Survicate supports regulated financial-sector customers with vendor due diligence under the EU Digital Operational Resilience Act (DORA).
For Enterprise plan customers, we offer a DORA Compliance Addendum designed to supplement our Terms of Service and Data Processing Agreement and address the key contractual requirements under Article 30(2) DORA.
What is included?
The DORA Compliance Addendum covers key areas relevant to DORA-related third-party risk and contractual oversight, including:
subcontractor governance, including advance notice of changes and the right to object;
data processing locations, including transparency regarding current processing locations and notice of material changes;
confirmation of Survicate’s Data Processing Agreement structure;
ICT risk management commitments;
service level commitments;
ICT and security incident notification; and
supervisory cooperation for regulated customers.
Data Processing Agreement
Survicate confirms in the Addendum that Schedule 3 of the Terms of Service constitutes a valid Data Processing Agreement under Article 28(3) GDPR and that the Addendum supplements that framework for DORA-related purposes.
Processing locations
The Addendum identifies Survicate’s primary customer data processing locations as:
Survicate S.A. headquarters in Warsaw, Poland
AWS EU (Ireland)
AWS EU (Frankfurt)
It also provides for prior notice of intended changes to processing locations.
ICT risk management and security controls
Under the Addendum, Survicate confirms that it maintains and operates an Information Security Management System (ISMS) certified to ISO/IEC 27001:2023. The Addendum further states that Survicate’s ISMS covers areas such as:
access management,
encryption,
incident response,
vulnerability management,
penetration testing,
disaster recovery, and
supplier risk management.
On reasonable request, Survicate may also provide supporting audit and compliance materials referenced in the Addendum.
Service commitments
For eligible customers, the DORA Compliance Addendum includes the following service resilience commitments:
99.5% monthly uptime
Recovery Time Objective (RTO): 24 hours
Recovery Point Objective (RPO): 4 hours
It also provides that customers will be notified without undue delay of any material service disruption or disaster recovery activation.
ICT and security incident notification
The Addendum states that Survicate will notify the customer without undue delay and in any case within 4 hours of becoming aware of a major ICT-related incident materially affecting the services or the security of customer data. The notification will include a description of the incident, likely impact, mitigation steps, and estimated resolution timeline.
DORA self-assessment matrix
Survicate has also prepared a DORA self-assessment matrix mapping the requirements of Article 30(2)(a)–(f) to its contractual and operational controls.
Availability
The DORA Compliance Addendum is available on the Enterprise plan for customers that require DORA-related contractual assurances as part of security and compliance due diligence.
If you need DORA-related documentation for your review, please contact our team.
Important note
Survicate’s DORA-related materials are intended to support customers that are themselves subject to DORA and need appropriate contractual commitments from ICT service providers. The relevant documentation is provided through the DORA Compliance Addendum for Enterprise customers and related due diligence materials.
📞 If you have any questions or need further assistance, feel free to reach out to our team via chat or email: support@survicate.com.
