Financial Services Industry Addendum (DORA)
Last updated: Feb 12, 2026, 12:00 AM
This Digital Operational Resilience Act Addendum (“DORA Addendum”) applies only to Customers that (i) are financial entities (or otherwise fall within the scope of) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”), and (ii) are established in the European Economic Area (“EEA”) (each, an “FSI”). This DORA Addendum is intended to address the requirements applicable to Kali AI as an ICT third-party service provider under DORA.
To the extent applicable, this DORA Addendum forms part of the Master Service Agreement (“Agreement”) and governs the information and communication technology services procured by Customer under the Agreement (“ICT Services”). If there is any conflict or inconsistency between this DORA Addendum and the Agreement, this DORA Addendum will prevail solely to the extent required to comply with DORA; in all other respects, the Agreement will prevail.
1. DEFINITIONS
Capitalized terms used but not defined in this DORA Addendum will have the meanings set out in (i) DORA, or (ii) the Agreement (including, as applicable, the Service Level Agreement (“SLA”) and the Data Protection Agreement (“DPA”)).
The following definitions apply in this DORA Addendum:
1.1. “Financial Services” means financial services and activities including, without limitation, banking, lending, insurance, payment services, investment services (including brokerage and dealing), trading (including securities and derivatives), operation of trading venues and exchanges, issuance of electronic money, and other services involving the investment, lending, trading, custody, or management of money and financial assets.
1.2. “ICT-related Incident” means a single event or a series of linked events, unplanned by Customer, that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on the ICT Services or other services provided by Customer.
1.3. “Regulator(s)” means any competent authority, resolution authority, or other supervisory or regulatory authority with legally binding jurisdiction over Customer and/or, as applicable, Kali AI in its capacity as provider of the ICT Services.
1.4. “Service Levels” means the service levels detailed in the SLA.
1.5. “Sub-processor” means any third party engaged by Kali AI to Process Customer Data, as listed at: https://kali-ai.com/trust/subprocessors.
2. SCOPE OF ICT SERVICES
2.1. Kali AI provides a cloud-based platform that offers tools to deploy, design, orchestrate, manage, and monitor automated generative AI solutions (including conversational and agentic AI), as further described in the Agreement and the applicable Order Form.
2.2. Customer shall notify Kali AI in writing if Customer determines that the ICT Services support a critical or important function for purposes of Article 30(3) of DORA. If Customer does not provide such written notice, the ICT Services will be treated as not supporting a critical or important function solely for purposes of applying any provisions of this DORA Addendum that are expressly limited to ICT services supporting critical or important functions.
2.3. Customer acknowledges and agrees that responsibility for compliance with DORA remains with Customer. Kali AI's obligations under this DORA Addendum are intended to support Customer's DORA compliance with respect to the ICT Services and do not replace or diminish Customer's obligations under DORA.
2.4. The locations where the ICT Services are provided, including where Customer Data is Processed or stored, are described in the Sub-processor list at: https://kali-ai.com/trust/subprocessors. Kali AI will provide prior notice through the Account if Kali AI makes any material change to such locations.
3. SUBCONTRACTING
3.1. Customer acknowledges and agrees that Kali AI may subcontract the performance of all or any part of its obligations under the Agreement (including the provision of the ICT Services) to its Affiliates, Sub-processors and other third-party subcontractors (collectively, “Subcontractors”), provided that Kali AI complies with the requirements set out in this Section 3.
3.1.1. Prior to appointing a Subcontractor that will provide or support the ICT Services and/or have access to, Process, or store Customer Data, Kali AI will perform reasonable due diligence, including on such Subcontractors' security standards, to ensure compliance with Kali AI's standards for data security. Such diligence may include review of relevant risk assessments, audit reports or certifications, and physical, technical, organizational, and administrative controls.
3.1.2. Kali AI will review its Sub-processors on an annual basis.
3.1.3. Where reasonably practicable, Kali AI will include in its agreements with relevant Subcontractors provisions that are no less protective than those applicable to Kali AI under the Agreement and this DORA Addendum in respect of the ICT Services. Such provisions will include, where reasonably practicable, rights to obtain information and assurance (including audit or inspection rights) sufficient to enable Customer and/or its Regulators to meet applicable requirements under DORA, including in connection with an ICT-related Incident.
3.2. Kali AI shall remain fully responsible for the acts and omissions of its Subcontractors.
3.3. A list of Subcontractors is available at all times at: https://kali-ai.com/trust/subprocessors. Kali AI will notify Customer of material changes to subcontracting arrangements affecting Customer Data. If Customer reasonably determines that such change materially increases risk to Customer, Customer may object to such changes in writing within thirty (30) days after notice. In the absence of an objection within such period, Customer is deemed to have accepted such change.
3.4. Except as expressly set out in this Section 3.3 or as required under DORA, Customer acknowledges that Kali AI is not obligated to provide Customer with general veto rights over Kali AI's subcontracting decisions.
4. SECURITY AND CUSTOMER DATA
4.1. Kali AI shall implement and maintain appropriate technical and organizational measures designed to ensure the availability, authenticity, integrity, and confidentiality of Customer Data, as further described (and updated from time to time) at: https://kali-ai.com/trust/controls#internal-security-procedures.
4.2. To the extent Customer Data includes Personal Data, such Personal Data will be Processed in accordance with the DPA: /legal/dpa.
4.3. During the Term, Customer shall be entitled to access and retrieve Customer Data in accordance with the Agreement and the Documentation. In the event of (i) insolvency, resolution, or discontinuation of Kali AI's business operations, or (ii) termination or expiry of the Agreement or the applicable ICT Services, Kali AI shall, during the Transition Period (as defined in the Agreement), ensure that Customer can access, recover, and receive a return of Customer Data in a commonly used and easily accessible format.
4.4. Kali AI maintains ICT security awareness programs and digital operational resilience training for its personnel involved in the provision of the ICT Services. Kali AI places a strong emphasis on security awareness and training for all employees, recognizing the importance of understanding their information security responsibilities. A mandatory annual security awareness training program is in place for all employees. This training covers critical areas such as common security risks and threats, compliance with regulations, data protection and customer privacy, and awareness of social engineering tactics, including fraud and phishing.
4.5. Kali AI will not be required to participate in Customer's internal security training or awareness programs, provided that Kali AI supplies information reasonably necessary to demonstrate that Kali AI's internal training program sufficiently addresses the security awareness objectives relevant to the ICT Services. If Kali AI is unable to provide such information or if the parties reasonably determine that material gaps remain, Kali AI will use commercially reasonable efforts to participate in Customer's relevant training initiatives, provided that Customer makes such training available to Kali AI at no charge.
5. ICT INCIDENT MANAGEMENT
5.1. Kali AI shall notify Customer without undue delay after becoming aware of an ICT-related Incident that materially impacts the ICT Services. Such notice will include, to the extent reasonably available at the time, a description of the ICT-related Incident, the ICT Services affected, the likely impact, and the mitigation and remediation steps taken or planned.
5.2. Kali AI shall provide Customer with reasonable assistance in connection with any ICT-related Incident that (i) relates to the ICT Services, and (ii) is caused by Kali AI's act or omission.
5.3. An ICT-related Incident will not be deemed attributable to Kali AI to the extent it is caused by (i) Customer's failure to maintain appropriate security arrangements; (ii) Customer's failure to comply with minimum system requirements notified by Kali AI; or (iii) Customer's use of the ICT Services other than in accordance with the Agreement, the Documentation, or Kali AI's written instructions. Kali AI may provide support and assistance with respect to such incidents at its sole discretion.
6. REGULATOR AND CUSTOMER AUDIT AND MONITORING RIGHTS
6.1. Kali AI shall reasonably cooperate with Regulators and any representative appointed by them in matters related to Kali AI's obligations under this DORA Addendum, to the extent required by applicable laws and subject to the confidentiality provisions in the Agreement.
6.2. In the event a Regulator initiates an information request to Kali AI regarding the ICT Services provided to Customer, Kali AI shall reasonably cooperate with such request to the extent required for the Regulator's assessment of compliance with DORA, provided that Customer provides Kali AI with reasonable prior written notice of such request to the extent permitted by applicable law.
6.3. Customer acknowledges and agrees that, due to the rights of Kali AI's customers, Kali AI cannot provide Customer or any Regulator with unrestricted rights of access, inspection, and audit, or the right to take copies of documents, as contemplated by Article 30(3)(e) of DORA. Accordingly, pursuant to Article 30(3)(e)(ii) of DORA, the Parties agree to the following alternative assurance measures:
6.3.1. Third-Party Certifications and Audit Reports - Subject to confidentiality obligations, Kali AI agrees, upon Customer's written request (and no more than once per calendar year), to provide copies of relevant third-party certifications maintained by Kali AI, including ISO 27001, SOC 2, and other applicable compliance certifications, or copies of third-party or internal audit reports covering the systems and key controls relating to the ICT Services.
6.3.2. Compliance Questionnaires - Kali AI shall provide written responses, on a confidential basis, to reasonable requests for information made by Customer, including responses to information security and audit questionnaires, in each case as reasonably required to confirm Kali AI's compliance with the Agreement.
6.3.3. Customer agrees to rely on third-party certifications, third-party or internal audit reports, and compliance questionnaires made available by Kali AI to the extent permitted under DORA. Only where such information and documentation does not evidence that Kali AI complies with its contractual obligations under this DORA Addendum may Customer request an onsite inspection or audit.
6.4. If Customer, notwithstanding the foregoing, requires an on-site audit to comply with DORA requirements or a Regulator's binding request, such audit shall be subject to the following conditions:
6.4.1. Customer shall submit a detailed audit plan at least ninety (90) days in advance of the proposed audit date to Kali AI, describing the scope, duration, and start date of the audit. Kali AI will review the audit plan and provide Customer with any concerns or questions, including to ensure the security, privacy, employment, and other relevant rights of Kali AI (including its digital assets, platform, Services, and customers).
6.4.2. The audit shall be limited to once per year, unless otherwise required by applicable law.
6.4.3. If the requested audit scope is addressed in a similar audit report or certification within the prior twelve (12) months and Kali AI confirms that there have been no material changes in the audited controls, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by such report.
6.4.4. The audit must be conducted during regular business hours at the applicable facility and may not interfere with Kali AI's business activities or Kali AI's confidentiality obligations to other customers. Where other customers' rights may be affected, Kali AI may require alternative assurance measures, including pooled audits.
6.4.5. The auditor conducting the audit on Customer's behalf must not be a competitor of Kali AI or associated with a competitor, and such third party is subject to Kali AI's prior written approval. The auditor must execute a written confidentiality agreement before conducting the audit. Customer may use the audit reports only for the purpose of meeting the regulatory requirement that gave rise to the audit. The audit reports and any other materials, documents, communications, or information relating to the audit are Kali AI's Confidential Information.
6.4.6. Customer will provide Kali AI with a copy of any audit reports generated in connection with any audit, unless prohibited by applicable law.
6.5. All audits shall be at Customer's sole expense. Any request for Kali AI to provide assistance with an audit shall be considered a separate service, and Kali AI reserves the right to charge Customer additional fees.
7. RESILIENCE TESTING, BCP AND DISASTER RECOVERY PLAN
7.1. Kali AI confirms that it regularly tests its resilience measures, including penetration testing, vulnerability assessments, and other controls, in accordance with industry standards and best practices.
7.2. Kali AI maintains and regularly tests business contingency plans (“BCP”) to ensure continuity, as further detailed in the Information Security Policy available at https://kali-ai.com/trust.
7.3. As Threat-Led Penetration Testing (“TLPT”) may have an adverse impact on the quality or security of the services that Kali AI provides to its other customers, Kali AI reserves the right to engage an external tester to perform pooled testing in accordance with Article 26(4) of DORA, rather than participate in Customer-led individual TLPT.
7.4. Kali AI also implements robust vulnerability management, conducting regular internal scans and quarterly production network scans, and ensuring timely remediation of high-risk vulnerabilities, including in source code as part of the SDLC. High or Critical issues are investigated and addressed in accordance with Kali AI's SDLC process or by any necessary means. Following remediation, a re-test is performed to verify that the relevant issues have been resolved.
7.5. Quarterly external network scans of the Services are conducted, and monthly vulnerability tests are conducted. Response times for known vulnerabilities are as follows: critical (as soon as possible and no later than one (1) week from identification), high (no later than one (1) month from identification), medium (no later than three (3) months from identification), and low (no later than three (3) months from identification).
7.6. Kali AI maintains backup policies and associated measures. Such backup policies include continuous monitoring of operational parameters relevant to backup operations. The servers also include an automated backup procedure. Kali AI maintains disaster recovery plans to restore customer-facing cloud products. Disaster recovery plans define Recovery Time Objectives (“RTO”) and Recovery Point Objectives (“RPO”) for the Services.
- RTO for Customer Data: 12 hours
- RPO for Customer Data: 1 day
8. TERMINATION RIGHTS, EXIT PLANS
8.1. In addition to the termination provisions in the Agreement, Customer may terminate the Agreement by providing at least thirty (30) days' prior written notice if: (i) a Regulator requires termination; (ii) there is a material change to the ICT Services such that they no longer comply with laws applicable to Customer as a regulated FSI; (iii) Customer demonstrates that there are weaknesses in the management or security of Customer Data or information, and such weaknesses are not cured within thirty (30) days after Customer provides Kali AI with notice; or (iv) a Subcontractor is replaced, despite Customer’s objection to such Subcontractor.
8.2. Prior to exercising any termination right, Customer shall provide Kali AI with documented evidence supporting the basis for termination (such as a copy of an internal risk assessment or a communication from a Regulator).
8.3. Customer shall pay Kali AI all fees and charges payable in respect of the provision of the ICT Services for the period up to and including the date of termination, including any outstanding fees on orders committed. Termination of the ICT Services under this Section shall not entitle Customer to any refund of prepaid fees, and Customer shall remain liable for all fees otherwise due under the applicable Order Form or the Agreement.
8.4. Customer acknowledges and agrees that, given the nature of the ICT Services, it is unlikely that extensive transition or exit assistance services will be required upon termination or expiry of the Agreement.
8.5. If Customer requires transition or exit assistance services upon termination or expiry of the Agreement, Kali AI agrees to provide such services, provided that the scope, duration, and nature of the services are commercially reasonable, are agreed in writing by the parties, and that Customer pays for such services in addition to the then-current Subscription fees. Customer is responsible for developing its own plan for the orderly transition from, and exit from, the ICT Services by leveraging available capabilities and features of the ICT Services.
9. MISCELLANEOUS
9.1. If any provision of this DORA Addendum is held or declared invalid, unlawful, or unenforceable by a competent authority or court, the remainder of this DORA Addendum shall remain in full force and effect.
9.2. Instructions, notices, and other communications under this DORA Addendum shall be made in accordance with the notice provisions of the Agreement.
9.3. Kali AI may update this DORA Addendum from time to time by publishing an updated version (including by posting it to Kali AI's website or through the Account). Unless otherwise stated by Kali AI, updates will become effective ten (10) days after publication. Notwithstanding the foregoing, if Kali AI makes a material revision to this DORA Addendum, Kali AI will provide Customer with notice (including via email or through Customer’s Account), and such revision will become effective thirty (30) days after such notice.
9.4. This DORA Addendum shall remain in effect for as long as the Agreement and an Order Form remain in effect and Customer is subject to DORA or is an FSI, and shall automatically terminate upon the earlier of: (i) the expiry or termination of the Agreement or the applicable Order Form; or (ii) the date on which Customer is no longer subject to DORA. However, the remaining provisions of this DORA Addendum shall continue in full force and effect unless otherwise agreed by the Parties.
9.5. Unless specifically agreed otherwise in writing, Kali AI may charge reasonable fees for activities undertaken in fulfillment of its obligations under this DORA Addendum that are in addition to the services already contracted under the Agreement.
9.6. This DORA Addendum is governed by the law and jurisdiction provisions of the Agreement, except to the extent otherwise required by applicable laws and regulations administered by a Regulator with binding authority to regulate, supervise, or govern Customer's financial services activities under DORA, including resolution authorities of regulated entities.