Non-Critical ICT Third-Party Service Provider
This Annexe exclusively applies to EuroDNS’ customers qualifying as European-based Financial Institutions under the Digital Operational Resilience Act (Regulation EU 2022/2554) and the relevant regulatory technical standards, implementing technical standards, and any applicable guidelines or instructions issued by competent supervisory authorities (hereinafter collectively referred to as “DORA”).
Unless defined otherwise in this Annexe, capitalised terms shall have the meaning set forth in the Agreement.
Agreement refers to the EuroDNS Contractual Terms https://www.eurodns.com/terms-and-conditions.
Competent Authority refers to a competent authority as defined in Article 46 of DORA.
ICT Incident is defined in DORA and means a single event or series of linked events that compromise the security of network and information systems and adversely impact the availability, authenticity, integrity, or confidentiality of Customer’s data or services.
Subcontractor means a third party that provides any ICT service to EuroDNS within the same ICT service supply chain connected with the provision of the Service, in accordance with the Implementing Technical Standards on the Register of Information under Article 28(9) of DORA.
2.1 To the extent that the Customer does not qualify as an EU “financial entity” as defined in Article 2 of DORA, or is excluded under Article 2(3) or 2(4) of DORA, this Annexe shall not apply.
2.2 EuroDNS acknowledges that the Customer is subject to certain obligations under DORA in relation to Customer’s use of ICT services provided by ICT third-party service providers such as EuroDNS. As such, EuroDNS agrees to cooperate with the Customer to help satisfy their obligations under DORA.
2.3 The Customer acknowledges and agrees that they must not use the Services to support a critical or important function of network or information systems.
2.4 The full and up-to-date list of services subscribed to by the Customer is available for consultation at any time within their EuroDNS Account.
3.1 EuroDNS provides the Services to the Customer from the territory of the Grand Duchy of Luxembourg. EuroDNS processes and stores the Customer’s information and data, including personal data, in accordance with its Privacy Policy available at: https://www.eurodns.com/privacy-policy.
3.2 EuroDNS confirms that its data processing activities are strictly limited to the Customer’s account data.
3.3 Depending on the Service ordered by the Customer, additional data processing may be required. The location of processing and the identities of sub-processors are outlined in the Privacy Policy.
3.4 EuroDNS undertakes to inform the Customer in advance and without undue delay of any material change to the location of data processing or storage, including when such change is carried out by a sub-processor.
EuroDNS undertakes to provide the Services in accordance with the quality standards defined in the Contractual Terms.
5.1 EuroDNS has implemented and will maintain appropriate technical and organisational measures to protect the Customer Account’s data from unauthorised access, loss, alteration, or disclosure. These measures shall be consistent with industry standards for data protection, information security, and ICT risk management. They shall be periodically reviewed and updated to reflect the state of the art. For the avoidance of doubt, it’s expressly stated here that these measures solely apply to the Customer Account’s data. The Customer remains solely liable for the Content they may store, host or transmit via the Service and the security measures protecting the Content.
5.2 Throughout the term of the Agreement, EuroDNS shall ensure the availability, confidentiality, authenticity, and integrity of the Customer Account’s Data processed within the context of the Services.
5.3 EuroDNS undertakes to ensure that the Customer Account’s Data remains readily accessible to the Customer. Upon request and in accordance with applicable law, EuroDNS shall provide the Customer with a copy of their Account Data in an easily accessible format. No Customer Account’s Data shall be retained beyond the termination of the Agreement unless legally required. Upon request, EuroDNS shall confirm deletion or anonymisation in writing.
5.4 EuroDNS commits to backing up Customer Account’s Data in accordance with good industry practice, taking into account the nature and sensitivity of such data. In the event of termination of the Agreement, insolvency, or business discontinuation, EuroDNS shall ensure that such data is timely deleted from all environments and backups.
EuroDNS shall notify the Customer of any material ICT-related incident affecting its ability to deliver the Services.
Customer Support is available during Working Hours, and any critical disruption will be managed in line with EuroDNS’s incident response procedures. EuroDNS will cooperate with the Customer in addressing and resolving any such incidents. Notwithstanding the foregoing, EuroDNS will ensure that EuroDNS’s platform remains available and functional at all times.
EuroDNS reserves the right to use subcontractors where necessary. EuroDNS shall make reasonable efforts to ensure that Services provided by such subcontractors meet acceptable industry standards. However, EuroDNS shall not be responsible for any loss or damage incurred by the Customer due to any service interruption outside EuroDNS’ control. EuroDNS shall not be responsible for any malfunction that affects the Internet in general and, more specifically, those affecting EuroDNS’ communications with the subcontractors. EuroDNS does not provide guarantees regarding the information systems continuity or availability of subcontractors, such as domain registries and SSL certification authorities.
This Annexe shall terminate automatically upon the expiration or termination of the Agreement.
The Customer may terminate the Agreement without penalty in any of the following cases:
material breach of contract by EuroDNS that remains uncured for more than 30 days after written notice;
changes to EuroDNS’s operations that adversely impact its digital resilience or security obligations;
the inability of the Competent Authority to supervise the Customer due to the terms of the Agreement; or
upon order from a Competent Authority.
Prior to any termination in accordance with clause 8.4, the Parties will use reasonable efforts to attempt to resolve the Competent Authority’s grounds for termination. In the event that an appeal of the termination is unsuccessful, the Customer will remain obligated to pay any fees payable to EuroDNS for the period prior to the effective date of termination.
EuroDNS shall cooperate in good faith with the Competent Authority and the Customer for any lawful requests relating to audits or oversight of the services rendered. EuroDNS will charge any such cooperation to the Customer at its standard hourly rates.
Upon request, EuroDNS will participate in the Customer’s ICT security and digital operational resilience awareness programmes. Any participation will be invoiced at EuroDNS’s standard hourly rates and subject to prior agreement.
This Annexe complements the existing Agreement. In the event of any inconsistency or conflict, the terms of this Annexe shall prevail solely with respect to the obligations concerning DORA compliance.