Read The Future of Wallets Report Now Available Here

Get started
Last Update : DECEMBER 3, 2024

Terms and Conditions

These Terms and Conditions are issued under and forms part of the Dfns Service Agreement or other Dfns agreement which references this policy, and capitalized terms not defined have the meanings set forth in such Dfns agreement.

Dfns.co (the “Site”) is published By by Dfns, a simplified stock company with a share capital of 1,526.35 euros, registered with the Trade and Companies Registry of Paris under number 888 176 575 and whose registered office is located at 142 rue de Rivoli, Paris 75001 (France). The director of publication is Clarisse Hagège, President of the Company.

The site is hosted by Webflow.
Contact: contact@dfns.co

By accessing the Site and by using the information therein, you acknowledge and agree to be bound by and to abide by the following Terms of use Terms and Conditions.

Introduction & Purpose

Dfns, a simplified joint stock company, registered under number 888 176 575 with the Trade and Companies Register of Paris, having its registered office at 142, rue de Rivoli, 75001 Paris, France (“Dfns”, “we”, “us”, “our”) is the publisher and owner of the wallet-as-a-service (WaaS) platform for digital assets (the “Platform”) accessible via app.dfns.io, api.dfns.io, app.dfns.ninja, and/or api.dfns.ninja on which users can access specific services offered by Dfns (the “Specific Services”).

We drafted these terms and conditions so that you are aware of the rules and operation of the platform and services. These terms and conditions constitute a legally binding agreement between you, acting on behalf of a company or other entity as its representative (the ”User”, “you”, or “your”) and Dfns in connection with your use of the Platform and services offered by Dfns. 

Please read them carefully.

Definitions

Capitalized terms used herein and not otherwise defined shall have the meaning set forth in Appendix 1, whether used in the singular or plural.

Services

Dfns will provide the Services specified in this Agreement to you with all professional care and diligence and in accordance with Dfns’ Service Level Agreement available here: https://www.dfns.co/sla.

Access to the services

  1. Creation of an account

To access and use the Platform, you have to create a User account.  You must take all necessary precautions to ensure the confidentiality, security and correct use of your login and authentication credentials, to prevent them from being disclosed or used by unauthorized third parties. Any connection to your account and / or transmission of data made through your account will be deemed to have been made by you and under your sole responsibility.

  1. Free Trial

After creating your User account, you can start using the Services. The User benefits from a Free Trial for a thirty (30) day period from the creation of the User account. During this Free Trial, you have no Fee to pay to Dfns. 

  1. Choice of the Subscription option

At the end of this Free Trial, Dfns offered you the choice between four categories of Subscriptions which are described on its pricing page (available here: https://www.dfns.co/pricing). Please read the applicable conditions to these options of Subscription carefully to make the proper choice depending on your needs.For the first two options of Subscription, you are free to subscribe and pay in accordance with this Agreement. If you decide to opt for one of the two upgraded options of Subscriptions you will have to contact Dfns’ sales team. In any case, at the end of your Free Trial, you may choose to directly contact Dfns’ sales team.      

Obligations of the Parties

  1. Obligations of Dfns

Dfns undertakes that (i) the Services provided will comply with Applicable Law, (ii) the Services will meet the services levels detailed in this Agreement, and (iii) in the event of errors or omissions affecting the Services exclusively attributable to Dfns, Dfns will correct the error or omission without undue delay. Dfns undertakes to employ a sufficient number of qualified personnel for the proper performance of the Services.

  1. Obligations of the User

The User undertakes (i) to use the Services exclusively in accordance with the terms and limits agreed to in the Agreement, (ii) not to share personal User’s login and authentication credentials      with any third party, (iii) to secure its login and authentication credentials, as well as all API keys, and (iv) to comply with Applicable Laws. The Parties agree that in the event of: 

  • any unauthorized or fraudulent use of the Services not caused by the User, Dfns may suspend the Services;
  • any fraudulent use of the Services by the User,  Dfns may at its own discretion, suspend the Services or terminate the Agreement. The User warrants that it has full capacity and authority to enter into this Agreement in the name and on behalf of its company or organization benefiting from the Services.
  1. Obligations of the Parties

The Parties undertake to cooperate and in particular to communicate to the other any information, document or difficulty of which it becomes aware that may affect the proper performance of the Agreement. Each Party warrants to the other that it has the necessary consents, permits and authorizations for the proper performance of its obligations under the Agreement.

Restriction of use

  1. To the extent permitted by Applicable Law, the User shall not and shall not permit Authorized End-Users to:
  • make the Services available to third party, or use the Services for the benefit of any person other than the User or authorized End-Users;
  • sell, resell, license, sub-license, distribute, make available, rent or lease the Services; 
  • use the Services to store or transmit infringing, defamatory or otherwise illegal content, or to store or transmit content that violates the privacy rights of third parties;
  • use the Services to store or transmit malicious code (including viruses, worms, spyware, Trojan horses, etc.); 
  • use the Services to store or transmit viruses, worms, Trojan horses, etc., or any other malicious code;
  • attempt to obtain unauthorized access to the Services or associated systems or networks;
  • allow any direct or indirect access to or use of the Services in a manner that circumvents contractual usage limitations, or use any of the Services to access or use any subject matter of Intellectual Property Rights owned by Dfns, except as permitted by this Agreement;
  • copy the Services or any part, feature, function or user interface of the Services;
  • access the Services to design a competing product or service or to conduct a comparative study with a product or service not provided by Dfns; or 
  • reverse engineer the Services. 
  1. The intentional breach of this Section by the User or any Authorized End-User, or more generally, the use of the Services in a manner that does not comply with this Agreement and that would constitute an imminent threat to the security, integrity or availability of its Services may lead Dfns to immediately suspend the Services. 

Price & payment

  1. Subscription Fee.
    The User shall pay Dfns the Fees indicated on the pricing page (available here: https://www.dfns.co/pricing) depending on the Subscription the User has chosen. Unless otherwise specified in this Agreement, payment obligations are non-cancellable, all sums paid are non-refundable.
  2. Payment.
    After choosing your Subscription option (available on the pricing page: https://www.dfns.co/pricing), you will be able to choose your payment option available on the Platform.
  3. Payment terms.
    The Fees are exclusive of all taxes, duties or other fiscal charges of any kind whatsoever, but not limited to, value-added, sales and license taxes, as well as withholding taxes, which may be claimed by any jurisdiction whatsoever (the “Taxes”). You shall  pay all Taxes associated with orders made under this Agreement. 

Any delay in payment shall automatically and without prior notice give rise to interest immediately payable at three (3) times the legal rate of interest from the date on which such payment was due until the date of actual payment. Dfns reserves the right to charge a fixed indemnity of forty (40) euros and to add any additional sum. 
If the event of late payment of more than thirty (30) days after the beginning of the Subscription period, Dfns reserves the right to immediately suspend the Services. 

Intellectual Property Rights

  1. Dfns’ rights.
    Dfns is the exclusive owner of all rights relating to the Platform and Specific Services, including all Intellectual Property Rights therein, including documents, software, technology, hardware, products, processes, widgets, algorithms, documentation, user interfaces, know-how and other trade secrets, techniques, designs, inventions and other tangible or intangible technical information. The Specific Services and the Platform made available to the User under this Agreement are and shall remain the exclusive property of Dfns or its licensors. No rights other than those expressly granted under this Agreement are granted to the User.
  2. License.
    Dfns grants the User a right of access and use the Platform and the Specific Services made available to you, for the duration of this Agreement and for your internal management needs. This right of access and use is worldwide, personal, non-exclusive, non-transferable and non-sublicensable, except to allow Authorized End-Users to use the Platform and Specific Services, subject to the terms and conditions of this Agreement. 

    The Parties acknowledge and agree that the rights granted by this Agreement are granted on the basis that (i) the User undertakes to communicate and enforce the terms and conditions of the Agreement to Authorized End-Users and that, in any event, (ii) the User is liable for the activities, acts or omissions of all Authorized End-Users and for their compliance with the terms and conditions of the Agreement. 
  1. User Feedback.
    The User grants to Dfns a worldwide, royalty-free license to use and incorporate into its Services any suggestions, enhancement requests, recommendations, corrections or any other feedback provided by the User related to the provision of the Services under this Agreement for the term of the applicable Intellectual Property Rights.
  2. User Data.
    All User Data is the sole property of the User.

Indemnification

Dfns, at its expense, shall defend, indemnify, and hold the User harmless from and against any and all third party claims for damages, judgments, liabilities, fines, penalties, losses, claims, costs, and expenses including, without limitation, reasonable attorneys’ fees, finally awarded by a court of competent jurisdiction, after all rights of appeal are exhausted, against the User which directly relate to a claim, action, lawsuit, or proceeding made or brought against the User by a third party alleging the infringement of such third party’s Intellectual Property Rights by way of the User’s use of the Services provided by Dfns to the User, provided that (i) the User provides Dfns with prompt written notice of such claim; (ii) the User provides reasonable cooperation to Dfns in the defence and settlement of such claim; and (iii) Dfns has sole authority and control to defend or settle such claim. 

This Section shall not apply if the alleged claim arises, in whole or in part, from (a) a use or modification of the Services by the User; (b) a combination, operation or use of the Services with any other software, hardware or technology not provided by Dfns, if the claim would not have arisen but for such combination, operation or use; or, (c) any User Data. 

Should the infringement be declared by a final ruling, Dfns, at its own discretion and expense, will: (i) obtain a right for the User to keep using the Services; or, (ii) modify or replace the Services to make it non-infringing without materially reducing its functionality; or (iii) terminate the Agreement and refund any prepaid Fees for the outstanding period of the term of the Agreement. The provisions of this Section state Dfns’ entire liability and the User’s exclusive remedies for any claim that the Services infringe a third party’s Intellectual Property Rights.

Data Protection

Each of the Parties undertakes to comply with the provisions of Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April (the “GDPR”), as well as all applicable data protection regulation. 

Under this Agreement, the Parties agree that Dfns processes personal data on behalf of the User to provide the Services, and to this respect the Parties have concluded and undertakes to comply with the Data Processing Agreement attached hereto.

Confidentiality

  1. Protection of Confidential Information.
    The Receiving Party will provide the same degree of care as it provides for the confidentiality of its own Confidential Information of the same nature (and at a minimum reasonable care), (i) not to use the Disclosing Party's Confidential Information for any purpose other than those within the scope of this Agreement and (ii) unless authorized in writing by the Disclosing Party, to limit access to the Disclosing Party's Confidential Information to its employees and subcontractors, who need access to the Confidential Information for purposes related to this Agreement and who are bound by confidentiality undertakings with the Receiving Party containing stipulations at least as strict regarding the Confidential Information as those contained in this Agreement.
  2. Mandatory Disclosure.
    The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent that it is compelled to do so by law, provided that it gives the Disclosing Party prior notice of such compelled disclosure (to the extent permitted by law) and provides reasonable assistance, at the Disclosing Party's expense, if the Disclosing Party wishes to contest the compelled disclosure. 
  3. Injunctive relief.
    If the Receiving Party discloses or uses (or threatens to disclose or use) any Confidential Information of the Disclosing Party of this Section, the Disclosing Party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts.

Term and Termination

  1. Term.
    When creating your User account and clicking the corresponding box, you agree to be bound by this Agreement. If you do not agree to the terms of this Agreement or if you are not authorized to act on behalf of your organization, you must not accept this Agreement and you may not use the Services.
  2. Termination for breach.
    A Party may terminate this Agreement (i) in the event of a material breach by the other Party which has not been remedied before the expiry of a thirty (30) day notice period sent by registered letter with acknowledgement of receipt, (ii) to the extent permitted by Applicable Law, immediately and in writing when the other Party is the subject of collective proceedings, whether voluntary or involuntary (receivership, amicable or judicial liquidation, assignment for the benefit of creditors), or initiates or is the subject of any proceedings, legal action or similar event, as a result of a debt, before a court. 
  3. Effect of termination.
    If this Agreement is terminated by the User in accordance with Section Termination for breach, Dfns will refund to the User all Fees paid in advance for the entire period remaining after the effective date of termination of the Agreement. If this Agreement is terminated by Dfns in accordance with the Section Termination for breach, the User shall be liable to pay (and payment shall be forfeited) all Fees remaining due prior to the termination of the Agreement, for the entire period remaining to run. Termination shall in no event release the User from its obligation to pay all Fees due to Dfns for the period prior to the effective date of termination.
  4. Restitution and Deletion of User Data.
    Dfns will make available to the User, free of charge, the User Data for a period of thirty (30) days following termination or expiration of the Agreement. After such a thirty (30) day period, Dfns will delete all User Data in its systems or otherwise in its possession or control.

Following termination or expiration of the Agreement, Dfns will: 

  • for the User Data provided for the creation of the User account, make it available to the User, free of charge for a period of thirty (30) days, then delete it within the delays in accordance with the applicable retention periods under Data Protection Laws; 
  • for the User Data related to the use of the Services by the User (e.g. histories), make it available to the User, free of charge for a period of thirty (30) days, then delete it.

Third Parties

The Platform may contain links to third parties services, these links will be provided solely for information purposes, without Dfns having any control over the content or data of these services.

As Dfns cannot control these external sources, Dfns cannot be liable for the content, advertising, products, services or any other material available on or from these external sources.

Furthermore, Dfns shall not be liable for any damages or losses, actual or alleged, arising out of or in connection with the use of or reliance on the content, goods or services available on such external sources.

In addition, depending on the options of Subscription you choose, you may be able to benefit from services from third parties. The Parties acknowledge that Dfns shall not be liable for any of the services provided by third parties in the context of your use of the Services. 

Miscellaneous

  1. Force majeure.
    Neither of the Parties shall be liable by reason of any failure or delay in the performance of its obligations hereunder (except for the payment of money for the Services rendered) on account of events beyond the reasonable control of such Party, within the meaning of Article 1218 of the Civil Code and defined by French Courts, and which may include, without limitation, denial-of-service attacks, cyberattacks, pandemics, strikes, shortages, riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, governmental action, labour conditions, earthquakes and material shortages (each a “Force Majeure Event”). Upon the occurrence of a Force Majeure Event, the non-performing Party shall be excused from any further performance of its obligations effected by the Force Majeure Event for so long as the event continues, and such Party continues to use commercially reasonable efforts to resume performance. The affected Party shall immediately provide notice to the other Party of the commencement and termination of the force majeure event.
  2. Entire Agreement.
    This Agreement constitutes the entire agreement and understanding of the Parties with respect to the subject matter hereof, and supersede all prior oral or written agreements between the Parties in respect thereof.
  3. Hierarchy.
    In the event of any dispute or inconsistency between the following documents, the descending order of legal precedence shall be as follows: (1) the Specific Terms and Conditions, (2) the body of these General Terms and Conditions, (3) any appendices other than the Specific Terms and Conditions, and (4) any amendment to this Agreement. 
  4. Independence of the Parties.
    Dfns agrees to provide the Services as an independent contractor. Nothing in this Agreement shall be interpreted to establish any employment, partnership or joint venture relationship between Dfns and/or the User or any of its Affiliates.
  5. Waiver.
    No waiver by either Party with respect to any breach or default or of any right or remedy and no course of dealing, shall be deemed to constitute a continuing waiver of any other breach or default or of any other right or remedy, unless such waiver be expressed in writing and signed by the Party to be bound.
  6. Severability. Should any provision of this Agreement be declared void or unenforceable by any competent court or jurisdiction, the remaining provisions shall remain in full force and effect, to be read and construed as if the void or unenforceable provisions were originally deleted.
  7. Assignment.
    Each Party shall not assign this Agreement in whole or in part, without the prior written authorization of the other Party. This Agreement will be binding upon and inure to the benefit of the Parties and their respective successors, trustees, administrators, and permitted assignees.
  8. Survival.
    The Sections “Price & Payment”, “Intellectual Property Rights”, “Indemnification”, “Confidentiality”, “Liability” and “Termination” shall survive the termination or expiration of this Agreement.
  9. Insurance.
    Dfns takes out and maintains, at its own expense, for the duration of the Agreement, an insurance policy covering Dfns activities up to the following amounts: (i) for crime insurance up to 10,000,000 Euros in aggregate and (ii) for professional liability and cybersecurity insurance up to 2,500,000 Euros in aggregate. Dfns undertakes to provide a copy upon your request.

Applicable law and competant jurisdiction

This Agreement, as well as any and all claims arising from this Agreement or any of the proposals, negotiations, communications or understandings regarding this Agreement, shall be governed by and construed in accordance with the laws of France, without regard to any conflict or choice of law principles. The application of the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded. In the event that a dispute arises in connection with this Agreement, and in particular as to the validity, interpretation, performance or termination thereof, the Parties agree to use their best efforts to attempt to resolve it amicably within thirty (30) days from the date of notification of the dispute by one of the Parties, without this affecting the right of the Parties to take any legal action that they deem appropriate, in particular in the event of an emergency. Failing this, the dispute shall be submitted to the exclusive jurisdiction of the Courts of Paris, except in the case of mandatory procedural rules, and notwithstanding multiple defendants or third-party claims, even for emergency, provisional or conservatory proceedings, in summary proceedings or ex parte applications.

Appendices

  • Appendix 1 - Definitions
  • Appendix 2 - Data Processing Agreement
  • Appendix 3 - DORA Appendix

Appendix 1 - Definitions

Affiliates” means any company that controls, is controlled by or is under the common control of a Party, within the meaning of Article L. 233-3 of the French Commercial Code.

Agreement” means these general terms and conditions, and the Appendices attached thereto including any applicable Specific Terms. 

Applicable Laws” means all applicable laws, regulations, regulatory requirements and codes of practice of any relevant jurisdiction, as amended and in force from time to time, including but not limited to AML and KYC.

Authorized End-Users” means the User’s employees, independent contractors or clients who (i) agree to be bound by the terms of this Agreement and (ii) are specifically authorized by the User to access and use the Services, within the limits of the Agreement and the selected Subscription. The number of Authorized End-Users depends on the option of Subscription you select. 

“Confidential Information” means all information disclosed by one party (the “Disclosing Party”) to the other (the “Receiving Party”), whether orally or in writing, that is designated as confidential or should reasonably be regarded as confidential in view of its nature and the circumstances of its disclosure. User's Confidential Information includes User Data; Dfns' Confidential Information includes, but is not limited to, the Services; each Party's Confidential Information includes the terms of this Agreement, as well as technical and technological information, APIs, algorithms, Intellectual Property Rights, business processes disclosed by the disclosing Party. However, Confidential Information does not include information that (i) is generally known to the public or subsequently becomes known to the public without breach of the Disclosing Party's confidentiality obligations, (ii) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of the Disclosing Party's confidentiality obligations, (iii) is received from a third party without breach of the Disclosing Party's confidentiality obligations or (iv) is independently developed by the Receiving Party.

Fee” means the total amount to be paid by the User to Dfns for the Subscription.

Intellectual Property Rights” or “IP Rights” means all vested and future rights of copyright and related rights, design rights, database rights, patents, rights to inventions, trademarks- and get-up (and goodwill attaching to those trademarks- and that get up), domain names, applications for and the right to apply for any of the above, moral rights, goodwill (and the right to sue for passing off and unfair competition), rights in know-how, rights in confidential information, rights in computer software, databases and semiconductor topographies, and any other intellectual or industrial property rights or equivalent forms of protection, whether or not registered or capable of registration, and all renewals and extensions of such rights, whether now known or in future subsisting in any part of the world.

Platform” means the Wallet-as-a-Service (WaaS) platform for digital assets owned by Dfns and accessible via app.dfns.io, api.dfns.io, app.dfns.ninja, and/or api.dfns.ninja.

Parties” means Dfns and the User collectively, and a “Party” means Dfns or the User individually.

Services” means the subscription to the Platform and the provision of the Specific Services where relevant. 

Service Level Agreement” means the agreement related to the service levels applied to the Services, and available here: https://www.dfns.co/sla.

Subscription” means a license to access and use the Services. Under this Agreement, three categories of Subscriptions with different options and accessible Specific Services are offered to the Users: an initial free 30-day trial Subscription, a first Subscription with limited options, and a second Subscription with more options. Find details about these subscriptions on the pricing page of the Dfns website here: https://www.dfns.co/pricing. For other subscription options, please reach out to our sales team.

User Data” means the data provided by the User to Dfns within the Services.

Appendix 2 - Data Processing Agreement

  1. INTERPRETATION 

Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement. In this DPA, unless the context requires otherwise: 

  • Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental  requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or  otherwise updated from time to time. 
  • Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information  Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as  it may be revised according to Section 18 of the Mandatory Clauses. 
  • CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any  amendments and any implementing regulations thereto that become effective on or after the effective date of this  Data Processing Addendum. 
  • Controller” has the meaning given in the GDPR. 
  • Data Processing Services” means the Processing of CCPA Personal Information for any purpose permitted by  the CCPA, such as for a permitted “business purpose,” as such term is defined in the CCPA, or for any other  purpose expressly permitted by the CCPA. 
  • Data Subject” means the individual or household to whom User Personal Data relates. 
  • EU Data Protection Laws” means all applicable legislation protecting the fundamental rights and freedoms of  persons and their right to privacy with regard to the Processing of GDPR Personal Data, including (as applicable): the GDPR; Swiss Data Protection Laws; and the UK Data Protection Act 2018.
  • European Economic Area” or “EEA” means the Member States of the European Union together with the United  Kingdom, Iceland, Norway, and Liechtenstein. 
  • GDPR” means Regulation (EU) 2016/679 (the “EU GDPR“) or, where applicable, the “UK GDPR” as it forms part  of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union  (Withdrawal) Act 2018. 
  • Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum. 
  • Personal Data” means any data or information defined as “personal data” in the GDPR.. 
  • Processing” means any operation or set of operations which is performed on Personal Data or on sets of  Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted  accordingly. 
  • Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or  access to, any User Personal Data. 
  • Services” means the service(s) provided by Dfns to the User under the Agreement, including the Data Processing Services. 
  • Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) of the Standard  Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914. 
  • Subprocessor” means any Processor engaged by Dfns who agrees to receive from Dfns any User Personal  Data. 
  • Supervisory Authority” has the meaning given in the GDPR. 
  • Swiss Data Protection Laws” means the Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss  Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these  laws that may enter into force from time to time. 
  • UK” means the United Kingdom of Great Britain and Northern Ireland. 
  • US Data Protection Laws” means, to the extent applicable, federal and state laws relating to data protection,  the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States. 

Except as otherwise provided in this DPA, this DPA shall apply to all  Processing of User Personal Data by or on behalf of Dfns. 

  1. PERSONAL DATA PROCESSING

Role of the Parties. For the purposes of the Data Protection Laws, the Parties acknowledge and agree that Dfns acts as Processor (as defined in the GDPR) and the User acts as Controller. Dfns and the User shall comply with Applicable Data Protection Laws, including but not limited to EU Data Protection Law (including GDPR), and US Data Protection Laws (including CCPA). 

  1. Instructions for Personal Data Processing 

Dfns will only Process Personal Data in accordance with: a) the Agreement, to the extent necessary to provide the Service to the User, and b) the User’s written instructions, unless Processing is required by Data Protection Laws or Member State law to which Dfns is subject, in which case Dfns shall, to the extent permitted by applicable law, inform the User of that legal requirement before  Processing that Personal Data. 

  1. Processing Personal Data outside the scope of this DPA or the Agreement will require prior written agreement  between the User and Dfns on additional instructions for Processing. 
  2. Required consents and notices 

Where required by Applicable Data Protection Laws, the User will ensure that it has obtained/will obtain all  necessary consents, and has given/will give all necessary notices to Data Subjects, for the Processing of Personal Data by Dfns in accordance with the Agreement. The User acknowledges that Dfns is reliant on the User for direction as to the extent to which Dfns is  entitled to use and process the Personal Data. Consequently, Dfns will not be liable for any claim brought  against the User by a Data Subject arising from any act or omission by Dfns to the extent that such act or  omission resulted from the User’s instructions or the User’s use of the Service. 

  1. STANDARD CONTRACTUAL CLAUSES
    1. Prohibition on Transfers of Personal Data. To the extent that the Processing of Personal Data by Dfns involves the export of such Personal Data to a country or territory outside the EEA, Switzerland or the UK, other  than to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects in  relation to the Processing of personal data as determined by the European Commission or UK Information Commissioner  (as applicable) (an “International Transfer“), such transfer shall, subject to Sections 3.4 and 3.5 of this DPA, be  governed by the Standard Contractual Clauses. In the event of any conflict between any terms in the Standard  Contractual Clauses, this DPA and the Agreement, the Standard Contractual Clauses shall prevail. The  Standard Contractual Clauses apply where there is an International Transfer to a country or territory that does not ensure  an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data as determined by the European Commission, Swiss Federal Data Protection and Information Commissioner  or UK Information Commissioner (as applicable). 
    2. For the purposes of the Standard Contractual Clauses and subject to Sections 3.4 and 3.5 of this DPA: 
      a) Annex I.A (List of parties) shall be deemed to refer to the User and Dfns; 
      b) Annex I.B (Description of Transfer) shall, for the purposes of the Standard Contractual Clauses, be deemed to  incorporate the information in Annex 1 of this DPA; 
      c) Annex I.C (Competent Supervisory Authority) shall be deemed to refer to the French Commission Nationale de l’Informatique et des Libertés) (CNIL);
      d) Annex II (Technical and Organizational Measures) shall be deemed to incorporate the information in Annex II of  this DPA; and 
      e) Annex III (List of Sub-processors) shall be deemed to incorporate the information in Clause 10.1
    3. Subject to Sections 3.4 and 3.5 of this DPA, the Parties acknowledge and agree that:
      a) for the purposes of clause 8.1(a) of the Standard Contractual Clauses, the Agreement and this  DPA shall be the User’s instructions for the processing of Personal Data; 
      b) for the purposes of clause 9 of the Standard Contractual Clauses, the User gives Dfns general authorisation  to engage Subprocessors and the relevant time period in clause 9(a) shall be thirty (30) days; 
      c) for the purposes of clause 12 of the Standard Contractual Clauses, Dfns’s liability for breach of any terms and  conditions under this DPA and the Standard Contractual Clauses shall be subject to the liability limitations agreed in the Agreement; and 
      d) for the purposes of clause 17 of the Standard Contractual Clauses, the Standard Contractual Clauses shall be  governed by the law of the EU Member State in which the data exporter is established. 
    4. Transfers within the scope of UK GDPR. With respect to any transfers of Personal Data falling within the  scope of the UK GDPR from the User (as data exporter) to Dfns (as data importer): 
      a) the Approved Addendum as further specified in this Section 3.4 shall form part of this DPA, and the Standard  Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the  extent necessary according to Clause 12 of the Mandatory Clauses; 
      b) In deviation to Table 1 of the Approved Addendum and in accordance with Clause 17 of the Mandatory Clauses,  the parties are further specified in Annex 1 of this DPA. 
      c) The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are  further specified in Section 3.3 of this DPA as amended by the Mandatory Clauses. 
      d) Annex I A and B of Table 3 to the Approved Addendum are specified by Annex I of this DPA, Annex II of the  Approved Addendum is further specified by Annex II of this DPA, and Annex III of the Approved Addendum is  further specified by Annex III of this DPA. 
      e) Dfns (as data importer) may end this DPA, to the extent the Approved Addendum applies, in accordance with  clause 19 of the Mandatory Clauses;
      f) Clause 16 of the Mandatory Clauses shall not apply. 
    5. Transfers within the scope of Swiss Data Protection Laws. With respect to any transfers of GDPR Personal  Data falling within the scope of the Swiss Data Protection Laws from the User (as data exporter) to Dfns (as data  importer): 

      a) This Section 3.5 will apply to any Processing of User Personal Data that is subject to Swiss Data Protection  Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR. Where this Section 3.5 uses terms  that are defined in the SCCs, those terms will have the same meaning as in the SCCs. 

      b) This Section 3.5 will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article  6(2)(a) of the Swiss Data Protection Laws, as the case may be. This Section 3.5 will not be interpreted in a way  that conflicts with rights and obligations provided for in Swiss Data Protection Laws. Any references to legislation  (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This  includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this  DPA has been entered into.

      c) In the event of a conflict or inconsistency between this Section 3.5 and the provisions of the SCCs or other  related agreements between the Parties, existing at the time this DPA is agreed or entered into thereafter, the  provisions which provide the most protection to Data Subjects will prevail. 

      d) In relation to any Processing of GDPR Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Section 3.5 amends the SCCs to the extent necessary so they operate: 

      1. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection  Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s Processing when making that  transfer; and 

      2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or  Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be. e) To the extent that any Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, the  SCCs shall be interpreted as follows: (i) References to the “Clauses” or the “Standard Contractual Clauses” shall mean the SCCs as amended by  this Section 3.5. (ii) Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the  purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer.” 
  1. References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data  Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced  with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable. 
  2. References to Regulation (EU) 2018/1725 are removed. 
  3. References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with  “Switzerland”. 
  4. Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Swiss  Federal Data Protection and Information Commissioner insofar as the transfers are governed by Swiss Data  Protection Laws; 
  5. Clause 17 is replaced to state: “These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data  Protection Laws“. 
  6. Clause 18 is replaced to state: “Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts  of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data  importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree  to submit themselves to the jurisdiction of such courts.” 
  7. Until the entry into force of the revised Swiss Data Protection Laws, the SCCs will also protect Personal  Data of legal entities and legal entities will receive the same protection under the SCCs as natural persons. 
  8. To the extent that any Processing of Personal Data is subject to both Swiss Data Protection Laws and the  GDPR, the DPA including the SCCs as further specified in this Section 3.5 will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by this Section 3.5, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under  Section 3.5(e)(vii) above. 
  9. User warrants that it and/or User Affiliates have made any notifications to the Swiss Federal  Data Protection and Information Commissioner which are required under Swiss Data Protection Laws. 
  1. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
    1. Data Subject Requests 
      Unless otherwise required by Applicable Data Protection Laws, Dfns shall promptly notify the User of any request received by Dfns or any Subprocessor from a Data Subject in respect of the Personal Data of the Data Subject, and shall  not respond to the Data Subject. 
  1. Dfns shall, where possible, assist the User with ensuring its compliance under applicable EU Data Protection Laws, and in particular shall: 
    • a) provide the User with the ability to correct, delete, block, access or copy the Personal Data of a Data Subject, or 
    • b) promptly correct, delete, block, access or copy Personal Data within the Service at the User’s  request. 
  1. Data Subject Rights 
    Where applicable, and taking into account the nature of the Processing, Dfns shall use reasonable efforts to assist  the User by implementing appropriate technical and organizational measures, insofar as this is possible, for  the fulfillment of the User’s obligation to respond to requests for exercising Data Subject rights laid down in the GDPR. 
  1. SUBPROCESSORS
    1. User agrees that Dfns may use the following as Subprocessors to Process User Personal Data:

      • Amazon Web Services, Inc. 
      • Docusign, Inc. 
      • Salesforce, Inc. 
      • Google LLC 
    2. User agrees that Dfns may use subcontractors to fulfill its contractual obligations under the Agreement and User generally authorizes the engagement of third party Subprocessors. Dfns shall notify User  from time to time of the identity of any Subprocessors it engages. If User (acting reasonably) does not approve of a  new Subprocessor, then without prejudice to any right to terminate the Agreement, User may request that Dfns moves the User Personal Data to another Subprocessor and Dfns shall, within a reasonable time following receipt of  such request, use reasonable efforts to ensure that the Subprocessor does not Process any such User Personal Data.  If it is not reasonably possible to use another Subprocessor, and User continues to object for a legitimate reason,  either Party may terminate the Agreement on thirty (30) days written notice. If User does not object  within thirty (30) days of receipt of the notice, User is deemed to have accepted the new Subprocessor. 
    3. Except as set out in Sections 8.1 and 8.2, Dfns shall not permit, allow or otherwise facilitate Subprocessors to  Process User Personal Data without User’s prior written consent. 
    4. With respect to any Subprocessors engaged by Dfns to Process User Personal Data, Dfns shall: 
      a) enter into a written agreement with the Subprocessor which imposes equivalent obligations on the Subprocessor  with regard to their Processing of User Personal Data, as are imposed on Dfns under this DPA; and 
      b) at all times remain responsible for compliance with its obligations under the DPA and shall be liable to User  for the acts and omissions of any Subprocessor as if they were Dfns’s acts and omissions. 
  1. DATA PROTECTION IMPACT ASSESSMENT 
    1. To the extent required under applicable Applicable Data Protection Laws, Dfns shall provide reasonable assistance to  User with any data protection impact assessments and with any prior consultations to any Supervisory Authority or  other regulatory authority with jurisdiction over User, in each case taking into account the nature of the Processing  and information available to Dfns. 
  2. SECURITY 
    1. Security Obligations. 
      a) Taking into account the state of the art, the costs of implementation and the nature, scope, context and  purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural  persons, Dfns will implement and maintain the technical and organizational measures set out in ANNEX II.  
      b) Upon request by User, Dfns shall make available any information reasonably necessary to demonstrate  compliance with this DPA. 
    2. Security Incident Notification 
      If Dfns becomes aware of a Security Incident, Dfns will (a) notify User of the Security Incident within seventy-two (72) hours; and (b) investigate the Security Incident and provide User (and any law enforcement or regulatory  official) with reasonable assistance as required to investigate the Security Incident. Except as required by  applicable law, the obligations set out in this Section 10.2 shall not apply to Security Incidents caused by  User. 
    3. Dfns Employees and Personnel
      Dfns shall treat the User Personal Data as confidential, and shall ensure that any employees or other  personnel have agreed in writing to protect the confidentiality and security of User Personal Data. 
    4. Audits 
      Dfns will, upon reasonable request from User with at least 60 days’ prior notice, and no more than once per  annum, allow for and contribute to audits, including inspections, conducted by User (or a third party auditor  on behalf of, and mandated by, User) provided (i) such audits or inspections are not conducted more than  once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; and (ii) are conducted to cause minimal disruption to Dfns’s operations and business. Any expenses or costs associated  with such audits or inspections shall be incurred by User, unless for audits conducted for Security Incidents and/or conducted upon request of the Supervisory Authority. 
    5. Government Disclosure 
      Dfns shall notify the User of any request for the disclosure of any User Personal Data by a governmental  or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited  by applicable law or a legally binding order of such body or agency. 
  1. TERMINATION
    1. Deletion of data 
      a) Unless otherwise agreed by the User, following termination or expiration of the Agreement, Dfns shall, in  accordance with its obligations under the Agreement, delete all User Personal Data from Dfns’s systems. 
      b) Notwithstanding the foregoing, Dfns may retain User Personal Data (i) as required by applicable laws or (ii)  in accordance with its standard backup or record retention policies, and always provided that Dfns shall ensure the  confidentiality of all such User Personal Data in accordance with this DPA and the Agreement and shall ensure  that such User Personal Data is only Processed as necessary for the purpose(s) specified in such applicable laws and for no other purpose.
  1. ANNEX I 

DETAILS OF THE PROCESSING AND TRANSFER OF USER PERSONAL DATA 

A. LIST OF PARTIES
Data exporter  

  • User
  • User’s name and contact details shall be as specified in the Agreement. 
  • Activities relevant to the data transferred under these Clauses: Performance of the Cloud Service pursuant to the  Agreement and as further described in the Agreement. 
  • Role: Controller 

Data importer 

  • Dfns’s entity name and contact details shall be as specified in the Agreement. 
  • Activities relevant to the data transferred under these Clauses: Performance of the Cloud Service pursuant to the  Agreement and as further described in the Agreement. 
  • Role: Processor 

B. DESCRIPTION OF TRANSFER 
Categories of data subjects whose personal data is transferred 

  • User’s employees, personnel, authorized users and any other data subjects whose data User or its  authorized users submits, transfers, loads or otherwise provides to Dfns via the Cloud Service. 

Categories of personal data transferred 

  • Business-related datasets that User or its authorized users submits to the Cloud Service. Special categories of personal data (if applicable): 
  • The transferred personal data includes the following special categories of data: N/A 
  • The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks  involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having  followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional  security measures are: N/A 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): 

  • The transfer is performed on a continuous basis and is determined by User’s configuration of the Cloud Service.

Nature of processing: 

  • The User Personal Data will be subject to the following basic processing activities: transmitting, collecting,  storing and analyzing data in order to provide the Cloud Service to User, and any other activities related to  the provision of the Cloud Service or specified in the Agreement. 

Purposes of the data transfer and further processing: 

  • to provide the Cloud Service to User pursuant to the Agreement. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine  that period: For the term of the Agreement. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As stipulated in Section 3 of the DPA. The Subprocessors may have access to the Personal Data for the term of this  DPA or until the service contract with the respective Sub-processor is terminated or the access by the  Subprocessor has been excluded as agreed between Dfns and User. C. COMPETENT SUPERVISORY AUTHORITY Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs: The competent supervisory authority is the supervisory authority specified in Section 4.2(c) of this DPA.

  1. ANNEX II 

TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA 

1. Dfns maintains internal policies and procedures, or procures that its Subprocessors do so, which are  designed to: 
(a) secure any User Personal Data Processed by Dfns against accidental or unlawful loss, access or  disclosure; 
(b) identify reasonably foreseeable and internal risks to security and unauthorised access to the User  Personal Data Processed by Dfns; 
(c) minimise security risks, including through risk assessment and regular testing. 

2. Dfns will, and will use reasonable efforts to procure that its Subprocessors conduct periodic reviews of  the security of their network and the adequacy of their information security program as measured against  industry security standards and its policies and procedures. 
3. Dfns will, and will use reasonable efforts to procure that its Subprocessors periodically evaluate the  security of their network and associated Services to determine whether additional or different security  measures are required to respond to new security risks or findings generated by the periodic reviews.

  1. ANNEX III 

LIST OF SUBPROCESSORS For more information about Dfns’s subprocessors, please refer to Section 5 of the DPA. The subprocessor’s contact  information will be provided by Dfns upon request.

Appendix 3 - Data Processing Agreement

This Appendix applies when the User is a financial entity subject to a specific regulatory framework for the financial sector and prudential control and shall comply with DORA. As part thereof, the provision of digital and data services to User is subject to specific contractual, operational and regulatory requirements under DORA.

  1. Applicability

This Addendum applies where Dfns provides User and, as the case may be, its Affiliates, with the ICT services that are subject to DORA as long as User is a Regulated Financial Institution and is subject to oversight by the Regulator in relation to the ICT Services being provided under the Agreement. To extent relevant, the obligations as set forth herein apply mutatis mutandis to Dfns employees, staff and / or subcontractors. 

  1. Definitions and interpretation

    a) Definitions
    Unless otherwise set out below, each capitalized term in this Appendix shall have the meaning set out in the Agreement. In this Appendix, unless the context requires otherwise:

    Incident” means a single unplanned event or a series of linked unplanned events that compromises the security of the network and information systems, and have an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by Dfns;

    "Critical or Important Function"     means a function, the disruption of which would materially impair the financial performance of the User, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of the User with the conditions and obligations of its authorisation, or with its other obligations under DORA. 

    "Critical Service"     means a Service that supports a Critical or Important Function and is designated by the User as a Critical Service.

    "Regulator"     means any competent authority and resolution authority within the meaning of DORA, entitled to exercise prudential supervision over User and thereby has the legal power to assess User's compliance with Applicable Laws.

    “DORA”     means the Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector as well as any mandatory sector specific regulation, law, circular, communication, guidance or industry standard applicable to User.

    "Services"     means those tasks, operations and functions that (i) qualify as an ICT Service under DORA and (ii) are to be performed by Dfns under the Agreement.

    "Threat-led Penetration Testing (TLPT)"     means the cybersecurity tests organised by the User or its designee further to which the User or its designee tests the cybersecurity of specific critical production systems of the Customer on the basis of a framework that mimics the tactics, techniques and procedures of real- life threat actors perceived as posing a genuine cyber threat. TLPTs aim to deliver a controlled, bespoke, intelligence-led (red team) test of the User’s critical live production systems;

    "Subcontracting”     means any arrangement whereby Dfns assigns, transfers or otherwise disposes of the Agreement (even under an universal transfer) or delegates its rights, obligations and/or duties hereunder in whole or in part to a third party. For the avoidance of doubt, any acquisition, purchase or licensing of equipment such as hardware or software does not constitute a "subcontracting" hereunder. 

    "Subcontractor"     means the third party that has entered into a Subcontracting arrangement with Dfns. 

    b) Interpretation
    In the event of inconsistencies or ambiguities in relation to any provision of the Agreement, the obligation shall be interpreted in such a manner that it is compliant with DORA.
  1. Obligations applicable to all Services

a) Services
Dfns shall provide those Services that are expressly described in the Agreement. Such Services will be performed in the manner set forth in the Agreement and, as the case may be, the Service Level Agreement.

b) Service Performance and Service Levels

  1. Performance standards
    Unless expressly provided otherwise in the Agreement, Dfns shall perform the Services at least in accordance with good industry practices, with appropriate diligence and care and by using properly skilled and trained staff.
    For Services for which a service level is defined in the Service Level Agreement, Dfns shall provide such Services in accordance with the agreed upon service levels. The Service Level Agreement clearly sets forth (i) the performance criteria for specific Services, (ii) the measuring and reporting intervals for such service levels and (iii) potential actions to be undertaken as to facilitate Supplier's compliance with the agreed service levels.
  2. Performance Monitoring
    Dfns shall enable User to monitor Dfns' performance of the Services on a regular basis. To that end, Dfns shall, at the intervals set forth in the Service Level Agreement, make service level reports available to User as to enable User to verify Dfns' compliance herewith.

c) Subcontracting, Services Location and Data Residency

  1. Subcontracting
    Unless expressly stated otherwise in the Agreement and without prejudice to the specific provisions regarding (i) the sub-processing of personal data and (ii) the provisions relating to Critical Services, Dfns is authorised to Subcontract the Services or parts thereof.
  2. Service Location
    Supplier will provide the Services from the locations as described in the Agreement or, as the case may be, with regard to the personal data, the Data Processing Agreement. In the absence of a clear description of the service location in the Agreement, the Services will be provided from within the European Economic Area.
    Should Dfns aim to change the location from where the Services are being provided to a location outside the European Economic Area, it shall inform the User thereof in advance. In any case, Dfns shall see to it that such change in location would not prevent User's compliance with DORA.
  3. Data Residency
    Dfns will store and process User's data on the location(s) as is mutually agreed upon in writing between the Parties. In the absence of a specific agreement in relation thereto, Dfns agrees to store and process User's data within the European Economic Area. Should Dfns aim to change the location where the data is being stored or processed, it shall inform User thereof in advance and shall see to it that such change in location would not prevent User's compliance with DORA.

d) Confidentiality and Security of Customer Data

Without prejudice to the specific obligations regarding personal data which, as the case may be, would be specified in the Data Processing Agreement, the following provisions shall apply to User Data.

  1. Confidentiality
    Dfns, its Subcontractor(s) and their personnel shall be bound by appropriate obligations regarding security and confidentiality. Dfns ensures its Subcontractor(s) and all personnel involved in the performance of the Agreement is at all times bound by confidentiality undertakings that are no less protective than the confidentiality undertakings set forth in the Agreement.
  2. Security
    Dfns shall implement the security, integrity and authenticity mechanisms that are appropriate in light of the Services to perform and, as the case may be, shall implement the security requirements and policies as communicated by and agreed upon with the User from time to time. 

e) Data Protection
To the extent that the Services would entail the processing of personal data, as defined under GDPR, the Parties will agree on the Data Processing Agreement attached to the Agreement and agree to implement such other actions as required to comply with the GDPR.

f) Restitution of data
Upon any event of termination of the Agreement or any event of discontinuity or insolvency of Dfns (an “Exit Event”), Supplier shall, in accordance with the modalities agreed upon between the Parties, return User Data to either User or a party designated by User, in the limited agreed in the Agreement and to the extent permitted by DORA. Notwithstanding anything provided to the contrary either by contract or by law, Dfns and, as the case may be, its receiver or any party acting for and on behalf of Dfns or its creditors, shall abstain from exercising any rights, including as the case may be, retention rights or suspension rights in relation to User Data. To the extent the Parties agree on the provision of Termination Assistance services, the restitution of data as set forth in this Section will take place in accordance with the modalities set forth in Section Termination Assistance below.

g) ICT incident support
To the extent that an Incident occurs in relation to the Services provided by Dfns, Dfns will, in accordance with the modalities set out in the Service Level Agreement, provide assistance to the User.

h) Cooperation with RegulatorsDfns hereby acknowledges that the Regulators, or any persons appointed by them, having jurisdiction over User (or, as the case may be, the clients of User), have investigative powers enabling them to directly seek assistance and cooperation from User. To that end, Dfns will, in accordance with Applicable Laws, comply and, as the case may be, cooperate with and respond to any requests issued by the Regulator. 
Dfns will use best efforts to cooperate with such authorities in the context of their inspections or, more generally, for all requests that they would have in the context of their supervisory or resolution powers. In particular, where User is a credit institution, Dfns acknowledges the information gathering and investigatory powers of the Regulators (including the resolution authorities), namely:

  • the information gathering power of resolutions authorities under Article 63(1) (a) of Directive 2014/59/EU establishing a framework for the recovery and resolution of credit institutions and investment firms; and,
  • the information gathering and investigatory powers of competent authorities under Article 65(3) of Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms.  

To extent possible, User shall provide Dfns with reasonable notice (and not less than ten (10) business days) ahead of any inspection or audit that would be conducted by the Regulators. 

3. Termination

  1. Termination for Cause 
    The parties undertake to comply with the provisions related to termination provided for in the Agreement. 
  1. Additional Grounds for Termination
    Notwithstanding anything provided to the contrary, User may terminate the Agreement in whole or in part and without a prior intervention of a court, if:
  • impediments capable of altering the performance of the Services are identified and Parties fail to resolve such impediments within (10) days following written notice thereto;
  • material changes occur that affect the performance of the Agreement or Dfns. For the purpose hereof, a material change is any change material affecting Dfns and/or the performance of the Agreement that would detrimentally affect User's compliance with Applicable Laws (a "Material Change").
  • there are substantial and evidenced weaknesses in Dfns' (a) management of User Data or (b) security measures implemented for managing User Data, processes or infrastructure; or 
  • due to a decision of the Regulator, User may no longer continue the performance of the Agreement;
  • change in DORA occurs that materially affects the ability of either Party to perform its obligations or exercise its rights under the Agreement.  

To the extent that User terminates the Agreement on the basis of one or more of the grounds for termination set forth under points (i) – (v) above, User shall pay the termination charges as defined under the Agreement. In the absence of defined termination charges, User shall be held to pay the remaining charges for the Services until the expiration of the contractual term. 
Should any of the grounds for termination as set forth above be solely attributable to Dfns and provided that such non-compliance would constitute a material breach as set forth under above, User may terminate the Agreement in accordance with Section Termination for Cause. 

  1. Termination Assistance
    Upon an Exit Event, User may request Dfns to provide to the User or its designee, those termination assistance services that are agreed upon between the Parties and which are necessary to prevent any discontinuity of User's business or the provision of regulated services to User's end-customers ("Termination Assistance").If User requests for the provision of Termination Assistance Services, the Parties shall, at the latest upon an Exit Event, mutually agree upon an Exit Plan setting forth the specific actions to be performed as part of the Termination Assistance. Such Exit Plan shall be attached to the Agreement and shall include the Parties' respective roles and responsibilities, the conditions for acceptance of the hand-over of the Services to the User or its designee and the milestones for the completion of such specific actions. Unless expressly provided otherwise, Termination Assistance services shall be provided by Dfns and charged to User at the personnel rates, or other rates, as specified in the Agreement. 
  2. User Security Awareness Programme
    To the extent that User has compulsory ICT security awareness programmes and digital operational resilience training in place, User may request that Dfns’ key staff that is engaged in the performance of the Services, participate in such training. To that end, the Parties shall jointly agree on the modalities for the participation to such trainings including: 
  • Dfns’ employees or representatives that are required to participate to the training;
  • specific aspects in terms of the location of the training, if so trainings are provided in a physical environment;
  • the languages of such training;

Dfns’ participation to such training will be charged on the basis of Dfns’ applicable time and material rates and User shall reimburse all of Dfns’ reasonable expenses in relation to the participation of such training.

Request a demo

One of our security experts will get in touch as soon as possible.

Thanks for your interest.

Please, check your inbox.