DORA Addendum

Capitalized terms that are used but not defined in this DORA Addendum have the meanings given to them in the Agreement.

“Agreement” means the Main Services Agreement or other agreement between Customer and Amplitude which governs Customer’s use of the Amplitude Services and Customer’s Order Form(s).

“DORA” means Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.

“Financial Entity” means an entity captured by Art. 2(2) DORA and which is not excluded from the scope of DORA by Art. 2(3) or 2(4) DORA, for so long as such an entity remains subject to DORA.

“ICT Incident” has the meaning given to “ICT-related Incident” in DORA.

“ICT Service” has the meaning given in DORA.

“Personal Data” or “Personal Information” have the meaning set out in the Data Processing Addendum between the parties.

“Regulator” means a government, regulatory body, or competent authority with binding authority to regulate Customer’s activities as a Financial Entity, or resolution authority with respect to the Customer.

The Parties hereby agree that the provisioning of Amplitude Services is subject to the following key contractual provisions as set forth in Article 30(2) of DORA (Key Contractual Provisions). The Parties further agree that Amplitude Services do not constitute an ICT service supporting critical or important functions within the meaning of DORA and are not subject to the contractual obligations set forth in Article 30(3) of DORA.

A. Description of all functions and ICT services – Art. 30(2)(a). All functions and services are described and set forth in the applicable Agreement.

B. Service Location – Art. 30(2)(b). The locations where Amplitude Services, the Amplitude subprocessor functions and location of the ICT services are set forth at https://amplitude.com/subprocessor-list.

C. Availability, Authenticity, Integrity, and Confidentiality of Customer Data – Art. 30(2)(c). As set forth in Annex II of the Data Processing Addendum between Amplitude and Customer, Amplitude will employ and maintain security protections in accordance with industry standards, including but not limited to technical and organizational measures to protect the availability, authenticity, integrity, and confidentiality of Customer Data.

D. Access, recovery and return in an easily accessible format of Customer Data – Art. 30(2)(d). In the event of a Amplitude insolvency, resolution in bankruptcy, or discontinuation of Amplitude’s business that results or is reasonably likely to result in termination of Amplitude Services pursuant to the Agreement, or any termination of the Agreement, Amplitude will provide reasonable assistance to access, recover and retrieve Customer Data in the orderly transition away from Amplitude Services.

E. Service Level Descriptions – Art. 30(2)(e). Amplitude shall monitor the availability of Amplitude Services and shall document records of such availability at . Amplitude shall notify Customer of any events that have a material impact on the availability of Amplitude Services. Customer may subscribe to receive updates whenever Amplitude creates, updates or resolves an incident by clicking on the subscribe button on .

F. Assistance in the Event of ICT incident – Art. 30(2)(f). If Amplitude becomes aware of an ICT Incident, Amplitude will promptly notify Customer without undue delay Amplitude shall promptly take reasonable steps to investigate, identify the cause of an ICT Incident, mitigate and remediate any ICT Incident,. Amplitude’s notice to Customer shall include, but not be limited to, the nature and consequences of the ICT Incident, the measures taken and/or proposed by Amplitude to mitigate or contain the ICT Incident, the status of Amplitude’s investigation, and the categories and approximate number of data records concerned. Communications by or on behalf of Amplitude in connection with a ICT Incident are not an acknowledgement by Amplitude of fault or liability with respect to the ICT Incident.

G. Cooperation – Art. 30(2)(g). Taking into account the nature of Amplitude Services and the information provided by Customer to Amplitude, Amplitude shall fully cooperate with the competent authorities and the resolution authorities of Customer.

H. Termination Rights – Art. 30(2)(h) and Art. 28(7).

1. The periods for notice of termination specified in the Agreement shall remain unaffected.
2. In addition to any rights of termination described in the Agreement, in the following circumstances, Customer may terminate the Agreement with respect to Amplitude Services by providing written notice to Amplitude:

a. where Amplitude is in material breach of its contractual obligations under the Agreement and where Amplitude fails to correct any such violation within thirty (30) calendar days of Amplitude’s receipt of notice from Customer specifying such violation in sufficient detail for Amplitude to understand the Customer’s concern and demanding correction;

b. where Customer provides Amplitude with evidence in writing of weaknesses pertaining to Amplitude’s overall ICT risk management and in particular in the way Amplitude ensures the availability, authenticity, integrity and confidentiality of Customer Data (whether personal or otherwise sensitive data, or non-personal data) and Amplitude fails to take reasonable steps to remediate such weaknesses within thirty (30) calendar days of Amplitude’s written receipt of notice from Customer specifying such evidenced weaknesses in sufficient detail for Amplitude to understand the Customer’s concerns and demanding correction; or

c. where Customer Regulator can no longer effectively supervise Customer as a result of the conditions of, or circumstances related to, the contractual arrangements between Amplitude and Customer concerning Amplitude Services and such Customer Regulator instructs Customer to terminate the Agreement with respect to such Service. When exercising termination rights under this clause 2(H)(2)(c), Customer must provide Amplitude with reasonable evidence of such Customer Regulator instruction.

I. Training – Art 30(2)(i). Upon written request by Customer, Amplitude may provide Customer with details regarding Amplitude’s own security awareness programs and digital operational resilience training appropriate for the purpose of Art. 13(6) of DORA. Where additional training is required, Customer may, subject to mutually agreed terms, request Amplitude to participate in virtual Customer’s security awareness programs or digital operational resilience training where appropriate.

In order to receive assistance from Amplitude in connection with the exercise of the following rights, the Customer agrees to pay fees, costs, and expenses for such assistance as reasonably determined by Amplitude and such fees may be set out in a separate statement of work:

(i) Section 2.D. (Data recovery);

(ii) Section 2.F (Assistance with an ICT Incident) for assistance beyond the scope of Amplitude Services Agreement (any additional assistance and associated costs beyond the scope of the Agreement to be determined ex-ante (in advance) and mutually agreed by the parties); and

(iii) Section 2.I (Training).

Except in circumstances where Customer terminates under Section 2(H)(2) all fees with respect to the then current subscription term for Amplitude Services that Amplitude provides shall be immediately due and payable by Customer to Amplitude on termination.