DORA Amendment
This DORA Amendment forms part of the agreement between customers, who are also financial entities, and Cardboard covering the customer's use of our services and establishes the framework for ICT risk management, incident reporting, and operational resilience in accordance with Regulation (EU) 2022/2554 (Digital Operational Resilience Act).
This DORA Addendum ("Addendum") is entered into and supplements the existing Service Agreement between the Parties. This Addendum ensures compliance with the Digital Operational Resilience Act (DORA), specifically Article 30.
1 Scope and purpose
This Addendum applies to ICT services provided by Cardboard ("Provider") to the end user who is also a financial entity as defined by DORA ("Financial Entity"), specifically:
- Virtual payment cards
- Subscription tracking
- Automated receipt collection
2 Service description
- Provider delivers ICT services through its platform, enabling virtual card issuance and payment setup.
- Core payment processing is performed by Adyen as the "Card Issuer".
- Core payment processing and card transactions will continue to function independently of Provider's platform availability through Card Issuer's infrastructure.
- Any material subcontracting of these services shall require prior written notification to the Financial Entity.
3 Data processing and protection
- All data processing and storage locations shall be documented and communicated to the Financial Entity.
- Provider shall notify Financial Entity in advance of any intended changes to processing locations.
4 Data protection
Provider shall ensure:
- Availability of payment setup services.
- Authenticity of payment processing data.
- Integrity of stored and processed payment data.
- Confidentiality of Financial Entity's payment data.
- All data protection measures, including those for personal data, are further detailed in the Data Processing Agreement between the Parties, which remains in full force and effect.
5 Data access and recovery
Provider shall ensure:
- Access to Financial Entity's payment data in an easily accessible format.
- Data recovery capabilities for payment-related information.
- Data return procedures in case of contract termination.
6 Service levels
Core payment processing
- Provider relies on the Card Issuer for core payment processing and card issuing services.
- Card transactions will continue to function independently of Provider's platform availability.
- Core payment processing service levels are governed by Card Issuer's service level agreement.
Cardboard platform services
- New card issuance: Processing within 1 business day.
- Support response times: See the following section.
7 Incident management and support
Incident classification
- Critical incidents: Issues affecting multiple customers' ability to set up new payments.
- High priority: Issues affecting single customer's payment setup functionality.
- Medium priority: System degradation without loss of core functionality.
- Low priority: Cosmetic or non-essential feature issues.
Response time commitments
- Critical incidents: Initial response within 1 hour during business hours
- High priority: Initial response within 2 hours during business hours
- Medium priority: Initial response within 4 business hours
- Low priority: Initial response within 1 business day
Payment processing incidents
- Provider will immediately notify Financial Entity of any incidents reported by the Card Issuer affecting payment processing.
- Provider will serve as liaison between Financial Entity and the Card Issuer for incident resolution.
- Provider will maintain documentation of all payment-related incidents.
Platform service incidents
- Provider will maintain an incident management system for tracking and resolution.
- Regular status updates will be provided based on incident severity.
- Post-incident reports will be provided for Critical and High Priority incidents.
Support costs
- All incident support, including emergency support, is included in the standard service fees.
- No additional charges will be applied for incident management and resolution.
Communication protocols
- Primary contact for incident reporting: hello@cardboard.inc
- Secondary communication channels to be agreed upon with each Financial Entity.
- Regular incident status meetings for ongoing Critical Incidents.
8 Regulatory cooperation
Provider shall fully cooperate with:
- Financial Entity's competent authorities
- Resolution authorities
- Persons appointed by such authorities
9 Termination rights
Upon termination:
- Provider will ensure orderly transition of any pending payment setups.
- Standard data export features will remain available during the notice period.
10 Security training
Provider shall:
- Participate in Financial Entity's ICT security awareness programs.
- Engage in digital operational resilience training as required.
11 Change management
Provider shall notify Financial Entity of any material changes to:
- Payment setup infrastructure.
- Integration with the Card Issuer's services.
- Security controls affecting payment processes.
- Notice period: Minimum 30 days for planned changes.
- Emergency changes will be communicated as soon as practicable.
12 Monitoring and audit rights
Financial Entity shall have the right to:
- Monitor Provider's performance
- Conduct or commission audits with reasonable notice
- Receive regular reports on service performance
13 Amendments
This Addendum may be amended by mutual written agreement of the Parties, subject to regulatory requirements.
Last updated: 2025-02-18. Effective date: 2025-03-24.