General Terms

The parties hereto agree as follows:

A. Application of this Addendum.

The terms and conditions of this Addendum apply with respect to the provision of each of  the Services by Nasdaq (or, where relevant, to such of the Services as Nasdaq and Customer agree constitute ICT Services) to any entity in the Customer’s group which is a Financial Entity.

References in this Addendum to the “Customer” are to be construed as references to each Financial Entity in the Customer’s group to which Nasdaq provides Services.

This Addendum shall automatically terminate with respect to any such Service when the term of such Service terminates or expires pursuant to the terms of the Agreement.

B. Definitions and interpretation.

“Customer Data” means data uploaded by or on behalf of Customer or any of its authorized users into the Services and Personal Data (as defined in the Data Processing Addendum).

“Data Processing Addendum” means the addendum to the Agreement concerning processing of Personal Data, as may be amended by the parties from time to time.

“DORA” means Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.

“Financial Entity” means an entity captured by Art. 2(2) DORA and which is not excluded from the scope of DORA by Art. 2(3) or 2(4) DORA, for so long as such entity remains subject to DORA.

“ICT Service” has the meaning given in DORA.

“Personal Data” shall have the meaning set out in the Data Processing Addendum.

“Regulator” means a government, regulatory body, or competent authority with binding authority to regulate Customer’s activities as a Financial Entity, or resolution authority with respect to the Customer.

“Service Level Addendum” means the addendum comprising a part of the Agreement that sets out the relevant service levels for a Service, as may be amended by the parties from time to time.

“Subcontractor” shall be understood to capture subcontractors for the purpose of DORA and its associated technical standards. Related terms such as “Subcontracted” and “Subcontracting” shall be construed accordingly where used in this Addendum.

Capitalized terms used in this Addendum but not otherwise defined have the meanings ascribed to them elsewhere in the Agreement.

References in the clause and section headings of this Addendum to articles of DORA are for convenience only and shall have no impact on interpretation of the relevant clause or section of this Addendum.

Where this Addendum refers to Nasdaq “notifying” the Customer (or similar) of certain matters, Nasdaq may discharge such obligation by addressing the notification to any member of Customer’s group to which Nasdaq normally addresses communications relevant to the Services.

C. Terms for all ICT services, Art. 30(2) DORA (Key Contractual Provisions)

1. Description of all functions and ICT services – Art 30.2.(a). All functions and services are described and set forth in the applicable Agreement, Service Level Addendum and other relevant schedules to the Agreement.
2. Service Location – Art 30.2.(b).  The locations where the services are to be provided are set forth in the applicable Agreement.  The locations where Customer Data is to be processed, including the storage locations, are set forth in the applicable Data Processing Addendum and/or any other applicable addendum (including, where relevant, with respect to data processed or stored by Subcontractors).  Nasdaq shall notify the Customer in advance if it envisages changing such locations.
3. Availability, Authenticity, Integrity, and Confidentiality of Customer Data – Art 30.2.(c). Nasdaq shall, in relation to Customer Data, implement a written information security program which conforms with internationally recognised information security standards and that addresses authenticity and integrity of such Customer Data. In addition, each party shall comply with its obligations related to confidentiality and data protection as provided for in the confidentiality provision of the Agreement and, if applicable, the Data Processing Addendum. The applicable Service Level Addendum also addresses availability of the Service. 
4. Access, recovery and return in an easily accessible format of Customer Data – Art 30.2.(d). In the event of a Nasdaq insolvency, resolution in bankruptcy, or discontinuation of Nasdaq’s business (other than as a result of a divestiture to a third party) that results or is reasonably likely to result in termination of the Service pursuant to the Agreement, or any termination of the Agreement with respect to a Service, unless prohibited by applicable law or regulation, Nasdaq will make Customer Data within Nasdaq’s control available in a reasonable manner upon written request by the Customer, provided that, in respect of any Personal Data forming part of such Customer Data, this shall be without prejudice to the provisions of the Data Processing Addendum relating to the return or deletion of Personal Data.
5. Service Level Agreement – Art 30.2.(e). The service levels applicable to the Service (the “Service Levels”) are set out in the applicable Service Level Addendum. Updates and revisions to the Service Levels shall be reflected in updates to the Service Level Addendum (in accordance with the terms thereof). 
6. Assistance in the Event of ICT incident – Art 30.2.(f). Nasdaq shall provide assistance to the Customer when an incident that is related to the Service occurs in accordance with the Agreement.
7. Cooperation – Art 30.2 (g). Taking into account the nature of the Service and the information available to Nasdaq, Nasdaq shall provide assistance as required to be provided by a service provider to a Financial Entity under DORA and fully cooperate with Customer Regulators (or persons appointed by any Customer Regulator). 
8. Termination Rights – Art 30.2 (h) and Art 28.(7).

 a. Specified Events Giving Rise to Customer Termination Right. In the following circumstances, Customer may terminate the Agreement with respect to the Service by providing reasonable, advance written notice to Nasdaq:

i. where Nasdaq is in material breach of any law or regulation applicable to Nasdaq or of its contractual obligations under the Agreement and where Nasdaq fails to correct any such violation within thirty (30) days of Nasdaq’s receipt of notice from Customer specifying such violation in sufficient detail for Nasdaq to understand the Customer’s concern and demanding correction; 

ii. where the Customer provides Nasdaq with written notification of circumstances identified through the Customer’s monitoring of ICT third-party risk that are deemed capable of altering the performance of the Service, including material changes that affect the arrangement or the situation of Nasdaq, and where Nasdaq fails to take reasonable steps to remediate such circumstances within thirty (30) days of Nasdaq’s receipt of written notice from Customer specifying such circumstances in sufficient detail for Nasdaq to understand the Customer’s concerns and demanding correction;

iii. where Customer provides Nasdaq with evidence in writing of weaknesses pertaining to Nasdaq’s overall ICT risk management and in particular in the way Nasdaq ensures the availability, authenticity, integrity and, confidentiality, of Customer Data and Nasdaq fails to take reasonable steps to remediate such weaknesses within thirty (30) days of Nasdaq’s written receipt of notice from Customer specifying such evidenced weaknesses in sufficient detail for Nasdaq to understand the Customer’s concerns and demanding correction; or

iv. where a Customer Regulator can no longer effectively supervise Customer as a result of the conditions of, or circumstances related to, the contractual arrangements between Nasdaq and Customer concerning the Service and such Customer Regulator instructs Customer to terminate the Agreement with respect to such Service. When exercising termination rights under this clause 8(a)(iv) Customer must provide Nasdaq with reasonable evidence of such Customer Regulator instruction.

9. Training – Art 30.2 (i). Customer agrees that it shall, acting reasonably and in good faith, consider whether Nasdaq may by way of alternative to participating in the Customer’s training programmes at the Customer’s request  and subject to mutually agreed terms instead provide Customer with details regarding Nasdaq’s own security awareness programmes and digital operational resilience training to provide reasonable comfort to Customer that such programmes and training are appropriate for the purpose of Art. 13(6) of DORA. Where additional training is required Customer may subject to mutually agreed terms request Nasdaq to participate in Customer’s security awareness programmes or digital operational resilience training where appropriate.

D. Costs & Fees on Termination

In order to receive assistance from Nasdaq in connection with the exercise of the following rights, the Customer agrees to pay fees, costs and expenses for such assistance as will be reasonably priced on a subscription basis reflecting the estimated effort by Nasdaq (such fees to be set out in a separate statement of work including the applicable fees and subscription terms):

1. clause 4 of Section C (Data recovery)
2. clause 6 of Section C (Assistance with an ICT Event) for assistance beyond the scope of the Services in Agreement (any additional assistance and associated costs beyond the scope of the Agreement to be determined ex-ante (in advance) and mutually agreed by the parties); and
3. clause 9 of Section C (Training).

   Fees on Termination

Except in circumstances where Customer terminates under clause 8(a)(i) (Material breach of Laws and Regulations) all fees with respect to the then current term for the Service (including as they relate to periods following the date of termination) shall be immediately due and payable by Customer to Nasdaq on termination.

E. Miscellaneous.

1. Governing law. This Addendum shall be governed by the laws of, and the parties agree to submit to the courts of, the same jurisdiction as applicable with respect to Nasdaq’s provision of the service under the Agreement.
2. Conflicts. For purposes of this Addendum, the rights and obligations of the parties in this Addendum are in addition to, and not in replacement of, the rights and obligations of the parties in the Agreement. In the event of a conflict between this Addendum and other provisions of the Agreement, this Addendum will prevail with respect to the Service that constitutes ICT Services under DORA, except that the Data Processing Addendum will control with respect to Personal Data as specified therein. Except as amended and supplemented by this Addendum, the Agreement will remain in full force and effect.
3. Updates to DORA. Where a provision of DORA or delegated legislation made pursuant to DORA is superseded, invalidated or replaced by law or regulation, the Addendum shall be updated accordingly.