DORA Addendum - What You Need to Know

The DORA Addendum supplements the main agreement with DeepL by incorporating the provisions required to comply with Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (Digital Operational Resilience Act, “DORA”).

It is not a standalone contractual document. Instead, together with the main agreement and other contractual amendments, it forms a single, unified contractual framework that shall be regarded and interpreted as one agreement.

Together, they fulfill the requirements of Article 30 of Regulation (EU) 2022/2554 (DORA):

  • Main Agreement - Service descriptions, service level agreements (where applicable), liability, and related terms
  • DPA - Governs data protection, sub-processors, audit rights, and related matters
  • DORA Addendum - Addresses ICT requirements, termination rights, and cooperation obligations

What does the DORA Addendum cover?

Service Description

The agreed services and any Service Level Agreements (where contractually specified) are set out exclusively in the main agreement and the DPA. The Addendum refers to these provisions accordingly.

Processing Locations

The relevant processing locations are set out in the DPA and are comprehensively governed therein.

ICT Security Measures

DeepL implements and maintains appropriate security measures. Details are described in the main agreement and/or DPA.

Support Obligations

In the event of DORA-relevant ICT incidents, DeepL will support you to a reasonable extent, in particular by providing relevant information in a timely manner and by assisting in the analysis and investigation of the incident.

Sub-processors

DeepL is entitled to engage sub-processors. The sub-processors engaged are listed in Annex 1 of the DPA. Changes will be communicated to you in advance with reasonable notice (2 weeks), giving you the opportunity to object.

Termination & Exit

The term corresponds to the main agreement. DORA-compliant termination rights are fully governed.


Frequently Asked Questions (FAQs)

Q) Does the Addendum also cover critical or important functions?

A) DeepL generally assumes that its services support non-critical and non-important functions within the meaning of DORA. Our Addendum therefore focuses on contractual provisions relevant to ICT services supporting non-critical and non-important functions. Financial institutions need to assess whether an ICT service supports a critical or important function within their organisation (i.e. whether they would be unable to operate or significantly impaired without that service).

Q) Can we audit DeepL's sub-processors directly or require them to participate in our ICT training programmes?

A) DeepL is unable to grant you direct audit rights over its sub-processors or to obligate them to participate in ICT security awareness programmes or digital operational resilience training that you have implemented. As sub-processors are not party to your agreement with DeepL, such obligations fall outside the scope of what DeepL can contractually commit to. DeepL does ensure that each sub-processor is bound by a written agreement imposing data protection and security obligations substantially equivalent to those set out in the DPA. We carefully select our sub-processors and audit all critical subcontractors in accordance with ISO 27001.

Q) What audit rights do we have?

A) Your audit rights are fully governed by the DPA, to which the Addendum refers. You are entitled to conduct one audit per calendar year. On-site inspections are possible. Additional audits may take place after prior agreement with DeepL and reimbursement of costs. All audits require reasonable prior notice and are subject to confidentiality obligations.

Q) Under what circumstances can the Addendum be terminated?

A) The Addendum runs with the main agreement. An isolated termination of the Addendum is excluded, with one exception: if you fall outside the scope of DORA, the Addendum may be terminated by either party with 4 weeks’ notice. In addition, extraordinary termination for good cause is possible, for example in cases of material breach, demonstrated ICT security deficiencies, or regulatory supervisory impediments.

Q) Does DeepL support us in incidents or regulatory cooperation?

A) Yes. DeepL commits to cooperating with the relevant supervisory authorities and to supporting you in DORA-relevant incidents. This support is provided to the extent that is reasonable given the risks associated with the services.


Further Information

For additional information on DeepL Pro’s technical and organizational measures and data security, please visit the DeepL Trust Center. There you will find information on our ISO 27001 and SOC 2 Type II certificates, penetration testing, our data centers, the data flow, etc.


This document does not replace the Addendum. The signed contractual text shall always prevail.

Last updated: April 2026