Skip to content
ACTServ Technology Ltd
Legal
Data Processing

ACTServ GRC DORA ICT Third-Party Services Terms

Contractual provisions supporting DORA ICT third-party risk-management requirements.

Version 1.0Approved as of 01 January 2026Contractual document

These terms apply where Customer is a financial entity subject to Regulation (EU) 2022/2554 (“DORA”). Terms such as “critical or important function”, “ICT services” and “ICT-related incident” have the meanings given in DORA. Customer remains responsible for determining whether the Services support a critical or important function and documenting that designation in the Engagement Letter.

Description of ICT services

The Services and supported functions are described in the Order Form, including subscribed modules, integrations, entities, users, service locations and any designation as supporting a critical or important function.

Service and data locations

Production backend processing and data storage are located in the European Union (Ireland). Frontend delivery and application execution are located in European Union regions (France and Germany). Material locations and subcontractors are maintained in the Subprocessor Schedule. ACTServ will provide advance notice of material location changes where required.

Security of data and services

ACTServ will maintain measures designed to protect availability, authenticity, integrity, confidentiality, accessibility and traceability, including mandatory MFA, role-based access, tenant-aware controls, logging, encrypted integration credentials, incident response and backups.

Access, recovery, return and deletion

Customer may access and export Customer Data through standard Platform functionality during the Subscription Term and for 30 days after termination. Exports are provided in easily accessible, standard machine-readable formats. Customer is responsible for completing export. ACTServ will provide reasonable additional transition assistance at rates agreed in advance in the Engagement Letter or Order Form.

ACTServ will ensure that Customer Data can be accessed, recovered and returned in an easily accessible format in the event of the insolvency, resolution or discontinuation of the business operations of ACTServ, or upon termination of the agreement.

Service levels

The Service Level Agreement and Support Policy apply. Customer-specific or enhanced service levels for a critical or important function must be stated in the Order Form.

ICT incidents and assistance

ACTServ will notify Customer without undue delay after becoming aware of an ICT-related incident that materially affects the Services or Customer Data. ACTServ will provide available information concerning nature, impact, affected services, containment, recovery and relevant updates, and reasonable assistance with Customer’s regulatory assessment and reporting.

Incident notification and the information reasonably required for Customer’s regulatory reporting duties are provided at no additional cost. Where Customer requests further incident-related assistance beyond ACTServ’s own remediation obligations, such assistance is provided at rates determined in advance in the Engagement Letter or Order Form.

Business continuity

ACTServ will maintain and periodically review proportionate business-continuity, backup, recovery and incident-management arrangements. Daily production backups are retained for seven days. No specific RTO or RPO applies unless stated in the Order Form.

Cooperation with authorities

ACTServ will cooperate with competent authorities, resolution authorities and persons appointed by them to the extent required by applicable law and relevant to the Services.

Audit, access and inspection

ACTServ will provide information reasonably necessary for Customer’s ICT third-party oversight, including certifications, security information, questionnaires and independent reports where available. Where insufficient, Customer, its appointed auditor or competent authority may exercise reasonable audit and inspection rights.

Audits will be coordinated to protect other customers, security and confidentiality and avoid unreasonable disruption. These safeguards will not prevent effective exercise of mandatory regulatory rights. For hyperscale subcontractors, equivalent assurance may include independent reports, certifications, pooled audits and provider-supported regulatory-access mechanisms.

Resilience testing and TLPT

ACTServ will reasonably cooperate with digital operational resilience testing relevant to the Services. Any penetration test or threat-led penetration test involving ACTServ systems must be coordinated through agreed rules of engagement, scope, timing, safety controls and provider restrictions, without limiting mandatory authority rights.

Awareness and training

ACTServ personnel complete security-awareness and operational-resilience training consistent with ACTServ’s ISO/IEC 27001 certified Information Security Management System.

Where relevant and reasonably requested, ACTServ will participate in Customer incident coordination, awareness or resilience activities. Bespoke or extensive participation is chargeable at rates agreed in advance.

Subcontracting

Customer authorises the subcontracted functions and providers listed in the Subprocessor Schedule. ACTServ remains responsible for its obligations, performs proportionate due diligence and monitoring, and seeks appropriate flow-down obligations concerning security, continuity, incident notification, cooperation, audit and data protection.

Material subcontractor changes

ACTServ will provide at least 30 days’ prior notice of a material change supporting a critical or important function unless emergency, law, security or circumstances outside reasonable control require shorter notice. Customer may object within 15 days based on substantiated DORA, security or data-protection risk. The Parties will seek mitigation.

Termination rights

Customer may terminate the affected Service where required by DORA, including material uncured breach, evidenced material weakness in ACTServ’s overall ICT risk management, inability of competent authorities to exercise effective supervision as a result of the agreement, unauthorised material subcontracting, an unresolved material subcontractor objection or a lawful instruction of a competent authority.

Except where a competent authority requires immediate termination or remediation is impossible, Customer must give written notice describing the circumstances and allow ACTServ thirty (30) days to remediate before termination takes effect. Customer will receive a pro-rata refund of unused prepaid Fees where termination is caused by ACTServ’s breach; in other cases, Fees committed for the current Subscription Term remain payable except where applicable law provides otherwise.

Exit and transition

The Parties will cooperate on an orderly exit designed to reduce disruption. Standard self-service export is included. Custom extraction, transformation, migration, extended parallel operation, workshops and replacement-provider support are chargeable at rates agreed in advance, unless required to remedy ACTServ’s breach.

Where the Services support a critical or important function, the Parties will record an adequate transition period in the Engagement Letter. During an agreed transition period following termination, ACTServ will continue providing the affected Services at the then-current Fees to enable migration to another provider or in-house arrangements.

Register of information

ACTServ will provide reasonably available information needed for Customer’s DORA register of information, including legal-entity details, service description, locations, material subcontractors, dates, notice periods, Fees and audit and exit arrangements.

Order of precedence

If these DORA Terms conflict with the MSA, these terms prevail only for matters governed by DORA. A customer-specific DORA schedule in the signed Engagement Letter prevails over these standard terms.