DORA Annex
Last updated: March 17, 2026
This DORA Annex (the "Annex") is incorporated by reference into Terms and Conditions, Master Services Agreement, or any other written agreement (the "Services Agreement") between Customer and Spacelift, Inc. ("Spacelift") for the purchase of services from Spacelift (as defined below).
This Annex applies only to the extent Customer uses Services in a manner falling within the scope of EU Digital Operational Resilience Act ("DORA") (Regulation (EU) 2022/2554) and to the extent Customer is subject to DORA. The Customer is responsible for identifying their regulatory obligations under DORA. Capitalized terms used but not defined in this Annex have the meaning given in the Services Agreement.
This Annex does not apply if Customer and Spacelift have executed a separate DORA agreement.
1. Definitions
1.1. "Customer Data" means data as defined in the Services Agreement.
1.2. "Confidential Information" has the meaning given in the Services Agreement or any other confidentiality agreement applicable between the Parties.
1.3. "ICT Services" means ICT services as defined in Article 3 of DORA.
1.4. "Personal Data" means personal data as defined in Article 4(1) of the General Data Protection Regulation (EU) 2016/679.
1.5. "Processor" means a processor as defined in Article 4(8) of the General Data Protection Regulation (EU) 2016/679.
1.6. "Services" means the services provided by Spacelift to the Customer under the Services Agreement.
2. Purpose and Scope
This Annex supplements the Services Agreement to address applicable requirements of DORA in relation to the provision of the Services by Spacelift. It sets out additional terms intended to support the Customer's compliance with DORA, on the basis that:
(i) Spacelift acts as an ICT third-party service provider within the meaning of DORA and the Services it provides fall within the definition of ICT services under DORA, and
(ii) the Customer, where applicable, is a financial entity subject to DORA.
3. ICT Services - Rights and Obligations
3.1. Description of all functions and ICT Services. The description of Services and respective rights and obligations of the Parties in relation to the ICT Services, including applicable service levels and response times, are set out in the Services Agreement and/or in the Support Terms.
3.2. Information Security and Risk Management. Spacelift maintains appropriate technical and organisational measures designed to protect the confidentiality, integrity, availability and resilience of the ICT Services. A description of the key security controls and protections implemented by Spacelift (including, among others, access control, vulnerability and patch management, encryption and secure development practices) is made available through Spacelift's Trust Center.
3.3. ICT Security Awareness and Resilience Training. Spacelift shall provide annual training to its personnel on relevant security policies and procedures. In addition, Spacelift agrees to participate in any reasonable security awareness or digital operational resilience training required by the Customer, where such training is proportionate and relevant to the ICT Services provided, and subject to terms and conditions to be agreed between the Parties at the time.
3.4. Data Protection. Spacelift shall ensure the availability, authenticity, integrity, and confidentiality of data processed through the ICT Services. The confidentiality provisions of the Services Agreement apply to any Confidential Information the Customer shares with Spacelift. If, in the course of providing the Services, Spacelift acts as a processor of the Customer's Personal Data, the Data Processing Agreement made available on Spacelift's website shall apply, unless the Parties have executed a separate data processing agreement, in which case that agreement shall prevail.
3.5. Business Continuity and Recovery. Spacelift maintains business continuity and disaster recovery measures that are appropriate for the scale and criticality of the ICT Services. Upon request, Spacelift shall provide a general description of its business continuity and disaster recovery capabilities.
3.6. Incident Management and Notification
3.6.1. Incident Management. Spacelift maintains an incident response program addressing detection, assessment, response, and remediation of an ICT incident that is related to the ICT Services provided to the Customer ("ICT Incident").
3.6.2. Notification. Spacelift shall notify the Customer without undue delay after becoming aware of a confirmed ICT Incident that materially impacts the Customer's use of the Services. Notification may include a description of the ICT Incident, any known or potential impact on the Customer and mitigation or remediation steps taken by Spacelift.
4. Subcontracting
The Customer acknowledges and agrees that Spacelift uses subcontractors, including cloud hosting providers, to support the provision of the ICT Services. Spacelift maintains an up-to-date list of material subcontractors (subprocessors) engaged in the provision of the ICT Services, together with the regions or countries in which they are located, as made available through Spacelift's Trust Center. Spacelift shall notify the Customer in advance, including through Spacelift's Trust Center, if Spacelift intends to change the regions where subcontracted ICT Services or data processing activities occur, to the extent required under DORA, and notify the Customer of any newly engaged subprocessors, as made available through Spacelift's Trust Center.
5. Termination
5.1. Termination Assistance. After termination of the Services Agreement, upon Customer's written request, Spacelift shall provide the Customer with the ability to export Customer Data. The Customer may exercise its ability to export Customer Data for a period of thirty (30) days following the effective date of termination, after which this right shall expire. Spacelift shall also erase Customer Data in accordance with the Services Agreement.
In addition, in the event of Spacelift's insolvency, resolution, or discontinuation of its business operations, Spacelift shall ensure that, upon Customer's written request, Customer retains the ability to access and export Customer Data (including personal and non-personal data).
For the avoidance of doubt, Spacelift's obligation to enable the export of Customer Data shall apply only to the extent such data has not been erased pursuant to a valid data subject request under Article 17 of the GDPR.
5.2. Termination Rights. The Parties acknowledge that all termination rights, termination notice requirements, and related procedures are set out in the Services Agreement.
6. Critical or Important Functions
6.1. The Parties acknowledge that certain obligations under DORA apply specifically where the ICT Service supports a critical or important function of the Customer.
6.2. To the extent the Customer considers the ICT Services (or any portion thereof) to support a critical or important function within the meaning of DORA, the Parties shall mutually determine, document, and agree in writing, signed by duly authorised representatives of each Party, on any additional obligations, controls, or measures required, prior to the relevant use of the ICT Services.
6.3. Unless and until such mutual determination and written agreement is executed, the Parties agree that the ICT Services are not designated as supporting critical or important functions.
7. Cooperation with Regulators
Spacelift shall provide reasonable assistance to support the Customer in fulfilling lawful requests from competent regulatory authorities, to the extent such requests relate to the ICT Services provided by Spacelift. Nothing in this Annex requires Spacelift to disclose its proprietary information, trade secrets or information that would pose a security risk.
8. Liability and Limitations
Liability under this Annex is subject to the exclusions and limitations set forth in the Services Agreement.
9. Conflicts
If any provision of this Annex conflicts with the Services Agreement and any of its annexes, this Annex shall prevail solely with respect to DORA-related obligations.
10. Updates to this Annex
The Parties acknowledge that DORA and any delegated legislation made pursuant to DORA may be amended, superseded, invalidated or replaced from time to time. Where a provision of DORA or such delegated legislation that is relevant to this Annex is superseded, invalidated or replaced by law or regulation, this Annex shall be interpreted in line with the updated legal requirements and, where necessary, updated accordingly. Spacelift may update this Annex to reflect such changes in DORA or related regulatory guidance.
11. Governing Law
This Annex is governed by the governing law specified in the Services Agreement.