This DORA Addendum (“Addendum”) addresses the regulatory requirements that EU financial institutions, as defined in Art. 1 and 2 DORA, are required to meet and that are prescribed by the EU Digital Operational Resilience Act (“DORA”) in the context of the support services provided by Pure Storage (“ICT Services”) and shall supplement the provisions of the Pure Storage End User Agreement and the Pure Storage Customer Support Guide (together “Main Agreements”).
1. Critical ICT Services. The ICT Services may support critical and important functions of the Customer; a “critical or important function” means a function, (i) the disruption of which would materially impair the Customer’s financial performance, or the soundness or continuity of its services and activities, or (ii) the discontinued, defective or failed performance of which would materially impair the Customer’s continuing compliance with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
2. Subcontracting.
2.1 Pure is entitled to involve third parties (including affiliates) to provide any part of the ICT Services (“Subcontracting”). Pure will inform the Customer in case of Subcontracting the ICT Services to a new third party in advance.
2.2 Pure shall inform the Customer of any material changes to the arrangements with subcontractors supporting critical or important functions at the Customer as part of the ICT Services. The Customer shall not be entitled to object to such changes, unless the Customer can establish that these material changes expose the Customer to an unreasonable risk in accordance with its own risk assessment. If Pure establishes that such changes are reasonably required to provide the ICT Services Pure shall be entitled to reject the objection made by the Customer.
2.3 Upon request, Pure shall make available to the Customer (i) a list of the subcontractors used for the provision of the ICT Services supporting any critical or important functions at the Customer, and (ii) to the extent available, further details requested by the Customer on the relevant subcontractor(s), enabling the Customer to monitor potential risk related to the ICT Services performed.
2.4 Each agreement between Pure and a subcontractor shall be made in writing and shall allow Pure to ensure the continuity of the ICT Services, including in case of failures of such subcontractors. Such agreement with each subcontractor shall include the subcontractor’s monitoring and reporting obligations towards Pure, requirements on business contingency plans, and ICT security standards to be met by the subcontractor in line with the Customer’s regulatory framework.
2.5 Pure shall be entitled to charge the Customer on a time and material basis for any activities performed upon Customer’s request with respect to the Subcontracting in accordance with this Clause 2.
3. Standard of services, changes.
3.1 The Customer confirms that the relevant Support Levels as set out in the then current Pure Storage Customer Support Guide are sufficient to allow the Customer effective monitoring of the ICT Services.
3.2 Pure will use only appropriately trained and qualified personnel for the ICT Services.
3.3 Pure will notify the Customer of any intended changes to the locations from where the ICT Services are provided. In case of Subcontracting, Pure shall assess the risks associated with the location of the involved subcontractor and its parent company, if any.
4. Technical and organizational security measures.
4.1 Relevant Pure or Subcontractor support personnel will participate in training on the digital operational resilience of the Customer. These trainings shall be offered by the Customer in virtual form. The Customer shall notify Pure and/or the relevant Subcontractor of such training providing reasonable time in advance and shall offer Pure and/or the relevant Subcontractor alternative dates for training sessions.
4.2 Pure shall implement and maintain an Information Security Management System ("ISMS") based on established industry standards. The ISMS comprises the planning, implementation, operation, monitoring, reporting, maintenance, and continuous improvement of measures to ensure the appropriate security of Pure’s IT systems involved in the provision of ICT Services, as well as the confidentiality, integrity and availability of data received by Pure from the Customer, if any. The respective security components and procedures used for the ISMS shall be at the sole discretion of Pure. Pure will, upon written request, provide additional information on its ISMS to the Customer.
5. Security measures for critical or important functions.
5.1 Business Continuity Plan. (a) Pure shall implement and test reasonable business contingency plans with respect to the ICT Services. (b) Pure shall have in place security measures, tools and policies that provide an appropriate level of security for the provision of services to the Customer. Pure shall be entitled to amend or change those security measures, tools and policies, without the Customer’s consent, to effectively implement functions or service levels relating to its other customers. (c) Upon written request from Customer, Pure shall participate in and cooperate with the Customer on their ‘threat-led penetration testing’ (“TLPT”). TLPT means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led test of the financial entity’s critical live production systems. Customers are required to pay Pure for such participation and cooperation, to be calculated on a time and material basis.
5.2 Response and recovery. (a) Pure shall take appropriate measures to implement and maintain business operations to limit losses in the event of a serious business interruption (“Response and Recovery Plans”) and to continue its operations in this event (“Business Continuity Plans”). (b) Upon written request by the Customer, Pure will provide more information about its Response and Recovery Plans as well as its Business Continuity Plans, to the extent this information is necessary for the provision of the ICT Services. (c) Pure shall regularly update and test its Response and Recovery Plans as well as its Business Continuity Plans for adequacy and effectiveness and analyse and document any challenges or failures resulting from the tests.
6. Managing security incidents.
6.1 Pure shall take reasonable measures to support the Customer in handling any ICT-Related Incidents which are related to the ICT Services. An “ICT-Related Incident” is a single event or a series of linked events unplanned by the Customer which compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the ICT Services provided by the Customer.
6.2 In the event of an ICT-Related Incident, the Customer shall reimburse Pure for the support provided pursuant to this Clause 6 on a time and material basis.
6.3 Without prejudice to the provisions on handling ICT-Related Incidents in this Addendum, Pure shall notify the Customer in text form without undue delay of any development that might have a material impact on Pure’s ability to effectively provide the ICT Services supporting critical or important functions of the Customer in line with agreed ICT Service levels.
7. Audit and information rights.
7.1 The Parties agree that the Customer will accept Pure's certificates and audit reports as proof of information security if the Customer is satisfied that: (a) the scope of the certificates or audit reports on the systems identified is sufficient and that key controls are carried out by Pure and compliance with the relevant regulatory requirements is indicated, (b) the content of the certificates or audit reports is thoroughly assessed and reviewed by Pure on an ongoing basis and that they are kept up to date, (c) the key systems and controls are ensured to be covered in future versions of the certification or audit report; and (d) the certificates and the tests of the operating effectiveness of the key controls in place are performed and issued in accordance with generally accepted relevant professional standards.
7.2 In the event the Customer is not satisfied with the certificates and audit reports provided by Pure, Customer may exercise its audit rights as set out in this Clause 7.2 below: (a) The Customer shall have a right of access, inspection and audit if they are critical to the operations of Pure (each such access, inspection and audit, a “Customer Audit”). The Customer may also use an appointed third party to carry out a Customer Audit. Pure shall fully cooperate during any Customer Audit. To satisfy such an obligation to cooperate, Pure shall provide those documents, and shall enable access to those premises, which specifically relate to or are specifically used for the provision of ICT Services. (b) When carrying out a Customer Audit, the Customer shall inform Pure in writing, no later than 4 weeks prior to the Customer Audit, of the time, scope and procedure to be followed during the Customer Audit. Customers may only carry out a Customer Audit once per calendar year. (c) When performing any Customer Audit, the Customer and/or its appointed third party shall be subject to appropriate confidentiality obligations. Such confidentiality obligations shall be agreed with Pure prior to the Customer Audit and shall be a condition for carrying out such Customer Audit. Each Customer Audit shall be strictly limited to the documents which are concerned with the provision of the ICT Services; Pure shall be entitled to refuse access, inspection and audit by the Customer of any documents which pertain to other Pure customers. The same shall apply to any premises and systems in case of on-site inspections.
7.3 In case of Subcontracting, the Customer shall have the right to carry out Customer Audits pursuant to this Clause 7 at Pure’s relevant subcontractors involved in the provision of ICT Services. The Customer agrees that such right shall be satisfied by complying with the alternative assurance described in Clause 7.1 above, applied correspondingly to the relevant subcontractor.
7.4 Every Party shall bear its own costs regarding any audit conducted under this Section 7.
8. Information obligations and cooperation with supervisor.
8.1 If a competent supervisory authority issues a valid and binding order to Pure regarding the ICT Services of the Customer, Pure shall fully and immediately comply with such administrative orders and submit to the jurisdiction of this supervisory authority in this respect.
8.2 The competent supervisory authority shall have a right of access, inspection and audit at Pure, and shall be entitled to take copies of relevant documentation on-site if they are critical to the operations of Pure. The effective exercise of such access, inspection and audit shall not be impeded or limited by other contractual arrangements or implementation policies. In case of Subcontracting, Pure shall procure that the relevant subcontractor involved in the provision of ICT Services shall grant the competent supervisory authority the same right of access, inspection and audit.
8.3 Pure shall fully cooperate during any onsite inspections and audits performed by the competent authorities and with the Lead Overseer (as defined in Article 3 (61) of the DORA).
9. Cooperation obligations of the Customer.
9.1 The Customer’s cooperation obligations include: (a) To be available for (i) queries regarding Pure's provision of the ICT Services, (ii) providing Pure and/or the relevant Subcontractor with all information and documents required for the provision of the ICT Services, and (iii) making decisions required under regulatory standards to which the Customer is subject, and informing Pure thereof in time; (b) To notify Pure and/or the relevant Subcontractor of the current contact details of the Customer’s responsible information security staff to be contacted in the event of information security threats and ICT-Related Incidents; and (c) To notify Pure and/or the relevant Subcontractor of relevant security incidents and vulnerabilities that could have an impact on Pure and/or the relevant Subcontractor or its ICT Services.
9.2 Should the Customer not comply, without undue delay, with its cooperation obligations set out in this Clause, Pure and/or the relevant Subcontractor shall be excused from performing the affected ICT Services and/or other obligation pursuant to this Addendum, to the extent that such failure by Customer to comply with its cooperation obligation results in Pure and/or the relevant Subcontractor not being reasonably able to perform such ICT Service or fulfil their other obligations.
10. Term and termination.
10.1 This Addendum is effective as per the effective date of the Main Agreements and valid for an indefinite period (“Term”). The Customer confirms that the Term is in line with the expectations of the supervisory authorities who are competent for the ICT Services.
10.2 This Addendum may be terminated by each party upon giving 30 days prior written notice to the end of a calendar year.
10.3 The right to extraordinary termination for cause remains unaffected.
10.4 Without affecting any other rights of termination, the Customer may terminate this Addendum for cause, in whole or in part, without limitation, if: (a) Pure is in significant breach of any applicable law, regulations, or provisions under or in connection with this Addendum, despite Pure having had the opportunity to restore compliance within a reasonable period of time; (b) Circumstances are identified while monitoring the ICT Services and related risks which are deemed capable of altering Pure's performance of the agreed ICT Services, including material changes affecting this Addendum or the situation of Pure; (c) There is an evidenced weakness in Pure's overall ICT risk management and in the manner it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data or non-personal data; (d) A competent supervisory authority instructs the Customer to terminate the Addendum, including if a supervisory authority is no longer able to effectively supervise the Customer due to the Addendum; or (e) Pure has involved a subcontractor, or has implemented material changes to Subcontracting, supporting critical or important functions at the Customer in accordance with Clause 2. The Customer’s termination right set out in Clause 10.4 shall apply correspondingly if any of the circumstances described in Clause 10.4 apply to a subcontractor of the Service Provider.
11. Exit support.
11.1 Upon request, Pure will support the Customer in documenting and testing an exit in case of any expiry or termination of this Addendum and the Main Agreements. Pure shall, during a transition period of up to 6 months commencing upon the date of expiry or termination of this Addendum and the Main Agreements: (a) continue providing the respective ICT Services, with a view to reducing the risk of disruption at the Customer or to ensure the Customer’s effective resolution and restructuring, as the case may be; and (b) allow the Customer to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the ICT Services provided.
11.2 Pure shall be entitled to charge the Customer for the exit support described in this Clause 11 on a time and material basis.
12. Final provisions.
12.1 This Addendum shall be governed by the laws of Ireland, excluding conflicts of law principles under Irish law and the United Nations Convention on Contracts for the International Sale of Goods.
12.2 No delay or entire or partial omission by any Party in exercising any right, power or remedy provided by law or under this Addendum shall affect that right, power or remedy or operate as a waiver thereof. The Parties shall not be entitled to exercise any retention right with respect to their obligations under this Addendum.
12.3 If provisions of this Addendum are, or should become, entirely or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions. The foregoing shall also apply if the provisions of this Addendum should be incomplete. Instead of the invalid or unenforceable provision, or in order to close the incompleteness or gap, an interpretation shall be used which, to the extent legally permissible, as closely as possible reflects the intentions of the Parties concluding this Addendum or, considering the meaning and purpose of this Addendum, the potential intentions of the Parties had they considered the invalidity, unenforceability, incompleteness or gap at the time of concluding this Addendum.
12.4 In the event of contradictions between this Addendum and the Main Agreement(s), the provisions of this Addendum shall take precedence to ensure compliance with the applicable regulatory requirements, in particular with DORA.