
Digital Operational Resilience Act (DORA) Addendum

Because Zapier’s Terms of Service and Enterprise Agreement already incorporate Zapier’s DORA Addendum, you do not need to sign a separate copy. This DORA Addendum contains legal terms that apply to Zapier’s relationship with DORA-regulated, EU-based financial entities. We’ve updated the DORA Addendum as of April 25, 2025.

If you need a standalone copy of the DORA Addendum for your records or other compliance purposes, you can generate an electronically signed copy of the DORA Addendum. You will receive two emails from Zapier Dropbox Sign (noreply@mail.hellosign.com):

  1. The first will be a request to sign with the subject: “Signature Request - Zapier DORA Addendum with [Your Company Name].”
  2. Once you sign and agree to the DORA Addendum, you will receive a second email with the subject: “You just signed” that contains a fully signed PDF copy of the DORA Addendum.
  3. If you have any trouble receiving these messages, check your spam folder, wait at least five minutes for each email to arrive, and ensure you clicked the final “Agree” button after signing in Dropbox Sign.


***


Zapier Digital Operational Resilience Act (DORA) Addendum


This DORA Addendum (“Addendum”) supplements the Terms of Service or the Enterprise Agreement, as applicable, (the “Agreement”) between Zapier, Inc., as your supplier (“Zapier”), and you, as a European Union (“EU”)-based Zapier customer (“Customer”). This Addendum applies exclusively to Zapier customers subject to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”) and takes precedence over any conflicting terms in the Agreement.

1. Definitions

Unless defined otherwise in this Addendum, capitalized terms shall have the meaning set forth in the Agreement.

1.1. “Agreement” refers to the Zapier Terms of Service (“Terms of Service”) or the Zapier Enterprise Agreement (“EA”), as applicable, entered into between Zapier and Customer.

1.2. “Competent Authority” refers to a competent authority as defined in Article 46 of DORA.

1.3. “ICT Incident” is defined in DORA and means a single event or series of linked events that compromise the security of network and information systems and adversely impact the availability, authenticity, integrity, or confidentiality of Customer’s data or services.

1.4. “Subcontractor” means a third party that provides any ICT service (as defined by DORA) to Zapier within the same ICT service supply chain connected with (and effectively underpinning) the provision of the Zapier Service, in accordance with the Implementing Technical Standards on the Register of Information under Article 28(9) of DORA. The term “Subcontracting” shall be construed accordingly.

2. Scope and Applicability

2.1. To the extent that Customer does not qualify as an EU “financial entity” as defined in Article 2(a)-(t) of DORA, or is excluded under Article 2(3) or 2(4) of DORA, this Addendum shall not apply.

2.2. Zapier acknowledges that Customer is subject to certain obligations under DORA in relation to Customer’s use of ICT services provided by ICT third-party service providers such as Zapier. Zapier agrees to cooperate with Customer to enable Customer to satisfy its applicable obligations under DORA.

2.3. Customer acknowledges and agrees that Customer does not, and during the Term is not expected to, use Zapier’s services to support a critical or important function of Customer.

3. Article 30 Section 2 Requirements

3.1. Service Description: The description of the Service is provided as part of the Service Documentation.

3.2. Location of Data: Zapier provides the Service from AWS servers in the United States, and certain data may be processed by our Subprocessors (defined below), unless otherwise agreed by the parties from time to time. Zapier processes Customer Content in accordance with the Data Processing Addendum (“DPA”). Each Zapier subprocessor (the “Subprocessors”), and the locations where Zapier and each such subprocessor processes data, can be found on the Subprocessors page on Zapier’s website. Zapier shall not change the country or region for provision of the Services or processing of Customer Content without providing reasonable prior notice to Customer. Customer may receive notifications of any change to the list of Zapier subprocessors by signing up at the Zapier Trust Center.

3.3. Data Protection and Security: Zapier will implement and maintain appropriate technical and organizational measures to ensure the availability, authenticity, integrity, and confidentiality of Customer Content as described in, including recovery and secure deletion of data upon termination, all in accordance with the DPA.

3.4. Data Access, Recovery, and Return: In the event of Zapier’s insolvency or discontinuation of business operations, Zapier provides Customer with access and technology to download, transfer, or delete its Customer Content during the term of the Agreement, as described in Zapier’s data retention policies.

3.5. Service Level Agreement: The provisions of Section 8 of the Agreement shall apply to the Service provided by Zapier to Customer and shall constitute the service level agreements as required under DORA (the “Service Levels”).

3.6. ICT Incidents: Zapier will cooperate with Customer relating to an ICT Incident resulting in unauthorized access or disclosure of Customer Content stored on the Service. Zapier reserves the right to charge reasonable fees (including personnel cost as determined by Zapier in accordance with its then-current rates) for support provided.

3.7. Cooperation with Competent Authorities: If requested by a Competent Authority under DORA, Zapier will cooperate with Competent Authorities in relation to Customer’s compliance as required under DORA.

3.8. Termination Rights: The Customer may terminate the Agreement in accordance with the termination provisions of the Agreement. To the extent that DORA requires that Customer have any termination rights under the Terms of Service that are not already included in the Agreement, Customer shall have those additional termination rights as required by DORA. Termination, however effected, shall not relieve Customer of any payment obligations for Services rendered prior to termination.

3.9. Security Awareness Training: Zapier will provide its personnel with a security awareness program and a digital operational resilience training program. To the extent required by DORA and subject to mutual agreement between the parties (including as to reasonable costs), Customer can engage Zapier support personnel to participate in Customer’s ICT risk management training, provided that such training is reasonable and directly relevant to the Zapier Services, can be attended virtually, and provides for input from Zapier to adapt the training for relevance and reasonableness.

3.10. Subcontracting: Customer agrees that Zapier may engage Subcontractors in respect of the Service and the provisions of this clause shall apply to any such Subcontracting. Zapier will remain fully responsible under the Agreement for the provision of the Service to Customer. Subcontractors that process data can be found on the Subprocessors page on Zapier’s website and Customer may receive notifications of any change to the list of Zapier subprocessors by signing up at the Zapier Trust Center.

4. Audits

4.1. Audit Right: To the extent necessary and required under DORA, you may, at your sole expense, conduct a reasonable audit pursuant to a mutually agreed-upon audit plan with Zapier that is consistent with the requirements of this Section 4.

4.2. Exercise of Audit Right: You may exercise such audit right: (a) to the extent Zapier’s provision of third-party audit reports (e.g., Service Organization Control (SOC) 2 reports) does not provide sufficient information to verify Zapier’s compliance with this Addendum and/or the DPA; and (b) where required by DORA or a relevant government authority.

4.3. Conditions: Each such audit must: (a) be conducted by you or through a third-party auditor on your behalf that will enter into a confidentiality agreement with Zapier; (b) be limited in scope to matters reasonably required to assess Zapier’s compliance with this Addendum, the DPA and/or your regulatory obligations under DORA; (c) occur no more than once annually (unless required by a Competent Authority or DORA); (d) cover only processing facilities directly controlled by Zapier; (e) restrict findings to your Personal Information (as defined in the DPA) only; and (f) treat any results as confidential information to the fullest extent permitted by applicable law.

5. Miscellaneous

5.1. Confidentiality: Confidential Information shared in connection with this Addendum shall be treated as “Confidential Information” as defined in, and in accordance with, the Agreement.

5.2. Conflict: In the event of any conflict between this Addendum and the Agreement, the terms of this Addendum shall prevail.

5.3. Termination of Addendum: This Addendum shall terminate automatically upon the expiration or termination of the Agreement.