SOFTWARE LICENSE TERMS

This document (hereinafter – the Terms) is provided as an appendix to the Audit Services Agreement between the Client and ECOVIS Advisory LT, UAB (hereinafter – the Auditor), in order to clearly define the terms for granting access to and supporting the “Regrally” platform (SaaS) applied by the operator of the platform – Regrally Technologies, UAB.

1. Status of the Document, Parties and Acceptance

1.1. The operator of the Software and the provider of the license is Regrally Technologies, UAB, legal entity code 306341431, Mėsinių g. 5, Vilnius, Republic of Lithuania (where applicable – the organizer of the platform infrastructure and/or its provision) (hereinafter – the Supplier).

1.2. The natural or legal person acquiring the license (the Client) (hereinafter – the Licensee).

1.3. The Supplier and the Licensee are hereinafter jointly referred to as the Parties.

2. Definitions

2.1. Software – the “Regrally” online software (SaaS) intended for the compliance review and audit readiness process: (i) submission of expert-approved questionnaires and collection of answers and documents (evidence); (ii) automated analysis of submitted documents, where artificial intelligence functionalities search for evidence in documents, extract relevant information and prepare a structured summary with findings; (iii) identification of potential compliance risks and provision of recommendations; (iv) generation of reports for review.

2.2. Licensee Content – data, documents, responses, records, reports and other information uploaded to or generated within the Software by the Licensee (or its authorized users).

2.3. Operator of the Software – Regrally Technologies, UAB, legal entity code 306341431, Mėsinių g. 5, Vilnius, Republic of Lithuania (where applicable – the organizer of the platform infrastructure and/or its provision).

2.4. SLA (service level agreement) – an agreement establishing the Software availability, support, incident management and other service level indicators.

2.5. DORA terms package – an appendix to the Terms (Appendix No. 1), applicable where the Licensee is a financial entity (or another DORA entity) and the service falls within the scope of Regulation (EU) 2022/2554.

3. Subject Matter of the Terms

3.1. The Supplier grants the Licensee the right to use the Software within the scope of the License during the License term specified in a separate order document.

3.2. The Supplier confirms that it has the right to grant the Licensee the license provided for in these Terms (directly or through a lawful sublicensing right).

3.3. Unless otherwise specified in a separate order document, the License term may be automatically renewed for a period of 1 (one) month if neither Party notifies the other Party in writing of non-renewal no later than 5 (five) calendar days before expiry.

4. Grant of the License and Restrictions on Use

4.1. The Supplier grants the Licensee a non-exclusive, non-transferable, non-sublicensable, time-limited right to use the Software solely for the Licensee’s internal business purposes.

4.2. The Licensee shall not be entitled to:

4.2.1. copy, modify, decompile, disassemble or otherwise attempt to extract the source code of the Software, except to the extent imperatively permitted by applicable law;

4.2.2. provide the Software as a service to third parties, sell, lease, sublease, assign or otherwise dispose of the license;

4.2.3. remove or alter authorship, trademark or other proprietary notices;

4.2.4. use the Software for unlawful purposes or in violation of the rights of third parties.

4.3. The Licensee is responsible for the actions of its users (employees, representatives) and for the security of login credentials.

5. Grant of Access, Support and Changes

5.1. The Supplier grants the Licensee access to the Software through an online interface by issuing user accounts or other login credentials.

5.2. The Supplier may update, improve or modify the functionality of the Software (including the user interface), provided that this does not materially reduce the scope of the License granted to the Licensee.

5.3. Where the Licensee is a DORA entity, the appendix on the implementation of the DORA terms shall apply.

5.4. The Supplier does not undertake to ensure uninterrupted operation unless the DORA terms package applies and provides for an SLA. Scheduled works, updates or maintenance may temporarily restrict access.

5.5. Where an SLA applies, the Parties agree that the service level indicators, measurement methodology and scope of support shall be binding.

5.6. The Supplier ensures incident logging, escalation, notification and (where applicable) compliance with the provisions of Appendix No. 1 (DORA terms package); additional assistance during an incident shall be provided without additional charge.

5.7. The Supplier shall notify the Licensee in advance, in accordance with Appendix No. 1, of any material service changes (e.g., changes in data location, material changes in functionality, changes of critical subcontractors, changes in security architecture) that may have a material impact on the performance of the Terms or the SLA; where Appendix No. 1 does not apply, such notice shall be given no later than 30 calendar days in advance, except for urgent security updates.

6. Payments

6.1. The price, payment deadlines and other commercial terms shall be specified in a separate order document. Unless otherwise specified in the order document, the invoice shall be paid within 14 (fourteen) calendar days from the date of receipt.

6.2. In the event of late payment, the Supplier shall have the right to charge default interest of 0.02% of the outstanding amount for each day of delay and/or temporarily suspend access, after prior notice.

7. Intellectual Property

7.1. The Software, its components, design, databases, documentation, trademarks and other rights in the Software belong to the operator of the Software and/or its licensors. These Terms do not grant the Licensee any ownership rights in the Software.

7.2. All rights in the Licensee Content belong to the Licensee. The Supplier does not acquire ownership rights in the Licensee Content.

7.3. The Supplier may use the Licensee Content only to the extent necessary to provide and support the Software, ensure security and provide assistance, and only for the purposes set out in the Terms and Appendices.

8. Artificial Intelligence Functionalities and Limitations of Liability

8.1. The Licensee understands that the Software may use automated algorithms and/or artificial intelligence solutions that generate outputs based on the information provided by the Licensee.

8.2. Data provided by the Licensee is not used to train or improve artificial intelligence models and is not disclosed or shared for any purposes other than the provision of the Software and related services under these Terms, except where

(i) this is necessary for the provision of the services (e.g., through the use of subprocessors / infrastructure service providers indicated in the Appendices), or

(ii) this is required by applicable law or competent authorities.

8.3. The Licensee is responsible for the lawfulness of the data provided to the Software and for ensuring that it has the right to use and provide such data.

9. Confidentiality

9.1. Confidential Information means any information not publicly disclosed that the Parties receive in the performance of the Terms (including technical, commercial, organizational, financial, legal information and information related to software architecture, configurations and security measures).

9.2. Each Party undertakes to protect the other Party’s Confidential Information and not to use it for any purposes other than the performance of these Terms.

9.3. Confidential Information may be disclosed only to the extent required by law or competent authorities, after prior notice to the other Party, unless prohibited by law.

9.4. The confidentiality obligations shall remain in force for 3 (three) years after termination of the Supplier’s services, unless a longer period is required by law.

10. Personal Data Protection

10.1. In processing personal data under these Terms, the Parties shall comply with the GDPR (EU) 2016/679 and other applicable laws.

10.2. Where the Supplier processes the Licensee’s personal data on behalf of the Licensee (as a processor), the personal data processing terms (DPA) under Article 28 GDPR shall apply, as published at [Link].

10.3. The Supplier shall notify the Licensee of any personal data breach related to the Licensee’s data immediately, but no later than within 24 hours of becoming aware of it.

11. Liability

11.1. The Software is provided “as is”, to the extent permitted by applicable law. The Supplier does not warrant that the Software will meet all of the Licensee’s needs or operate without errors.

11.2. The Supplier shall be liable only for direct losses resulting from wilful misconduct or gross negligence, and the Supplier’s aggregate liability under these Terms shall in any event not exceed the amount paid by the Licensee for the Supplier’s services during the last 12 months (or, if the Supplier’s services have been provided for a shorter period, the amount paid during the actual period).

11.3. The Supplier shall not be liable for indirect losses (loss of profit, loss of reputation, loss of data, business interruption, etc.), unless mandatory provisions of law provide otherwise.

12. Final Provisions

12.1. These Terms shall be governed by the law of the Republic of Lithuania. Disputes shall be resolved through negotiations and, if no agreement is reached, in the courts of the Republic of Lithuania according to the registered office of the Supplier.

12.3. These Terms shall be deemed to have been provided in a durable medium and may be accepted by electronic means and without separate signature by the Parties.

12.4. The appendices to the Terms form an integral part of the Terms. Where Appendix No. 1 (DORA terms package) applies, its provisions regarding compliance with DORA requirements shall prevail over other provisions of the Terms to the extent necessary to ensure DORA compliance.

Appendix No. 1. DORA Terms Package (applicable where the Licensee is a financial entity and the service falls within the scope of DORA)

This Appendix sets out the key contractual provisions under Article 30 of Regulation (EU) 2022/2554 (DORA).

1. Scope

1.1. This Appendix shall apply only where the Licensee is a DORA entity and the assessment carried out by the Licensee confirms that these Terms are to be regarded as a contract for ICT third-party services.

1.2. In providing the service, the Supplier undertakes to enable the Licensee to exercise the rights set out in this Appendix and to obtain the necessary information, to the extent related to the provision of the service and aspects controlled by the Supplier.

2. Description of the Service and Sub-outsourcing

2.1. The scope of the service, functionality, environments and other parameters are set out in the Terms.

2.2. Sub-outsourcing is permitted only to the extent necessary for the provision of the service. The Supplier must inform the Licensee in advance of changes to critical subcontractors and grant the right to reasonably object (as specified in Section 7).

3. Service Level Agreement (SLA) and Notices of Material Changes

3.1. SLA measurement: availability is calculated on a calendar-month basis. “Unavailability” means that the Licensee cannot use the core functionalities due to a service failure. Scheduled works and force majeure are excluded.

| Indicator | Standard (default) |
|---|---|
| Service availability (prod) | 99.5% per calendar month |
| Scheduled maintenance | Notice 48 hours in advance; window up to 4 hours |
| Support hours | 8x5 (business days 9:00–18:00 LT) |
| P1 – critical incident | Response: 1 hour; target resolution: 8 hours |
| P2 – high | Response: 4 hours; target resolution: 2 business days |
| P3 – medium | Response: 1 business day; target resolution: 10 business days |
| P4 – low | Response: 2 business days; target resolution: as agreed |
| Backups | Daily; retention 30 days |
| Recovery objectives | RPO: 24 hours; RTO: 24 hours |
| Vulnerability management | Critical patches deployed within 14 days |
| SLA reports | Each calendar quarter |

3.2. The Supplier shall promptly inform the Licensee of any changes or circumstances that may have a material impact on the provision of the service under the SLA (e.g., changes in ownership or control, risks to financial capacity, material infrastructure changes).

4. Data Location, Access Rights, Confidentiality

4.1. Data hosting regions, replication policy and backup location (where applicable) are specified in the Terms. Transfer of data to another region or third country is permitted only after prior notification to the Licensee and receipt of its written consent, except in urgent cases for incident management where there is no alternative.

4.2. The Supplier applies access control on a least-privilege basis, logs administrative actions and retains logs for the period specified in the SLA or Order Form.

5. Security Measures, BCP/DR

5.1. The Supplier implements technical and organizational measures ensuring an appropriate level of security for the service provided (e.g., encryption in transit, access control, vulnerability management, monitoring, backups).

5.2. The Supplier maintains BCP/DR plans, carries out testing and provides summary reports to the Licensee upon request. RTO/RPO targets are set in the SLA.

6. ICT Incidents: Notification and Assistance

6.1. The Supplier shall notify the Licensee of an ICT incident related to the service and capable of affecting the Licensee’s operations or data immediately, but no later than within 24 hours of becoming aware of it, and in critical cases – within the timeframes set in the SLA.

6.2. The Supplier provides assistance during an incident without additional charge or for a pre-agreed fee, including RCA and a corrective action plan.

7. Subcontractors / Subprocessors

7.1. The Supplier shall inform the Licensee in advance of planned changes to critical subcontractors (unless otherwise specified – no later than 30 calendar days in advance) and grant the right to reasonably object where the change increases risk or violates the Licensee’s requirements.

7.2. The Supplier ensures that subcontractors are subject to requirements no less stringent than the provisions of this Appendix, including audit rights, incident notification, and security and continuity obligations.

8. Rights of Access, Inspection and Audit

8.1. The Licensee, its designated auditors and competent or resolution authorities shall have the right to receive information and to perform inspections and audits in relation to the provision of the service, security and compliance. The scope and frequency of audits shall be determined on a risk-based basis.

8.2. The Supplier shall ensure the practical exercise of audit rights: provision of documentation, remote inspections and, where necessary, on-site inspections. Where restrictions are required due to the rights of other clients or confidentiality, the Parties may agree on alternative assurance measures (e.g., independent audit reports, certificates, test results), without limiting the Licensee’s right to obtain sufficient assurance.

9. Cooperation with Authorities and TLPT

9.1. The Supplier undertakes to cooperate with the Licensee’s competent and resolution authorities, provide information and enable inspections within the scope of this Appendix.

9.2. Where the Licensee is required to perform threat-led penetration testing (TLPT) and the scope of such testing includes the service, the Supplier shall reasonably cooperate and participate in the testing in accordance with the Licensee’s instructions, to the extent technically feasible and not contrary to law.

10. Termination Rights and Exit Strategy

10.1. The Licensee shall have the right to discontinue the services provided by the Supplier on additional grounds where: (i) a material security breach or persistent failure to meet the SLA is identified; (ii) significant changes to the service or sub-outsourcing occur that increase risk; (iii) the Supplier cannot ensure audit / access rights; (iv) a competent authority issues a binding instruction to terminate or modify the service.

10.2. The exit strategy includes a mandatory transition period, the duration of which is specified in the Order Form (if not specified – not less than 60 calendar days), during which the Supplier continues to provide the service so that the Licensee can migrate to another solution or an internal solution.

10.3. The Supplier shall provide data export in documented formats and, if agreed in the Order Form, migration assistance at a pre-agreed rate.

11. Contact Points

11.1. The Supplier shall appoint contact persons for (i) service provision and SLA, (ii) security and incidents, and (iii) audits and requests from authorities. Contacts shall be indicated in the Order Form and updated immediately upon change.

12. Final Provisions

12.1. This Appendix forms an integral part of the Terms and applies where the Licensee is a DORA entity and the service falls within the scope of DORA, as determined by the Licensee.

12.2. This Appendix shall apply together with the Terms without separate signature.