Financial Services Addendum
Effective Date:
1. Purpose and Scope
This Financial Services Addendum (the "Addendum") supplements the agreement between Soteri LLC ("Soteri") and a customer that is a regulated financial entity (the "Customer") for the use of Soteri's cloud-based security scanning and access control products (the "Services"). It is intended to support the Customer's compliance with:
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector ("DORA"), in particular Article 30;
the European Banking Authority Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) (the "EBA Guidelines"); and
analogous requirements imposed on financial entities by their competent authorities.
This Addendum is incorporated by reference into the Customer's agreement with Soteri and applies only to the extent the Customer is subject to DORA, the EBA Guidelines, or equivalent financial-services regulation. In the event of conflict between this Addendum and any other agreement between the parties, this Addendum controls for matters within its scope.
2. Relationship to Other Soteri Documents
This Addendum does not restate obligations already addressed in other Soteri documents. The following documents are incorporated by reference and, taken together with this Addendum, constitute Soteri's contractual framework for regulated financial customers:
| Topic | Source Document | Location |
|---|---|---|
| End User License Agreement | Soteri EULA | |
| Personal data processing (GDPR) | Soteri Data Processing Addendum | |
| International data transfers | EU-U.S. Data Privacy Framework (incl. UK Extension and Swiss-U.S. framework) | |
| Security controls and attestations | SOC 2 Type II report; security documentation | |
| Sub-processor list | Sub-processor register | |
| Service levels | Soteri Service Level Agreement | |
3. Description of Services and Service Locations
3.1 Services. Soteri provides cloud-based security scanning and access control products delivered as applications that operate within the Customer's instance of a third-party collaboration platform (e.g., Atlassian Cloud). The Services scan content and configuration within the Customer's instance to detect security issues and enforce access policies. A current description of each product, including functional scope, is maintained at soteri.io.
3.2 Service Locations. The Services are operated from data centers located in the United States. A current list of sub-processors, including the jurisdictions in which they process Customer data, is maintained on Soteri's Cloud App Data Subprocessors page.
3.3 Data Processed. The categories of data processed by the Services, and the purposes of processing, are described in the Soteri Data Processing Addendum.
4. Sub-outsourcing
Soteri's engagement of sub-processors in the provision of the Services, including the current sub-processor register, advance notice of changes, the Customer's right to object, and the data protection and security obligations imposed on sub-processors, is governed by Section 4 of the Soteri Data Processing Addendum and the Soteri Cloud App Data Subprocessors page incorporated therein.
5. Data Availability, Integrity, Confidentiality, and Return
5.1 Security. Soteri maintains a written information security program consistent with its SOC 2 Type II attestation. A description of technical and organizational measures is available through the Trust Center.
5.2 Availability and Integrity. Soteri operates the Services with redundancy and monitoring appropriate to the nature of the Services.
5.3 Return and Deletion. Upon termination or expiration of the Services, Soteri will, at the Customer's election, return or delete Customer data in accordance with the Soteri Data Processing Addendum. This obligation applies equally in the event of Soteri's insolvency, resolution, or discontinuation of the Services.
5.4 Continuity of Access. Soteri will not assert any right of retention over Customer data. The Customer's ability to access, export, and retrieve Customer data in accordance with Section 5.3 and the Soteri Data Processing Addendum will not be impaired by a fee dispute, by Soteri's insolvency or resolution, or by Soteri's discontinuation of the Services.
6. Incident Reporting
6.1 Notification. Soteri will notify the Customer without undue delay after becoming aware of a personal data breach or security incident affecting the Customer's data, in accordance with the Soteri Data Processing Addendum.
6.2 DORA-Aligned Information. To support the Customer's incident reporting obligations under DORA, Soteri's notifications will include, to the extent known at the time of reporting and updated as further information becomes available: a description of the incident, the systems and data categories affected, the actual or estimated impact, measures taken or proposed, and a point of contact.
6.3 Cooperation. Soteri will cooperate reasonably with the Customer in the Customer's investigation and reporting of incidents to competent authorities.
7. Cooperation with Competent Authorities
Soteri will cooperate with the Customer's competent authorities (including, as applicable, the European Central Bank, the European Banking Authority, the European Supervisory Authorities, national competent authorities, and resolution authorities) to the extent required by applicable law. This includes providing information reasonably necessary to enable supervision of the Customer's use of the Services, subject to applicable confidentiality obligations.
8. Audit and Inspection Rights
8.1 Primary Evidence. Soteri provides its SOC 2 Type II report, security documentation, and other assurance materials through its Trust Center. The parties agree that these materials are intended to satisfy the Customer's routine audit and assessment needs.
8.2 Customer Audits. Where the Customer, acting reasonably and on the basis of a documented regulatory requirement, determines that the materials described in Section 8.1 are insufficient, Soteri will respond in good faith to reasonable additional information requests and will cooperate with an audit conducted by the Customer or a qualified third-party auditor (other than a competitor of Soteri) subject to reasonable notice, scope, frequency, and confidentiality limitations.
8.3 Regulatory Audits. Soteri will grant the Customer's competent authorities and resolution authorities (and any persons appointed by them) the access, information, and inspection rights required by DORA, the EBA Guidelines, or other applicable law, including, where legally required, the right to conduct on-site inspections of Soteri's premises.
8.4 Costs. Each party bears its own costs in connection with audits conducted under this Section, except that excessive or repetitive audits requested by the Customer may be subject to reasonable cost recovery by Soteri.
9. Exit
Data return and deletion obligations on termination or expiration of the Services are addressed in Section 5.3. Continuity of Customer access to Customer data is addressed in Section 5.4.
10. Termination
10.1 Customer Termination Rights. In addition to any termination rights in the Customer's agreement with Soteri, the Customer may terminate the Services on written notice if:
(a) Soteri commits a material breach of this Addendum or the Soteri Data Processing Addendum that is not cured within thirty (30) days of written notice;
(b) a competent authority of the Customer issues a binding order or direction requiring termination;
(c) Soteri becomes subject to insolvency proceedings; or
(d) the Customer reasonably determines, on the basis of a documented regulatory requirement, that continued use of the Services would place the Customer in breach of applicable law.
10.2 Effect of Termination. The obligations in Sections 5.3 (Return and Deletion) and 5.4 (Continuity of Access) survive termination.
10.3 No Modification of Commercial Terms. Termination under this Section grants the Customer the right to discontinue use of the Services. Refunds, credits, and other commercial settlements on termination are governed by the Customer's agreement with Soteri and applicable billing arrangements (including with Atlassian Marketplace or another authorized reseller), and are not modified by this Addendum.
11. Service Levels
Service levels applicable to the Services are set forth in the Service Level Agreement.
12. Security Awareness and Training
12.1 Soteri Personnel Training. Soteri maintains an internal ICT security awareness and digital operational resilience training program for its personnel, as described in its SOC 2 Type II report. This program is intended to meet the training expectations applicable to Soteri's role in providing the Services.
12.2 Participation in Customer Programs. Where the Customer determines, in accordance with Article 13(6) of DORA, that participation by Soteri personnel in the Customer's ICT security awareness or digital operational resilience training programs is appropriate, Soteri will cooperate in good faith. Such participation will be charged at a rate of $150 per hour. Participation will be conducted remotely and asynchronously where reasonably practicable.
13. Governing Law
This Addendum is governed by the law specified in the Customer's agreement with Soteri, without prejudice to mandatory provisions of Union or member state law applicable to the Customer as a financial entity.
14. Changes to this Addendum
Soteri may update this Addendum from time to time to reflect changes in applicable law, Soteri's operations, or industry practice. Material changes will be communicated through the Trust Center at least thirty (30) days in advance of their effective date. Continued use of the Services following the effective date of an update constitutes acceptance of the updated Addendum.