Digital Operational Resilience Act Addendum
Download PDF versionProduct Information
Introduction
This Addendum is provided to clarify the alignment of Oxygen XML Editor software and its related support services with the requirements of Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector (DORA).
For the purposes of this Addendum, the term "Oxygen XML Editor" shall be understood to refer collectively to all standalone, on-premise software products included in the Oxygen XML Editor Suite, including Oxygen XML Editor, Oxygen XML Developer, Oxygen XML Author, and Oxygen XML JSON Editor, unless explicitly stated otherwise.
In recognition of our role as an ICT third-party service provider, this document constitutes a binding commitment regarding the contractual terms and conditions required under Article 30(2) of the DORA Regulation. For our clients within the financial sector, these provisions complement the End-User License Agreement (EULA) and the Support and Maintenance Pack (SMP) terms. In the event of any discrepancy between the general contract terms and the provisions below, the following shall prevail for Financial Entity clients.
The table below outlines how our contractual framework addresses the mandatory digital operational resilience requirements:
DORA Article 30(2) Compliance Framework
| DORA Article 30(2) Requirement | Compliance in Oxygen XML Editor EULA |
| a) a clear and complete description of the functions and ICT services to be provided by the third party ICT service provider; | Found in the EULA Section 1 (Definitions/Software) and the official Product Specification. It defines the Software as an editing, publishing, and development tool for XML-based technologies. |
| (b) the locations, namely the regions and countries, where the contracted or subcontracted functions or ICT services are provided and the data are processed, including the location of storage, and the requirement for the third party ICT service provider to give prior notice to its end-users who are financial institutions if it plans to change such locations; | Not Applicable (Local Execution): Oxygen is an on-premise standalone application. Data is processed and stored locally on the Financial Institution's infrastructure. No data is transmitted to Syncro Soft unless explicitly initiated by the user (e.g., for support). |
| (c) the provisions on the protection of data, including personal data, in relation to availability, authenticity, integrity and confidentiality; | Client-Controlled: Since the software is installed on-premise, the Financial Institution maintains full control over data integrity and confidentiality. Syncro Soft's Privacy Policy covers only the minimal business contact data required for licensing. |
| (d) provisions to ensure the access, recovery and return of personal and non-personal data, in an easily accessible format, processed by end-users that are financial institutions in the event of the insolvency, winding-up or cessation of business activities of the third party ICT service provider or in the event of termination of contractual arrangements; | Native Portability: The software uses open standard formats (XML, XSLT, DITA). In the event of contract termination or business cessation, all data remains on the client's servers in non-proprietary, easily accessible formats. No "data return" is needed as the provider never holds the data. |
| e) the description of the service levels, including updates and modifications; | Found in the EULA Section 8 Support and Maintenance Agreement (SMP). It details the rights to receive major and minor versions, bug fixes, and technical support response times during the active subscription/maintenance period. |
| (f) the obligation of the third party ICT service provider to provide support to the financial institution end-user in the event of an ICT security incident related to an ICT service provided to its end-users that are financial institutions, at no additional cost or pre-established cost; | Covered under Technical Support in the SMP. If an incident is related to the software's functionality, Syncro Soft provides support via its standard or premium support channels at no additional cost for active SMP subscribers. |
| (g) the third party ICT service provider's obligation to cooperate fully with the competent authorities and resolution authorities of its end-users that are financial institutions, including their nominees; | Syncro Soft complies with applicable EU laws. As a vendor, we cooperate with regulatory requests regarding the software's security specifications, provided such requests are within legal frameworks. |
| (h) the termination rights and minimum notice periods for the termination of contractual arrangements in accordance with the requirements of the competent authorities and resolution authorities; | Found in EULA Section 12 (Termination). The agreement specifies how the Financial Institution can terminate the license. |
| (i) the conditions for the participation of third party ICT service providers' end-users who are financial institutions in the ICT security awareness programmes and digital operational resilience training courses of third party ICT service providers, as referred to in Article 13(6) of the DORA Regulation; | Syncro Soft offers extensive Documentation, Video Tutorials, and Webinars. For DORA-specific resilience training, clients can opt for professional training services offered by Syncro Soft or certified partners. |
| (j) the conditions for correcting known security vulnerabilities in the software concerned within the grant period; | Managed through the End of Life Policy. Critical security vulnerabilities are addressed via "Minor Releases" available to all users with an active Support and Maintenance Pack. |
| (k) how to report an ICT-related incident affecting the service provided or the data concerned to the users of the service concerned. | Incidents or vulnerabilities can be reported via the Official Support Portal or at . Syncro Soft notifies users of critical security updates via its website, newsletter, and in-app update notifications. |
