DORA SUPPLEMENT FOR BUSINESS USERS

1. BACKGROUND AND PURPOSE

1.1 This Annex (“DORA Annex”) forms part of the General Terms and Conditions for Business Users (“Terms”) and governs the additional requirements resulting from Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector (“DORA”). The DORA Annex applies to Business Users covered by DORA in accordance with Section 11 of the Terms.

1.2 The information and communications technology services (“ICT Services”) that Kivra provides to the Business User are specified in the Terms and are referred to in this DORA Annex as the “Service”.

1.3 The parties agree that the Service provided by Kivra does not support “critical or important functions” for the Business User as defined in DORA. Accordingly, only the requirements of DORA Article 30.2 apply to this Annex.

1.4 Kivra applies an information security management system (ISMS) based on the principles of the ISO/IEC 27000 series. Information about Kivra's security work is provided upon reasonable request.

2. THE SERVICE AND SUB-CONTRACTORS (DORA ART. 30.2(a))

2.1 Kivra provides a service that enables the Business User to convey electronic messages and other digital items to private individuals and companies that have entered into a user agreement with Kivra for the use of a digital mailbox in accordance with what is described in the Terms.

2.2 Kivra reserves the right to engage and change subcontractors for the performance of the Service. A current list of data processing locations and essential subcontractors will be provided upon request by the Business User.

2.3 Kivra shall inform the Business User of any significant changes to subcontractors or changes in the delivery model that can reasonably be expected to affect the Business User's ICT risk. Such information shall be provided through Kivra's general customer communications or in another appropriate manner.

3. LOCATIONS OF THE SERVICE AND DATA PROCESSING (DORA ART. 30.2(b))

3.1 Kivra provides the Service using infrastructure and data storage within the EU/EEA. No data is transferred outside the EU/EEA without the Business User's express prior written consent.

3.2 Kivra shall inform the Business User of planned changes to the countries where data is processed or stored in accordance with clause 2.3 above.

4. SECURITY AND DATA PROTECTION (DORA ART. 30.2(c))

4.1 Kivra takes appropriate technical and organizational measures to ensure the availability, authenticity, integrity and confidentiality of data processed within the framework of the Service, including personal data.

4.2 In the event of any conflict between the provisions of this DORA Annex and the Data Processor Agreement, the provisions of the Data Processor Agreement shall prevail.

5. SERVICE LEVELS (DORA ART. 30.2(e))

5.1 The availability of the Service and other service levels are specified in the Terms.

6. HANDLING OF ICT-RELATED INCIDENTS (DORA ART. 30.2(f))

6.1 If an ICT-related incident occurs that affects the Service provided to the Business User, Kivra shall, without undue delay, provide assistance and relevant information to the Business User to support the Business User's own incident management and reporting obligations under DORA.

6.2 Such assistance, which may include information on the nature of the incident, root cause (if known), and measures taken or planned, shall be provided at no additional cost, unless otherwise agreed in writing by the Parties in advance.

6.3 Kivra provides ongoing information about the operational status of the Service on https://kivrastatus.se/.

7. COOPERATION WITH AUTHORITIES (DORA ART. 30.2(g))

7.1 Kivra shall, within the framework of what is reasonable, cooperate with the Business User's competent supervisory authorities and resolution authorities, including persons appointed by them, to the extent that such cooperation relates to the Service and is necessary for the Business User to be able to fulfill its regulatory obligations.

8. DATA ACCESS AND RETURN (DORA ART. 30.2(d))

8.1 Upon termination of the Terms between the Parties, for any reason, Kivra shall, at the request of the Business User, assist the Business User in securely retrieving or deleting the Business User's data held by Kivra. The data shall be capable of being returned in a standardized, machine-readable and generally usable format.

8.2 In the event of Kivra's insolvency, bankruptcy or similar proceedings, Kivra shall, to the extent permitted by mandatory law, take reasonable steps to enable the Business User to recover their data.

9. TERMINATION (DORA ART. 30.2(h))

9.1 Termination of the DORA Annex between the Parties shall be in accordance with Section 14 of the Terms.

9.2 In addition to the termination rights set out in the Terms, the Business User has the right to terminate the DORA Supplement with immediate effect if any of the following circumstances exist:

(a) Kivra materially violates applicable laws, regulations or contractual terms;

(b) circumstances are identified that are deemed to have a significant impact on the performance of the Service, including significant changes to the contractual obligations or Kivra's situation;

(c) Kivra has demonstrated deficiencies in its overall ICT risk management, particularly with regard to the availability, authenticity, integrity and confidentiality of data; or

(d) the Business User's competent supervisory authority can no longer exercise effective supervision over the Business User due to the conditions or circumstances linked to the contractual relationship between the Parties.

10. SECURITY AWARENESS (DORA ART. 30.2(i))

10.1 Given the nature of the Service (digital distribution and mailbox service), Kivra's staff are not directly involved in the Business User's ICT security program. However, Kivra conducts its own security awareness and training programs for its staff.

11. OTHER

11.1 If the nature or scope of the Service changes in such a way that, in the judgment of the Business User or Kivra, it may be classified as supporting critical or important functions under DORA, the Parties shall enter into negotiations to update this DORA Annex without undue delay.

11.2 This DORA Appendix is valid as long as the Terms between the Parties are in force and will automatically terminate when the Terms terminate.