The agreement governing your use of the DORA GRC platform.
In these Terms of Service ("Terms"), the following definitions apply:
These Terms govern your access to and use of the DORA GRC Platform. By subscribing to or using the Platform, you confirm that you have the authority to bind your organisation to these Terms and that you accept them in full.
These Terms, together with our Privacy Policy and Data Processing Agreement, constitute the entire agreement between us regarding the Platform.
If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind that entity. If you do not have such authority, you must not accept these Terms.
The Platform is offered in three tiers:
Upon subscription, we will provision a dedicated tenant environment for the Customer. We will create an initial administrator account with the credentials communicated securely to the Customer. The Customer is responsible for all activity under its accounts.
The Customer is responsible for managing Authorised Users and their roles (admin, analyst, viewer). The Customer must promptly remove access for any person who should no longer have access to the Platform.
Fees for the Platform are as set out on our pricing page or in a separate order form / invoice. All prices are in euros (EUR) and exclude applicable taxes unless stated otherwise.
Fees are payable in advance, monthly or annually as agreed. Payment is due within 14 days of invoice date. We may charge interest at the rate of 1.5% per month on overdue amounts, or the maximum rate permitted by law, whichever is lower.
We may adjust pricing by giving at least 60 days' written notice before the start of a new Subscription Period. The revised pricing will apply from the next renewal. If you do not accept the new pricing, you may terminate your Subscription at the end of the current period.
The Customer is responsible for all applicable taxes, duties, and levies (including VAT) arising from the use of the Platform, except for taxes on our net income.
You own your data. All Customer Data remains the exclusive property of the Customer. We claim no ownership rights over Customer Data. We will not use Customer Data for any purpose other than providing and improving the Platform as agreed.
We process Customer Data solely as a data processor on your behalf, in accordance with GDPR and our Data Processing Agreement. We will not sell, rent, or share Customer Data with third parties, except as required to provide the Platform or as required by law.
All Customer Data is stored within the European Union (Cloudflare EU infrastructure). We do not transfer Customer Data outside the EU/EEA except where necessary to provide the Platform and subject to appropriate safeguards (Standard Contractual Clauses).
We maintain automated backups of Customer Data. In the event of data loss, we will use commercially reasonable efforts to restore Customer Data from the most recent backup. Backup frequency and retention are described in our documentation.
We target 99.9% monthly uptime for the Platform, measured as the percentage of minutes in a calendar month during which the Platform is operational and accessible. Scheduled maintenance windows (communicated at least 48 hours in advance) are excluded from uptime calculations.
We monitor Platform availability using third-party uptime monitoring. Current status is available at our status page.
If monthly uptime falls below 99.9%, Enterprise customers are eligible for service credits as follows:
Credits must be requested in writing within 30 days of the incident. Credits are applied to future invoices and do not exceed the monthly fee for the affected period.
We implement and maintain appropriate technical and organisational measures to protect Customer Data, including:
For full details, see our Security Overview.
The Customer may use the Platform for its internal compliance management purposes, including managing DORA, EU CRA, and EU AI Act obligations, subject to the selected Subscription tier and these Terms.
The Customer shall not:
The Platform, including its software, design, documentation, and all related intellectual property, remains the exclusive property of DORA GRC. These Terms grant the Customer a limited, non-exclusive, non-transferable licence to use the Platform during the Subscription Period.
The Customer retains all intellectual property rights in Customer Data. The Customer grants us a limited licence to process Customer Data solely for the purpose of providing the Platform.
Each party agrees to keep confidential any information designated as confidential by the other party, or which a reasonable person would consider confidential given the nature of the information and circumstances of disclosure. This obligation does not apply to information that:
This confidentiality obligation survives termination of these Terms for a period of three (3) years.
To the maximum extent permitted by applicable law, the total aggregate liability of either party arising out of or in connection with these Terms shall not exceed the total fees paid or payable by the Customer in the twelve (12) months preceding the event giving rise to the claim.
Neither party shall be liable for indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business opportunity, or goodwill, even if advised of the possibility of such damages.
The limitations in sections 11.1 and 11.2 do not apply to: (a) a party's breach of confidentiality obligations; (b) a party's indemnification obligations; (c) liability arising from wilful misconduct or gross negligence; or (d) liability that cannot be limited by applicable law.
We will defend and indemnify the Customer against any third-party claim alleging that the Platform infringes the intellectual property rights of a third party, provided the Customer: (a) promptly notifies us in writing; (b) grants us sole control of the defence; and (c) provides reasonable cooperation at our expense.
This indemnification does not apply to claims arising from: (a) modifications to the Platform not authorised by us; (b) use of the Platform in combination with non-approved third-party software; or (c) Customer Data.
The initial Subscription Period begins on the date the Customer's tenant is provisioned and continues for the duration specified in the order or invoice. Subscriptions renew automatically for successive periods of the same length unless either party gives written notice of non-renewal at least 30 days before the end of the current period.
Either party may terminate these Terms immediately by written notice if the other party: (a) commits a material breach that is not cured within 30 days of written notice; or (b) becomes insolvent, enters liquidation, or ceases to carry on business.
Upon termination: (a) all licences granted under these Terms immediately cease; (b) the Customer must stop using the Platform; and (c) we will make Customer Data available for export as described in Section 14.
Upon request following termination or non-renewal, we will provide the Customer with a complete export of all Customer Data in standard machine-readable formats (JSON, CSV). This export will be available for a period of 30 days after the effective date of termination.
After the 30-day export window, we will securely delete all Customer Data from our systems and active backups within 90 days, unless retention is required by applicable law or regulation (e.g., audit trail retention under DORA).
This commitment to data portability is consistent with DORA Article 28(8), which requires financial entities to maintain exit strategies for critical ICT third-party service providers.
We may update these Terms from time to time. Material changes will be communicated at least 30 days in advance via email to the Customer's registered administrator account. Continued use of the Platform after the effective date of the changes constitutes acceptance of the updated Terms.
If a material change adversely affects the Customer, the Customer may terminate the Subscription within 30 days of receiving notice of the change, without penalty.
These Terms are governed by and construed in accordance with the laws of Norway, without regard to conflict of law principles.
Any dispute arising out of or in connection with these Terms shall first be attempted to be resolved through good-faith negotiation. If the dispute cannot be resolved within 30 days, it shall be submitted to the exclusive jurisdiction of the courts of Oslo, Norway.
If you have questions about these Terms, please contact us:
Note: These Terms should be reviewed by your legal team before acceptance. For a Data Processing Agreement tailored to GDPR requirements, see our DPA.