DORA Regulatory Requirements Annex

This DORA Regulatory Requirements Annex (“Annex”) describes SonarSource’s commitments applicable to compliance with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (“DORA”).

The Annex is incorporated into the Agreement between SonarSource and Customer. All capitalized terms used in the Annex but not otherwise defined have the meanings given to them in the Agreement and, if applicable, in the accompanying SonarSource Data Processing Addendum (“DPA”).

1. Definitions

  1. “Agreement” means the SonarSource Primary Customer Agreement set forth at sonarsource.com/legal/primary-agreement/ or other agreement between Customer and SonarSource governing Customer’s use of Sonar Products.
  2. “competent authority” means the national authority designated by each EU Member State to supervise financial entities governed by DORA and to ensure their compliance with DORA.
  3. “Customer” means the financial entity that is subject to DORA and that has accepted the Agreement.
  4. “data” means any of Customer’s information, in electronic form, that is uploaded to, or processed as part of, the Products, and includes both Customer Personal Data and non-personal data. For clarity, “data” excludes Results and Usage Data.
  5. “ICT-related incident” has the meaning given to that term in DORA.

2. Information and System Security Requirements

  1. SonarSource’s obligations with regard to information and system security and protection of data are set out in the Agreement and, if applicable, the DPA.
  2. SonarSource has a security awareness program that includes security awareness and digital operational resilience training for relevant personnel on an annual basis. Within 30 days of receiving a written request from Customer, SonarSource will provide evidence demonstrating its completion of required training.
  3. SonarSource shall adhere to and comply with appropriate information security standards customary from professional services providers within SonarSource’s field of business (software inspection tools for code quality or security management). SonarSource shall maintain ISO27001 certification and/or AICPA SOC 2 attestation for the term of the Agreement. On Customer’s written request (which shall not be made more than once every 12 months), SonarSource shall provide evidence of SonarSource’s compliance with such information security standards (e.g., by providing a summary of its most recent independent certification or attestation reports).

3. Support and Assistance

When an ICT-related incident related to the Products provided to the Customer occurs, SonarSource shall provide assistance to the Customer consistent with SonarSource’s standard support offering, at no additional cost, unless specific compensation has been agreed between the Parties.

4. Locations

  1. Agreed Locations. SonarSource provides support services (where Customer is eligible) from one or more of its office locations. The locations of storage and processing activities for Customer data are set forth at sonarsource.com/legal/sub-processors/; except that where the DPA applies, such storage and processing activities shall be as set forth in the DPA (collectively, the locations of storage and processing activities for Customer data and the office locations from which the support services are provided, the “Agreed Locations”).
  2. Change in Locations. SonarSource may propose changes to the Agreed Locations by providing written notice thereof to Customer or Customer’s authorized contact (as applicable), and Customer will have 14 days to object to such changes on reasonable grounds. The Trust Center, available at sonarsource.com/trust-center/, provides the option for Customer to subscribe to notifications of any such Agreed Locations changes. Where the Parties cannot solve the matter in good faith discussions within 30 days from the Customer’s objection, Customer may, as its sole and exclusive remedy, terminate the Agreement in accordance with the Agreement’s terms. During the abovementioned notice period and any agreed termination assistance period, SonarSource shall provide the Products from, and shall store and process the data in, the Agreed Locations.

5. Data Access

SonarSource shall assist Customer by providing it access to and assistance with the recovery and return of its data in the event of (i) insolvency, (ii) liquidation, (iii) cessation of business activities (each in relation to SonarSource), and (iv) termination of the contractual relationship between Customer and SonarSource. Such access, recovery and return shall be provided by means of a technical standard and machine-readable format chosen by SonarSource, conforming to industry standards.

6. Data Treatment

The requirements and measures on (i) availability, (ii) authenticity, (iii) integrity, and (iv) confidentiality in relation to the protection of data are contained in the Agreement and, if applicable, the DPA. Notwithstanding anything else contained in this Annex, to the extent the DPA is applicable, in the event of a conflict between the terms of this Annex and the provisions of the DPA, the DPA shall prevail.

7. Cooperation with Authorities

SonarSource understands that competent authorities and resolution authorities of Customer (together, the “Supervisory Authorities”) supervise the Customer. SonarSource shall fully cooperate with the Supervisory Authorities and any persons designated by them as required.

8. Termination of the Agreement

Without limiting the Parties’ termination rights and related notice periods agreed to in the Agreement, a breach of any of the scenarios envisaged by Article 28(7) of DORA shall be deemed to constitute a material breach under the Agreement.

9. Miscellaneous

Except as supplemented or modified by this Annex, the Agreement remains in full force and effect. Subject to Section 6 (Data Treatment), in the event of any conflict between this Annex and the Agreement, this Annex will control with respect to DORA.

© 2025 SonarSource Sàrl. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD and CLEAN AS YOU CODE are trademarks of SonarSource Sàrl.