DORA-Addendum
Last Updated: 17.06.2026
1. Scope, Incorporation and Precedence
This DORA Addendum (“Addendum”) applies to Customers that, as a financial entity, ICT third-party service provider or otherwise, fall within the scope of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”), insofar as the Customer uses the nuwacom Services under a contractual agreement with nuwacom.
This Addendum supplements the contractual arrangements applicable between the Parties regarding the use of the nuwacom Services, in particular the Terms, any Work Order, the nuwacom Data Processing Agreement (“DPA”), the applicable Service Plan, the Documentation, the service description and the price list (the “Contract Documents”).
In the event of conflicts between this Addendum and the other Contract Documents, the provisions of this Addendum shall prevail exclusively for DORA-specific matters. In all other respects, the Contract Documents shall remain in force unchanged. In the event of conflicts relating to the processing of Personal Data, the DPA shall prevail.
Terms used in this Addendum shall, unless expressly defined otherwise, have the same meaning as in the Terms or the DPA.
2. Contracting Parties and nuwacom Entity
“nuwacom” means the relevant nuwacom entity that is the Customer’s contracting party under the Terms. For Enterprise Customers located in Germany, this is nuwacom GmbH, Universitätsstraße 3, 56070 Koblenz, Germany. For all other Customers, this is nuwacom S.à r.l., 20 rue des Peupliers, L-2328 Luxembourg, unless expressly agreed otherwise in a Work Order.
3. Subject Matter and Description of the ICT Services
nuwacom provides the Customer, in accordance with the Contract Documents, with the Platform as a cloud-based SaaS platform for AI-powered productivity and applications. The functions and features of the Platform made available under the selected subscription are hereinafter referred to as the “nuwacom Services” or “ICT Services”.
The nature, scope, availability, service quality, support, rights of use, technical requirements, support hours, any Service Levels and other performance characteristics of the ICT Services are set out in the Contract Documents, in particular in the Work Order, the Service Plan, the Documentation, the service description and the DPA. To the extent qualitative or quantitative performance parameters are agreed therein, these shall constitute the service description of the ICT Services within the meaning of this Addendum.
Third Party Services are not part of the nuwacom Services and are subject to the terms of the respective provider. AI Services are services related to AI provided by a third party, made available on the Platform and used for the operation of the nuwacom Services or to extend some of their features. The use of AI Services and Third Party Services is additionally governed by the Terms.
4. Classification of Use and Critical or Important Functions
The Customer is responsible for assessing, on the basis of its own regulatory requirements, whether and to what extent the use of the nuwacom Services supports a critical or important function within the meaning of DORA. nuwacom does not make this classification on the Customer’s behalf.
This Addendum is designed for a use of the nuwacom Services in which the ICT Services do not support critical or important functions of the Customer within the meaning of DORA. Unless expressly agreed otherwise in a Work Order, the Parties assume that nuwacom is not classified as a critical ICT third-party service provider under this Addendum.
Use of the nuwacom Services to support critical or important functions requires an express agreement in a Work Order or a separate agreement. Should the Customer intend such use, or should the relevant classification change during the term of the contract, the Customer shall inform nuwacom without undue delay in text form. In such a case, the Parties shall agree on the necessary additional contractual arrangements, in particular regarding the service description, Service Level Agreements, subcontracting, audit rights, exit strategy, transition assistance and regulatory information obligations.
Until such a supplementary agreement is concluded, this Addendum shall continue to apply. nuwacom is not obliged to enable use for critical or important functions unless the contractual, technical, organizational or economic requirements necessary for this purpose have been mutually agreed.
5. Rights and Obligations of the Parties
The Parties shall set out their rights and obligations in connection with the ICT Services in writing in the Contract Documents. The Customer remains responsible for its overall regulatory responsibility, its ICT risk management, its outsourcing or third-party management, its internal documentation and the fulfilment of its own reporting and information obligations.
nuwacom is responsible for providing the nuwacom Services in accordance with the Contract Documents. nuwacom owes no legal, compliance, risk, audit or regulatory advisory services to the Customer.
The Customer shall provide nuwacom with the information, instructions, contacts and cooperation required to fulfil the obligations under this Addendum. This includes, in particular, the designation of professional and technical contact persons as well as the timely communication of regulatory requirements that are relevant.
6. Locations, Data Processing and Data Residency
nuwacom provides the ICT Services, in accordance with the Contract Documents, within the European Union, unless expressly agreed otherwise or configured by the Customer. Customer Data under nuwacom’s control is stored at rest in the European Union, unless the Customer expressly selects otherwise.
Insofar as the Customer activates, connects or configures AI Services or Third Party Services, data processing may take place outside the European Union. This shall be carried out in accordance with the Terms and the DPA, including any Standard Contractual Clauses, adequacy decisions or other permissible transfer mechanisms, where required.
nuwacom shall inform the Customer in good time in text form of intended material changes to the primary processing locations, insofar as these affect the ICT Services and are not already provided via the DPA, the Trust Center or another suitable source of information.
7. Register of Information and Regulatory Documentation
nuwacom shall provide the Customer, upon request, with the information that the Customer requires in order to create and maintain its register of information, outsourcing register or comparable regulatory documentation, insofar as such information is available to nuwacom, relates to the ICT Services provided by nuwacom, and no statutory obligations, security requirements or legitimate confidentiality interests preclude disclosure.
The Parties acknowledge that the Customer remains responsible for the content accuracy, completeness, timeliness and submission of its register of information to the competent authorities.
8. Information Security and Technical and Organizational Measures
nuwacom operates an information security management system (ISMS) for the Platform and is certified to ISO/IEC 27001. nuwacom shall provide the Customer, upon request, with the current certificate or equivalent evidence as well as relevant audit reports, attestations or security evidence to a reasonable extent, insofar as this is necessary to fulfil the Customer’s statutory or regulatory obligations and no statutory obligations, security requirements or legitimate confidentiality interests preclude disclosure.
nuwacom shall take appropriate technical and organizational security measures to protect the confidentiality, integrity, availability and authenticity of the ICT Services and the Customer Data and Customer Content processed in connection therewith. The specific measures implemented are set out in particular in the DPA, the Trust Center, the Documentation and nuwacom’s security materials.
The security measures may include, in particular, access controls, role-based access concepts, encryption, logging, vulnerability management, network security measures, backup and recovery processes, and procedures for handling security-relevant events.
nuwacom may further develop technical and organizational measures, provided that the overall protection level of the nuwacom Services is not thereby materially reduced. Critical security vulnerabilities of the Platform shall be assessed by nuwacom without undue delay and handled according to their criticality.
9. ICT Incidents, Security Events and Support
nuwacom shall inform the Customer in text form, without undue delay after becoming aware of them, of ICT-related incidents that affect the ICT Services provided by nuwacom and that may materially jeopardize the security, availability, confidentiality, integrity or authenticity of the ICT Services or the Customer Data.
nuwacom shall provide the Customer, upon request, with the information available to nuwacom that the Customer requires in order to classify a reported ICT-related incident and to prepare reports required by law or regulation to the competent authorities, insofar as no statutory obligations, security requirements or legitimate confidentiality interests preclude disclosure.
nuwacom shall support the Customer, to a reasonable extent, in the event of an ICT-related incident connected with the ICT Services provided by nuwacom. This support shall be provided at no additional cost insofar as it is necessary to fulfil the Customer’s mandatory DORA-related reporting or information obligations. Support services beyond this may be remunerated in accordance with the applicable daily rates or a separate agreement.
The foregoing obligations shall not apply insofar as the incident was caused by the Customer, its Authorized Users, its systems, its configuration, its content, its instructions or Third Party Services selected or configured by it. In such cases, nuwacom shall support the Customer under a separate agreement.
nuwacom shall inform the Customer of material developments that could significantly affect nuwacom’s ability to provide the ICT Services in accordance with the Contract Documents, insofar as and as soon as nuwacom becomes aware of such developments.
10. Business Continuity, Contingency and Recovery
nuwacom maintains appropriate measures for business continuity, contingency management and recovery in connection with its own business operations and the provision of the Platform.
These measures serve to support the continuity of the nuwacom Services, to respond to ICT-related incidents and to enable the recovery of affected services in an appropriate manner. The scope and specific arrangements depend on the nature, scope and risk profile of the nuwacom Services as well as the performance characteristics described in the Contract Documents.
nuwacom reviews and tests the appropriateness and effectiveness of its business continuity and contingency measures regularly and to a reasonable extent. Insofar as corresponding evidence is available, nuwacom shall provide the Customer, upon request, with suitable summaries, certificates or reports, insofar as this is necessary to fulfil the Customer’s statutory or regulatory obligations.
11. Data Access, Data Export, Deletion and Termination Management
The protection of Personal Data, access to Personal Data, and the deletion and return of Personal Data shall be governed by the DPA.
In the event of termination of the ICT Services, nuwacom shall enable the Customer, in accordance with the Contract Documents, to export the Customer Data and Customer Content stored in the Platform in a common, machine-readable format. The export shall be possible for a period of 30 days after the termination takes effect, unless otherwise provided in a Work Order, the DPA or a separate agreement.
After expiry of the export period, nuwacom may delete Customer Data and Customer Content in accordance with the Contract Documents, unless statutory retention obligations, legitimate interests in retaining evidence or other legal grounds preclude deletion. nuwacom shall confirm the deletion to the Customer upon request in an appropriate form.
Insofar as the Customer requires support beyond the standard export functions for the migration, transfer or orderly termination of use, the Parties shall separately agree on the nature, scope, timetable and remuneration of these support services.
Insofar as the Parties agree on a use of the nuwacom Services to support critical or important functions, they shall make additional exit and transition arrangements, including an appropriate transition period, in order to reduce the risk of disruption to the Customer and to enable migration to another ICT third-party service provider or to an in-house solution.
12. Subcontractors and Subprocessors
nuwacom is entitled to engage Subcontractors to provide certain parts of the nuwacom Services. Insofar as these Subcontractors process Personal Data on a commissioned basis, the provisions of the DPA on Subprocessors shall apply additionally.
The Subcontractors and Subprocessors engaged to provide the nuwacom Services are listed in the DPA, the Trust Center or another suitable source accessible to the Customer. The engagement of new Subprocessors shall be carried out in accordance with the DPA.
nuwacom shall provide the Customer, upon request, with relevant information about engaged Subcontractors and Subprocessors, insofar as this is necessary to fulfil the Customer’s statutory or regulatory obligations and no statutory obligations, security requirements or legitimate confidentiality interests preclude disclosure.
Insofar as Subcontractors provide material parts of the ICT Services or are relevant to an agreed use to support critical or important functions, the Parties shall, upon the Customer’s request, agree on additional information regarding the scope, location, function and conditions of the subcontracting.
13. Training and Awareness
nuwacom maintains appropriate internal training and awareness measures in the areas of information security, data protection and digital operational resilience, insofar as this is relevant to the provision of the nuwacom Services.
If the Customer requests nuwacom to participate in Customer-specific training on ICT security or digital operational resilience, the Parties shall mutually agree on whether and to what extent participation is necessary, appropriate and feasible.
Insofar as participation is agreed, it shall in principle be limited to employees who are directly involved in the provision of the ICT Services to the Customer, and shall take place remotely by video conference or via comparable means of communication, unless agreed otherwise. The Customer shall remunerate the time spent for this purpose in accordance with the applicable daily rates, unless the Parties expressly agree otherwise.
14. Audit, Information and Access Rights
nuwacom shall provide the Customer, upon request, with relevant information available to nuwacom and necessary to demonstrate compliance with the obligations under this Addendum to the competent supervisory authorities.
Compliance with the obligations under this Addendum shall be demonstrated primarily by means of appropriate certificates, attestations, reports of independent third parties, security documentation, information or other evidence. This applies in particular insofar as a direct audit could impair the security, availability or confidentiality of nuwacom’s systems or the data of other Customers.
Insofar as this is necessary for audit purposes and legally permissible, the Customer may receive or make copies of relevant evidence, certificates, reports or documentation, provided that no trade secrets, security interests, third-party rights or data of other Customers are thereby impaired. nuwacom may require appropriate confidentiality, access protection and use restrictions for this purpose.
Insofar as (i) the Customer demonstrates a specific and substantiated suspicion of a material breach of this Addendum, (ii) the evidence under paragraph 2 does not, in the individual case, allow for an appropriate review, or (iii) an audit has been bindingly ordered by a competent supervisory authority, the Customer or auditors appointed by it shall be entitled to conduct audits with regard to the ICT Services provided by nuwacom to the Customer.
Audits shall be conducted with reasonable advance notice, during normal business hours, to a reasonable extent and in compliance with nuwacom’s security, confidentiality and operational requirements. The Customer and its auditors must enter into appropriate confidentiality obligations and may not disclose or copy any information about other Customers, systems or trade secrets of nuwacom, insofar as this is not strictly necessary for the audit purpose.
Insofar as audits concern Personal Data, the provisions of the DPA on audits and inspections shall apply additionally. Audit rights under this Section shall continue for a period of up to one year after termination of the ICT Services, insofar as this is necessary to fulfil the Customer’s statutory or regulatory obligations.
15. Cooperation with Competent and Resolution Authorities
nuwacom shall cooperate, to a reasonable extent, with the competent authorities and resolution authorities responsible for the Customer, including persons appointed by them, insofar as their requests relate to the ICT Services provided by nuwacom to the Customer.
Cooperation is subject to mandatory statutory obligations, security requirements, confidentiality obligations, trade secrets and the legitimate interests of nuwacom, Affiliates, other Customers or Subcontractors.
nuwacom shall, insofar as legally permissible, inform the Customer of official requests relating to the Customer’s ICT Services.
16. Testing, TLPT and Further Resilience Testing
Insofar as the Customer requests nuwacom to participate in tests, assessments or scenario-based exercises relating to digital operational resilience, the Parties shall mutually agree on whether and to what extent participation is necessary, appropriate and technically feasible.
Participation by nuwacom in threat-led penetration testing (TLPT) or comparable assessments requires a prior written agreement on scope, procedures, time windows, security requirements, permissible test methods, contact persons, confidentiality and remuneration.
The Customer may not conduct or commission any tests that could jeopardize the security, integrity, availability or performance of the Platform, the nuwacom Services or the data of other Customers, unless nuwacom has expressly consented thereto in advance.
17. Customer’s Termination Rights
The Customer may terminate the affected ICT Services and this Addendum for good cause with 14 days’ notice in text form if (i) nuwacom materially breaches applicable laws, regulations or this Addendum, (ii) circumstances are identified in the course of monitoring ICT third-party risk that materially impair the proper provision of the ICT Services by nuwacom, (iii) nuwacom exhibits demonstrable material weaknesses in ICT risk management that materially jeopardize the availability, authenticity, security or confidentiality of the ICT Services, or (iv) a competent supervisory authority bindingly orders that the Customer must terminate the affected ICT Services.
In the cases under paragraphs 1(i) to 1(iii), termination shall only be permissible if the Customer has previously notified nuwacom of the relevant circumstance in text form and nuwacom has not remedied the circumstance within a reasonable period, insofar as remediation is possible and reasonable.
Other termination rights under the Contract Documents remain unaffected.
18. Term and Termination
This Addendum applies for the duration of the Customer’s use of the nuwacom Services, for as long as and insofar as the Customer falls within the scope of DORA.
Upon termination of the affected ICT Services, this Addendum shall also end insofar as it relates to those ICT Services, without the need for separate termination. Provisions that by their nature are intended to survive termination shall remain unaffected.
19. Miscellaneous
This Addendum forms part of the Contract Documents. Unless expressly provided otherwise in this Addendum, the provisions of the Terms shall apply, including the provisions on governing law and jurisdiction.
Amendments and supplements to this Addendum must be made in text form, unless a stricter form is required by law.
Should individual provisions of this Addendum be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The Parties shall replace the invalid or unenforceable provision with a valid and enforceable arrangement that comes as close as possible to the economic and regulatory purpose of the original provision and takes account of the requirements of DORA.
This German version shall be authoritative, unless the Parties expressly agree on another language version as binding.