DORA Schedule

Aradyne provides the Service as an ICT third-party service provider within the meaning of Article 3(19) of DORA. Nothing in this Schedule relieves the Subscriber of its own obligations under DORA, including its obligations to maintain an ICT risk-management framework (Article 6), to manage ICT third-party risk (Articles 28–29), to maintain a register of information on its contractual arrangements (Article 28(3)), and to classify whether the Service supports a critical or important function.

PART A — PROVISIONS FOR ALL FINANCIAL ENTITIES (Article 30(2))

A1. Description of Services and Subcontracting.

The functions and ICT services provided are the PeakSpitz software-as-a-service platform and the AI Assistant, as described in the Agreement and the Documentation. Aradyne may use sub-contractors (Sub-processors) to provide the Service; the current sub-contractors, the services they provide, and their processing locations are set out in Annex 3 of the Data Processing Addendum (“DPA”). Aradyne will give the Subscriber at least thirty (30) days’ prior notice of any intended change to a sub-contractor supporting the Service, and the Subscriber may object or terminate as set out in Section 5 of the DPA. Material subcontracting of ICT services supporting a critical or important function will not be undertaken without prior notice enabling the Subscriber to assess the resulting risk.

A2. Locations of Data Processing and Provision.

The regions in which the Service is provided and Subscriber Data is processed and stored are identified in Annex 3 of the DPA. Subscriber Data forming part of the Service is hosted within the European Economic Area (EEA) by default. Aradyne will notify the Subscriber in advance of any change to the country or region in which Subscriber Data is stored or the Service is materially provided.

A3. Protection of Data — Availability, Authenticity, Integrity, and Confidentiality.

Aradyne implements and maintains the technical and organisational measures described in Annex 2 of the DPA to ensure the availability, authenticity, integrity, and confidentiality of Subscriber Data, including the protection of Personal Data in accordance with the DPA and applicable data-protection law, and encryption of Subscriber Data in transit and at rest.

A4. Access, Recovery, and Return of Data.

On expiry or termination of the Agreement, and in the event of the insolvency, resolution, or discontinuation of Aradyne’s business operations, the Subscriber retains access to, and the ability to recover and export, its Subscriber Data in accordance with Section 9.3 of the Agreement and the Cloud Switching & Exit Schedule, in widely-used, openly-readable, machine-readable formats (including CSV and a structured JSON archive). Aradyne will return or delete Subscriber Data at the Subscriber’s choice as set out in Section 11 of the DPA.

A5. Service Levels.

The service levels applicable to the Service, including the availability commitment, support response times, and remedies, are set out in the Service Level Agreement (“SLA”).

A6. Assistance on ICT Incidents.

Aradyne will provide assistance to the Subscriber, at no additional cost or at a cost agreed in advance, in the event of an ICT incident that relates to the Service provided to the Subscriber, including by cooperating with the Subscriber’s incident handling and providing information required for the Subscriber’s incident reporting under DORA. Data Breaches affecting Personal Data are handled in accordance with Section 8 of the DPA.

A7. Cooperation with Competent Authorities.

Aradyne will cooperate fully with the Subscriber’s competent authorities and resolution authorities, including any person appointed by them, in connection with the Service provided to the Subscriber.

A8. Termination Rights and Notice Periods.

The Subscriber may terminate the Agreement in the circumstances set out in Section 13 of the Agreement, and in any event: (i) where Aradyne is in significant breach of applicable laws, regulations, or contractual terms; (ii) where circumstances are identified that may alter the performance of the functions provided, including material changes affecting the arrangement or Aradyne’s situation; (iii) where there are evidenced weaknesses in Aradyne’s ICT risk management relevant to the Service; and (iv) where the competent authority can no longer effectively supervise the Subscriber as a result of the arrangement. Aradyne will provide a minimum termination notice period sufficient to enable an orderly transition consistent with the Subscriber’s regulatory expectations, as further set out in Part B (Exit Strategy) where applicable.

A9. Participation in Security Awareness and Training.

Aradyne will participate, where reasonably requested, in the Subscriber’s ICT security-awareness programmes and digital operational resilience training relevant to the Service.

PART B — ADDITIONAL PROVISIONS FOR CRITICAL OR IMPORTANT FUNCTIONS (Article 30(3))

Part B applies where the Subscriber classifies the Service as supporting a critical or important function and has notified Aradyne accordingly.

B1. Performance Targets.

The full service-level descriptions, including precise quantitative and qualitative performance targets, are set out in the SLA and, where agreed, in the Order Form, to enable effective monitoring and timely corrective action.

B2. Notice and Reporting of Material Developments.

Aradyne will notify the Subscriber without undue delay of any development that may materially affect Aradyne’s ability to provide the Service in line with the agreed service levels, and will report ICT-related incidents affecting the Service in accordance with Section A6 and Section 8 of the DPA.

B3. Business Contingency and ICT Security.

Aradyne maintains business contingency and disaster-recovery arrangements and implements ICT security measures, policies, and standards appropriate to the Service, and will make available, on request, summary information and relevant audit reports (for example ISO/IEC 27001 certification or an independent SOC 2 report) demonstrating those measures.

B4. Threat-Led Penetration Testing.

Where the Subscriber is required to conduct threat-led penetration testing (TLPT) under DORA and the Service is within scope, Aradyne will participate in and fully cooperate with that testing, subject to reasonable scoping, scheduling, and safeguards agreed in advance to protect the Service and other customers.

B5. Rights of Access, Inspection, and Audit.

Aradyne grants the Subscriber, its appointed third parties, and its competent authorities and resolution authorities full rights of access, inspection, and audit in respect of the Service, including the right to obtain copies of relevant documentation and audit reports and to perform on-site inspections, subject to reasonable advance notice and security and confidentiality safeguards. Aradyne will not unreasonably restrict the exercise of these rights, and the agreed security and confidentiality safeguards do not limit the access, inspection, and audit rights required by Article 30(3) of DORA.

B6. Exit Strategy and Transition.

Aradyne maintains, and will support, an exit strategy enabling the Subscriber to exit the arrangement in an orderly manner without undue disruption to its business, without breaching regulatory requirements, and while preserving the continuity and quality of the functions provided. A mandatory, adequate transition period applies, during which Aradyne will continue to provide the Service and will provide the assistance, data export, and portability set out in Section 9.3 of the Agreement and the Cloud Switching & Exit Schedule.

EXECUTION

A financial-entity Subscriber should notify Aradyne at legal@aradyneltd.com, stating whether the Service supports a critical or important function, so that this Schedule can be executed as part of the Agreement. Pending execution, this Schedule applies to the extent required by DORA from the date the Subscriber notifies Aradyne that it is a financial entity.