DORA Addendum

Effective: February 1, 2026

This Digital Operational Resilience Act (“DORA”) Addendum forms part of the Terms and Conditions which governs Client’s Genius Scan SDK License (“Agreement”). To the extent that there is any conflict between the terms of the DORA Addendum and any other terms of the Agreement, the DORA Addendum will prevail.

This DORA Addendum will apply to the extent Client is subject to DORA.

Definitions

• DORA: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.
• Financial Entity: An entity captured by Art. 2(2) DORA and which is not excluded from the scope of DORA by Art. 2(3) or 2(4) DORA, for so long as such an entity remains subject to DORA.
• ICT Service: The Genius Scan SDK license provided by The Grizzly Labs.
• Competent Authority: Any national or European supervisory authority responsible for the supervision of the Financial Entity under DORA.
• Critical or Important Function: A function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities.

Description of Services and Locations

The Agreement describes the functions and services to be provided. The Grizzly Labs guarantees that the ICT Service includes appropriate security standards to ensure the availability, authenticity, integrity, and confidentiality of data.

The Provider shall process and store the Client’s data only in the locations specified in the Provider’s third-party dependencies list. Any transfer of data to a new location (specifically outside the EU/EEA) requires prior notification to the Client.

ICT Security and Resilience

Security Standards: The Provider shall implement and maintain appropriate technical and organizational measures to ensure the security of its ICT systems, including mechanisms for encryption, vulnerability management, and network security.

Business Continuity: The Provider shall maintain a comprehensive Business Continuity Policy (BCP) and Disaster Recovery Plan (DRP). Upon request, the Provider shall provide a summary of such plans to the Client.

Testing: The Provider shall regularly test its business continuity and security plans. If the Client is required by a Competent Authority to conduct Threat-Led Penetration Testing (TLPT), the Provider agrees to reasonably cooperate with such testing where the Provider’s services support a Critical or Important Function.

Incident Management

Reporting: The Provider shall notify the Client without undue delay (and in no event later than 24 hours) after becoming aware of any “ICT-Related Incident” that has a material impact on the ICT Services provided to the Client.

Content of Notice: Such notice shall include, at a minimum: (a) the nature of the incident; (b) the impact on the services; and (c) the remedial actions taken or proposed.

Assistance: The Provider shall provide reasonable assistance to the Client in fulfilling the Client’s own incident reporting obligations to Competent Authorities under DORA Articles 17–20.

Audit and Inspection Rights

Right of Access: In accordance with Article 30(3)(e) of DORA, the Provider grants the Client, and any Competent Authority (including the European Central Bank, EBA, EIOPA, or ESMA where applicable), the right to:

• Access and inspect relevant documents and premises directly related to the provision of the ICT Services.
• Conduct audits (either by the Client’s internal auditors or appointed third-party auditors).

Cooperation: The Provider shall cooperate fully with such audits and inspections. Where the Provider possesses valid security certifications (e.g., ISO 27001, SOC 2 Type II), the Client may agree to rely on these reports to minimize operational disruption, provided they cover the scope required by DORA.

Subcontracting

Restrictions: The Provider shall not subcontract the whole or a material part of an ICT Service supporting a Critical or Important Function without the Client’s prior written approval (not to be unreasonably withheld).

Chain of Responsibility: The Provider ensures that any subcontractor is bound by contractual obligations regarding information security and audit rights substantially similar to those in this Addendum.

Service Levels and Performance Monitoring

Performance Targets: The ICT Services shall meet the Service Level Agreements (SLAs) defined in the Agreement.

Monitoring: The Provider shall continuously monitor the performance of the ICT Services and provide the Client with reports upon request regarding compliance with the agreed service levels.

Termination and Exit Strategies

Termination Rights: In addition to the termination rights in the Agreement, the Client may terminate the agreement upon written notice if:

• The Provider commits a material breach of this Addendum or applicable laws.
• A Competent Authority instructs the Client to terminate the arrangement.
• The Provider creates significant weaknesses in the Client’s digital operational resilience.

Exit Assistance: Upon termination, the Provider shall provide reasonable assistance to transition the ICT Services to the Client or a replacement provider. This includes the secure return or deletion of Client data in a machine-readable format.

Governing Law

This Addendum is subject to the governing law defined in the Agreement, except where mandatory EU regulations (DORA) prevail.