This DORA Compliance Rider ("Rider") supplements the existing license agreement ("Agreement") between Atomikos BV ("Atomikos") and the Customer ("Customer") for the use of Atomikos software products. This Rider addresses the requirements set out under Regulation (EU) 2022/2554 ("DORA").

1. Operational Resilience

Atomikos shall implement reasonable measures to ensure the operational resilience of its software components. These measures include automated binary integrity checks, secured CI pipelines, regular vulnerability scanning, and failover protections as documented in Atomikos' security overview.

2. Incident Notification

Atomikos will notify the Customer of any ICT-related incident that materially impacts the Customer’s production use of Atomikos software without undue delay and in any case as soon as reasonably practicable after detection, where such impact is known to Atomikos.

3. Audit Rights

Atomikos shall, upon written request by the Customer, provide a summary description of its applicable operational resilience and security controls relevant to the software licensed under this Agreement, for the sole purpose of enabling the Customer to meet its obligations under Regulation (EU) 2022/2554 (DORA).

Such assistance:

* Shall be limited to existing written materials that Atomikos uses in the ordinary course of business (e.g. security overview, release procedures);
* Shall be provided no more than once annually and only if not previously supplied in the preceding twelve (12) months;
* Shall not require the creation of new documentation, interviews, on-site access, or the disclosure of any source code, internal systems, customer data, or commercially sensitive material.

Atomikos shall not be required to support any audit unless and until it is formally designated a “critical ICT third-party service provider” under Article 31 of DORA.

4. Support for Resilience Testing

Atomikos will cooperate with the Customer’s digital operational resilience testing, including threat-led penetration testing (TLPT), subject to mutually agreed scope. This cooperation shall not require disclosure of source code or proprietary security controls.

5. Subcontracting Disclosure

Atomikos confirms that its software delivery and operations are not subcontracted to third parties without prior notice. If future subcontracting becomes necessary, Atomikos shall inform the Customer and allow the Customer to object on reasonable grounds.

6. Termination for Regulatory Compliance (Article 28(7) DORA)

The Customer may terminate this agreement, solely to comply with its obligations under Article 28(7) of Regulation (EU) 2022/2554 (DORA), if and only if one of the following conditions is met:

* (a) A final decision by a competent court or supervisory authority confirms that Atomikos has committed a material breach of applicable law or contractual obligations directly related to this agreement; or
* (b) A written notice from a competent EU supervisory authority confirms that this agreement prevents effective regulatory supervision of the Customer, and no acceptable mitigation is possible.

In either case, the Customer shall:

* Provide a written termination notice clearly identifying the applicable ground;
* Deliver such notice via registered mail or courier with acknowledgment of receipt (“signed on delivery”) to Atomikos’ legal address;
* Grant Atomikos a minimum cure period of thirty (30) calendar days from confirmed receipt to investigate and correct the identified issue, unless such correction is objectively impossible.

Termination shall not take effect if the matter is remedied within the cure period. Any dispute concerning this clause shall be resolved in accordance with the governing law and jurisdiction specified in the main agreement. Any termination under this clause shall not entitle the Customer to a refund of any prepaid or unused fees, which remain non-refundable in accordance with the main Agreement.

7. Exit Support

Upon termination of the Agreement, Atomikos shall provide the Customer with reasonable technical assistance to ensure the secure removal of Atomikos software components and, where applicable, the extraction of relevant configuration data.


This Rider is effective as of the date of mutual execution or deemed acceptance and forms part of the Agreement. In case of conflict, this Rider shall prevail for the purposes of DORA compliance.

Annex: Frequently Asked Questions about DORA Compliance Scope

This section is for informational purposes only and does not modify the terms of the DORA Compliance Rider.

This annex provides clarifying guidance on how Atomikos interprets and supports the regulatory obligations under Regulation (EU) 2022/2554 (DORA), particularly Articles 28 and 30.

1. Does Atomikos treat all clients equally under DORA?

Yes. Atomikos offers a uniform DORA compliance model applicable to all clients, reflecting our role as an independent software vendor (ISV). We do not offer custom DORA clauses beyond those already included in our published rider.

We align our contractual commitments with the proportional requirements applicable to non-hosting software vendors. This includes incident notification, security documentation, subcontracting transparency, and reasonable support for oversight.

3. What if a client requests more (e.g., audit rights, regulator access, vetoes)?

Where such requests go beyond DORA’s proportional requirements — such as infrastructure access, regulator-facing rights, or governance participation — we treat these as overly customer-specific and therefore outside our offering.

4. Can Atomikos adapt to a client's internal risk policy?

We understand that some clients have internal policies that exceed what DORA requires. Atomikos aligns with the legal framework of the regulation itself, not with individual interpretations or policy extensions.

5. Does Atomikos provide a Software Bill of Materials (SBOM)?

DORA does not require an SBOM. However, Atomikos maintains internal records of software dependencies and known vulnerabilities. Upon request, we may provide a non-contractual SBOM covering key runtime components. This document is for transparency only and does not form part of this Agreement.

6. Does Atomikos publish a summary of its Technical and Organisational Measures (TOMs)?

Detailed technical information (e.g. full Technical & Organisational Measures register, detailed SBOM, audit reports, or TLPT scope) contains sensitive operational data and is not published. Such materials are available to Customers, competent authorities, or other authorised parties upon request, subject to a confidentiality agreement and secure transfer arrangements.

7. Does Atomikos provide security training for its personnel?

Atomikos engineers develop foundational components used by financial institutions worldwide and are directly responsible for designing and implementing core security features. Our approach is based on advanced internal expertise and first-hand experience, not off-the-shelf frameworks.

We have created state-of-the-art security checks that were unavailable elsewhere — had such solutions existed, we would have procured them. For example, mainstream Maven repository solutions did not offer the level of JAR file integrity validation that we required — so we built our own.

While we do not rely on standardised external training programmes, Atomikos ensures that personnel stay informed of relevant security topics through internal knowledge-sharing, active threat monitoring, and direct implementation of resilient design patterns.

To complement this, Atomikos engages independent third parties to perform regular penetration testing on critical infrastructure components.

This approach aligns with DORA’s proportionality principle and the high-assurance expectations applicable to critical software vendors.

8. Does Atomikos rely on subcontractors or external service providers?

Atomikos does not depend on any external entity for the development, operation, or delivery of its core software products. All essential functions are handled internally by Atomikos BV. We may use replaceable third-party service providers for ancillary purposes such as secure hosting. These providers do not access customer data and can be substituted without disruption.

Atomikos also accepts voluntary code contributions from the developer community. However, such contributions are not relied upon for core product delivery and are always governed by a Contributor License Agreement (CLA) that ensures Atomikos retains the necessary IP rights and that no third-party IP risk is introduced for our customers.

This setup ensures continuity, legal clarity, and compliance with the resilience and oversight principles of DORA Article 30(2)(b) and (g).


Commercial Applicability

This section explains our commercial position and is not part of the binding DORA Compliance Rider.

DORA coverage is offered as an optional, paid supplement to Atomikos' standard license terms.

* New customers who require DORA coverage will be subject to a yearly DORA compliance supplement, charged in addition to the latest subscription pricing.
* Renewing customers without prior DORA support, and who wish to include DORA coverage, must first upgrade to the current subscription pricing model and will then be subject to the same yearly DORA supplement.

These commercial adjustments reflect the additional legal and compliance scope introduced by DORA and ensure that our obligations remain proportionate and sustainable across all clients.

Corporate Information

Atomikos Corporate Headquarters
Hoveniersstraat, 39/1, 2800
Mechelen, Belgium


Copyright 2026 Atomikos BVBA