DORA Mapping
Background
European Union (EU) financial entities and their critical Information and Communications Technology (ICT) providers must comply with the Digital Operational Resilience Act (DORA) by January 17, 2025. GoTo has developed this document to help our financial services customers meet their DORA obligations.
Mappings for Article 30 (Key Contractual Provisions):
GoTo has created this document to assist our financial services customers in evaluating how our services align with the Article 30 requirements of DORA. This document will:
- Outline the mandatory contractual elements specified in Article 30;
- Demonstrate how our services and documentation map to each requirement; and
- Provide commentary to help you understand how you can address the requirements using the GoTo services and/or the GoTo documents referenced below.
The following documents are referenced below:
- GoTo Terms of Service and Order Documentation (together forming the GoTo Services Agreement or Services Contract)
- Service Descriptions
- Regional Supplement
- Technical and Organizational Measures (TOMs)
- Sub-Processor Disclosure
- GoTo's Data Processing Addendum (DPA)
- Code of Conduct and Business Ethics
The following GoTo resources are referenced below:
- GoTo’s Trust & Privacy Center which includes the following: Product-specific TOMs, Sub-processor Disclosures, executable DPA
- VIP Support*: contact our Sales representatives for more information: https://www.goto.com/company/contact-us
- Status Page: https://www.goto.com/company/trust/status
*Note: VIP Support may not be available for all products and services.
No. | Standard | Framework Reference | Description | GoTo Commentary | GoTo Contract Reference and Resources |
---|---|---|---|---|---|
1 | Services Contract | Article 30 (1) | The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format. | The respective rights and obligations of the parties are set out in writing in the GoTo Terms of Service contract, including the Service Descriptions incorporated therein and the ordering documentation, all available to the customer at the time of purchase or when requested. To manage ICT risk, financial entity customers have the option of purchasing our VIP Support, which offers assurances and documentation around response and resolution time, by contacting our Sales representatives for more information at https://www.goto.com/company/contact-us. Customers can also monitor service availability by visiting https://www.goto.com/company/trust/status. | Terms of Service; Order Documentation; Service Descriptions; VIP Support*; Status Page |
2 | Subcontracting | Article 30 (2) (a) | The contractual arrangements on the use of ICT services shall include a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting. | The Order sets forth the services purchased and incorporates the GoTo Terms of Service, which includes reference to our Service Description describing each product/service we offer. Section 4.2 of the GoTo Terms of Service provides that data processing information is set forth in more detail on our Trust & Privacy Center (https://www.goto.com/company/trust), where you can review applicable data processing locations and Sub-Processor Disclosures, as well as Service-specific information about our technical and organizational security measures (located in the Technical and Organizational Measures or "TOMs" documentation). | Order Documentation; Terms of Service; Service Descriptions; Sub-Processor Disclosures; TOMs |
3 | Location | Article 30 (2) (b) | The contractual arrangements on the use of ICT services shall include the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations. | The locations of GoTo's Sub-processors are available in the Trust & Privacy Center (https://www.goto.com/company/trust). GoTo's DPA describes GoTo's commitments and obligations in relation to its Sub-processors, including the appointment process, notice of changes, and objection rights. The GoTo infrastructure is designed to increase service reliability and reduce the risk of downtime. As described in GoTo's DPA, Customer may subscribe to notices of changes to our Sub-processors or TOMs on GoTo's Trust & Privacy Center at https://www.goto.com/company/trust. | Sub-Processor Disclosures; DPA |
4 | Data and Security | Article 30 (2) (c) | The contractual arrangements on the use of ICT services shall include provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data. | GoTo's TOMs provide that GoTo maintains robust global privacy and security programs and organizational, administrative and technical safeguards designed to: (i) ensure the confidentiality, integrity and availability of Customer Content; (ii) protect against threats and hazards to the security of Customer Content; (iii) protect against any loss, misuse, unauthorized access, disclosure, alteration and destruction of Customer Content; and (iv) maintain compliance with applicable law and regulations, including data protection and privacy laws. | TOMs |
5 | Data and Security | Article 30 (2) (d) | The contractual arrangements on the use of ICT services shall include provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements. | GoTo's DPA provides that upon Customer's written request and where permissible by law, GoTo shall either return to Customer any Customer Content or direct Customer on how to conduct a self-service data export. GoTo's applicable TOMs also provide this information (Deletion and Return of Content). GoTo's Terms of Service, Section 3.3, also provide a period for the Customer to retrieve its Content upon contract termination. | DPA; TOMs; Terms of Service |
6 | Services and Service Level | Article 30 (2) (e) | The contractual arrangements on the use of ICT services shall include service level descriptions, including updates and revisions thereof. | To manage ICT risk, financial entity customers have the option of purchasing our VIP Support, which offers assurances and documentation regarding response and resolution time. Contact our Sales representatives for more information at https://www.goto.com/company/contact-us. Customers can also monitor service availability by visiting https://www.goto.com/company/trust/status. | VIP Support*; Status Page |
7 | Business Continuity and Operational Resilience | Article 30 (2) (f) | The contractual arrangements on the use of ICT services shall include the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs. | GoTo's DPA describes the support that GoTo will provide to the customer in the event of an ICT incident at no additional cost. It also specifies GoTo's obligation to notify the customer should such an incident occur. Customers can also monitor service availability by visiting https://www.goto.com/company/trust/status. | Status Page; DPA |
8 | Supervisory Authorities | Article 30 (2) (g) | The contractual arrangements on the use of ICT services shall include the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them. | Section 5 of the GoTo Terms of Service provides that, as necessary and in accordance with applicable law, GoTo will cooperate with local, state, federal and international government authorities with respect to the Services. Additionally, the GoTo DPA provides that GoTo will fully cooperate with supervisory authorities, resolution authorities, and their appointees exercising their information and audit rights in connection with the Services. | Terms of Service; DPA |
9 | Termination | Article 30 (2) (h) | The contractual arrangements on the use of ICT services shall include termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities. | The notice periods applicable to the termination of the Services are set out in Section 3.1 of our GoTo Terms of Service and the incorporated Regional Supplement, which includes specific country requirements. | Terms of Service; Regional Supplement |
10 | Business Continuity and Operational Resilience | Article 30 (2) (i) | The contractual arrangements on the use of ICT services shall include the conditions for the participation of ICT third-party service providers in the financial entities' ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6). | GoTo's DPA specifies our internal training obligations, responsibilities, and duties in relation to security and privacy. Our GoTo TOMs provide information on GoTo's privacy and security awareness programs and specifically that newly hired employees, contractors and interns are informed of security policies and the GoTo Code of Conduct and Business Ethics during onboarding. Additionally, all GoTo employees, contractors and subsidiaries must review and adhere to GoTo's Code of Conduct and Business Ethics. | DPA; TOMs; Code of Conduct and Business Ethics |
11 | Services and Service Level | Article 30 (3) (a) | The contractual arrangements on the use of ICT services supporting critical or important functions shall include full-service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met. | To manage ICT risk, financial entity customers have the option of purchasing our VIP Support, which offers assurances and documentation regarding response and resolution time. Contact our Sales representatives for more information at https://www.goto.com/company/contact-us. Customers can also monitor the availability of GoTo services by visiting https://www.goto.com/company/trust/status. | VIP Support*; Status Page |
12 | Monitoring and Notification | Article 30 (3) (b) | The contractual arrangements on the use of ICT services supporting critical or important functions shall include notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider's ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels. | Service notifications and alerts are posted on https://www.goto.com/company/trust/status. Other notification obligations are set out in GoTo's DPA (Sub-processor notifications and Security Incident notifications related to Customer Content). | Status Page; DPA |
13 | Business Continuity and Operational Resilience | Article 30 (3) (c) | The contractual arrangements on the use of ICT services supporting critical or important functions shall include requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework. | GoTo's DPA states that GoTo shall implement and maintain appropriate technical and organizational measures for protection of the security (including protection against a Security Incident), confidentiality, and integrity of Customer Content, as set forth in the applicable Technical and Organizational Measures (Schedule 4). GoTo's TOMs provide that GoTo's implementation of safeguards, features and practices involves: I. Building products that take security and privacy by design and default into account, and including additional layers of security in order to protect Customer Content; II. Maintaining organizational controls that operationalize internal policies and procedures related to standards compliance, incident management, application security, personnel security and regular training programs; and III. Ensuring privacy practices are in place to govern data handling and management in accordance with applicable law, including the GDPR, CCPA and LGPD, as well as our own Data Processing Addendum (DPA) and applicable GoTo policies and commitments. By building security safeguards into the product, we strive to protect GoTo Customer Content from threats and ensure security controls are appropriate to the nature and scope of the Services. | DPA; TOMs |
14 | Data and Security | Article 30 (3) (d) | The contractual arrangements on the use of ICT services supporting critical or important functions shall include the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity's TLPT as referred to in Articles 26 and 27. | GoTo's TOMs specify that, in addition to in-house testing, GoTo contracts with external firms to conduct regular security assessments and/or penetration testing. | TOMs |
15 | Audit, Access, and Information | Article 30 (3) (e) | The contractual arrangements on the use of ICT services supporting critical or important functions shall include the right to monitor, on an ongoing basis, the ICT third-party service provider's performance, which entails the following: • unrestricted rights of access, inspection and audit by the by other contractual arrangements or implementation policies; • the right to agree alternative assurance levels if other clients' rights are affected; • the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections performed by the competent authorities, the lead overseer, financial entity or an appointed third party; • the obligation to provide details on the scope and procedures to be followed and frequency of such inspections and audits. | GoTo's DPA, Third Party Certifications and Audits, provides that GoTo shall make available to the customer its third-party certifications and/or the customer, or its appointed third party, may reasonably request an audit. GoTo commits to performing a competent and independent third-party (such as an AICPA or ISO-accredited auditor) assessment of its relevant security controls at least annually, as further specified in the provision describing Standards Compliance of the applicable TOMs, and shall provide a copy of the results of that assessment (or proof thereof) once per calendar year to Customer (so long as Customer is not a direct competitor of GoTo and subject to appropriate confidentiality obligations), upon Customer's written request. | DPA; TOMs |
16 | Termination | Article 30 (3) (f) | The contractual arrangements on the use of ICT services supporting critical or important functions shall include exit strategies, in particular the establishment of a mandatory adequate transition period: • during which the ICT third-party service provider will continue providing the respective functions or ICT services with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring; • allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided. | Section 3.3 of the Terms of Service provides that, upon request, GoTo will provide limited access to the Services for a period not to exceed 30 days, to enable you to retrieve your Content from the Services. The GoTo DPA also provides that upon Customer's written request and where permissible by law, GoTo shall either return to Customer any Customer Content or direct Customer on how to conduct a self-service data export. Further, the applicable TOMs describe how a Customer may request assistance with return and/or deletion of their Customer Content. However, if a regulated entity would like support, upon request, GoTo will provide advisory and implementation services to assist in migrating workloads or otherwise transitioning use of the Services. | Terms of Service; DPA; TOMs; Transition Assistance |
17 | Audits | Article 30 (3) | By way of derogation from point (e), the ICT third-party service provider and the financial entity that is a microenterprise may agree that the financial entity's rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider's performance from the third party at any time. | GoTo's DPA, Third Party Certifications and Audits, provides that GoTo shall make available to the customer its third-party certifications and/or the customer, or its appointed third party, may reasonably request an audit. GoTo commits to performing a competent and independent third-party (such as an AICPA or ISO-accredited auditor) assessment of its relevant security controls at least annually, as further specified in the provision describing Standards Compliance of the applicable TOMs, and shall provide a copy of the results of that assessment (or proof thereof) once per calendar year to Customer (so long as Customer is not a direct competitor of GoTo and subject to appropriate confidentiality obligations), upon Customer's written request. | DPA; TOMs |
Additional Support
This document was created to illustrate how our services meet your DORA obligations. If you require additional support regarding your DORA obligations, including to request a signed DORA addendum to your Services Contract, contact your GoTo Support representative for more information: https://www.goto.com/company/contact-us.