DORA Addendum
Version: 0.9.0 | Last Updated: 1st October 2025
(Digital Operational Resilience Addendum)
This DORA Addendum ("Addendum") forms part of the Terms of Service or other agreement ("Agreement") between The GRC Company AB, a company incorporated in Sweden ("Provider"), and the Customer identified in the Agreement.
This Addendum applies where the Customer is a "financial entity" as defined in Regulation (EU) 2022/2554 — the Digital Operational Resilience Act ("DORA") — and where Provider acts as an ICT third-party service provider to the Customer within the meaning of DORA.
1. Purpose
The purpose of this Addendum is to ensure that Provider supports Customer's compliance with the Digital Operational Resilience Act by maintaining appropriate ICT risk management, business continuity, and reporting capabilities.
2. Governance and Risk Management
Provider shall:
- Maintain documented information security, incident management, and business continuity policies aligned with ISO 27001 and industry best practices.
- Review, test, and update these policies and procedures at least annually.
- Provide summaries or certifications (e.g., ISO 27001 or SOC 2 Type II) as evidence of compliance upon reasonable request.
3. Service Continuity and Availability
Provider shall:
- Operate its services on resilient cloud infrastructure hosted in the European Union.
- Maintain backup and disaster recovery processes designed to ensure restoration of Customer Data and service functionality within commercially reasonable timeframes.
4. Incident Management and Notification
Provider shall:
- Promptly notify Customer of any major ICT-related incident that may materially impact the confidentiality, integrity, or availability of the services or Customer Data.
- Cooperate with Customer to investigate, mitigate, and support regulatory reporting of such incidents as required under DORA.
5. Subcontracting
Provider shall:
- Maintain an up-to-date list of subprocessors and critical subcontractors at https://trust.noru.tech.
- Notify Customer in advance of material changes to subprocessors or subcontractors where such changes may affect operational resilience or service continuity.
6. Audit and Inspection
Provider shall:
- Make available, upon reasonable written request, evidence of its operational resilience and security controls (e.g., third-party audit reports, penetration test summaries, or certifications).
- Cooperate in good faith with Customer or its competent authorities in connection with regulatory audits or lawful inspections related to DORA compliance.
7. Exit and Portability
Upon termination or expiration of the Agreement, Provider shall:
- Make Customer Data available in a commonly used, machine-readable format.
- Cooperate in good faith to facilitate orderly transition or migration of Customer Data within a reasonable timeframe.
8. Cooperation with Authorities
Provider shall:
- Cooperate with competent EU or national supervisory authorities in connection with DORA compliance, upon lawful request.
- Notify Customer promptly if such a request directly concerns Customer Data or Customer's use of the services, unless prohibited by law.
9. Security Measures
Provider maintains technical and organizational measures to ensure the ongoing confidentiality, integrity, and resilience of its systems and services, consistent with Articles 9 and 11 of DORA and aligned with recognized information security frameworks.
These measures include encryption in transit and at rest, logical access controls, vulnerability management, and business continuity testing.
10. General
In case of any conflict between this Addendum and the Agreement, this Addendum shall prevail solely to the extent required for compliance with DORA.
All other terms of the Agreement remain unchanged.