Digital Operational Resilience Addendum
Version 1.0This Addendum supplements the terms and conditions set forth in the WSO2 Software License Agreement, Orders, statement of work and other contractual documents executed between You and WSO2 under the Agreement (“Agreement”).
This Addendum applies only if Your use of the Subscription is subject to the Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”).
All Services provided to You by the applicable WSO2 entity pursuant section 16.9 of the Agreement shall be performed in accordance with the Agreement, as supplemented by this Addendum.
Whereas:
- (1) DORA applies from 17th January 2025 to the financial sector entities listed in Article 2 of DORA.
- (2) You come within the scope of DORA; and
- (3) WSO2 is an ICT third-party service provider as defined in DORA, providing You with the Services mentioned in the respective Orders executed between WSO2 and You;
- (4) WSO2 has not been identified as a critical ICT third party service provider.
Accordingly, it is hereby mutually agreed as follows:
1. Definitions:
- 1.1 ICT Third-Party service provider, critical ICT third-party service provider, Competent authority, are as defined in the DORA.
- 1.2 “Personal Data” shall mean data as defined in the General Data Protection Regulation (EU) 2016/679 (GDPR) and any successor legislation to the GDPR.
- 1.3 “Services” shall mean the Subscription services and any other services purchased by You from WSO2 under the terms of the Agreement.
- 1.4 “Service provider” shall mean any ICT subcontractor that is a legal person that has entered into a contractual arrangement with WSO2 for the provision of services to WSO2 which support the Services purchased by You.
- 1.5 “Your Data” shall mean all data provided by You to WSO2 during the Subscription Term for the provision of the Services and includes Personal Data and non Personal Data.
- 1.6 “Insolvency Event” means, in relation to WSO2, WSO2: (i) becoming insolvent or unable to pay its debts; (ii) proposing a voluntary arrangement, having a receiver, administrator or manager appointed over the whole or any part of its business or assets; (iii) suffering the presentation of any petition, the making of any order or the passing of any resolution for its winding up (except for the purposes of a bona fide solvent amalgamation or reconstruction), bankruptcy or dissolution or otherwise proposing or entering into any composition or arrangement with its creditors or any class of them; (iv) ceasing to carry on business or claiming the benefit of any statutory moratorium; or (v) in respect of (i) to (iv), undergoing any similar or equivalent process in any jurisdiction
2. Interpretation.
- 2.1 Capitalized terms used but not defined in this Addendum shall have the same meanings as provided in the Agreement.
- 2.2 Section headings are provided solely for convenience and shall not affect the interpretation or construction of this Addendum.
3. Service Level descriptions.
- Services. The Parties acknowledge that the Agreement sets out a clear and complete description of all Services.
- Locations. The Parties acknowledge that the Service Provider List included in Annex 1 to this Addendum which sets out (a) the locations, namely the regions or countries, from which the Services, including sub-contracted functions, are provided; and (b) the locations where Your Data is processed, including storage location (the locations in (a) and (b) together, the “Locations”). Notices regarding changes to any Locations shall be made through the mechanism provided for in paragraph 16.
- Service Levels. WSO2 shall perform the Services so as to meet or exceed any relevant service levels as set out in the Agreement (the “Service Levels”). Any changes to the Service Levels will be notified to You as stated in section 5.4 of the Agreement.
4. Processing of data.
- WSO2 shall comply with all applicable data protection laws and regulations in relation to processing of Your Data. WSO2 shall maintain, at all times, the accessibility, availability, authenticity, integrity, confidentiality, and security of Your Data as stated in Annex 2. Your Data shall be treated as strictly confidential and WSO2 shall ensure that any Service provider granted access to Your Data are subject to written confidentiality obligations no less protective than those set forth in this Addendum. WSO2 further agrees to implement and maintain state-of-the-art technical and organizational security measures and to provide its personnel with appropriate training and ongoing awareness programs to safeguard against unauthorized access, use, or disclosure of confidential information. These measures shall be consistent with the security and access control requirements detailed herein. WSO2 may from time to time at its discretion, update or enhance the measures described herein to align with the industry standards and the scope of the Services provided. WSO2 shall ensure that any such updates do not result in a material degradation of the protection afforded to You.
5. Reporting.
- WSO2 shall provide communications and legally required assistance to You regarding breaches that have a material or serious service impact on the confidentiality, integrity, or availability of the Services, including the nature and resolutions thereof. In the event of a major breach, WSO2 will follow the guidance under the European Banking Authority.
6. Cooperation.
WSO2 shall provide reasonable assistance to You in the event that You receive any order, request or inquiry from a Competent authority relating to the Services and/or this Addendum. Such assistance shall include, without limitation, the timely provision of all relevant information and documents required by the Competent authority; participate in review meetings, and full cooperation with any Competent authority or its appointed representatives at no additional cost to You, unless otherwise agreed in advance in writing, with any such costs being determined on an ex-ante basis.
7. Training.
WSO2 conducts annual security training programs for its personnel. Where appropriate, upon Your written request, WSO2’s personnel who are directly involved in the provision of the Services may participate in Your relevant security awareness and digital operational resilience training programs. The terms and conditions governing such participation shall be agreed upon in advance by You and WSO2.
8. ICT-Related Incident Assistance.
In the event of an ICT-Related Incident arising in relation to the Services, WSO2 shall without undue delay inform Customer of the ICT-Related Incident and provide reasonable assistance to Customer in the event of an ICT-Related Incident that is related to the Services (“Incident Assistance”).
9. Penetration testing.
Given that the scope would be products deployed on a Subscriber’s on-prem environment, no penetration test will be performed by WSO2 on the Subscriber. WSO2 shall maintain a comprehensive digital operational resilience testing programme which also includes scans (perimeter VAPT to meet ISO requirements PCI-DSS ASV scans are performed on in-scope systems and internal VAPT scans) and vulnerability assessments (https://wso2.cachefly.net/wso2/sites/all/trust/wso2-security-commitment-for-on-premises-customers.pdf). Additionally Software follows the Secure Software Development Lifecycle [https://security.docs.wso2.com/en/latest/security-processes/secure-software-development-process/], utilizing security scanning technologies to ensure the security of the Software. WSO2 shall consider relevant ICT risks and the criticality of information assets and services when conducting the testing programme. WSO2 shall ensure that tests are undertaken by independent internal or external parties and establish procedures and policies to identify, assess and remedy issues revealed throughout the performance of the tests. The appropriate tests on digital operational resilience shall be conducted as needed.
10. Insurance.
WSO2 will maintain necessary insurance covers and proof of such insurance covers and limits will be provided to You upon Your written request.
11. Engaging Service providers.
- WSO2 will be engaging Service providers to support and assist the delivery of the Services purchased by You. As of the effective date of this Addendum, the list of such Service providers is as stated in Annex 1. Your acceptance of this Addendum shall constitute Your consent to WSO2’s engagement of the listed Service providers. WSO2 shall provide You with 30 days prior written notice of any changes to the list of Service providers, where such changes may adversely impact the Services or WSO2’s ability to provide the Services. If You have any objections to the proposed changes, such objections must be communicated in writing to WSO2 within the 30 day notice period. Failure to raise any objections within this period shall be deemed as Your acceptance of, and no objection to, the proposed changes.
- WSO2 shall engage Service providers only after conducting a due diligence to assess their suitability. This assessment shall include an evaluation of their storage location, security measures and the capability to deliver the contracted services in accordance with WSO2’s obligations under this Agreement.
- WSO2 shall enter into a binding written agreement with each Service provider. Such agreements shall require the Service providers to comply with all applicable laws, regulatory requirements as well as contractual obligations including, but not limited to confidentiality, data protection, data security, incident response, business continuity, resilience testing and audit rights.
- Notwithstanding any consent provided by You to the engagement of a Service provider, WSO2 shall remain fully responsible for the acts and omissions of its Service providers in connection with the performance of the Services, to the same extent as if such acts or omissions were those of WSO2 itself.
12. Termination Rights:
- 12.1 You may terminate the Agreement in respect of the affected Services on written notice to WSO2:
- if WSO2 commits a material breach of (i) applicable laws and regulations, or (ii) any provisions of the Agreement, related to the performance of the Services which is incapable of remedy, or, if capable of remedy, WSO2 fails to remedy such breach within thirty (30) days after receipt of a written notice specifying the breach and requiring it to be remedied;
- if you reach the reasonable conclusion, following consultation with WSO2 and the monitoring of ICT Third-Party Risk, that circumstances exist which are, in your reasonable opinion, capable of altering WSO2’s performance of the Services in a manner detrimental to you or your business, including material changes that affect the arrangement or situation of WSO2;
- in the event of evidenced weakness relating to WSO2’s overall ICT Risk management, in particular in respect of the measures implemented to protect the availability, authenticity, integrity and confidentiality of Your Data, provided that WSO2 has not been able to cure such weakness within thirty (30) days from being notified; or
- where the Competent Authority can no longer effectively supervise you as a result of the conditions of, or circumstances related to, the Agreement.
- 12.2 Consequences of Insolvency, Resolution, Discontinuation of the Services or Termination.
Any termination in accordance with this Paragraph 12 (b) and (d) shall take effect after receipt of a written notice specifying the termination reason and WSO2 having failed to remedy the cause of the termination reason within thirty (30) days after receipt of that written notice.
Upon the occurrence of an Insolvency Event or upon the termination of the Agreement, WSO2 shall upon written request from You, either return to You or securely delete or anonymize (and certify this in writing), all Your Data within the control of WSO2. If You request to return Your Data, WSO2 shall return any physical copies of Your Data in its extant format and any electronic copies of Your Data in an easily accessible format. Notwithstanding the foregoing, Your Data in archival systems shall be deleted in line with WSO2’s standard back-up deletion routines. This Paragraph 12.2 shall survive termination or expiry of the Agreement.
13. Exit Strategies:
Upon Your written request, WSO2 shall provide the Services on the same terms for a period agreed in writing between the parties following the termination or expiration of the Agreement and Services, solely for the purpose of facilitating an orderly transition. Such continuation shall be subject to Your payment of all applicable fees for the transition period, as mutually agreed in writing.
At Your request, the parties shall agree upon and implement an exit management plan, which shall detail WSO2’s obligations and timelines. WSO2 shall take all reasonable efforts to meet all agreed timelines.
14. Audit.
Once per calendar year and upon Your written request with reasonable prior notice, You may conduct a review of WSO2’s processes, policies, documentation and certifications that support the implementation of the security measures and procedures referenced in this Addendum. Such review shall be conducted through a questionnaire provided by You.
If, following the review of the questionnaire, You are not satisfied with the results of the questionnaire, You may engage an independent third party auditor selected by You in consultation with WSO2, to conduct an audit for the sole purpose of verifying WSO2’s compliance with this Addendum. WSO2 shall cooperate fully with such audit and shall provide the auditor with relevant information, documentation and artefacts relating solely to the Services purchased by You. The auditor will be subject to confidentiality and security obligations reasonably imposed by WSO2.
Access to WSO2 systems shall not be provided to the auditor; instead, WSO2 shall provide relevant extracts or summaries of any necessary records or documentation. The audit shall be conducted in a manner that does not unreasonably interfere with WSO2’s business operations or the services provided to its other customers.
All costs and expenses associated with the audit shall be borne by You. If the audit reveals any non compliance with this Addendum, WSO2 shall, within a reasonable period, prepare and implement a corrective action plan to remedy the identified issues.
15. Information security, business continuity and disaster recovery.
WSO2 shall implement an information security management system based on recognized industry best security standards.
Furthermore, the Service Provider shall have a business continuity management system (“BCMS”) in accordance with recognized international standards to ensure the continuation of business operations with regard to the provision of Services to You in the event of disruptions, emergencies or crises. WSO2 shall test and update its BCMS at least annually and shall conduct regular reviews on an ongoing basis to ensure its continued effectiveness.
16. General
- The Parties agree that the terms of this Addendum shall be incorporated into and form part of the Agreement. To the extent that any of the terms of this Addendum conflict with any of the terms and conditions of the Agreement, the terms of this Addendum shall prevail with regards to the scope of DORA.
- WSO2 reserves the right to update or modify these terms at any time. Any changes will be effective immediately upon posting on this website. It is the responsibility of the Subscriber to review these terms periodically to ensure you are aware of any updates. Subscriber’s continued use of our Services after any changes constitutes your acceptance of the revised terms.
- All terms under section 16 of the Agreement will be incorporated into this Addendum.
- Any notices relating to this Addendum can be sent to: [email protected].
Annex 1 List of Subprocessors
| Subprocessor | Purpose of processing | Location | DORA compliance documentation |
| Salesforce Inc | For account management | USA | https://trust.salesforce.com/ |
| ServiceNow Inc | For providing support services to subscribers and managing support cases | USA | https://www.servicenow.com/company/trust.html#compliance |
The Services purchased by You will be provided by WSO2 remotely and through its group companies globally to provide agile Services and to meet the Service Levels. The Services therefore can be provided from any one of WSO2 group countries listed https://wso2.com/contact/.
Annex 2 Technical Organizational and Security Measures
Currently all WSO2 customers are limited to on-prem deployments. The WSO2 customer is responsible for the download and the installation of the WSO2 products. WSO2 will not have access to any of the deployments of the WSO2 customer’s environments and the WSO2 customer is responsible for their on-prem compliance for their infra & data (storage/transfer and processing).
The limited compliance scope for WSO2 would be the data provided by the customer during remote support & resiliency (patches, hotfixes, feature updates etc.) of WSO2 products provided by WSO2 to the customer in accordance with the Agreement. The scope of data in relation to the Subprocessor shall be as follows:
- Salesforce - Marketing PII
- ServiceNow - Customer support PII & other customer data
- WSO2 support services for customer on-prem deployments to maintain resiliency:
- API Management (true OAuth)
- API Management (true OAuth) Governance
- API Management (true OAuth) Integration
- Integration
- Open Banking
- Open Banking API Management (true OAuth)
Due to this deployment scope WSO2 is not currently a critical ICT (Information & Communication Technology) service provider.