
    Critical Terms

    Digital Operational Resilience Act (DORA)

    Nasdaq FinTech On-Premise

    This Addendum (this “Addendum”) forms part of the definitive written agreement between Nasdaq and Customer, which hyperlinks to this Addendum (the “Agreement”). This Addendum is effective as of the date the hyperlink to this Addendum is incorporated into the Agreement (the “Addendum Effective Date”). For the purpose of this Addendum, “Nasdaq” means the Nasdaq contracting entity identified in the Agreement, and “Customer” means the Customer contracting entity identified in the Agreement.

    The parties hereto agree as follows:

    A.              Application of this Addendum.

    The terms and conditions of this Addendum apply with respect to the provision of the Service(s) by Nasdaq to any entity in the Customer’s group provided that (i) such entity is a Financial Entity, (ii) the Services are deemed an ICT Service under DORA, and (iii) Customer has duly notified Nasdaq in writing of its classification of the Services under DORA.

    This Addendum shall automatically terminate with respect to any such Service when the term of such Service terminates or expires pursuant to the terms of the Agreement.

    B.               Definitions and interpretation.

    “Certifications and Reports” means a summary of third-party audits or certifications relating to the security controls of the Service, including any available Service Organization Control (SOC) Type 2 reports and ISO 27001:2013 certifications.

    “Client Success Team” means the Nasdaq contact for support of a Service provided to Customer in connection with a Service from time to time.

    “Customer Data” means data uploaded by or on behalf of Customer or any of its authorised users into the Services and Personal Data (as defined in the Data Processing Addendum).

    “Critical or Important Function” has the meaning given in DORA.

    “Data Processing Addendum” means the addendum to the Agreement concerning processing of Personal Data, as may be amended by the parties from time to time.

    “DORA” means Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.

    “Financial Entity” means an entity captured by Art. 2(2) DORA and which is not excluded from the scope of DORA by Art. 2(3) or 2(4) DORA, for so long as such entity remains subject to DORA.

    “ICT Service” has the meaning given in DORA.

    “Personal Data” shall have the meaning set out in the Data Processing Addendum.

    “Regulator” means a government, regulatory body, or competent authority with binding authority to regulate Customer’s activities as a Financial Entity, or resolution authority with respect to the Customer.

    “Recovery and Resolution Regulation” means Directive (EU) 2014/59/EU of 15 May 2014, including Articles 68 and 71 therein.

    “Services” means the services listed in the order form or other ordering document subject to the Agreement.

    “Service Level Addendum” means the addendum comprising a part of the Agreement that sets out the relevant service levels for a Service, as may be amended by the parties from time to time.

    “Software Product” means the applicable Nasdaq software product(s), as further specified in the applicable Agreement.

    “Subcontracting RTS” means the regulatory technical standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) DORA.

    “Subcontractor” shall be understood to capture subcontractors for the purpose of DORA and its associated technical standards. Related terms such as “Subcontracted” and “Subcontracting” shall be construed accordingly where used in this Addendum.

    “Third Party Tester” shall mean a third party tester conducting a TLPT as further set out herein.  

    “Threat-led Penetration Test” or “TLPT” means a controlled, bespoke, intelligence-led (red team) test that uses a test script designed to mimic the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat to the Service.

    “TLPT Authority” means the Regulator responsible for TLPT in a specific EU Member State as set out in DORA. 

    Capitalized terms used in this Addendum but not otherwise defined have the meanings ascribed to them elsewhere in the Agreement.

    References in the clause and section headings of this Addendum to articles of DORA are for convenience only and shall have no impact on interpretation of the relevant clause or section of this Addendum.

    Where this Addendum refers to Nasdaq “notifying” the Customer (or similar) of certain matters, Nasdaq may discharge such obligation by addressing the notification to any member of Customer’s group to which Nasdaq normally addresses communications relevant to the Services.

    C.               Terms for all ICT services, Art. 30(2) DORA (Key Contractual Provisions)

    1.               Description of all functions and ICT services – Art 30.2.(a). All functions and services are described and set forth in the applicable Agreement, Service Level Addendum and other relevant schedules to the Agreement.

    2.               Service Location – Art 30.2.(b).  The locations where the services are to be provided are set forth in the applicable Agreement.  The locations where Customer Data is to be processed, including the storage locations, are set forth in the applicable Data Processing Addendum and/or any other applicable addendum (including, where relevant, with respect to data processed or stored by Subcontractors).  Nasdaq shall notify the Customer in advance if it envisages changing such locations.

    3.               Availability, Authenticity, Integrity, and Confidentiality of Customer Data – Art 30.2.(c). Nasdaq shall, in relation to Customer Data, implement a written information security program which conforms with internationally recognised information security standards and that addresses authenticity and integrity of such Customer Data. In addition, each party shall comply with its obligations related to confidentiality and data protection as provided for in the confidentiality provision of the Agreement and, if applicable, the Data Processing Addendum. The applicable Service Level Addendum also addresses availability of the Service.

    4.               Access, recovery and return in an easily accessible format of Customer Data – Art 30.2.(d). In the event of a Nasdaq insolvency, resolution in bankruptcy, or discontinuation of Nasdaq’s business (other than as a result of a divestiture to a third party) that results or is reasonably likely to result in termination of the Service pursuant to the Agreement, or any termination of the Agreement with respect to a Service, unless prohibited by applicable law or regulation, Nasdaq will make Customer Data processed by and within Nasdaq’s control available in a reasonable manner upon written request by the Customer, provided that, in respect of any Personal Data forming part of such Customer Data, this shall be without prejudice to the provisions of the Data Processing Addendum relating to the return or deletion of Personal Data.

    5.               Service Level Agreement – Art 30.2.(e). The service levels applicable to the Service (the “Service Levels”) are set out in the applicable Service Level Addendum. Updates and revisions to the Service Levels shall be reflected in updates to the Service Level Addendum (in accordance with the terms thereof).

    6.               Assistance in the Event of ICT incident – Art 30.2.(f). Nasdaq shall provide assistance to the Customer when an incident that is related to the Service occurs in accordance with the Agreement.

    7.               Cooperation – Art 30.2 (g). Taking into account the nature of the Service and the information available to Nasdaq, Nasdaq shall provide assistance as required to be provided by a service provider to a Financial Entity under DORA and fully cooperate with Customer Regulators (or persons appointed by any Customer Regulator).

    8.               Termination Rights – Art 30.2 (h) and Art 28.(7).

    a.       Specified Events Giving Rise to Customer Termination Right. In the following circumstances, Customer may terminate the Agreement with respect to the Service by providing reasonable, advance written notice to Nasdaq:

                                                   i.       where Nasdaq is in material breach of any law or regulation applicable to Nasdaq or of its contractual obligations under the Agreement and where Nasdaq fails to correct any such violation within thirty (30) days of Nasdaq’s receipt of notice from Customer specifying such violation in sufficient detail for Nasdaq to understand the Customer’s concern and demanding correction;

                                                  ii.       where the Customer provides Nasdaq with written notification of circumstances identified through the Customer’s monitoring of ICT third-party risk that are deemed capable of altering the performance of the Service, including material changes that affect the arrangement or the situation of Nasdaq, and where Nasdaq fails to take reasonable steps to remediate such circumstances within thirty (30) days of Nasdaq’s receipt of written notice from Customer specifying such circumstances in sufficient detail for Nasdaq to understand the Customer’s concerns and demanding correction;

                                                 iii.       where Customer provides Nasdaq with evidence in writing of weaknesses pertaining to Nasdaq’s overall ICT risk management and in particular in the way Nasdaq ensures the availability, authenticity, integrity and confidentiality of Customer Data and Nasdaq fails to take reasonable steps to remediate such weaknesses within thirty (30) days of Nasdaq’s written receipt of notice from Customer specifying such evidenced weaknesses in sufficient detail for Nasdaq to understand the Customer’s concerns and demanding correction; or

                                                 iv.       where a Customer Regulator can no longer effectively supervise Customer as a result of the conditions of, or circumstances related to, the contractual arrangements between Nasdaq and Customer concerning the Service and such Customer Regulator instructs Customer to terminate the Agreement with respect to such Service. When exercising termination rights under this clause 8(a)(iv) Customer must provide Nasdaq with reasonable evidence of such Customer Regulator instruction.

    9.               Training – Art 30.2 (i). Customer agrees that it shall, acting reasonably and in good faith, consider whether Nasdaq may by way of alternative to participating in the Customer’s training programmes at the Customer’s request  and subject to mutually agreed terms instead provide Customer with details regarding Nasdaq’s own security awareness programmes and digital operational resilience training to provide reasonable comfort to Customer that such programmes and training are appropriate for the purpose of Art. 13(6) of DORA. Where additional training is required Customer may subject to mutually agreed terms request Nasdaq to participate in Customer’s security awareness programmes or digital operational resilience training where appropriate.

    D.              Additional Terms on ICT Services supporting Critical or Important Functions, Art. 30(3) DORA.

    This Section D (Additional Terms on ICT services supporting Critical or Important Functions) shall apply only with respect to any Service that supports a Critical or Important Function of Customer. If Customer believes that a Service supports a Critical or Important Function of Customer, it shall notify Nasdaq in writing, and this Section D shall apply to such Services from the time of receipt of such notification by Nasdaq, unless Nasdaq disputes any classification in such notice, in which case the matter shall be resolved in accordance with the dispute resolution procedure set forth in the Agreement. Nasdaq will assume that Services are not, or are not supporting, Critical or Important Functions of Customer unless Customer provides such notice to Nasdaq.

    1.               Subcontracting with respect to ICT Services supporting Critical or Important Functions – Art. 30.2 (a) and Subcontracting RTS.

    a.      Use of Subcontractors. With respect to its Subcontractors, Nasdaq shall:

                                                            i.         undertake due diligence on Subcontractors in accordance with Nasdaq’s established vendor due diligence processes as in effect from time to time;

                                                           ii.         on the Customer’s reasonable written request, provide the Customer with such information regarding Subcontractors and any relevant Subcontracting chain, Nasdaq’s contractual arrangements with Subcontractors and on relevant performance indicators as the Customer may reasonably require for the purposes of the Customer’s compliance with DORA, in each case to the extent permitted considering any obligations of confidentiality to which Nasdaq is subject;

                                                          iii.         monitor the relevant Subcontracted ICT Service and Subcontractors, to ensure Nasdaq in turn meets its obligations to Customer under the Agreement;

                                                          iv.         ensure the continuity of the Service(s) where there is any failure of any Subcontractor (or further subcontractor in the Subcontracting chain) to fulfil its contractual obligations; and

                                                           v.         assess all risks, including ICT risks, regarding the location of the Subcontractor, the Subcontractor’s parent company and the location(s) where the Subcontracted services are provided from.

    b.      Contractual arrangements with Subcontractors. Nasdaq shall use commercially reasonable efforts to include in written contractual agreements between Nasdaq and any Subcontractor terms:

                                                            i.         to specify the monitoring and reporting obligations of the Subcontractor towards Nasdaq and, if deemed appropriate by Nasdaq, the Customer;

                                                           ii.         specifying appropriate service levels, incident response and business continuity plans (including service levels with respect to such plans), and ICT and data security standards similar to those provided for under this Addendum,

                                                          iii.         requiring that the Subcontractor grants to Customer and Customer’s Regulators equivalent audit, information and access rights as granted by Nasdaq to Customer pursuant to clause 6 of Section D (Right of Access and Audit), including the stipulations thereto, and requiring that the Subcontractor shall cooperate with Customer Regulator as necessary; and

                                                          iv.         which are facilitative of Customer’s monitoring of the Subcontractor including, where deemed appropriate by Nasdaq, by way of provision of information by Nasdaq to Customer regarding Subcontractors.

    c.      Notice and Customer’s Right to Object to New Subcontractors. Nasdaq shall notify Customer of its intention to engage any new Subcontractor or of material changes to Subcontracting arrangements in accordance with the notice procedures set forth in the Agreement or as otherwise provided in this Addendum (including, where relevant, by means of an Automated Notification Mechanism, as defined below). Customer, acting reasonably, will have ninety (90) days from the date of such notification to:

                                                            i.         approve or not object to the engagement of such new Subcontractor or material change; or

                                                           ii.         by providing written notice to Nasdaq, object to the engagement of such new Subcontractor or material change. The Customer shall ensure that such written notice includes information regarding the results of the Customer’s assessment of the risks that the Customer is or may be exposed to as a result of the proposed new Subcontractor or material change and reasonable requests for modifications.

    If Customer objects to the engagement of a new Subcontractor or the introduction of material changes (e.g., because Customer believes reasonably and in good faith that Nasdaq’s Subcontracting would lead to a material increase in risk for Customer) and requests modifications, and Nasdaq fails to implement such modifications or provide Customer with information regarding an acceptable alternative within ninety (90) days of Nasdaq’s receipt of Customer’s notice of objection, Customer may terminate the Service with respect to which the new Subcontractor is engaged or the material changes relate by providing reasonable, advance written notice to Nasdaq. If Customer fails to notify Nasdaq of its objection within the time period set forth in this clause 1(c) Customer shall be deemed to have approved the use of the new Subcontractor or material changes.

    d.      Automated Notification Mechanism. For purposes of providing notice in accordance with clause 1(c) of this Section D and without prejudice to Customer’s right to object to new Material Contractors in accordance with clause 1(c), Nasdaq may implement mechanisms by which Customer can receive automated notifications of new Subcontractor engagements (each, an “Automated Notification Mechanism”) at no additional cost to Customer. If Nasdaq implements an Automated Notification Mechanism, Nasdaq shall notify Customer and provide detailed instructions on the use of such Automated Notification Mechanism. Customer agrees to register for and use any Automated Notification Mechanism promptly if it is made available by Nasdaq.

    2.               Service Level Agreement – Art 30.3 (a). The full Service Levels applicable to the Service include qualitative and quantitative performance targets within the agreed Service Levels, as set out in the Service Level Addendum along with updates and revisions thereof. Customer has the right to monitor the performance of the Service in the ordinary course of Customer’s use pursuant to the terms and conditions of the Agreement. In addition, the Client Success Team may provide additional support in respect of Service Level monitoring, information, and reports on Service performance, as well as regarding updates, impacts, and changes to the Service.

    3.               Nasdaq Reporting Obligations – Art 30.3 (b). Nasdaq shall notify Customer within a reasonable timeframe of any development of which Nasdaq becomes aware as having a material adverse impact on Nasdaq’s ability to effectively carry out the Service in line with the Service Levels.

    4.               Business Contingency Plan – Art 30.3 (c). Nasdaq shall maintain business continuity and disaster recovery plans intended to restore normal operations and the proper provision of the Service in the event of an emergency, subject to applicable law or regulation. The controls supporting such plans are validated through testing or audits, which are initiated for the Service at least annually and may be performed by Nasdaq’s internal audit team or qualified, independent, third-party auditors appointed by Nasdaq. Nasdaq shall also maintain (and ensure that any Subcontractors it uses to provide the Service maintain) ICT security measures, tools and policies that Nasdaq, acting reasonably, considers provide an appropriate level of security.

    5.               Threat-led penetration testing (TLPT) – Art 30.3 (d).

    General – Upon request and subject to the terms herein, Customer may, no more than once every three years, request that Nasdaq assist Customer in its TLPT of the Software Product provided that: (a) Client is explicitly identified by the RTS guidelines to be in scope of TLPT, or (b) Customer has requested a decision from the relevant TLPT Authority in respect of the applicability of a TLPT for the Software Product and such TLPT Authority has not released Customer from its obligations under DORA to conduct a TLPT of the Software Product and such is evidenced by formal documentation to the extent possible and available; and (i) the Software Product is within a defined TLPT scope and scenario; (ii) Nasdaq’s assistance is required for purposes of Customer’s compliance with its obligations under DORA; and (iii) Nasdaq receives at least three months’ notice ahead of the anticipated start of the TLPT. Customer is solely responsible for any regulatory compliance in respect of the TLPT.

    Scenarios and Scope – In the event Nasdaq receives a valid request of a TLPT as set out in the section above, the parties shall as soon as possible engage in good faith discussions to agree (a) the TLPT scope, timing, safeguards, methodology and applicable scenario, specifically in light of the terms herein, (b) the scope of Nasdaq’s assistance and (c) the costs associated with the TLPT. Such terms shall be regulated in the separate statement of work, subject to the terms of the Agreement.

    Stipulations – Any TLPT is subject to the following stipulations;

    a)      The TLPT scenarios shall be partial or final flag only;

    b)      The TLPT is limited to Software Product as deployed on premise under the Agreement. Customer may not conduct any TLPT testing on shared environments, help desks or similar;   and

    c)      The TLPT shall occur; (a) during normal business hours; (b) in a manner that minimises disruption to Nasdaq’s business; (c) at all times under supervision by Nasdaq personnel; and (d) in accordance with reasonable instructions of Nasdaq and any applicable Nasdaq policies, as communicated by Nasdaq from time to time, whether in writing or otherwise.

    Alternative Options –  In the event Nasdaq identifies that the TLPT may cause a security threat or otherwise jeopardize the integrity or stability of Nasdaq’s business or customers, Nasdaq may require that the TLPT is conducted as a tabletop exercise. If the TLPT is reasonably expected to have an adverse impact on the quality or security of the Software Product or on the confidentiality of data related to the Software Product, Nasdaq may require that Customer relies on a pooled TLPT.

    Third Party Tester – To the extent required by DORA and subject to approval by the relevant hosting provider, the TLPT may be conducted by a Third Party Tester jointly agreed and appointed by the parties and provided that such Third Party Tester: (a) is suitable and of good reputation in the industry; (b) possesses technical and organizational capabilities and demonstrates specific expertise in threat intelligence, penetration testing, and red team testing; (c) employs personnel with relevant industry certifications or who are subject to professional codes of conduct or ethical frameworks; (d) carries professional liability insurance with insurance carrier(s) with sound financial ratings; and (e) is subject to confidentiality undertaking similar to the terms of the Agreement.

    Results and Report –  Prior to sharing any TLPT results, remediation plans, findings and report as such pertains to the Service (collectively “Report”) with any third party, Customer shall (i) provide Nasdaq the Report for review and commentary, (ii) consider Nasdaq’s comments in good faith and take all reasonable efforts to ensure such are reflected in the final Report or any summary thereof and (iii) allow Nasdaq adequate time to remedy any security findings required per the remediation plan. Customer shall keep Nasdaq informed of any developments, information or similar from the Regulator in respect of the Report or summary thereof to the extent such concerns the Service.

    Confidentiality –   Any information, detail or aspect concerning the Software Product, including infrastructure and technology, as presented, detailed or set out in the Report or a summary thereof remains Nasdaq’s Confidential Information. Customer shall take all actions available to it under law to ensure such information remains confidential when shared with any Regulator.

    Costs and Indemnity –  Customer shall, in addition to the costs agreed in the relevant statement of work, be responsible for any additional costs, including costs related to the Third Party Tester, that Nasdaq may incur as a result of the TLPT. Furthermore, Customer shall defend, indemnify, and hold Nasdaq, its Affiliates and their respective employees, officers, directors, other agents and any cloud provider or data center provider (“Nasdaq Indemnities”) harmless from and against any claim, liability, damages and costs (including reasonable attorney’s fees) arising from the TLPT. This indemnity shall not be subject to any limitation of liability that may be set out in the Agreement.

    6.               Right of Access and Audit – Art 30.3 (e).

    a.               Customer Audit. Nasdaq uses independent external auditors to audit and test the Software Product, which result in the production by those auditors of certifications and audit reports, including the Certifications and Reports (collectively, such externally-prepared certifications and reports, and any summaries of them produced by Nasdaq, being the “External Reports”). Upon Customer’s written request by email to the Client Success Team, Nasdaq will provide Customer or its auditors with copies of the latest External Reports (with redactions if and to the extent required in order to comply with applicable law or regulation or duties of confidentiality owed to third parties).

    b.               If further information beyond External Reports is required by Customer to comply with its audit obligations under the rules of a Regulator, Customer will inform Nasdaq in writing and Nasdaq will provide to Customer such information as may reasonably be required as promptly as practicable.

    c.                If the parties agree, that in addition to the External Reports and any additional information provided by Nasdaq pursuant to paragraph b above: (i) full access to Nasdaq’s relevant business premises, including the right to take copies of documentation on-site identified by Nasdaq that it considers contains information that is critical to the operations of Customer; and/or (ii) unrestricted rights of inspection and auditing related to the Service used by Customer (the foregoing clauses (i) and (ii) are together, the “Right of Access and Audit”) is necessary in order to comply with the rules of the Regulator, then Nasdaq shall, subject to the remaining provisions of this Clause 6 of Section D (Additional Terms on ICT services supporting Critical or Important Functions), grant to the Customer’s appointed third party such Right of Access and Audit, provided that it applies only to Nasdaq and its Subcontractors.

    d.               Regulatory Audit. Nasdaq:

                                                            i.         will, and will use commercially reasonable efforts to procure that its Subcontractors will, permit the Customer’s Regulator and such Regulator’s appointed representatives with the Right of Access and Audit, subject in all cases to the remaining provisions of this Clause 6 of Section D (Additional Terms on ICT services supporting Critical or Important Functions);  and

                                                           ii.         acknowledges that nothing in this Addendum will limit or restrict a relevant Regulator’s information gathering and investigatory powers under DORA.

    e.               Audit Conditions. Customer, or its Regulator (in either case, a “Requester”) will exercise the Right of Access and Audit, and Nasdaq will fully cooperate with such Requester, subject to the following conditions (which will apply unless, in the case of an exercise of the Right of Access and Audit by a Regulator, the relevant condition(s) is incompatible with the rights and duties of such Regulator in relation to such Right of Access and Audit):

                                                       i.                  the Requester will not exercise the Right of Access and Audit more than once in any 12 month period during the term of the Agreement, unless required to do so by applicable law or as a result of an emergency or crisis situation;

                                                      ii.                  the Requester will exercise the Right of Access and Audit in a proportionate manner, taking into account the complexity of the Service, the risks arising from the Service, the criticality or importance of the Service, the potential impact of the Service on the continuance of Customer’s activities, and the impact of the Right of Access and Audit on Nasdaq;

                                                     iii.                  the Requester will (a) exercise the Right of Access and Audit and determine  the frequency and areas to be audited using a reasonable, risk-based approach and adhere to relevant, commonly-accepted, national and international audit standards; and (b) provide details of the nature and scope of the Right of Access and Audit to Nasdaq at least ninety (90) days in advance of exercising the Right of Access and Audit, unless doing so would seriously impair or undermine the purpose of the Right of Access and Audit;

                                                     iv.                  the Requester will exercise the Right of Access and Audit: (a) during normal business hours; (b) in a manner that minimises disruption to Nasdaq’s business; (c) at all times under supervision by Nasdaq personnel; and (d) in accordance with reasonable instructions of Nasdaq and any applicable Nasdaq policies, as communicated by Nasdaq from time to time, whether in writing or otherwise;

                                                      v.                  during an on-site visit at Nasdaq’s relevant business premises, Nasdaq may identify documentation that it considers contains information that is critical to the operations of Customer  and provided the Requester treats such documentation confidentially, the Requester may take copies of that documentation for the purposes of finalising its audit;

                                                     vi.                  the relevant Regulator may, and Customer shall, appoint a third party to exercise the Right of Access and Audit, provided, in each case that (a) the third party is not a competitor of Nasdaq (as determined by Nasdaq, acting reasonably) and (b) such third party has appropriate and relevant skills and knowledge to perform the relevant audits and assessments of the Service effectively and competently;

                                                    vii.                  the Requester will, before a planned onsite visit, provide notice to Nasdaq in a reasonable time period (taking into account the nature and scope of the requested exercise of its Right of Access and Audit), which shall not be shorter than ninety (90) days, of the onsite visit to a relevant business premise, unless an early prior notification has not been possible due to an emergency or crisis situation or would seriously impair or undermine the purpose of the Right of Access and Audit,

    and provided in all cases that, if any exercise of the Right of Access and Audit could or may be likely to, in each case, in Nasdaq’s opinion, create a material risk for Nasdaq, or any of its customers or affiliates (including due to its impact on service levels, availability of data, or confidentiality), then in lieu of the exercise of the Right of Access and Audit, the Requester and Nasdaq will agree on an alternative way to address the request that provides the Requester a similar level of assurance to the exercise of the Right of Access and Audit, but which ensures such risks are avoided or mitigated.

    f.                Confidentiality. All information disclosed, whether orally, in writing, or otherwise, under this Clause 6 of Section D, including any audit results, is Nasdaq Confidential Information. Customer shall ensure that any Customer representative, third-party auditor, or Regulator entering any designated facility or reviewing any information in connection with the Right of Access and Audit are bound by confidentiality obligations and use restrictions with Customer that are materially similar to those contained in the Agreement. If requested by Nasdaq, Customer shall facilitate a Customer representative, third-party auditor and/or Regulator entering into a confidentiality agreement directly with Nasdaq.

    7.               Exit strategies – Art 30.3 (f) and Recital 76.

    a.               Transition Period. If Customer terminates the Service for any reason, or if the Service expires for any reason, except if Nasdaq terminates the Service as a result of an uncured material breach of the Agreement by Customer, then Customer may elect to extend the term of the Service on a month-to-month basis for up to twelve (12) months, or longer if expressly required by a Regulator in writing, by providing notice of such election to Nasdaq. During such period, Nasdaq shall continue to provide, and Customer shall continue to receive and pay for, the Service pursuant to the terms and conditions of the Agreement (with Customer’s payments to reflect any increases in fees payable to Nasdaq otherwise provided for in the Agreement which would have applied during this period, notwithstanding any termination). In addition, during such period: (i) Customer will be able to retrieve Customer Data within Nasdaq’s control from the Service; or (ii) such Customer Data will otherwise be made available by Nasdaq in a reasonable manner, provided that, in respect of any Personal Data forming part of such Customer Data, this shall, in each case, be without prejudice to the provisions of the Data Processing Addendum relating to the return or deletion of Personal Data. Any retrieval work will be mutually agreed and subject to a separate service order or statement of work between the parties.

    b.               Migration. During the Transition Period set forth in clause 7(a) of this Section D above, Nasdaq will cooperate with the Customer in good faith in order to allow Customer to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.

    c.               Resolution. The parties acknowledge that a Regulator or other resolution authority may, where relevant, exercise powers in connection with the Recovery and Resolution Regulation, to intervene in the business of a party and to introduce measures to enable the continuity of critical functions of the Customer (including to implement crisis prevention or crisis management measures).

    E.               Costs, Fees on Termination

    In the event Customer requests assistance in connection with exercising any of its rights set out below from Nasdaq in addition to any assistance included in the general provision of the Service, Nasdaq shall be entitled to reimbursement for the reasonable costs and fees, including third party costs, incurred as a result of such assistance. This clause applies to:

    a)      Data Recovery;

    b)     ICT Incident;

    c)      Training;

    d)     Right to Access and Audit; and

    e)      Exit Strategies.

    Nothing above shall limit Customer’s responsibility for costs in respect of TLPT as set out in Section D, Clause 5.

    Fees on Termination

    Except in circumstances where Customer terminates under clause 8(a)(i) (Material breach of Laws and Regulations) of Section D, all fees with respect to the then current term under the Agreement (including as they relate to periods following the date of termination) shall be immediately due and payable by Customer to Nasdaq on termination.

    F.               Additional outsourcing provisions

    This Section F (Additional outsourcing provisions) shall apply only with respect to any Service identified by Customer and notified to Nasdaq in writing as an outsourcing of critical or important functions, and shall apply from the time of receipt of such notification by Nasdaq.

    1.               Outsourcing notification requirements: Nasdaq shall notify Customer within a reasonable timeframe of any development in relation to such Service of which Nasdaq becomes aware as having a material adverse impact on Nasdaq’s ability to effectively carry out the Service in compliance with this Addendum or any provision of the Agreement requiring Nasdaq to comply with applicable laws and regulations.

    2.               Insurance. Nasdaq shall maintain such insurance coverage as it considers appropriate from time to time.

    G.              Miscellaneous.

    1.               Governing law and Dispute Resolution. This Addendum is governed by the laws that govern the Agreement, and any dispute between the parties will be handled as set forth in the Agreement.

    2.               Conflicts. For purposes of this Addendum, the rights and obligations of the parties in this Addendum are in addition to, and not in replacement of, the rights and obligations of the parties in the Agreement. In the event of a conflict between this Addendum and other provisions of the Agreement, this Addendum will prevail with respect to the Service that constitutes ICT Services under DORA except that the Data Processing Addendum will control with respect to Personal Data as specified therein. Except as amended and supplemented by this Addendum, the Agreement will remain in full force and effect. 

    3.               Counterparts. This Addendum may be executed in counterparts, each of which will be deemed an original and which taken together will be deemed to constitute one and the same agreement.  The parties may sign and deliver this Addendum by facsimile or electronic transmission.

    4.               Updates to DORA. Where a provision of DORA or delegated legislation made pursuant to DORA is superseded, invalidated or replaced by law or regulation, the Parties shall negotiate with each other in good faith with a view to replacing any affected provision of this Addendum.