This addendum is provided in the context of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on the digital operational resilience of the financial sector (“DORA”), where the Customer is acting as a financial entity, as defined in article 2(2) of DORA (a “Financial Entity”).
Spendesk and the Customer agree to enter into this addendum (the “Addendum”) to define their respective rights and obligations applicable under DORA, regarding the provision of Spendesk Services. This Addendum is a supplement to Spendesk general terms and conditions of use available at https://www.spendesk.com/en/legals/terms/customers (the “Standard Terms”).
Table of contents
- 1. Scope of this Addendum
- 2. Definitions and interpretation
- 3. Rights and obligations
- 4. Services description and subcontracting
- 5. Location of the provision of the service
- 6. Availability, authenticity, integrity and confidentiality
- 7. Access, recovery and return of data
- 8. Service levels description
- 9. Assistance to the Customer
- 10. Cooperation with the supervisory authorities of the Customer
- 11. Termination rights under the Contract
- 12. Security awareness programmes and digital operational resilience training
- 13. Amendment of this Addendum
- 14. Applicable law and jurisdiction
1. Scope of this Addendum
a. Purpose and duration
This Addendum applies to the extent the Customer is a Financial Entity, using Spendesk Services provided under the Standard Terms, as ICT services (within the meaning of article 3(21) of DORA) in a manner that is subject to DORA.
This Addendum shall be automatically applicable, as from 17th January 2025 (DORA application date), under the strict condition that the Customer qualifies as a Financial Entity.
This Addendum shall not be applicable before the Customer receives the required license or authorisation to act as a Financial Entity. This Addendum shall cease to be applicable with immediate effect in case of withdrawal of the license or authorisation required to act as a Financial Entity.
b. Non-critical and non-important ICT services
The Parties specifically acknowledge and agree that:
(i) the Services shall not be considered as critical or important functions for the Customer as defined in article 3(22) of DORA; and
(ii) Spendesk shall not be considered a critical ICT third-party service provider as defined in article 3(23) of DORA.
This Addendum is built in accordance with the framework set out in articles 30(1) and 30(2) of DORA, applicable to non-critical and non-important ICT services.
2. Definitions and interpretation
In this Addendum, capitalised terms not specifically defined have the meaning attributed to them (a) in the Standard Terms or (b) failing that, in article 3 of DORA.
All references to websites in this Addendum refer to the specified websites and their respective successor or related locations designated by Spendesk, as may be updated from time to time.
In any event of inconsistency between the Standard Terms and this Addendum, this Addendum shall prevail. All other provisions of the Standard Terms remain unchanged and in full force and effect.
3. Rights and obligations
(article 30(1) of DORA)
The Parties’ rights and obligations are set out in the Contract which includes:
(i) the Standard Terms (including its annexes);
(ii) the Pricing Terms (corresponding to (a) the pricing agreement agreed between the Parties for accessing the Platform and the Services, and (b) the pricing terms for the Payment Services set out in Annex 1 of the Standard Terms); and
(iii) this Addendum or any additional contractual document entered into by the Parties.
At any time, the Customer can download (i.e., print as PDF) the online Standard Terms and the Addendum. In addition, and as mentioned in the Standard Terms, the Customer can obtain at any time and free of charge from Spendesk a copy of the Contract on a durable medium.
4. Services description and subcontracting
(article 30(2)(a) of DORA)
The Services provided by Spendesk to the Customer are described in detail in:
(i) the Standard Terms;
(ii) the Pricing Terms (including the pricing agreement listing the subscription plan and Services selected by the Customer); and
(iii) Spendesk website page detailing the features and options included in each subscription plan (currently located at https://www.spendesk.com/en/pricing/).
Considering that the Services do not support critical or important functions for the Customer, Spendesk is not required under DORA (i) to request approval from the Customer for subcontracting and (ii) to disclose subcontracting conditions.
However, the Customer can access at any time the list of Spendesk sub-processors (within the meaning of the GDPR), which is available at https://www.spendesk.com/en/legals/subprocessors (the “Sub-processors List”). Provisions regarding the use of sub-processors by Spendesk (including the information to be disclosed, the notice of change to the Sub-processors List and the Customer’s right to object) are set out in the data processing agreement included in the Standard Terms.
Spendesk remains fully liable towards the Customer for any subcontracted part of the Services.
5. Location of the provision of the service
(article 30(2)(b) of DORA)
Spendesk and its sub-processors may store and process data where they are located.
The Services are provided (and the data is stored) at the following locations:
(i) Spendesk’s registered address, as described in the Standard Terms; and
(ii) the location of Spendesk’s sub-processors, as mentioned in the Sub-processors List.
Changes in the location of the Services will be notified to the Customer in advance, in accordance with the process defined in the Standard Terms for any updates of (i) the Standard Terms or (ii) the Sub-processors List.
6. Availability, authenticity, integrity and confidentiality
(article 30(2)(c) of DORA)
Spendesk provides transparent information on the availability of the Platform and its main features (uptime, availability rate per month, list of incidents) via the website https://status.spendesk.com (the “Status Page”).
Spendesk provides high standards of security with relevant technical and organisational measures to protect the Customer’s data.
Relevant commitments regarding authenticity, integrity and confidentiality of the data processed by Spendesk are available in the Standard Terms (in particular in the data processing agreement).
In addition, Spendesk provides a detailed description of its security policies and processes at https://trust.spendesk.com (the “Trust Center”).
7. Access, recovery and return of data
(article 30(2)(d) of DORA)
The Customer’s data uploaded on the Platform will be kept by Spendesk for the retention periods mentioned (i) in the data processing agreement included in the Standard Terms and (ii) in the Privacy Policy.
The Customer will be able to export its data at any time during the Contract term through the standard features available on the Platform. Concerning the Content subject to the Digitisation Service (accounting receipts and invoices), it can be downloaded as described in Spendesk Help Center.
For two (2) weeks following the effective termination date of the Contract, Spendesk will provide for free, upon written request from the Customer, a folder including the export of its accounting and payment data uploaded on the Platform, in a format readable with generally available standard software. After this period and if the data has not been deleted in accordance with the applicable retention periods, Spendesk reserves the right to invoice reasonable fees to cover the operational cost for any further request for data export from the Customer.
8. Service levels description
(article 30(2)(e) of DORA)
The Parties agree that the Contract includes relevant service level descriptions, including updates and revisions thereof. Spendesk will provide these Services with due care, irrespective of the place of performance.
Relevant information on the availability of the Platform and its main features (uptime, availability rate per month, list of incidents) is available via the Status Page. Through this link, any individual can subscribe to updates on Spendesk Platform incidents (updates provided by email, SMS or Slack).
Spendesk will inform the Customer via the Platform and/or the Status Page of any scheduled maintenance that may have an impact on the availability of the Services, with reasonable prior notice whenever possible.
9. Assistance to the Customer
(article 30(2)(f) of DORA)
Spendesk will assist the Customer as follows:
(i) Spendesk will notify the Customer promptly, (a) via the Platform and/or the Status Page and (b) by email to the Main User (unless the Main User has unsubscribed from all email notifications), of any ICT incident (within the meaning of article 3(8) of DORA) impacting the Services subscribed by the Customer or its data; and
(ii) Spendesk will manage the ICT incident, if it affects the data, systems or networks controlled by Spendesk, in accordance with the “Security Incident Response Plan” (or any similar policy as updated from time to time) available in the Trust Center.
Spendesk will provide the above assistance at no additional cost beyond the cost for technical support as agreed in the Pricing Terms.
10. Cooperation with the supervisory authorities of the Customer
(article 30(2)(g) of DORA)
Spendesk will fully cooperate with the Customer’s supervisory authorities, resolution authorities and the persons appointed by them exercising their information, audit and access rights with respect to the Customer’s use of the Services.
Audits will be conducted in accordance with Spendesk external audit policy as available in the Trust Center.
11. Termination rights under the Contract
(article 30(2)(h) of DORA)
The Parties agree that in addition to the termination conditions set out in the Standard Terms, any circumstance listed in article 28(7) of DORA shall be considered as a “material breach” allowing a potential early termination of the Contract, in accordance with the process defined in the Standard Terms.
12. Security awareness programmes and digital operational resilience training
(article 30(2)(i) of DORA)
The Customer acknowledges that Spendesk is directly subject to DORA, acting as the agent of a Financial Entity: Spendesk Financial Services (subsidiary of Spendesk, licensed as a payment institution by the ACPR under number 17518).
As such, Spendesk implements and maintains employee security and data privacy training programs. The security and data privacy awareness training programs are reviewed and updated by Spendesk at least annually.
13. Amendment of this Addendum
Spendesk reserves the right to amend this Addendum at any time, in accordance with the amendment process defined in the Standard Terms. Such amendment will not reduce the overall security or operational resilience of the Services provided by Spendesk to the Customer.
Any amendment will be notified to the Customer in advance, in accordance with the Standard Terms. If the Customer does not accept the proposed amendments, it may terminate the Contract, in accordance with the termination conditions set out in the Contract.
14. Applicable law and jurisdiction
This Addendum as well as any dispute or claim arising out of, or in connection with this Addendum (including non-contractual disputes or claims) will be governed by the same law as the applicable Standard Terms and will be subject to the exclusive jurisdiction mentioned in the Standard Terms.