DORA FAQs
2 minute read
Sitecore assists financial entity customers by:
Specific details can be found in Sitecore’s DORA Addendum for Cloud Products, which is available through your Account Executive.
Yes, Sitecore’s standard Data Processing Agreement (DPA) contains terms around incident response, regulatory cooperation specific to DORA and data processing locations.
Sitecore follows industry best practices for incident detection, response, and communication. We recognize the strict incident notification timelines that may apply under DORA (e.g., 24 hours) and have adapted our existing security practices to support customers in meeting their compliance obligations. Specific details can be found in Sitecore’s DORA Addendum for Cloud Products, which is available through your Account Executive.
Sitecore implements a comprehensive security program, including:
In the context of Sitecore’s cloud services, we consider "subcontractors" to align with our subprocessors. These are third-party entities listed by product in Sitecore’s online subprocessor list, which process Customer Data (i.e. data provided to Sitecore by Customer through use of the cloud services) on behalf of Sitecore to deliver the cloud service. See specific details in Sitecore’s DORA Addendum for Cloud Products.
Yes, Sitecore can provide relevant information about security incidents and operational resilience to support customers’ DORA reporting obligations, as set forth in Sitecore’s DORA Addendum for Cloud Products. However, customers remain responsible for ensuring compliance with DORA, including submitting reports to their regulators.
Sitecore’s on-premises software is not by its nature “a service” but a license to use certain intellectual property rights (IPR). Once our on-prem software is installed in your IT environment, Sitecore is no longer in control of the software or of the data processed by means of the software in your IT environment. This is also the case for Sitecore’s support, which you access via our Sitecore portal and for which we do not require access to your IT environment. In the context of DORA, the on-prem software is therefore an ICT Asset and not an ICT Service. Consequently, the DORA contractual requirements set out in Articles 28 to 30 do not apply to the on-prem software. Instead, and in accordance with Article 3(7), financial entities are required to take the on-prem software into account when establishing the ICT management framework and protecting the on-prem software from various risks emerging from, for example, unauthorized use or access.
Sitecore facilitates financial entities’ compliance with Article 3(7), and our DORA Addendum for on-premises software helps financial entity customers meet these obligations. The DORA Addendum for on-premises software will be made available for signature through your Account Executive.