Effective Date: May 16, 2026

EU DIGITAL OPERATIONAL RESILIENCE ACT (DORA) ADDENDUM

This DORA Addendum (the 'Addendum') is incorporated into and forms part of the VisualCron End User License Agreement ('EULA', the 'Agreement') between Licensor ('Supplier') and Licensee ('Customer') governing the provision and support of the software and/or support services. The Addendum is intended to support Customer's compliance with applicable requirements concerning digital operational resilience for financial entities and their ICT third‑party providers. Capitalized terms not defined in this Addendum have the meaning given in the Agreement. In the event of conflict between this Addendum and the Agreement in respect of the subject matter herein, this Addendum will prevail.

Definitions and Interpretation

a. Customer means the entity that purchases or uses the Services under the Agreement.

b. ICT Incident means an event that compromises or is reasonably likely to compromise the security or availability of the Services or Customer Data.

c. Services means the software, support, and ICT services provided by Supplier under the Agreement.

d. Supplier means the entity providing the Services under the Agreement.

e. DORA means Regulation (EU) 2022/2554 of the European Parliament and the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, including the related regulatory technical standards, each as amended, supplemented, superseded and/or replaced from time to time.

1. Scope and Roles

This Addendum applies to Supplier's provision of the VC Software Package and associated support services as defined in and governed by the Agreement. The functions and ICT services covered by this Addendum (the "Functions") are set forth in the Agreement and consist of: (i) the grant of a license key enabling Customer to download, install, and operate the VC Software Package on Customer's on-premises server infrastructure; (ii) software updates, patches, and new version releases made available to Customers with an active Subscription in good standing; and (iii) technical support services limited to the VC Software Package functions for Customers with an active Subscription in good standing, as further described in the Agreement.

The VC Software Package installations and functions are onsite at Customer's location. Customer manages the application and where the data is stored. Supplier is an ICT third-party service provider to Customer within the meaning of DORA. Supplier will implement and maintain controls, processes, and cooperation mechanisms reasonably necessary to enable Customer to meet its applicable DORA obligations with respect to the Functions as described herein.

2. Governance and Oversight

Supplier will maintain an information security and operational resilience governance framework with defined roles and responsibilities, executive oversight, and policies approved at an appropriate management level. Supplier will assign a qualified contact responsible for coordinating with Customer on resilience and incident matters and will make such contact available for audits, reviews, and supervisory inquiries relevant to the Services as they relate to Supplier's software development and release practices in accordance with Section 7.

3. Operational Resilience and ICT Risk Management

Supplier will implement, maintain, and periodically review a documented ICT risk management framework proportionate to the nature and complexity of the Services as delivered. Because the Services consist of on-premises software installed and operated solely within Customer's own infrastructure, Supplier's ICT risk management obligations under this Addendum relate exclusively to Supplier's software development, release, and support practices and do not extend to Customer's network, systems, or data environment. Supplier's framework will address risk identification and assessment related to the software development lifecycle, control selection and implementation within Supplier's own development and release environment, vulnerability identification and remediation in the VC Software Package, and periodic reassessment of development and release security practices.

Supplier will maintain monitoring of known vulnerability databases and security advisories relevant to the VC Software Package and will take reasonable steps to assess and address identified vulnerabilities in a risk-proportionate timeframe. Supplier will notify Customer of any material security vulnerability affecting the VC Software Package that Supplier becomes aware of and for which a patch or mitigation is available or in development.

4. Business Continuity and Disaster Recovery

Supplier will maintain written business continuity and disaster recovery plans appropriate to Supplier's own operations and reasonably necessary to ensure continued delivery of the Services, including software licensing, updates, and technical support. For the avoidance of doubt, because all Customer Data resides on Customer's own infrastructure, data backup, restoration, and recovery obligations with respect to Customer Data are solely Customer's responsibility and are not addressed by this Section.

Supplier's continuity plans will address Supplier's ability to continue issuing license keys, providing software updates and patches, and delivering technical support in the event of a disruption to Supplier's operations. Supplier will conduct periodic reviews of its continuity plans.

5. Testing and Assurance

Supplier will perform periodic security testing of the VC Software Package prior to release, including and, where appropriate to the nature of the release, functional security testing. Supplier will remediate material security findings in a risk-proportionate manner before making an affected release generally available or will communicate known limitations and available mitigations to Customer where immediate remediation is not practicable.

Because the Services are delivered as on-premises software operating within Customer's own infrastructure, penetration testing and resilience testing of Customer's operational environment is solely Customer's responsibility. Supplier does not operate shared infrastructure on behalf of Customer and has no obligation to participate in or support Customer-initiated penetration testing of Customer's own systems. Where Customer requires information about the security characteristics of the VC Software Package for the purposes of its own ICT risk assessment or testing program, Supplier will provide, upon reasonable written request, available security documentation, such as release notes identifying security-relevant changes, remediation summaries for material security findings, or third-party security certifications or attestations held by Supplier, in each case subject to appropriate confidentiality protections and Supplier's reasonable discretion to protect proprietary information. Supplier makes no representation that any such documentation will satisfy the requirements of any particular regulatory framework applicable to Customer.

6. Incident Management and Reporting

Supplier will maintain and operate an incident management process for detecting, classifying, responding to, and recovering from ICT‑related incidents, including security incidents and operational outages. Supplier will cooperate in good faith with Customer to support Customer's incident classification and regulatory reporting obligations, including providing additional information reasonably requested for reports to competent authorities, subject to applicable law and security restrictions. Technical service support will be provided at $500 USD per hour. Supplier will provide a fee estimate before commencing extended support activities, where circumstances permit, and will not exceed five (5) hours of billable assistance without Customer's prior written authorization.

7. Audit, Information, and Access Rights

The Services consist of on-premises software installed and operated solely within Customer's own infrastructure. Supplier does not operate, control, or have access to Customer's systems or Customer Data. Audit rights under this Addendum are therefore limited to Supplier's software development and release practices.

Upon reasonable written request, Supplier will provide Customer with a written description of its software development practices relevant to the Services. Where required by a competent supervisory authority, Supplier will cooperate in good faith to provide information within Supplier's control sufficient to satisfy applicable regulatory requirements, subject to appropriate confidentiality protections.

8. Subcontractors and Supply Chain

Supplier may engage subcontractors to support the delivery of the Services; Supplier remains fully responsible for their performance. Supplier will flow down obligations substantially equivalent to those in this Addendum to subcontractors involved in the development, maintenance, or distribution of the VC Software Package. Supplier will maintain a record of material subcontractors supporting the Services and, upon request, provide Customer with an up‑to‑date list. Supplier will notify Customer in advance of the addition or replacement of any material subcontractor materially affecting the Services. Where required by law, Supplier will support Customer's assessments of supply‑chain risks in relation to such subcontractors.

9. Data Location, Access, and Portability

All Customer Data is locally stored on the Customer's on-premises network. As such, Customer is aware of the location of all Customer Data that is stored or processed for the provision of the Services, and Supplier does not have the ability to relocate any Customer Data. To the extent Customer grants Supplier personnel or subcontractors access to Customer Data or systems, Supplier will ensure such access is restricted to individuals with a need-to-know and is subject to appropriate confidentiality measures.

Upon termination or expiration of the Agreement, Supplier will provide Customer with reasonable documentation assistance at then-current rates to support an orderly exit. For the avoidance of doubt, Supplier does not have the ability to delete or return Customer Data, since all Customer Data is locally stored on Customer's systems. In the event Supplier does have access to any Customer Data, Supplier shall delete and/or return such data in accordance with the Agreement and will provide a certificate of deletion upon request.

10. Service Levels and Change Notification

The service levels applicable to the Services, including support availability and response commitments, are set forth in the Agreement. Any updates or revisions to applicable service levels will be documented in writing and will replace prior service level descriptions in accordance with the Agreement. Support under the Agreement is limited to the VC Software Package functions for a Subscription in good standing, and each version of the software is supported for one year after its release date. These limitations are incorporated into and form part of the service level understanding between the parties under this Addendum.

Supplier will provide reasonable advance written notice to Customer of any development that might have a material impact on the Supplier's ability to effectively provide the services, or that could materially affect Customer's use of or reliance on the Services. Such notice will include sufficient information for Customer to assess the impact and plan any necessary adjustments to its environment.

11. Regulatory Cooperation

Supplier will, upon reasonable request, cooperate with Customer in its interactions with competent supervisory authorities regarding the Services, including providing information reasonably necessary to demonstrate operational resilience measures, responding to regulatory questionnaires within reasonable timeframes, and facilitating meetings or interviews with appropriate Supplier personnel. Nothing in this Addendum requires Supplier to disclose information that would compromise Supplier's or its other customers' security, confidentiality, or trade secrets, or to violate applicable law. In addition, Supplier will cooperate fully and directly with any competent authority or resolution authority of Customer, including persons appointed by them, to the extent required by applicable law and in connection with the Services, subject to the confidentiality and security exceptions set forth in Section 14.

12. Training

Where appropriate, Supplier shall participate in Customer's ICT security awareness programs and digital operational resilience training. Upon reasonable written request from Customer, and where such participation is relevant to the Services, Supplier will make appropriate personnel available for such programs, at mutually agreed times and without undue burden on Supplier's operations.

13. Information Security Incidents Involving Personal Data

The Services consist of on-premises software operated solely within Customer's own infrastructure; Supplier does not process personal data on behalf of Customer in the ordinary course of providing the Services. Accordingly, this Addendum does not constitute a data processing agreement, and Supplier is not a data processor with respect to Customer Data.

In the limited event that Supplier personnel are granted access to Customer systems for support purposes and incidentally encounter personal data, Supplier will treat such data as Confidential Information in accordance with the confidentiality provisions of the Agreement, will not use or retain it beyond what is necessary to perform the support activity, and will promptly notify Customer if Supplier becomes aware of any unauthorized access to or disclosure of such personal data arising from Supplier's support activities.

14. Confidentiality and Security Exceptions

All information exchanged under this Addendum is subject to the confidentiality provisions of the Agreement. Supplier may withhold, redact, or summarize information as reasonably necessary to protect the security of Supplier's systems and other customers, to preserve law enforcement sensitivities, or to comply with legal restrictions, while still providing sufficient information to enable Customer to meet applicable obligations.

15. Termination

Customer may terminate this Addendum and the Agreement with immediate effect upon written notice to Supplier if any of the following circumstances occur:

(a) Supplier commits a material breach of applicable laws, regulations, or the terms of this Addendum or the Agreement, and fails to remedy such breach within thirty (30) days of receiving written notice from Customer specifying the nature of the breach;

(b) Circumstances arise that materially and adversely alter Supplier's ability to perform the Services as contracted, including material changes to Supplier's operational or financial situation, which Customer has identified through its ICT third-party risk monitoring;

(c) Supplier demonstrates evidenced and material weaknesses in its ICT risk management practices directly related to the delivery of the Services;

(d) A competent supervisory authority determines that it can no longer effectively supervise Customer as a direct result of the conditions of, or circumstances related to, this Agreement or Addendum; or

(e) A direct or indirect change of Control of Supplier occurs that has, or is reasonably likely to have, a material adverse effect on Customer's ability to comply with applicable laws and regulations or on the ICT security or continuity of the Services.

Termination under subsections (a) through (e) above takes effect as specified therein. For Subscriptions that renew automatically, Customer may elect not to renew by providing Supplier with written notice of non-renewal at least thirty (30) days before the applicable renewal date, which will prevent automatic renewal and cause the Agreement to expire at the end of the then-current term. For Subscriptions that require manual renewal, the Agreement expires at the end of the then-current subscription term unless Customer affirmatively renews. No notice of non-renewal is required where the Agreement expires by its own terms without automatic renewal. These notice provisions are intended to satisfy the minimum notice period requirements applicable to Customer under DORA Article 30(2)(h) and shall be interpreted consistently with that obligation.

For purposes of this Section, "Control" means the ability to direct or cause the direction of the management or policies of Supplier, whether through ownership, contract, or otherwise.

Termination under this Section 15 does not entitle Customer to any refund of prepaid fees, and Customer shall remain liable for all fees accrued and due as of the effective date of termination. Neither party shall be liable to the other for damages, penalties, or break fees arising solely from a termination exercised in good faith under subsections (d) or (e) above at the direction of or as required by a competent authority. All other accrued rights and obligations of the parties as of the termination date shall survive.

16. No Regulatory Status and Law

Supplier does not represent that it is subject to direct authorization, registration, or oversight by Customer's competent authorities. This Addendum is intended solely to establish contractual measures that support Customer's compliance with applicable law. The governing law and dispute resolution provisions of the Agreement apply to this Addendum.

-END-