

Last updated: July 22, 2025
PURPOSE:
THIS ADDENDUM SUPPLEMENTS THE MASTER SERVICE AGREEMENT BETWEEN LOGICMONITOR (“WE” OR “OUR”) AND “YOU”, THE CUSTOMER, AND APPLIES ONLY TO THE EXTENT THAT YOU HAVE AGREED TO OUR ONLINE TERMS AND CONDITIONS AND ARE DIRECTLY SUBJECT TO REGULATION UNDER REGULATION (EU) 2022/2554 (DORA). IF YOU ARE NOT DIRECTLY REGULATED UNDER DORA, THIS ADDENDUM DOES NOT APPLY; HOWEVER, LOGICMONITOR WILL MAKE COMMERCIALLY REASONABLE EFFORTS TO PROVIDE YOU WITH INFORMATION AND DOCUMENTATION TO ASSIST YOU IN YOUR DORA-RELATED COMPLIANCE ACTIVITIES.
- Definitions
- Adequate Assurance Mechanisms: the suite of independent third-party assessments, reports, certifications and attestations that we maintain and make available to you to demonstrate the confidentiality, integrity and availability of our ICT systems and the personal data we process; these include a SOC 2 Type II report covering security, availability, confidentiality, processing integrity and privacy of your data; an ISO/IEC 27001:2013 certification demonstrating our Information Security Management System meets international best-practice requirements; the assessments and certifications listed in Table 2 – Applicable Third-Party Audits; and any additional industry-accepted frameworks or certifications we deem equivalent under Article 28(5) of Regulation (EU) 2022/2554 (DORA), aligned with the proportionality principle of the European Banking Authority (EBA) Guidelines on ICT and Security Risk Management (EBA/GL/2019/02 § 5.3).
- Availability Zones (AZs): a data center, or group of data centers, designed so that a failure in one AZ will not cause a failure in another.
- Critical ICT Third-Party Service Provider (CTPP): an ICT service provider deemed critical by the European Supervisory Authorities under DORA.
- Critical Subcontracting: Any arrangement whereby an ICT third-party service provider further subcontracts ICT services that support critical or important functions, or material parts thereof, of a financial entity it serves. Such subcontracting triggers the enhanced due-diligence, risk-assessment and contractual requirements set out in Article 30(2)(a) of Regulation (EU) 2022/2554 (DORA) and the related Commission Delegated Regulation on ICT subcontracting rules. These are services whose disruption could impair the security or continuity of the financial entity’s operations.
- DORA: the EU’s Digital Operational Resilience Act (Regulation (EU) 2022/2554), establishing a comprehensive resilience framework for the financial sector.
- DORA Audit or DORA Inspection: an audit or inspection conducted by competent authorities under DORA.
- Exit Plan or Orderly Exit Window: the action plan we’ll follow to ensure you can transition services under realistic, feasible scenarios.
- ICT: information and communication technologies.
- ICT Risk: any risk that may negatively impact the confidentiality, integrity, availability, or continuity of our ICT systems and the Services.
- Reportable Incident (or Incident): an event that meets the criteria for reporting under DORA, based on impact to critical functions and affected clients.
- Recovery Point Objective (RPO): the maximum amount of data loss (measured in time) incurred in the event of a disaster, as specified in the Security Practices.
- Recovery Time Objective (RTO): the maximum amount of time to restore Services after an incident, as specified in the Security Practices.
- Resiliency Objectives: the combined targets for RPO and RTO as specified in the Security Practices.
- Restricted Data: as defined in the Agreement.
- Third-Party Audit: an audit by a reputable independent firm to assess our controls and processes.
- Security Practices: the comprehensive set of security controls, policies, procedures, and processes that LogicMonitor maintains and publishes at https://www.logicmonitor.com/security-practices, or as otherwise specified in the applicable Agreement.
- Services: the products and services we provide to you under the Agreement.
- DORA Compliance
- We commit to complying with the relevant provisions of DORA, including:
- Risk Management. We will maintain a risk-management framework to identify, assess, manage, and monitor ICT risks, and to review the effectiveness of our risk-mitigation measures.
- Incident Reporting. We will promptly notify you of any reportable incident, investigate its cause, and help remediate the issue as described in the Security Practices.
- Business Continuity. We will maintain a comprehensive business-continuity plan, including disaster-recovery testing, as described in the Security Practices.
- Testing. We will conduct regular testing of our ICT systems and processes. See Table 1 – Testing Methods below.
- Information Sharing. We will reasonably cooperate with you and share information necessary for your DORA compliance.
- Exit Plan. At no additional charge, upon termination of our Agreement, we will provide you with an orderly exit plan, which includes a defined exit window following termination that you may use to export or download your data for transition to another platform. LogicMonitor may, at its discretion, provide reasonable assistance to facilitate this process, but will not be required to transfer your data directly into a competitor’s product or system.
- Subcontracting. We will not materially outsource or modify any Critical Subcontracting for any portion of the Services without written notice and appropriate safeguards (as required by our Data-Processing Agreement). For clarity, we may engage third-party subprocessors to deliver the Services. For purposes of DORA, Amazon Web Services (“AWS”) is the only critical ICT subcontractor under this Agreement. All other subprocessors listed in the LogicMonitor Data Handling Supplement (https://www.logicmonitor.com/data-handling-supplement) are not deemed critical subcontractors under DORA and instead remain subject only to the restrictions and requirements (if any) set forth in the applicable Data Processing Addendum. We will provide you with reasonable advance written notice if we intend to add or replace AWS as our critical subcontractor.
- Regulator-Directed Termination. If a competent authority explicitly directs termination under DORA, we will comply and refund you any unused fees on a prorated basis.
- ICT Third-Party Service Provider Monitoring. We will monitor our critical ICT third-party providers and notify you of any events that may impact our Services beyond the measures above.
- Ongoing Performance Updates. If required by a competent authority, we will provide ongoing performance updates through our reporting and technical-oversight processes.
Table 1 – Testing Methods
The table below outlines our primary testing methodologies designed to assess system weaknesses, validate the effectiveness of our security controls, and ensure timely remediation of any identified vulnerabilities. Each method supports our overarching objectives of maintaining operational resilience, protecting data integrity, and delivering reliable service. We continuously review and adjust the scope, cadence, and providers of these tests to keep pace with evolving threats, technology advancements, and regulatory guidance. You will receive reasonable advance notice of any significant changes to our testing approach.
| Method / Type | Description |
|---|---|
| Penetration testing | Annual penetration testing is conducted by a reputable third-party firm. |
| Application Security Testing | Ongoing application security testing and scanning will be conducted on a documented cadence, with validated defects classified by severity. |
| Infrastructure scanning / testing | Ongoing infrastructure vulnerability scanning will be conducted on a documented cadence, and reports will be generated and documented. |
Table 2 – Applicable Third-Party Audits
Below is a summary of the third-party audits and certifications we maintain to provide you with independent assurance over our information-security, privacy, and operational controls. From time to time, these audits may be subject to reasonable updates, adjustments, or revisions to reflect changes in standards or our control environment. We will give you reasonable advance written notice of any material changes, and may substitute any audit listed below with an equivalent third-party audit covering the same subject matter.
| Certification / Audit | Description |
|---|---|
| AICPA SOC 2 Type 2 | Conducted annually by a third party; report available upon request or via our Trust Center. |
| ISO/IEC 27001:2013 | Confirms our information-security management system meets international standards. |
| ISO/IEC 27017:2015 | Validates our security controls specific to cloud services. |
| ISO/IEC 27018:2014 | Demonstrates our commitment to protecting personal data in cloud environments. |

| Out of Scope Audit | Details |
|---|---|
| PCI DSS | Not applicable. Our Services do not process any payment-card transactions or maintain covered accounts. |
| Covered Account Audit | Not applicable. Our Services do not process transactions on behalf of a bank or handle payment information. |
Table 3 – Availability Features
The table below describes core features we’ve implemented that are designed to ensure availability, fault tolerance, and data protection across our platform. These mechanisms are intended to work together to minimize downtime, safeguard against data loss, and maintain service continuity in the event of infrastructure failures or unexpected disruptions. We regularly evaluate these features with respect to industry practices and evolving requirements—and we’ll provide you with advance notice of any material changes.
| Feature | Description |
|---|---|
| Data Redundancy | We maintain multiple copies of your data to minimize the risk of data loss. |
| Multi-AZ Deployment | We deploy our platform across multiple AZs within Amazon Web Services (AWS). |
| Fault Tolerance & Scalability | We adjust capacity and distribute workloads across AZs to maintain optimal performance and availability. |
| Geographic Dispersion | We use AZs that are physically separated to reduce localized disruption risk. |
- Sensible Coordination & Alternate Assurance Mechanisms
- Non-Critical Provider Classification. The LogicMonitor Envision Platform is generally not classified as a critical ICT third-party service provider under DORA or the EBA’s ICT and Security Risk-Management Guidelines, because LogicMonitor delivers monitoring and observability services rather than directly executing or processing customer transactions or other core business functions. Our platform provides oversight and visibility without handling transactional data itself.
- Alternative Assurance Mechanisms. We will maintain certifications and reports from recognized frameworks to meet your assurance requirements under DORA, including:
- SOC 2 Type II
- ISO/IEC 27001 (Information Security)
- These certifications together constitute our alternate assurance package, unless an exception is expressly noted.
- Targeted Audit Access (Material Exceptions). If we identify a material exception, you may request a targeted audit that will:
- Occur no more than once every 24 months;
- Be conducted by an accredited, independent third party bound by confidentiality; and
- Be limited to controls materially relevant to the Services we provide to you.
- Coordination & Disruption Minimization. Any audit will be coordinated to avoid unnecessary disruption and limited to information or systems directly relevant to your Services.
- No Surprise Access or On-Site Inspection. We will not allow unannounced access or inspections, except as required by law and solely to the extent necessary to comply with such order.
- Security Governance & Frameworks
- Security Practices. We will maintain the security controls described on our Security Practices page (https://www.logicmonitor.com/security-practices) or, where different, those set forth in the applicable Agreement. These controls are designed to cover network and infrastructure security, application security, access management, encryption, monitoring, incident response, and vulnerability management. We continuously update and enhance these measures in line with industry practices, regulatory requirements, and evolving threats, and will notify you of any material changes to our published security practices or those specified in your Agreement.
- Strategic Governance. We align our security-governance program with business needs, which is designed to provide coordination and visibility into our risk register and management processes.
- Documentation. We maintain documented risk-management policies, procedures, and controls, and make them reasonably available, as necessary, to help you meet your DORA obligations.
- Contractual Embedding. Our risk-management and security-governance commitments are embedded in the Agreement, supported by written policies and periodic audits.
- Code of Conduct. We maintain the following codes of conduct and update them as needed:
- Contractual Obligations
- We will implement measures designed to:
- Maintain the security and privacy of your data;
- Comply with all applicable legal and regulatory requirements of DORA;
- Maintain appropriate technical and organizational security measures;
- Promptly report any reportable incidents to you;
- Use commercially reasonable efforts to continue all of our current assurance activities, as shown above.