EU AND UK REGULATORY ANNEX

(Additional Information Security and Digital Governance Terms)

This Annex describes the additional security and digital governance terms (including without limitation each party’s commitment) with respect to applicable requirements under the Security and Digital Governance Laws. Where the relevant Services provided under the Agreement are ICT Services subject to the applicable Security and Digital Governance Laws, the additional terms of this Annex are deemed incorporated into Customer’s Agreements executed with Ƶapp.

SECTION I – GENERAL

1. DEFINITIONS

1.1 Capitalized terms used but not defined in this Annex will have the meanings provided in the Agreement.

1.2 The terms “ICT Process”, “ICT Product”, “Network and Information Systems”, and 辱” shall have the meaning given to them in the Security and Digital Governance Law(s).

1.3 The following additional definitions shall apply to this Annex:

  • “Agreement” means the service agreement signed by Ƶapp and the Customer that governs Ƶapp’s provision of the ICT Services to the Customer.
  • “Applicable Law” means, with respect to each party to the Agreement, any national, federal, state, provincial, local, foreign, or other statute, law, ordinance, regulation, rule, code, order, or other legally binding requirement that applies to that Party in connection with the performance of its obligations or the conduct of its business under the Agreement.
  • “Audit” means any audit conducted by the Customer (or its Agent) pursuant to Clause 5 of this Section I.
  • “Customer Data” means any Transactional Data and other data of either (a) the Customer (or their Affiliates) and/or (b) (where applicable) any of their respective Third Party Service End User(s) which is processed as part of the provision or use of the Service.
  • “DORA” shall be as defined in Section III.
  • “Good Industry Practice” means the exercise of that degree of skill and diligence which would reasonably and ordinarily be expected to be exercised by an operator engaged in the same type of undertaking (in providing similar transactional data transmission and processing services and operating similar networks and systems/infrastructure) under the same circumstances and conditions.
  • “SDG Incident(s)” means any security or digital governance related incident (or series of linked events) which involves (i) any actual impairment of, unauthorized access to or use of the Services, the Network and/or any Ƶapp Group Systems and Infrastructure which has an adverse effect on any element of the security of the Services, and (ii) where Transactional Data or other applicable Personal Data of the Customer which is transmitted or otherwise processed as part of the Services is subject to (a) an actual accidental, unauthorized, or unlawful Processing, (b) an actual loss or disclosure of such data or (c) any compromise of such data as a result of such actual security related incident.
  • “ICT Services” means the Services as described in the Agreement to which each Security and Digital Governance Law(s) applies.
  • “NIS 2 Directive” shall be as defined in Section II.
  • “Regulatory Body” shall be as defined in the Agreement or, where not defined, means any supervisory or government agency, body or authority having regulatory or supervisory authority over the relevant party or their respective assets, resources or business and/or provision or use of the Services and Equipment (including without limitation the PCI SSC).
  • “Regulatory Body Audit” means any Audit invoked by the Customer as a direct consequence of an audit or investigation by a Regulatory Body of the Customer and/or a Third Party Service End User.
  • “Security and Digital Governance Laws” means security and digital governance Laws implemented in the UK and/or the EEA (including without limitation the DORA and the NIS2 Directive, and any other related directives, regulations and national implementing Laws) which apply to the Services and the Ƶapp Group Systems and Infrastructure.
  • “Significant Cyber Threat” means a cyber threat which, based on its technical characteristics, has the potential to have a severe impact on the network and information systems of the Customer and/or a Third Party Service End User by causing considerable material or non-material damage (as more particularly defined under the NIS 2 Directive) and which affects the Services and/or Network (and associated Ƶapp Group Systems and Infrastructure);
  • “Significant SDG Incident” means a SDG Incident that (i) has caused or is capable of causing severe operational disruption or financial loss, or (ii) has affected or is capable of affecting other persons by causing material or non‑material damage.
  • “Third Party Service End User” means a third-party customer of the Customer or a Customer Affiliate, who has access to and is an authorised user of the Services and is regulated by and subject to the Security and Digital Governance Law(s).
  • “Ƶapp Group Customer” means such other third-party customer of Ƶapp or a Ƶapp Affiliate other than Customer, a Customer Affiliate or (where applicable) a respective Third Party Service End User.
  • “Ƶapp Group Systems and Infrastructure” shall be as defined in the Agreement or, where not defined, means any systems, connections, equipment or other infrastructure which are owned or operated by Ƶapp and which are used by Ƶapp in connection with either (a) the provision of Services, (b) access to the Network and/or (c) the receipt, transmission, storage and/or any other processing of Transactional Data or other Customer Data.
  • “Ƶapp Group Information Security Management System” or “Ƶapp Group ISMS” shall be as defined in the Agreement, or, where not defined, means the Global Information Security Management System (ISMS) Charter which is adopted and maintained by Ƶapp and its relevant Affiliates (Ƶapp Group) in relation to the operation of Ƶapp Group businesses and the provision of the Services and Network (and associated Ƶapp Group Systems and Infrastructure). The Ƶapp Group ISMS incorporates the Ƶapp Group Security Measures.
  • “Ƶapp Group Security Measures” means the relevant detailed technical and organizational security controls, processes and procedures as documented in the individual Ƶapp Group ISMS and the associated programs and underlying security policies.

1.4 In the event of any conflict or inconsistency between the terms of this Annex and any other terms of the Agreements, this Annex shall prevail.

2. COMPLIANCE AND COOPERATION

2.1 Each Party shall comply with the Security and Digital Governance Law(s) applicable to its business and, on reasonable request, cooperate with (i) any relevant competent governmental authority, and/or (ii) the other Party with respect to their respective compliance obligations under the Agreement, in light of the Security and Digital Governance Law(s). In particular, each of Ƶapp and Customer shall inform and alert the other of any significant change or event, difficulty, risk or information that could have an adverse effect on the ICT Services or the performance of the Agreement (unless the sharing of such information is prohibited under Applicable Law).

2.2 The Parties acknowledge and agree that (i) the Services do not include or consist of legal advice or consulting with respect to matters of legal or regulatory compliance. Ƶapp shall have no obligation or liability for any loss, damage, cost or expense incurred by Customer as a result of Customer’s failure to comply with the Security and Digital Governance Laws applicable to its business, and (ii) the execution by Ƶapp of its obligations under this Annex is subject to active, regular and adequate collaboration from the Customer, who undertakes to provide all information necessary for the proper execution of the Services.

2.3 Change Request Process:

2.3.1 Should either Party request a change to the Services, or should any Security and Digital Governance Law(s) or relevant Regulatory Body decision be likely to impact the Services, any Ƶapp Group Systems and Infrastructure relating thereto and/or the Parties’ obligations under the Agreement, a written contract change request shall be submitted to the other Party (“Change Request”).

2.3.2 Ƶapp shall carry out a feasibility study and provide a written proposal including details of (i) the likely impact, if any, of the Change Request on the Services, (ii) the proposed changes (if any) and (iii) the estimated costs or savings which would result from the Change Request.

2.3.3 If the Parties agree in principle to such proposal, both Parties shall sign a change notice covering the agreed amendments and timelines.

3. EFFECTIVE DATE

3.1 The terms in this Annex are effective on the date that the Security and Digital Governance Law(s) become effective and enforceable.

4. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES AND ANY NECESSARY UPDATES

4.1 Ƶapp agrees to maintain and (where necessary from time to time) update Ƶapp Group ISMS (and associated Ƶapp Group Security Measures) in accordance with Security and Digital Governance Law(s) and Good Industry Practice, applicable to its business.

4.2 For the avoidance of doubt, Ƶapp meets Good Industry Practice in the context of adopting adequate security measures in relation to the Services and Network (and associated Ƶapp Group Systems and Infrastructure) by (a) (where applicable) maintaining the Ƶapp Group ISMS (and associated Ƶapp Group Security Measures) which are compliant with PCI DSS (and other necessary PCI standards) and (b) benchmarking Ƶapp Group Security Measures against the security controls outlined in ISO 27001 and (where applicable) any other relevant European and international standards.

5. AUDIT

5.1 Upon Customer’s reasonable request and subject to the confidentiality obligations of the Agreement, Ƶapp shall make available to the Customer:

  1. third-party certifications and/or third-party or internal audited reports of its relevant controls;
  2. (where appropriate and subject to an agreed additional fee) pooled audits, organized jointly with other clients or firms that use ICT services of Ƶapp, in order to optimise audit resources and minimise operational overhead for both Parties.

5.2 Any other request from the Customer (including on-site audit or detailed questionnaires) shall be subject to Change Request and the following provisions:

  1. The Customer or any formally appointed third party of good reputation (hereafter its “Agent”) may, once annually, and in accordance with the applicable Security and Digital Governance Law, exercise rights of access, inspection and audit in relation to Ƶapp’s compliance with its obligations under this Annex, provided that:
    1. Customer can demonstrate in good faith that the reports and documentation referenced in Clause 5.1 of this Section I, (or, if applicable, any other audit reports or other information Ƶapp makes generally available to its customers) are not sufficient to meet its obligations under the Security and Digital Governance Law(s);
    2. A Significant SDG Incident has occurred;
    3. Ƶapp has notified Customer that it is subject to a binding access request by a Regulatory Body related to Customer Data; or
    4. an Audit is formally requested by a competent Regulatory Body with jurisdiction over the Customer and/or a Third Party Service End User (The number of Regulatory Body Audits shall be unlimited PROVIDED THAT the scope of each Regulatory Body Audit is limited to the issues directly affected by and/or related to the Services and/or Ƶapp Group Systems and Infrastructure)
  2. The Customer will provide at least thirty (30) days’ advance written notice of its intention to conduct an audit under this Clause 5 (except in the case of a Regulatory Body Audit (as defined in Clause 1.3 of this Section I), for which no notice period shall be required, provided that Customer shall use reasonable endeavors to provide as much prior written notice as is reasonably practicable of any Regulatory Body Audit). Before any audit is carried out, the Parties shall agree (acting reasonably) on the scope, timing, duration, fees, control and evidence requirements, and any physical locations involved. The Customer or its Agent shall identify the individuals participating and the ICT Services within scope.
  3. Ƶapp may reasonably object for good cause to any personnel proposed by the Customer or its Agent. In such a case, the audit shall be suspended until alternative personnel are agreed.
  4. Audits shall be conducted during normal business hours, with reasonable advance notice, and in a manner that does not unreasonably interfere with Ƶapp’s operations, and subject to applicable Ƶapp Group ISMS policies and any other relevant Ƶapp site policies and procedures. Ƶapp may require execution of a confidentiality agreement before granting access. Where onsite inspection of data centers, systems or facilities is not permitted, Ƶapp will collaborate with the Customer to agree an alternative approach that provides sufficient information for the Customer’s DORA audit obligations.
  5. Nothing in this Clause 5 limits any non‑waivable audit, access and information rights of competent governmental authorities with jurisdiction over the Customer in relation to the Services; Ƶapp will reasonably cooperate with such authorities, subject to lawful confidentiality and security measures.
  6. The Customer shall not be given physical or unsupervised direct access to Ƶapp Group Systems and Infrastructure which are used in connection with the Services, to the extent such access would risk exposure of other customers’ data or undermine security. Where necessary to meet applicable audit obligations (including under DORA or NIS 2), Ƶapp will provide appropriate evidence and facilitate proportionate logical access, supervised visits, interviews and reviews of relevant records relating to the Services, subject to confidentiality, security and segregation controls. Where the Customer requires access to Customer Data contained on Ƶapp Group Systems and Infrastructure, or other information that cannot easily be separated from information protected for confidentiality, security or third‑party reasons, Ƶapp may provide redacted copies or aggregated materials, provided that such redaction does not materially undermine the legitimate purpose of the audit. Ƶapp will work with Customer in good faith to reach a mutually agreeable solution sufficient to allow Customer to comply with applicable audit requirements under the Security and Digital Governance Law(s).
  7. Any information, materials or knowledge gained by the Customer (or its Agent) as part of any audit shall be used only for and in connection with that audit and for no other purpose in any circumstances.
  8. Customer shall provide the results of any such Audit to Ƶapp. Where the Audit reveals a material breach by Ƶapp of this Annex, Ƶapp shall (i) use commercially reasonable efforts to address agreed-upon remediation and (ii) bear its own expenses for that portion of the audit related to the breach.
  9. In the event the Audit requested by Customer could affect the rights of other Ƶapp clients, the Parties shall discuss in good faith with the objective of agreeing in writing alternative levels of assurance and/or any additional or amended Audit terms.

6. GOVERNING LAW

6.1 This Annex is governed by and enforced in accordance with the choice of law set forth in the Agreement, unless a separate choice of law is required by Security and Digital Governance Law(s), in which case, for purposes of this Annex, the choice of law as so required shall control over the choice of law in the Agreement.

7. LIABILITY

7.1 Ƶapp and Customer agree that the total liability of each party and its Affiliates (as defined in the Agreement) arising out of or in connection with this Annex, whether based on breach of contract, tort or otherwise, is, as between the parties (including Affiliates), subject to the applicable provisions on limitation of liability in the Agreement. Further, Ƶapp shall not be liable for any violation by Customer of the Security and Digital Governance Law(s) or a failure by Customer to comply with the competent authority’s requirements.

SECTION II – NIS 2 DIRECTIVE

1. SCOPE AND DEFINITIONS

1.1 The terms and conditions set forth in Section II of this Annex apply where the Services are regulated under the NIS 2 Directive. For the avoidance of doubt, Section I is deemed incorporated into this Section II.

1.2 The following additional definitions shall apply to this Annex:

  • “NIS 2 Directive” means Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the EU, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148, and any corresponding implementing regulations.
  • “Applicable Suppliers” means the direct and material suppliers and service providers of Ƶapp.

2. GOVERNANCE

2.1 Ƶapp has management bodies within its security and global risk management offices that approve, oversee, and are responsible for the implementation of Ƶapp’s cybersecurity risk-management measures, including without limitation any security controls and measures outlined in the Ƶapp Group ISMS.

3. INFORMATION SECURITY PROGRAM – Ƶapp GROUP ISMS AND Ƶapp GROUP SECURITY MEASURES

3.1 Ƶapp has implemented and maintains Ƶapp Group ISMS incorporating Ƶapp Group Security Measures that:

3.1.1 are designed to:

  1. ensure adequate security and confidentiality controls relating to the provision of Services and/or access to the Network and the associated Ƶapp Group Systems and Infrastructure, to protect the confidentiality, integrity and security of any Transactional Data and other Personal Data;
  2. protect against any anticipated threats or hazards to the security or integrity of (a) the environment in which the Services operate and (b) associated Ƶapp Group Systems and Infrastructure; and
  3. protect against unauthorized access to or use of Services, the Network and the associated Ƶapp Group Systems and Infrastructure; and

3.1.2 maintain associated Ƶapp Group ISMS policies which set forth the procedures which Ƶapp adopts and follows for responding to any SDG Incident.

3.2 The Ƶapp Group ISMS and the associated Ƶapp Group policies are available for inspection upon request.

4. CYBERSECURITY RISK-MANAGEMENT MEASURES

4.1 As part of the adoption of the Ƶapp Group ISMS and the associated policies, Ƶapp has implemented and will maintain cybersecurity risk-management measures based on the following criteria:

4.1.1 any cybersecurity measures:

  1. are appropriate and proportionate to manage the risks posed to the Network and/or other environment in which the Services operate and any associated Ƶapp Group Systems and Infrastructure;
  2. take into account, where applicable, (i) PCI DSS (and other necessary PCI standards) and (ii) ISO 27001 and any other relevant European and international standards; and
  3. take into account the cost of implementation of any such cybersecurity measures;

4.1.2 cybersecurity measures are based on an “all-hazards” approach, which aims to protect any environment in which the Services operate and Ƶapp Group Systems and Infrastructure (including without limitation any physical environments) from SDG Incidents; and

4.1.3 Ƶapp Group ISMS cybersecurity measures relating to (a) the provision of Services and/or (b) the operation of or access to the Network and any Ƶapp Group Systems and Infrastructure include at least the following:

  1. Ƶapp Group ISMS policies on risk analysis and information system security;
  2. applicable Ƶapp Group Security Measures to identify any risks of SDG Incidents, including SDG Incident handling procedures;
  3. business continuity management system (BCMS) which incorporates BCMS policies and procedures for (where applicable) (i) Service resilience, (ii) contingency and/or business resumption plans, (iii) disaster recovery of any Ƶapp Group Systems and Infrastructure which are applicable to the Service, (iv) crisis management, and/or (v) any other applicable risk controls;
  4. supply chain security, including security-related aspects concerning the relationships between Ƶapp and its Applicable Suppliers;
  5. security in Network and Ƶapp Group Systems and Infrastructure relating to the Services and the acquisition, development and maintenance relating thereto, including vulnerability handling and disclosure;
  6. policies and procedures to assess the effectiveness of Ƶapp’s cybersecurity risk-management measures;
  7. basic cyber hygiene practices, such as zero-trust principles, software updates, configuration of Equipment and/or Ƶapp Group Systems and Infrastructure, Network segmentation, identity and access management or user awareness, cybersecurity training for staff on a regular basis and raising awareness concerning cyber threats, phishing or social engineering techniques;
  8. security policies and procedures regarding the use of cryptography and encryption;
  9. human resources security, access control policies and asset management; and
  10. (where applicable) the use of multi-factor authentication or continuous authentication solutions in relation to the operation or access to the Network and any Ƶapp Group Systems and Infrastructure.

5. SUPPLY CHAIN

5.1 Ƶapp shall maintain supply chain security measures which have been implemented and detailed as part of the Ƶapp Group ISMS and that take into account the following criteria: (a) the vulnerabilities specific to each Applicable Supplier; (b) the overall quality of products and cybersecurity practices of Ƶapp’s Applicable Suppliers, including their secure development procedures; and, where applicable, (c) the results of any coordinated security risk assessments of specific critical ICT Services, ICT Products or ICT Process supply chains carried out by EU Member States and any competent Regulatory Body.

5.2 Ƶapp performs due diligence on its Applicable Suppliers to assess their cybersecurity risk-management measures and executes agreements with such third party service providers containing substantially similar cybersecurity and data governance requirements to those in this Annex.

5.3 Ƶapp shall provide reasonable evidence of such supply chain security measures within a reasonable time frame after Customer’s written request, subject to confidentiality obligations and a reasonable frequency cap (no more than once annually unless required by law or following a Significant SDG Incident).

6. SDG INCIDENT RESPONSE

6.1 Ƶapp shall maintain and monitor its Ƶapp Group ISMS so that it includes and implements an appropriate SDG Incident response plan, procedures and policy aligned with applicable Security and Digital Governance Laws that specifies the actions to be taken when Ƶapp detects or becomes aware of any SDG Incident, and the procedures for identifying, managing, mitigating and reporting such SDG Incidents.

6.2 In the event there is any confirmed SDG Incident that affects the security, confidentiality or integrity of Transactional Data or other Personal Data relating to the Customer and the use of the Services, Ƶapp shall notify the Customer and provide information and updates in a manner and at a speed sufficient to enable the Customer to meet its supervisory reporting timelines under applicable Security and Digital Governance Laws, in accordance with the relevant processes and procedures as outlined in the applicable Ƶapp Group ISMS policy. The content and completeness of any such notification shall be assessed by reference to the information reasonably available to Ƶapp at the relevant time, and Ƶapp shall not be liable for any inaccuracy or incompleteness in any notification provided in good faith. For the avoidance of doubt, the Customer shall remain solely responsible for satisfying its own notification obligations to any CSIRT, competent authority or other Regulatory Body.

6.3 Notwithstanding the above, the Service Level Agreement shall apply to the management of any SDG Incident adversely affecting the availability of the Services.

6.4 Formal investigation of any SDG Incident involving the Services and the associated Network (and relevant Ƶapp Group Systems and Infrastructure) shall be carried out in accordance with the applicable Ƶapp Group ISMS policy. Such investigation and associated activities shall include Ƶapp: (a) providing reasonable details concerning the SDG Incident as they become available; (b) promptly investigating, mitigating, and implementing any reasonable and necessary actions or remedial measures; and (c) meeting with appropriate Customer representatives on a periodic basis (with the relevant frequency of such meetings as reasonably agreed to by the Parties).

6.5 If Ƶapp becomes aware of a Significant Cyber Threat or a Significant SDG Incident impacting Customer, Ƶapp shall:

  1. Promptly and without undue delay notify the affected Customer of such threat or incident and the recommended protective measures applicable (if any);
  2. Investigate and conduct a reasonable analysis of the cause(s) of such Significant Cyber Threat and/or Significant SDG Incident;
  3. Develop and implement an appropriate plan to remediate the cause of such Significant Cyber Threat to the extent such Significant Cyber Threat materialises and the cause is within Ƶapp’s control; and
  4. Assist with reasonable requests by the Customer to provide information about the Significant SDG Incident for the Customer to use in its required third party notifications, if any are required under the Security and Digital Governance Law(s).

6.6 Any such Ƶapp assistance shall include providing information, taking remedial actions, and supporting Customer in managing and mitigating the incident (to the extent the cause of the SDG Incident is within Ƶapp’s control). Any such assistance shall be invoiced in accordance with the pre-agreed fees set out by the parties, except where the SDG Incident is caused by a material breach by Ƶapp, in which case Ƶapp shall bear its own costs.

SECTION III – DORA

1. SCOPE AND DEFINITIONS

1.1 The terms and conditions set forth in Section III of this Annex apply solely to EU Customers that meet the criteria and thresholds for financial entities regulated by DORA. For the avoidance of doubt, Section I is deemed incorporated into this Section III; specific paragraphs in Section II also apply if specifically referenced in this Section III. For the purposes of DORA, under the Agreement, (i) the Customer is acting as a financial entity and/or is servicing a Third Party Service End User that is subject to DORA and (ii) Ƶapp is supplying ICT Services to the Customer that fall within the scope of DORA. It is understood by the Parties that Clauses 5 to 7 of this Section III shall apply where the Parties have determined that the ICT Services provided by Ƶapp are supporting “critical or important functions” of the Customer (or its Third Party Service End User), as defined under DORA.

1.2 Where the Customer is not directly subject to DORA but is servicing a Third Party Service End User, Customer may exercise the rights set out in Clauses 5 to 7 hereafter (including requesting Ƶapp to participate in an Audit or TLPT exercise) only if acting on behalf of, and pursuant to, the explicit instructions of such Third Party Service End User, and provided that Customer shall ensure that the Third Party Service End User (including any third-party advisor engaged by it) fully complies with the terms of this Annex.

1.3 The following additional definitions shall apply to this Annex:

  • “DORA” means the Digital Operational Resilience Act (Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022).
  • “Change Request Process” has the meaning given to it in Clause 2.3 of Section I.
  • “Exit Plan” means the relevant plan agreed in writing between the Parties, upon expiry or termination of the Agreement, to facilitate the transition from the relevant Services which are provided under the Agreement to Customer or to an alternative third party service provider appointed by Customer.
  • “Subcontractor” means any third party to the Agreement to whom Ƶapp effectively subcontracts the performance of part of the primary ICT Services supporting critical or important functions of the Customer, and whose disruption would have a material adverse impact on the continuity of the service provision. Unless disclosed in the Agreement, Subcontractor shall exclude Electronic Communication Networks providers or other incidental third party suppliers of telecommunications networks/services and other infrastructure and facilities used by Ƶapp in order to provide the ICT Services and/or provide access to the Network (and associated Ƶapp Systems and Infrastructure) to its clients.

2. ICT SERVICES AND LOCATION

2.1 The ICT Services provided by Ƶapp to Customer are described in the Agreement.

2.2 Ƶapp will provide the ICT Services from the locations indicated in the Agreement and shall update the Customer from time to time as changes occur.

2.3 For the avoidance of doubt, Transactional Data is routed to the Ƶapp Network in Data Centers located in EU countries and the UK. Details of the processing and storing of Transactional Data (if any) are set out in the Agreement.

3. SUBCONTRACTING OF ICT SERVICES

3.1 Subcontracted elements of the ICT Services provided by a Ƶapp-appointed Subcontractor are set out in the Agreement. Subcontracting changes that affect “critical or important functions” shall be updated from time to time.

3.2 Except in the case of a force majeure event or where a change is urgently required to ensure service continuity or the availability, authenticity, integrity or confidentiality of the Customer Data, the following shall apply:

3.2.1 Ƶapp shall notify Customer in advance of any material change to the subcontracted components of the Services that could adversely affect Ƶapp’s ability to meet its obligations under this Annex.

3.2.2 In the absence of Customer’s objections (acting in good faith and on valid and demonstrably reasonable commercial grounds) within thirty (30) days, the subcontracted components of Services change shall be deemed approved.

3.2.3 When engaging any Subcontractor, Ƶapp shall (i) evaluate the security, privacy and confidentiality practices of the Subcontractor prior to selection to establish that it is capable of providing the level of security required by this Annex, and (ii) oversee the Subcontractors to ensure that the contractual obligations are met.

3.3 Ƶapp may replace a Subcontractor on short advance notice where the reason for the change is outside of Ƶapp’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Ƶapp will inform Customer of the replacement Subcontractor as soon as possible following its appointment. Customer’s objection and termination right in this Section applies accordingly.

3.4 Where Customer raises a reasonable and documented objection to a proposed Subcontractor change that materially affects a critical or important function, the Parties will discuss in good faith to agree alternative measures. If no mutually acceptable alternative is agreed within a reasonable period, Customer may terminate only the affected Service(s) on written notice, without early termination charges, subject to any Exit Plan obligations.

4. INCIDENT MANAGEMENT, SUPPORT AND SLAs

4.1 Ƶapp shall provide assistance and support to the Customer in connection with any incident and any associated fault(s) affecting the ICT Service, as set out in the Agreement and associated Service Level Agreement.

4.2 Any Product-specific support commitments relating to the are described in the relevant Order Form, if applicable.

4.3 The SDG Incident Response process as outlined in Clause 6 of Section II shall apply to any incidents that, due to the circumstances associated with the said incident, fall into the category of a SDG Incident or a Significant SDG Incident. Where the Customer is (or supports) a financial entity subject to DORA, Ƶapp shall provide information and updates in a manner and at a speed sufficient to enable the Customer to meet its DORA supervisory reporting timelines.

5. BUSINESS CONTINGENCY MANAGEMENT SYSTEM (BCMS), DR PLANS AND ICT SECURITY MEASURES

5.1 Ƶapp’s adopted business contingency plans and ICT security measures, tools and policies are detailed in the Agreement. Where the Customer reasonably believes that amendments or additional business contingency plans and ICT security measures are required to be implemented by Ƶapp in order for the Customer to comply with DORA or other Applicable Law, or where Applicable Law changes during the term of the Agreement, the Customer shall follow the Change Request Process.

5.2 Where not already covered by the Agreement, (i) Cybersecurity risk management measures described above in Section II.3 and Section II.4 and (ii) Ƶapp’s incident response commitments in Section II.6 shall apply.

6. ICT SECURITY TRAINING AND AWARENESS PROGRAMMES

6.1 Ƶapp shall ensure that its personnel receive ongoing security awareness training, proportionate to the nature of the Services provided.

6.2 Should Ƶapp access Customer’s information systems as part of the Services, Customer may request Ƶapp to participate, on reasonable notice, in any appropriate ICT security awareness programme and/or digital operational resilience training that the Customer provides or operates in connection with its business (“Training”). In this regard, the parties agree that:

  1. The frequency, timing and duration of such Training shall be agreed by the parties in advance;
  2. Ƶapp reserves the right to recover from the Customer its reasonably and properly incurred expenses; and
  3. Ƶapp’s participation in such Training shall not require it to do anything which may interfere, prevent or impede Ƶapp from providing the ICT Services or otherwise performing its obligations under the Agreement.

7. PENETRATION TESTING

7.1 As mandated under PCI DSS requirements (where applicable), Ƶapp regularly engages an independent, qualified and competent external tester of good reputation to conduct penetration testing on Ƶapp Group Systems and Infrastructure used for providing the ICT Services covered by the Agreement. Upon reasonable request from Customer, Ƶapp can share a redacted test report that includes a summary of findings and, if any, remediation testing carried out.

7.2 Any other request from the Customer for the performance of specific penetration testing exercises shall be subject to the Change Request Process and in accordance with the following two options:

7.2.1 The Parties acknowledge that threat-led penetration testing (TLPT) under DORA is a financial-entity-led exercise. Where Customer (or its Third Party Service End User) is a financial entity required to conduct a TLPT under Article 26 of DORA and to the extent the Services support that financial entity’s critical or important functions, Ƶapp shall use its reasonable endeavours to participate in and cooperate with such TLPT exercises provided that the following conditions are met:

    1. the Customer shall promptly inform Ƶapp in writing that it intends to carry out a TLPT exercise and identify which ICT Services are within scope of such TLPT exercise;
    2. both Parties shall agree on the scope, fees and timing of the relevant TLPT exercise and Ƶapp may reasonably withhold agreement where the proposed TLPT would create unacceptable risk to Ƶapp Group Systems and Infrastructure or other Ƶapp customers;
    3. the Customer shall engage a qualified and competent external tester of good reputation that meets DORA TLPT competence and independence requirements, is reasonably acceptable to Ƶapp, and shall confirm to Ƶapp the identity of the external tester and ensure appropriate confidentiality, data protection and access undertakings are in place;
    4. any TLPT exercise on the Services shall be carried out in accordance with Applicable Law, Good Industry Practice and the agreed rules of engagement, and shall avoid production-impacting techniques unless expressly agreed in writing by Ƶapp;
    5. as a TLPT exercise could be perceived as a cyberattack or an unauthorised action against Ƶapp Group Systems and Infrastructure, any TLPT activity that is not pre-authorised in writing by Ƶapp may be automatically blocked and may cause interruption to the Services. Ƶapp shall not be liable for any loss, damage, expense, costs or liability suffered by the Customer or its Third Party End Users as a result of any unplanned, unauthorised or out-of-scope TLPT activity, except to the extent caused by Ƶapp’s wilful misconduct or fraud; and
    6. the Customer shall defend, indemnify, and hold Ƶapp harmless from and against all liabilities and costs (including reasonable and properly incurred legal costs) arising from claims by any person or damage to Ƶapp Group Systems and Infrastructure to the extent caused by any Customer TLPT exercise in breach of this clause or the agreed rules of engagement, provided that this indemnity shall not apply to the extent such liabilities arise from Ƶapp’s wilful misconduct or fraud, and subject always to the liability caps and exclusions set out in the Agreement.

7.2.2 In lieu of the Customer conducting a TLPT exercise, Ƶapp may engage an independent, qualified and competent external tester of good reputation to conduct the TLPT exercise on applicable Ƶapp Group Systems and Infrastructure and share a redacted test report that includes a summary of findings and, if any, remediation testing carried out.

7.3 Where the results of the penetration testing exercises indicate weaknesses or deficiencies, Ƶapp shall use commercially reasonable efforts to address the agreed-upon remediation plan. Ƶapp reserves the right to recover from the Customer any expenses that exceed the agreed normal provision of the ICT Services under the Agreement.

7.4 Nothing in this Clause 7 shall require Ƶapp to permit or engage with any TLPT exercise that unduly impacts the performance or security of live services that it provides to other customers or to the Ƶapp Group Systems and Infrastructure associated with the provision of such services.

8. TERMINATION

8.1 In addition to the termination rights set out in the Agreement and elsewhere in these terms and conditions, and subject to the termination process in the Agreement, Customer may terminate the affected Services (in whole or in part) on no less than thirty (30) days’ prior written notice where: (i) Ƶapp has failed to cure a material breach of Security and Digital Governance Laws or this Annex within a reasonable cure period; (ii) objectively evidenced circumstances (acting reasonably and in good faith) are identified that are reasonably likely to have a material adverse effect on Ƶapp’s performance of the ICT Services and cannot be remedied by alternative measures agreed by the Parties; (iii) objectively evidenced material weaknesses are found in Ƶapp’s overall ICT risk management that materially impact the availability, authenticity, integrity or confidentiality of Customer Data and remain unremedied within a reasonable period; or (iv) a competent governmental authority determines that, as a result of conditions related to Ƶapp or the Agreement, it can no longer effectively supervise the Customer and such determination cannot be resolved through proportionate remedial measures. Any termination under this Clause shall be proportionate to the issues identified and limited to the Services actually impacted.

8.2 Effect of Termination

  1. To the extent that data of a Party is stored as part of the Services, upon (i) termination of the Agreement, or (ii) insolvency, resolution or discontinuation of a party’s business operations, each party shall either forthwith return to the other in an easily accessible format such data or destroy the same (unless prohibited under Applicable Law).
  2. Exit Plan:
    1. Unless already agreed in the Agreement and where relevant and feasible, taking into account (i) the specific characteristics of the ICT Services and (ii) the causes of termination, Ƶapp will work with the Customer on an Exit Plan to be agreed by the Parties. The Exit Plan will address, at a minimum, data extraction/return or deletion, cooperation with any replacement provider, sequencing to avoid undue disruption, and timelines. Exit assistance and any related tooling shall be provided on reasonable commercial terms.
    2. Before an exit becomes effective, the Parties will approve a mandatory adequate transition period as defined in the Exit Plan. During this transition period Ƶapp will continue providing the respective ICT Services, at the then-current standard pricing, with a view to reducing the risk of disruption at Customer or to ensure its effective resolution and restructuring, allowing Customer to migrate to another supplier or change to in-house solutions consistent with the complexity of the Service provided.

9. DEALINGS WITH COMPETENT GOVERNMENTAL AUTHORITIES

9.1 Ƶapp shall provide (and procure that its Subcontractors shall provide) reasonable assistance and cooperation to competent governmental authorities with jurisdiction over the Customer, including resolution authorities and financial supervisors, in connection with verification of the compliance of the ICT Services with applicable Security and Digital Governance Laws (including DORA). Any such assistance is subject to lawful confidentiality and security measures, and Ƶapp’s right to recover its reasonable and properly incurred expenses, save where such cooperation is required due to Ƶapp’s material breach.

Updated: April 2026