor” means an entity as identified on Veriff’s site located at https://help.veriff.com/en/articles/6896122-sub-processors-used-by-veriff (as may be updated from time to time).

“ICT Incident” means a single event or a series of linked events that compromise(s) the security of network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of Customer data, or on Services provided by Veriff.

“ICT Services” has the meaning provided under Article 3(21) of DORA.

“ICT Third-Party Service Provider” has the meaning provided under Article 3(19) of DORA. For clarity’s sake, in case of Applicable Base, Veriff is an ICT Third-Party Service Provider under the Agreement.

“Records” means documentation relating to the Agreement and the performance of the Services, including operational records and documentation as may be reasonably necessary for the Customer to determine, as required under the DORA, the accuracy of any fees and/or Veriff’s compliance with the terms of this Addendum.

“Regulated Entity” means Customer or Customer’s End User if and so long as such entity is a ‘financial entity’ as defined in Article 2(1) of DORA, and is not excluded from the scope of application of DORA under Article 2(3) or 2(4) of DORA.

“Resolution Authority” has the meaning provided under Article 2(18) of the BRRD.

“TLPT” relates to ‘Threat-led Penetration Testing’ and has the meaning provided under Article 3(17) of DORA.

“Service Level Descriptions” means the uptime and response time commitments as provided in the Agreement.


© 2025 Veriff. All rights reserved
