Financial Services Industry Addendum (DORA)
Last updated: Feb 12, 2026, 12:00 AM
This Digital Operational Resilience Act Addendum (“DORA Addendum”) applies only to Customers that (i) are financial entities (or otherwise fall within the scope of) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”), and (ii) are established in the European Economic Area (“EEA”) (each, an “FSI”). This DORA Addendum is intended to address the requirements applicable to Kalli AI as an ICT third-party service provider under DORA.
To the extent applicable, this DORA Addendum forms part of the Master Service Agreement (“Agreement”) and governs the information and communication technology services procured by Customer under the Agreement (“ICT Services”). If there is any conflict or inconsistency between this DORA Addendum and the Agreement, this DORA Addendum will prevail solely to the extent required to comply with DORA; in all other respects, the Agreement will prevail.
1. DEFINITIONS
Capitalized terms used but not defined in this DORA Addendum will have the meanings set out in (i) DORA, or (ii) the Agreement (including, as applicable, the Service Level Agreement (“SLA”) and the Data Protection Agreement (“DPA”)).
The following definitions apply in this DORA Addendum:
1.1. “Financial Services” means financial services and activities including, without limitation, banking, lending, insurance, payment services, investment services (including brokerage and dealing), trading (including securities and derivatives), operation of trading venues and exchanges, issuance of electronic money, and other services involving the investment, lending, trading, custody, or management of money and financial assets.
1.2. “ICT-related Incident” means a single event or a series of linked events, unplanned by Customer, that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on the ICT Services or other services provided by Customer.
1.3. “Regulator(s)” means any competent authority, resolution authority, or other supervisory or regulatory authority with legally binding jurisdiction over Customer and/or, as applicable, Kalli AI in its capacity as provider of the ICT Services.
1.4. “Service Levels” means the service levels detailed in the SLA.
1.5. “Sub-processor” means any third party engaged by Kalli AI to Process Customer Data, as listed at: https://kali-ai.com/trust/subprocessors.
2. SCOPE OF ICT SERVICES
2.1. Kalli AI provides a cloud-based platform that offers tools to deploy, design, orchestrate, manage, and monitor automated generative AI solutions (including conversational and agentic AI), as further described in the Agreement and the applicable Order Form.
2.2. Customer shall notify Kalli AI in writing if Customer determines that the ICT Services support a critical or important function for purposes of Article 30(3) of DORA. If Customer does not provide such written notice, the ICT Services will be treated as not supporting a critical or important function solely for purposes of applying any provisions of this DORA Addendum that are expressly limited to ICT services supporting critical or important functions.
2.3. Customer acknowledges and agrees that responsibility for compliance with DORA remains with Customer. Kalli AI's obligations under this DORA Addendum are intended to support Customer's DORA compliance with respect to the ICT Services and do not replace or diminish Customer's obligations under DORA.
2.4. The locations where the ICT Services are provided, including where Customer Data is Processed or stored, are described in the Sub-processor list at: https://kali-ai.com/trust/subprocessors. Kalli AI will provide prior notice through the Account if Kalli AI makes any material change to such locations.
3. SUBCONTRACTING
3.1. Customer acknowledges and agrees that Kalli AI may subcontract the performance of all or any part of its obligations under the Agreement (including the provision of the ICT Services) to its Affiliates, Sub-processors and other third-party subcontractors (collectively, “Subcontractors”), provided that Kalli AI complies with the requirements set out in this Section 3.
3.1.1. Prior to appointing a Subcontractor that will provide or support the ICT Services and/or have access to, Process, or store Customer Data, Kalli AI will perform reasonable due diligence, including on such Subcontractors' security standards, to ensure compliance with Kalli AI's standards for data security. Such diligence may include review of relevant risk assessments, audit reports or certifications, and physical, technical, organizational, and administrative controls.
3.1.2. Kalli AI will review its Sub-processors on an annual basis.
3.1.3. Where reasonably practicable, Kalli AI will include in its agreements with relevant Subcontractors provisions that are no less protective than those applicable to Kalli AI under the Agreement and this DORA Addendum in respect of the ICT Services. Such provisions will include, where reasonably practicable, rights to obtain information and assurance (including audit or inspection rights) sufficient to enable Customer and/or its Regulators to meet applicable requirements under DORA, including in connection with an ICT-related Incident.
3.2. Kalli AI shall remain fully responsible for the acts and omissions of its Subcontractors.
3.3. A list of Subcontractors is available at all times at: https://kali-ai.com/trust/subprocessors. Kalli AI will notify Customer of material changes to subcontracting arrangements affecting Customer Data. If Customer reasonably determines that such change materially increases risk to Customer, Customer may object to such changes in writing within thirty (30) days after notice. In the absence of an objection within such period, Customer is deemed to have accepted such change.
3.4. Except as expressly set out in Section 3.3 or as required under DORA, Customer acknowledges that Kalli AI is not obligated to provide Customer with general veto rights over Kalli AI's subcontracting decisions.
4. SECURITY AND CUSTOMER DATA
4.1. Kalli AI shall implement and maintain appropriate technical and organizational measures designed to ensure the availability, authenticity, integrity, and confidentiality of Customer Data, as further described (and updated from time to time) at: https://kali-ai.com/trust/controls#internal-security-procedures.
4.2. To the extent Customer Data includes Personal Data, such Personal Data will be Processed in accordance with the DPA: /legal/dpa.
4.3. During the Term, Customer shall be entitled to access and retrieve Customer Data in accordance with the Agreement and the Documentation. In the event of (i) insolvency, resolution, or discontinuation of Kalli AI's business operations, or (ii) termination or expiry of the Agreement or the applicable ICT Services, Kalli AI shall, during the Transition Period (as defined in the Agreement), ensure that Customer can access, recover, and receive a return of Customer Data in a commonly used and easily accessible format.
4.4. Kalli AI maintains ICT security awareness programs and digital operational resilience training for its personnel involved in the provision of the ICT Services. Kalli AI places a strong emphasis on security awareness and training for all employees, recognizing the importance of understanding their information security responsibilities. A mandatory annual security awareness training program is in place for all employees. This training covers critical areas such as common security risks and threats, compliance with regulations, data protection and customer privacy, and awareness of social engineering tactics, including fraud and phishing.
4.5. Kalli AI will not be required to participate in Customer's internal security training or awareness programs, provided that Kalli AI supplies information reasonably necessary to demonstrate that Kalli AI's internal training program sufficiently addresses the security awareness objectives relevant to the ICT Services. If Kalli AI is unable to provide such information or if the parties reasonably determine that material gaps remain, Kalli AI will use commercially reasonable efforts to participate in Customer's relevant training initiatives, provided that Customer makes such training available to Kalli AI at no charge.
5. ICT INCIDENT MANAGEMENT
5.1. Kalli AI shall notify Customer without undue delay after becoming aware of an ICT-related Incident that materially impacts the ICT Services. Such notice will include, to the extent reasonably available at the time, a description of the ICT-related Incident, the ICT Services affected, the likely impact, and the mitigation and remediation steps taken or planned.
5.2. Kalli AI shall provide Customer with reasonable assistance in connection with any ICT-related Incident that (i) relates to the ICT Services, and (ii) is caused by Kalli AI's act or omission.
5.3. An ICT-related Incident will not be deemed attributable to Kalli AI to the extent it is caused by (i) Customer's failure to maintain appropriate security arrangements; (ii) Customer's failure to comply with minimum system requirements notified by Kalli AI; or (iii) Customer's use of the ICT Services other than in accordance with the Agreement, the Documentation, or Kalli AI's written instructions. Kalli AI may provide support and assistance with respect to such incidents at its sole discretion.
6. REGULATOR AND CUSTOMER AUDIT AND MONITORING RIGHTS
6.1. Kalli AI shall reasonably cooperate with Regulators and any representative appointed by them in matters related to Kalli AI's obligations under this DORA Addendum, to the extent required by applicable laws and subject to the confidentiality provisions in the Agreement.
6.2. In the event a Regulator initiates an information request to Kalli AI regarding the ICT Services provided to Customer, Kalli AI shall reasonably cooperate with such request to the extent required for the Regulator's assessment of compliance with DORA, provided that Customer provides Kalli AI with reasonable prior written notice of such request to the extent permitted by applicable law.
6.3. Customer acknowledges and agrees that, due to the rights of Kalli AI's customers, Kalli AI cannot provide Customer or any Regulator with unrestricted rights of access, inspection, and audit, or the right to take copies of documents, as contemplated by Article 30(3)(e) of DORA. Accordingly, pursuant to Article 30(3)(e)(ii) of DORA, the Parties agree to the following alternative assurance measures:
6.3.1. Third-Party Certifications and Audit Reports - Subject to confidentiality obligations, Kalli AI agrees, upon Customer's written request (and no more than once per calendar year), to provide copies of relevant third-party certifications maintained by Kalli AI, including ISO 27001, SOC 2, and other applicable compliance certifications, or copies of third-party or internal audit reports covering the systems and key controls relating to the ICT Services.
6.3.2. Compliance Questionnaires - Kalli AI shall provide written responses, on a confidential basis, to reasonable requests for information made by Customer, including responses to information security and audit questionnaires, in each case as reasonably required to confirm Kalli AI's compliance with the Agreement.
6.3.3. Customer agrees to rely on third-party certifications, third-party or internal audit reports, and compliance questionnaires made available by Kalli AI to the extent permitted under DORA. Only where such information and documentation does not evidence that Kalli AI complies with its contractual obligations under this DORA Addendum may Customer request an onsite inspection or audit.
6.4. If Customer, notwithstanding the foregoing, requires an on-site audit to comply with DORA requirements or a Regulator's binding request, such audit shall be subject to the following conditions:
6.4.1. Customer shall submit a detailed audit plan at least ninety (90) days in advance of the proposed audit date to Kalli AI, describing the scope, duration, and start date of the audit. Kalli AI will review the audit plan and provide Customer with any concerns or questions, including to ensure the security, privacy, employment, and other relevant rights of Kalli AI (including its digital assets, platform, Services, and customers).
6.4.2. The audit shall be limited to once per year, unless otherwise required by applicable law.
6.4.3. If the requested audit scope is addressed in a similar audit report or certification within the prior twelve (12) months and Kalli AI confirms that there have been no material changes in the audited controls, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by such report.
6.4.4. The audit must be conducted during regular business hours at the applicable facility and may not interfere with Kalli AI's business activities or Kalli AI's confidentiality obligations to other customers. Where other customers' rights may be affected, Kalli AI may require alternative assurance measures, including pooled audits.
6.4.5. The auditor conducting the audit on Customer's behalf must not be a competitor of Kalli AI or associated with a competitor, and such third party is subject to Kalli AI's prior written approval. The auditor must execute a written confidentiality agreement before conducting the audit. Customer may use the audit reports only for the purpose of meeting the regulatory requirement that gave rise to the audit. The audit reports and any other materials, documents, communications, or information relating to the audit are Kalli AI's Confidential Information.
6.4.6. Customer will provide Kalli AI with a copy of any audit reports generated in connection with any audit, unless prohibited by applicable law.
6.5. All audits shall be at Customer's sole expense. Any request for Kalli AI to provide assistance with an audit shall be considered a separate service, and Kalli AI reserves the right to charge Customer additional fees.
7. RESILIENCE TESTING, BCP AND DISASTER RECOVERY PLAN
7.1. Kalli AI confirms that it regularly tests its resilience measures, including penetration testing, vulnerability assessments, and other controls, in accordance with industry standards and best practices.
7.2. Kalli AI maintains and regularly tests business contingency plans (“BCP”) to ensure continuity, as further detailed in the Information Security Policy available at https://kali-ai.com/trust.
7.3. As Threat-Led Penetration Testing (“TLPT”) may have an adverse impact on the quality or security of the services that Kalli AI provides to its other customers, Kalli AI reserves the right to engage an external tester to perform pooled testing in accordance with Article 26(4) of DORA, rather than participate in Customer-led individual TLPT.
7.4. Kalli AI also implements robust vulnerability management, conducting regular internal scans and quarterly production network scans, and ensuring timely remediation of high-risk vulnerabilities, including in source code as part of the SDLC. High or Critical issues are investigated and addressed in accordance with Kalli AI's SDLC process or by any necessary means. Following remediation, a re-test is performed to verify that the relevant issues have been resolved.
7.5. Quarterly external network scans of the Services are conducted, and monthly vulnerability tests are conducted. Response times for known vulnerabilities are as follows: critical (as soon as possible and no later than one (1) week from identification), high (no later than one (1) month from identification), medium (no later than three (3) months from identification), and low (no later than three (3) months from identification).
7.6. Kalli AI maintains backup policies and associated measures. Such backup policies include continuous monitoring of operational parameters relevant to backup operations. The servers also include an automated backup procedure. Kalli AI maintains disaster recovery plans to restore customer-facing cloud products. Disaster recovery plans define Recovery Time Objectives (“RTO”) and Recovery Point Objectives (“RPO”) for the Services.
- RTO for Customer Data: 12 hours
- RPO for Customer Data: 1 day
8. TERMINATION RIGHTS, EXIT PLANS
8.1. In addition to the termination provisions in the Agreement, Customer may terminate the Agreement by providing at least thirty (30) days' prior written notice if: (i) a Regulator requires termination; (ii) there is a material change to the ICT Services such that they no longer comply with laws applicable to Customer as a regulated FSI; (iii) Customer demonstrates that there are weaknesses in the management or security of Customer Data or information, and such weaknesses are not cured within thirty (30) days after Customer provides Kalli AI with notice; or (iv) a Subcontractor is replaced, despite Customer’s objection to such Subcontractor.
8.2. Prior to exercising any termination right, Customer shall provide Kalli AI with documented evidence supporting the basis for termination (such as a copy of an internal risk assessment or a communication from a Regulator).
8.3. Customer shall pay Kalli AI all fees and charges payable in respect of the provision of the ICT Services for the period up to and including the date of termination, including any outstanding fees on orders committed. Termination of the ICT Services under this Section shall not entitle Customer to any refund of prepaid fees, and Customer shall remain liable for all fees otherwise due under the applicable Order Form or the Agreement.
8.4. Customer acknowledges and agrees that, given the nature of the ICT Services, it is unlikely that extensive transition or exit assistance services will be required upon termination or expiry of the Agreement.
8.5. If Customer requires transition or exit assistance services upon termination or expiry of the Agreement, Kalli AI agrees to provide such services, provided that the scope, duration, and nature of the services are commercially reasonable, are agreed in writing by the parties, and that Customer pays for such services in addition to the then-current Subscription fees. Customer is responsible for developing its own plan for the orderly transition from, and exit from, the ICT Services by leveraging available capabilities and features of the ICT Services.
9. MISCELLANEOUS
9.1. If any provision of this DORA Addendum is held or declared invalid, unlawful, or unenforceable by a competent authority or court, the remainder of this DORA Addendum shall remain in full force and effect.
9.2. Instructions, notices, and other communications under this DORA Addendum shall be made in accordance with the notice provisions of the Agreement.
9.3. Kalli AI may update this DORA Addendum from time to time by publishing an updated version (including by posting it to Kalli AI's website or through the Account). Unless otherwise stated by Kalli AI, updates will become effective ten (10) days after publication. Notwithstanding the foregoing, if Kalli AI makes a material revision to this DORA Addendum, Kalli AI will provide Customer with notice (including via email or through Customer’s Account), and such revision will become effective thirty (30) days after such notice.
9.4. This DORA Addendum shall remain in effect for as long as the Agreement and an Order Form remain in effect and Customer is subject to DORA or is an FSI, and shall automatically terminate upon the earlier of: (i) the expiry or termination of the Agreement or the applicable Order Form; or (ii) the date on which Customer is no longer subject to DORA. However, the remaining provisions of this DORA Addendum shall continue in full force and effect unless otherwise agreed by the Parties.
9.5. Unless specifically agreed otherwise in writing, Kalli AI may charge reasonable fees for activities undertaken in fulfillment of its obligations under this DORA Addendum that are in addition to the services already contracted under the Agreement.
9.6. This DORA Addendum is governed by the law and jurisdiction provisions of the Agreement, except to the extent otherwise required by applicable laws and regulations administered by a Regulator with binding authority to regulate, supervise, or govern Customer's financial services activities under DORA, including resolution authorities of regulated entities.