Introduction
Instabase welcomes the Digital Operational Resilience Act (“DORA”) as an important and necessary regulation safeguarding the operational resiliency of EU financial entities. Instabase’s security and operational continuity program meets and exceeds the highest standards in the industry, including compliance with DORA.
At Instabase, ensuring the operational availability of our products is of the utmost importance. This page provides an overview of how DORA applies to Instabase and the steps we have taken to address DORA requirements.
What is DORA?
The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the digital resilience of financial entities. It entered into application on January 17, 2025 and ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.
Who does DORA apply to?
DORA is mainly applicable to financial entities (as defined in DORA Article 2) located within the EU. However, some requirements, such as those listed in DORA Article 30, apply to ICT vendors who provide services to EU financial entities, regardless of where they are established or where their processing activities take place.
How does DORA apply to Instabase?
Instabase provides an application platform that can be used to understand unstructured data and automate procedural tasks. DORA applies to Instabase only where an EU financial entity uses Instabase as an ICT service (within the meaning of Article 3(21) of DORA) in a manner that is subject to DORA.
Do Instabase products support a “critical or important function” of EU financial entities?
According to DORA Article 3(22), a ‘critical or important function’ is a function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or whose discontinued, defective or failed performance would materially impair the financial entity’s continuing compliance with the conditions and obligations of its authorization, or with its other obligations under applicable financial services law.
Instabase provides customers a tool for analyzing unstructured data; it does not directly deliver the core financial services that customers provide to their own clients. Because the product is intended to perform narrow procedural tasks, such as transforming unstructured data into structured data, a disruption to Instabase services would not, in Instabase’s assessment, materially impair an EU financial entity’s operations, and those tasks pose only limited risks to financial entities.
On that basis, Instabase services are not considered critical or important functions for customers as defined in Article 3(22) of DORA, and Instabase is not a critical ICT third-party service provider as defined in Article 3(23) of DORA. Note that whether a particular use of Instabase supports a critical or important function is ultimately the financial entity’s own determination under its ICT risk management framework, and that designation as a critical ICT third-party service provider is made by the European Supervisory Authorities under Article 31 of DORA, not by the provider.
What steps has Instabase taken to ensure DORA compliance?
Our long-standing commitment to transparency, in combination with our existing processes, has prepared us for DORA in many ways. These include:
- At any time, Customers can download the online Enterprise License Agreement. In addition, and as mentioned in the Enterprise License Agreement, Customers can obtain at any time and free of charge from Instabase a copy of the Contract on a durable medium.
- Pricing Terms are readily available within Customer contracts and on the Instabase website page detailing the features and options included in each subscription plan (currently located at https://instabase.com/pricing).
- Customers can access at any time the list of Instabase sub-processors (within the meaning of the GDPR), which is available at https://www.Instabase.com/subprocessors (the “Sub-processors List”). Provisions regarding the use of sub-processors by Instabase (including the information to be disclosed, the notice of change to the Sub-processors List and the Customer’s right to object) are set out in the data processing agreement included in the Enterprise License Agreement. Instabase remains fully liable towards the Customer for any subcontracted part of the Services.
- The Services are provided from Instabase’s registered address, as described in the Standard Terms, and from the locations of Instabase’s sub-processors, as listed in the Sub-processors List. Changes in the location of the Services will be notified to the Customer in advance, in accordance with the process defined in the Standard Terms for updates to (i) the Standard Terms or (ii) the Sub-processors List.
- Instabase provides transparent information on the availability of the Platform and its main features (uptime, monthly availability rate, list of incidents) via the Instabase Cloud Console.
- The Customer’s data uploaded on the Platform will be kept by Instabase for the retention periods mentioned (i) in the data processing agreement included in the Standard Terms and (ii) in the Privacy Policy.
- The Customer will be able to export its data at any time during the Contract term by submitting a request to Instabase at privacy@instabase.com.
- Upon termination or expiration of the Contract, and to the extent Customer utilizes Instabase’s data storage, Instabase shall make Customer’s data available for download from Instabase’s data storage for a period of thirty (30) days.
- Instabase will inform the Customer via the Platform and/or the Instabase Cloud Console of any scheduled maintenance that may have an impact on the Services availability, with reasonable prior notice whenever possible.
- Instabase shall inform the Customer without undue delay, and in any event within 72 hours, upon becoming aware of any development (an “ICT Incident”) that might have a material impact on Instabase’s ability to provide the Services in line with the agreed service levels.
- Instabase will fully cooperate with the Customer’s supervisory authorities, resolution authorities and the persons appointed by them exercising their information, audit and access rights with respect to the Customer’s use of the Services.
What measures are in place to protect operational resiliency?
Instabase has implemented a number of technical, organizational and contractual measures to ensure operational resiliency. In particular:
- We have implemented a comprehensive security program designed to protect Customer Data, which is outlined in Instabase’s Security Measures.
- Instabase provides high standards of security, with relevant technical and organizational measures to protect the Customer’s data.
- Relevant commitments regarding authenticity, integrity and confidentiality of the data processed by Instabase are available in the Standard Terms (in particular in the data processing agreement).
- Instabase provides a detailed description of its security policies and processes at https://trust.Instabase.com (the “Trust Center”).
- Instabase ensures operational resilience by testing recovery systems, maintaining a continuity plan, and implementing cybersecurity controls.
- Instabase shall ensure it has a business continuity plan (hereinafter, a “BCP”) in place on the effective date of the Agreement and undertakes to comply with DORA’s operational resilience requirements, as applicable to the Services provided.
- The BCP will be documented and regularly tested to ensure its effectiveness. Instabase personnel will be trained and prepared for its implementation.
- Instabase implements and maintains employee security and data privacy training programs. The security and data privacy awareness training programs are reviewed and updated by Instabase at least annually.
- Instabase provides information about its control environment to customers through technical papers, reports, certifications, and third-party attestations available through the Instabase Trust Center. This documentation helps customers understand the controls Instabase has in place that are relevant to the Instabase services customers use, and how those controls have been validated. This information can help financial entities assess controls in their extended IT environment.
- Financial entities using Instabase services can request and evaluate third-party attestations and certifications issued for Instabase in order to satisfy their due diligence requirements. These attestations and certifications help customers review the design and operating effectiveness of control objectives and provide visibility into, and independent validation of, the control environment by a qualified, independent third party.
- Financial entities using Instabase services can also request and evaluate threat-led penetration test reports issued for Instabase by an accredited third-party assessor.