1. Home
  2. Help
  3. DORA and ICT Third-Party Risk Statement

DORA and ICT Third-Party Risk Statement

 

 

This article explains how CleanTalk may support customers that are subject to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, commonly known as the Digital Operational Resilience Act or DORA.

CleanTalk may help customers with reasonable DORA-related ICT third-party vendor risk and due diligence requests, including information related to security, service availability, incident response, data protection, subcontractors and service continuity.

This article does not constitute legal advice and does not replace a customer's own DORA compliance assessment.

 

What Is DORA?

DORA is an EU regulation focused on digital operational resilience in the financial sector. It requires financial entities to manage ICT risks, including risks related to external ICT third-party service providers.

For financial companies, this may include checking how external service providers handle security, availability, incident response, data protection, subcontractors, service continuity and exit support.

 

Does DORA Apply to CleanTalk?

CleanTalk is not a financial entity under DORA.

Depending on the customer's use case and internal vendor classification, CleanTalk may be treated by the customer as an ICT third-party service provider for DORA-related vendor risk and due diligence purposes.

Customers remain responsible for determining whether their use of CleanTalk services falls within the scope of their DORA-related ICT third-party risk management obligations.

 

How CleanTalk Supports Customers with ICT Third-Party Risk

CleanTalk helps customers reduce ICT and security risks by protecting websites, forms, registrations, comments and other digital touchpoints from spam, bots, abuse and automated malicious activity.

For customers that are subject to DORA-related requirements, CleanTalk may provide reasonable information for vendor risk and due diligence reviews, including information about:

  • security practices;
  • service availability;
  • support process;
  • incident response;
  • data protection;
  • subprocessors and infrastructure dependencies;
  • service continuity;
  • exit and termination support.

Having this information available may help customers complete internal vendor risk and compliance checks faster.

 

Security and Operational Resilience

CleanTalk maintains commercially reasonable technical and organisational measures designed to support the security, availability, confidentiality, integrity and resilience of its services.

These measures may include, where applicable:

  • access controls;
  • service monitoring;
  • infrastructure security controls;
  • spam and bot protection mechanisms;
  • incident response procedures;
  • backup and recovery practices;
  • logging and operational monitoring;
  • service maintenance and update processes;
  • internal security review processes.

CleanTalk may provide additional security information, vendor questionnaires or reasonable due diligence documentation upon request, subject to confidentiality, security, legal and commercial limitations.

 

SLA, Incident Response and Service Continuity

CleanTalk provides its services in accordance with the applicable Terms of Service, service documentation, subscription plan and support conditions.

Where required by a customer's vendor risk process, CleanTalk may provide reasonable information regarding:

  • service availability;
  • support channels;
  • incident handling;
  • maintenance practices;
  • expected response procedures;
  • service dependencies;
  • escalation process;
  • continuity measures.

Where CleanTalk becomes aware of an incident that materially affects the provision, security or availability of the relevant service to an affected customer, CleanTalk will use commercially reasonable efforts to notify the affected customer in accordance with applicable contractual terms, support procedures and legal requirements.

Any specific service levels, remedies, support commitments or availability commitments must be expressly agreed in writing between CleanTalk and the customer.

 

Data Protection and Subprocessors

CleanTalk processes customer data in accordance with its applicable Privacy Policy, Data Processing Addendum, Terms of Service and applicable data protection laws.

CleanTalk may use subprocessors, infrastructure providers, hosting providers, cloud services, communication tools, analytics tools, payment processors, support tools or other service providers where necessary to provide, secure, maintain or improve its services.

CleanTalk may provide information about relevant subprocessors or infrastructure dependencies where required by law, contract or reasonable vendor risk review.

Customers are responsible for determining whether any subprocessor or infrastructure dependency is relevant to their own regulatory, operational resilience or concentration risk assessment.

 

No Critical ICT Third-Party Provider Status

CleanTalk is not currently designated as a critical ICT third-party service provider under DORA.

The DORA oversight framework for critical ICT third-party providers applies only to ICT third-party service providers that have been formally designated as critical by the European Supervisory Authorities.

Nothing in this article should be interpreted as CleanTalk accepting designation as a critical ICT third-party service provider, assuming direct regulatory oversight obligations under the DORA critical provider framework, or accepting obligations that apply only to designated critical ICT third-party service providers.

If CleanTalk is formally designated as a critical ICT third-party service provider in the future, CleanTalk will review the applicable legal requirements and update its documentation as appropriate.

 

Customer Responsibility

Customers remain responsible for determining and fulfilling their own regulatory obligations, including any DORA-related obligations applicable to them.

CleanTalk's provision of documentation, due diligence responses, security information or vendor risk support does not transfer the customer's regulatory obligations to CleanTalk and does not constitute a guarantee of the customer's DORA compliance.

CleanTalk does not claim to be DORA certified and does not claim to provide full DORA compliance for customers.

 

Contact for DORA / Vendor Risk Requests

Customers may contact CleanTalk for DORA-related vendor risk, security, ICT third-party due diligence, SLA or documentation requests through the official support channel.

If you haven't found the answer to your question, please contact our support team:

https://cleantalk.org/my/support/open

 

Create an account
Your CleanTalk Dashboard

Was this information helpful?

Copied to clipboard