Addendum to SuperOffice CRM Online Master Subscription Agreement

This document is valid from 24 June 2024. There are no previous versions of this document.

DORA Article 30: Key contractual provisions required in agreements with third-party service providers. SuperOffice's response is marked in italic.

1. This annex shall apply in addition to the agreement the Customer has signed with SuperOffice (SuperOffice CRM Online service agreement with annex - see references on page 6). This annex explains the Customer's fulfilment of the requirements in the Digital Online Resilience Act (DORA) for key contractual provisions in agreements with third party service providers. This appendix refers each requirement set out in DORA article 30 to the relevant section(s) in the SuperOffice CRM Online Master Subscription Agreement responding to the requirement. SuperOffice is hereinafter referred to as SuperOffice, the financial institution is referred to as the Customer, and the SuperOffice CRM Online Master Subscription Agreement is referred to as the MSA.

Key contractual provisions required

2. Each requirement is set out in black type below, and SuperOffice’s fulfilment of the requirement is set out in italic.

a) The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format.

The SuperOffice MSA with the relevant addendums entered into between SuperOffice and the Customer represents the agreement setting out the rights and obligations allocated between the parties. The standard service availability and support obligations are set out in Sections 5 and 6 of the agreement. In addition, Customers may enter into the premium support addendum, which is an Addendum to the SuperOffice CRM Online Master Subscription Agreement (MSA). The terms of the Addendum supersede the terms of Chapter 6, section 2 in the MSA. When entering into the Premium Support Agreement, the terms for Support as stated in Chapter 6 of the MSA are still in effect, except for section two.

The Premium Support Agreement is an extension (which has to be subscribed to in addition to the MSA) of the SuperOffice support services that includes extended opening hours, specified service levels on SuperOffice’s time to reply, and structured follow-up and reporting on the support services delivered. Premium Support also includes online case submission – via the CRM Online Service or via the SuperOffice Customer Community.

b) The contractual arrangements on the use of ICT services shall include at least the following elements:

  • (a) a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;

The SuperOffice MSA with the relevant addendums entered into between SuperOffice and the Customer represents the agreement setting out the rights and obligations allocated between the parties.

Section 1 stipulates the scope of the Agreement. SuperOffice is a CRM (Customer Relationship Management) work tool that helps the Customer organize and collect contact information in one place and gives the Customer full control over follow-ups, documents and e-mails, as specified in the SuperOffice CRM Online service agreement.

The SuperOffice service includes standard software that is delivered "as is", as well as operation and automatic upgrading of this in accordance with the terms of the SuperOffice CRM Online service agreement, and with quality targets as stated in this agreement.

According to Clause 3.7 in the Data Processing Agreement, SuperOffice will maintain a list of pre-approved sub-processors (Sub-Contractors). The Agreements and Policies of SuperOffice and the list of pre-approved sub-processors are set out in the SuperOffice Trust Centre.

The conditions applying to such sub-processing are stipulated in the Data processor agreement Section 3.7.

  • (b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third party service provider to notify the financial entity in advance if it envisages changing such locations;

The locations are set out in the list of pre-approved sub-processors in the SuperOffice Trust Centre. The Data Processor Agreement section 3.7 sets out the notification requirements for SuperOffice, if SuperOffice plans to change Subcontractors.

  • (c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;

The availability level is set out in the SuperOffice MSA section 5. The confidentiality requirements are set out in the SuperOffice MSA section 11 and in the Data Processor Agreement section 3.5. Provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data, are included in the Data Processor Agreement in its section 3, which i.a. also stipulates requirements regarding the availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data.

  • (d) provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;

Access, recovery and return of data upon insolvency, resolution or discontinuation, or in the event of termination of the MSA and the Data Processor agreement with SuperOffice, are covered in the MSA section 13, and in the Data Processor agreement section 5.

  • (e) service level descriptions, including updates and revisions thereof;

This is described in the MSA section 5 regarding Service Availability, section 6 regarding Support, and in the Premium Support addendum (subject to specific subscription).

  • (f) the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;

This is stipulated in the Data processor agreement section 3.3.4 (Assistance to the Customer) and 3.3.5 (compensation for assistance).

  • (g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;

This is stipulated in the Data processor agreement section 3.1 and in section 3.3.4.

  • (h) termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;

This is stipulated in section 13 of the MSA.

  • (i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programs and digital operational resilience training in accordance with DORA Article 13(6).

This will be adapted for each Customer based on the Customer ICT security awareness programs and digital operational resilience training in accordance with Article 13(6).

c) The contractual arrangements on the use of ICT services supporting critical or important functions shall include, in addition to the elements referred to in paragraph 2, at least the following:

  • (a) full service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;

This is set out in the SuperOffice Premium support addendum. The addendum requires separate subscription by the Customer.

  • (b) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;

This is set out in the SuperOffice Premium support addendum. The addendum requires separate subscription by the Customer.

  • (c) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;

This is set out in the SuperOffice Data processor agreement section 3.3 cf. section 3.3.2.

  • (d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT (Threat Led Penetration Testing) as referred to in Articles 26 and 27;

This is set out in the Data processor agreement section 3.3.2, second paragraph last bullet point by the following wording:

“The Processor shall, in consultation with the Controller, consider:

a process for, on an ongoing basis, testing, assessing and evaluating regularly the effectiveness of technical and organisational measures for ensuring the security of the Processing”

  • (e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following:

i. unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;

Covered in Data processor agreement sections 3.1, section 3.3.1 second paragraph, section 3.3.4 and section 3.6.

ii. the right to agree on alternative assurance levels if other clients’ rights are affected;

There is no prohibition in the MSA or the Data Processor agreement against the right to agree on alternative assurance levels (other than monitoring by the Customer) for the monitoring of SuperOffice’s performance.

iii. the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party;

This is stipulated in the Data Processor Agreement section 3.6.

and

iv. the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;

This is detailed in the Data processor agreement section 3.6.

  • (f) exit strategies, in particular the establishment of a mandatory adequate transition period:

i. during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring;

The service will be available to the Customer for as long as the Customer has paid for the service, in accordance with the MSA Section 13, which also contains provisions regarding transfer of data.

ii. allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.

Upon the termination of the Agreement, the Customer's main user (the Administrator) will be directed to a website where documents in a .zip file and the database in a .bak file can be downloaded. After 30 days following termination, all data belonging to the Customer will be removed from SuperOffice’s servers and facilities, unless SuperOffice is obligated to keep data due to requirements set down in mandatory law.

SuperOffice may assist the Customer in converting data to another format as specified by the Customer. SuperOffice will invoice accrued time as a result of such provision and conversion of data according to SuperOffice prevailing rates for such assistance. Such assistance requires that all outstanding payments are settled by the Customer.

3. Use of subcontractors and follow-up and requirements to an agreement to ensure that subcontractors comply with requirements according to GDPR and DORA (the Data Processor Agreement)

This is described in the SuperOffice CRM Online service agreement (MSA) and the Data Processor Agreement (DPA).

https://www.superoffice.com/trust-center/agreements/msa/

https://www.superoffice.com/trust-center/agreements/dpa/

An updated overview of approved subcontractors with associated contact information can be found here:

https://www.superoffice.com/trust-center/agreements/sub-processors/

The person signing the Agreement on behalf of the Customer guarantees to have the necessary authority to enter into this Agreement.

This document is signed digitally. The current version as well as previous versions can be found here:

https://www.superoffice.com/trust-center/agreements/dora