
DORA Addendum

Last updated: 15 September 2025

This Addendum is entered into with the understanding that it complies with the requirements of the EU's Digital Operational Resilience Act ("DORA"), including, but not limited to, Article 30's key contractual provisions. The Parties acknowledge that this Agreement includes provisions related to specific DORA requirements, e.g., service level descriptions, data protection, incident response, and termination rights, to support compliance with DORA.

The Humaans Terms of Service (the "Agreement") are incorporated herein by reference, and shall remain in full force and effect to the extent they are consistent with DORA. The terms of this Addendum shall otherwise supersede any potential inconsistent terms under the Agreement.

Any capitalized terms used but not defined herein have the same meaning as the same or substantially equivalent term in the Agreement or DORA Article 2.

Recitals

1. This Addendum applies only when the Customer is subject to DORA and has subscribed to the Agreement for the receipt of certain services from Humaans as described in the Agreement ("Services").

2. When DORA applies to the Customer, Humaans is an Information and Communication Technology ("ICT") Third Party Service Provider providing ICT Services.

3. Humaans’s Services support Customers’ internal HR functions and therefore Humaans does not consider itself to be a Critical ICT Third-Party Service Provider and does not support a Critical or Important Function under DORA.

4. This Addendum, in addition to the Agreement, supports Humaans and Customer in complying with the key contractual provisions of Article 30(2) of DORA.

Definitions

Critical ICT Third-Party Service Provider means an ICT third-party service provider designated as critical in accordance with Article 31 of DORA.

Critical or Important Function means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under the applicable financial services law.

ICT Services are the digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.

Addendum

1. Description of Services. Humaans is a cloud-based human resources information system (HRIS) that bundles HR features, such as storing and managing employee records and documents, and facilitation of HR processes such as time tracking, performance reviews and more into one system. Humaans does not provide a Critical or Important Function as defined by DORA. Humaans is permitted to subcontract Services.

2. Location of ICT Services. Humaans provides ICT Services in London, United Kingdom. The Customer data is stored in GCP Belgium and other EU data center locations. Humaans will provide the Customer notice, through its published subprocessor list in the Data Processing Addendum, regarding the locations where the contracted or subcontracted functions are to be provided and where data is processed and stored.

3. Data Protection. Humaans shall maintain commercially reasonable administrative, physical, and technical safeguards for protection of the Service, and the security of Customer Data, including availability, authenticity, integrity and confidentiality of Customer Data.

4. Access, Recovery, and Return of Customer Data. The Agreement provides that the Customer will continue to have the ability to download the Customer Data uploaded to the customer’s databases in the Humaans service for a period of up to 40 days after expiration or termination of the service (except where the service is terminated by Humaans for the customer’s nonpayment or violation of Sections 4.1 or 13 of the Agreement). The Customer will still have the ability to recover its data in the event of the insolvency, resolution, or discontinuation of the business operations of Humaans, or in the event of any termination of the contract. Where termination is as a result of the customer’s breach of its obligations, recovery of their data may be made conditional upon the rectification of such breach (i.e., in case of nonpayment, upon payment of the fees due).

5. Service Levels. Humaans shall use commercially reasonable efforts to make the Service available 24 hours a day, 7 days a week except for: (i) planned downtime; (ii) any unavailability caused by circumstances beyond Humaans’s or its subcontractors’ reasonable control (including force majeure events as defined in the Agreement); or (iii) downtime necessary to update the Service to ensure its security and integrity. This section does not create a contractual service level guarantee beyond the Agreement, but describes the basis on which Humaans supports customers in meeting their obligations under DORA. Outages will be detected, communicated, and resolved, including response and resolution times.

6. Assistance with ICT Security Incidents. Humaans will notify the Customer without undue delay upon becoming aware of an ICT-related incident affecting the Humaans Service. Humaans will promptly investigate the incident, take appropriate remedial measures, and provide the Customer with information reasonably required to enable the Customer to meet its own legal and regulatory obligations, including any reporting obligations under DORA or applicable data protection laws. Such assistance will be provided at no additional charge to the extent it forms part of Humaans’s standard incident response processes. Where the Customer requests additional, bespoke support beyond such standard processes, the scope and cost of that support will be agreed in advance in writing.

7. Cooperation with Authorities. Humaans will cooperate with the competent authorities to the extent legally required and reasonably practicable. Humaans will also cooperate with the resolution authorities of the customer, including persons appointed by them.

8. Termination Rights. The Customer is entitled to terminate the ICT Service in accordance with the Agreement. In addition to those rights, the Customer may also terminate in the event of any of the following circumstances under DORA Article 28(7):
    a) Significant breach by Humaans of applicable laws, regulations or contractual terms;
    b) Circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of Humaans;
    c) In the event of Humaans’s evidenced weakness pertaining to its overall ICT risk management and in particular the way it ensures the availability, authenticity, integrity, and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data; or
    d) Where the competent authority can no longer effectively supervise the Customer that is an EU financial entity as a result of the conditions of, or circumstances related to, the respective contractual agreement.

9. Participation in Security Awareness Training. Humaans requires all employees to complete security awareness training at least annually. Upon reasonable request, Humaans will provide the Customer with a summary of its training program and confirmation of employee participation.

Humaans Inc. © 2025
London

Quality House, 5 - 9 Quality Court,
London, Holborn, WC2A 1HP

New York City

169 Madison Ave STE 11640
New York, NY 10016

San Francisco

2261 Market Street STE 4153
San Francisco, CA, 94114