Get in touch

Draftable Support

Start Your 5-Day Free Trial

By submitting this form, I consent to receiving communications from Draftable.
Thanks!
Your message has been sent.
Oops! Something went wrong while submitting the form.
Draftable Support

DORA Addendum

Version Date 27 April 2026

This DORA Addendum (Addendum) is entered into between Draftable Pty Ltd (ACN 162 786 484) of Level 4, 180 Flinders Street, Melbourne, Victoria 3000, Australia (Draftable) and the customer identified in the Order Form or services agreement to which this Addendum is attached or incorporated (Customer). Draftable and the Customer are each a Party and together the Parties.

This Addendum supplements the agreement between the Parties for Draftable's products and services (the Agreement). It applies where the Customer is a financial entity subject to Regulation (EU) 2022/2554 (DORA), and Draftable is acting as an ICT third-party service provider to the Customer within the meaning of DORA. In the event of any conflict between this Addendum and the Agreement, this Addendum prevails to the extent (and only to the extent) required to comply with DORA.

Critical or important functions. The Parties acknowledge that the services Draftable provides under the Agreement (document comparison and related software-as-a-service) do not, on their own, support the performance of critical or important functions of the Customer within the meaning of Article 3(22) DORA. The provisions of Article 30(3) DORA accordingly do not apply, and this Addendum is drafted to give effect to the requirements of Article 30(2) DORA. If the Customer reasonably determines that Draftable's services do support a critical or important function, the Parties will negotiate in good faith an uplift to this Addendum (a form of which is available on request).

1. Description of services and locations.

1.1 Services. The ICT services Draftable provides to the Customer and the service levels applicable to those services are as set out in the Agreement. Together with the locations identified in clause 1.2 and the subprocessor arrangements referred to in clause 1.3, this constitutes a complete description of the functions and ICT services provided for the purposes of Article 30(2)(a) DORA.

1.2 Processing locations. Draftable will provide the services and process Customer Data from data centres located in the European Union, the United States and Australia. Draftable may change processing locations from time to time, including between data centres within the same region. Draftable will give the Customer reasonable prior notice of any change that would result in Customer Data being processed in a country materially different from those listed in this clause.

1.3 Subprocessors.  Draftable's use of subprocessors, and the Customer's rights in relation to changes to subprocessors, are as set out in the Data Processing Addendum between the Parties (the DPA).

2. Data protection and security.

2.1 Customer Data. Draftable will protect the availability, authenticity, integrity and confidentiality of Customer Data in accordance with industry-standard technical and organisational measures, including those set out in the DPA. Draftable will keep those measures under regular review and update them to reflect industry standards and evolving threats.

2.2 Personal Data. To the extent Draftable processes personal data on behalf of the Customer, the DPA governs that processing. Nothing in this Addendum is intended to derogate from the DPA.

2.3 Access on insolvency. If Draftable becomes insolvent, ceases to trade or its services to the Customer otherwise terminate unexpectedly, Draftable will (subject to applicable law and to receipt of any fees properly due) maintain the Customer's access to Customer Data for a period of at least thirty (30) days from the relevant event, to allow the Customer to retrieve or export it. After that period Draftable may delete Customer Data in accordance with its standard data retention practices, unless the Customer has requested earlier deletion.

3. ICT-related Incidents.

3.1 Notification.  Draftable will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of an ICT-related incident within the meaning of Article 3(8) DORA that materially affects the services provided to the Customer. Notification will be made to the Customer's designated security contact and will include the information reasonably available to Draftable at the time, with updates as further information becomes available.

3.2 Significant cyber threats.  Draftable will inform the Customer of significant cyber threats within the meaning of Article 3(13) DORA where, in Draftable's reasonable assessment, those threats could materially affect the services provided to the Customer.

3.3 Customer's regulatory reporting.  The Customer is solely responsible for assessing whether an ICT-related incident is reportable to a competent authority and for making any such report. Draftable will provide the Customer with reasonable cooperation and information that the Customer reasonably requires to discharge its regulatory reporting obligations under DORA, at no additional charge.

3.4 Further support.  Any support beyond what is reasonably required for the Customer's regulatory reporting (including dedicated forensic services, on-site attendance or bespoke remediation) will be provided on terms to be agreed between the Parties.

4.  Information, inspection and access rights

4.1 Information.  On the Customer's reasonable written request (no more than once in any twelve (12) month period unless required by a competent authority or following a material breach by Draftable of this Addendum or the Agreement), Draftable will provide the Customer with information reasonably necessary to enable the Customer to monitor Draftable's performance under DORA. Draftable may discharge this obligation by providing summary information about its security and resilience practices, or by providing its then-current SOC 2 or ISO 27001 reports or equivalent third-party audit reports (where available).

4.2 Audit.  Where the information described in clause 4.1 is not sufficient to enable the Customer or its competent authority to discharge their respective obligations under DORA, the Customer (or its competent authority, including the European Supervisory Authorities exercising oversight powers, or auditors mandated by either of them and acceptable to Draftable, acting reasonably) may audit Draftable's compliance with this Addendum. Audits will be conducted on reasonable prior written notice (not less than thirty (30) days save in the case of a competent authority requirement or a material incident), during business hours, in a manner that minimises disruption to Draftable's business and other customers, and subject to confidentiality obligations no less protective than those in the Agreement. Auditors must not be competitors of Draftable. The Customer will bear the costs of any audit it initiates, except where the audit identifies a material breach by Draftable, in which case Draftable will bear the reasonable and documented costs.

4.3 Cooperation with competent authorities. Draftable will cooperate with the Customer's competent authorities (including, where applicable, resolution authorities) to the extent required by DORA, including by providing information and access reasonably necessary for those authorities to discharge their supervisory functions. Auditor copies and transcripts may be made only to the extent necessary for the relevant audit or supervisory purpose and must not include data or intellectual property of any other Draftable customer.

4.4 Survival.  Draftable's obligations under this clause 4 survive termination of the Agreement for a period of two (2) years.

5.  Service levels and operational resilience

5.1 Service levels.  The service levels applicable to the services are as set out in the Agreement. Draftable monitors performance against those service levels and will make summary performance information available to the Customer on reasonable request.

5.2 Business continuity.  Draftable maintains business continuity and disaster recovery arrangements appropriate to the services. Draftable tests those arrangements at least annually and will share a summary of the outcome of testing with the Customer on reasonable request.

5.3 Awareness and training.  Draftable ensures that its personnel involved in the provision of the services receive appropriate ICT security and digital operational resilience training. The Customer is not required to deliver that training, but the Parties may agree the scope and form of any joint training where that is genuinely useful.

6.  Termination and exit

6.1 Termination rights.  The termination rights in the Agreement continue to apply. In addition, the Customer may terminate the Agreement on written notice to Draftable in any of the following circumstances:

(a)  a material breach by Draftable of this Addendum or the Agreement that, if capable of remedy, has not been remedied within thirty (30) days of written notice from the Customer specifying the breach;

(b)  a material change in Draftable's circumstances (including a change of control to a competitor of the Customer or to a person subject to sanctions applicable to the Customer) that, in the Customer's reasonable assessment, is likely to materially impair Draftable's ability to perform the services in compliance with this Addendum, where the issue has not been resolved within thirty (30) days of written notice from the Customer;

(c)  a binding direction from a competent authority of the Customer requiring termination of the services or of arrangements of the kind contemplated by the Agreement; or

(d)  any other ground identified in Article 28(7) DORA.

6.2 Exit assistance.  On termination of the Agreement for any reason, Draftable will provide the Customer with reasonable assistance to enable the orderly wind-down or transition of the services, on the terms (including any applicable fees for assistance beyond standard offboarding) set out in the Agreement and the DPA.

7.  General

7.1 Term.  This Addendum takes effect on the effective date of the Agreement (or, if later, the date this Addendum is executed by both Parties) and continues for the term of the Agreement.

7.2 Interpretation.  Capitalised terms used but not defined in this Addendum have the meanings given to them in the Agreement or, if not defined there, in DORA. References to articles are references to articles of DORA.

7.3 Liability.  Draftable's liability under or in connection with this Addendum is subject to the limitations and exclusions of liability set out in the Agreement.

7.4 No third-party rights.  This Addendum does not confer any rights on any person other than the Parties, except that competent authorities of the Customer may exercise the rights expressly granted to them under clause 4 to the extent required by DORA.

7.5 Governing law.  This Addendum is governed by, and is to be construed in accordance with, the law that governs the Agreement.