
Secure by design.
Secure by default.

We are committed to building security into everything we do. 

By integrating proactive, risk-based security measures from the outset, we aim to protect our organization, partners, and customers from evolving threats and vulnerabilities.

Digital Operational Resilience Act (DORA)

For inquiries related to DORA, please contact dora@pexip.com. Below are the frequently asked questions.

What is DORA (Digital Operational Resilience Act)?

The Digital Operational Resilience Act (DORA) is a European Union regulation that aims to strengthen the digital resilience of financial institutions by ensuring they can withstand, respond to, and recover from information and communications technology (ICT) incidents and cyber threats. It establishes a framework for managing ICT risk and applies uniform requirements across the financial sector, including banks, insurance companies, investment firms, and ICT service providers that support financial entities. 

Why is DORA important for financial services and ICT providers?

DORA is important because it addresses the increasing risks posed by cyber threats and technological disruptions in the financial sector. It establishes clear guidelines for ICT risk management, incident reporting, operational resilience testing, and third-party risk oversight. By ensuring robust cybersecurity and operational resilience, DORA enhances financial stability, protects consumers, and fosters trust in digital financial services. Additionally, ICT service providers that work with financial institutions must also adhere to DORA requirements, ensuring end-to-end resilience across the ecosystem. 

When did DORA go into effect, and who does it apply to?

DORA was officially adopted by the European Parliament and Council in 2022, and the regulation came into full effect on January 17, 2025. It applies to a wide range of financial entities operating within the EU, including: 
  • Banks 
  • Insurance and reinsurance companies 
  • Investment firms 
  • Credit institutions 
  • Payment institutions 
  • Crypto-asset service providers 
  • ICT third-party service providers that support financial institutions 
Organizations covered by DORA must ensure they meet its ICT risk management, incident reporting, and operational resilience testing requirements by the enforcement date. 

How does DORA impact our company and services?

Financial entities using Pexip services must ensure we meet DORA’s operational resilience, security, and risk management requirements. Financial entities may request to enter into a DORA addendum with Pexip, which outlines the mandatory provisions for ICT service providers. Pexip will only enter into this agreement with financial entities.

How do we comply with the mandatory provisions for all ICT contracts?

Article 30(2)(a) – (i) of DORA establishes a list of mandatory provisions for all ICT contracts. Pexip’s approach to complying with the mandatory provisions is outlined in the sections below.

Service Descriptions

The scope and description of Pexip services are provided within our contractual agreements, including key functionalities, dependencies, and service components. Supplemental information is also available within Pexip’s support center.

Supply Chain and Data Location

Pexip evaluates and monitors its suppliers and service providers to ensure the security and reliability of our ICT supply chain. We maintain a list of the suppliers we use and their applicability to our supply chain on our website. Entities may subscribe to updates to be notified when changes to our supply chain occur. Additionally, we maintain a record of the service delivery location and the data storage and processing locations for each aspect of our service.

Pexip information systems are located in geographically dispersed cloud environments. Agreements with these hosting providers are covered by contractual agreements that specify baseline security requirements in accordance with ISO/IEC 27001:2022 or SSAE-18 SOC2 requirements. Pexip’s information security policies require hosting suppliers to meet or exceed these baseline security requirements.

Pexip maintains a published list of data center service locations within its subprocessor list here: https://help.pexip.com/service/subprocessors.htm

Pexip audits its hosting providers annually, keeping records of each supplier’s evidence of practice. Evidence is reviewed and updated at least annually to ensure that all providers maintain compliance. The provision and management of the information systems hosted within these environments, and the logical access to them, are Pexip’s responsibility, whilst physical security is the responsibility of the data hosting provider.

Data availability, integrity and data protection

We ensure data availability by implementing high-availability infrastructure with redundant hosting locations and disaster recovery mechanisms. Strong encryption, access controls, and authentication safeguard data confidentiality, while monitoring and detection of unauthorized modifications protect integrity. Our organization undergoes annual external audits to evaluate and provide assurance regarding our compliance with the requirements of ISO/IEC 27001, 27017, 27018, and 27701, reinforcing our adherence to security and privacy best practices. Pexip processes data in its data centres according to the data protection regulations commensurate with local laws. Pexip provides continuity of operations by implementing redundant services within each data center facility and supports geographic redundancy through data center failover to mitigate localized service disruption.

Pexip leverages subprocessors to provide the best experience and service to partners, end customers, and end users when using our products and services or when visiting our websites. A subprocessor is a third-party data processor engaged by Pexip who has, or potentially will have, access to service data or personal data. Pexip engages different types of subprocessors to perform various processing functions. A list of current and previous subprocessors is available for review here: https://help.pexip.com/service/subprocessors.htm

Contracts between Pexip and its subprocessors shall specify the minimum technical and organizational measures that meet the information security and PII protection obligations of Pexip. The Pexip Information Systems Security team evaluates the security, privacy and confidentiality practices of prospective subprocessors before employing them. In doing this, Pexip ensures subprocessors meet the rigorous requisites of contractual obligations and statutory duties according to its responsibilities to data controllers.

Pexip’s Privacy Notice describes the personal data that might be processed when using the Pexip products or services, and how it is protected.

Access to data and termination rights

Upon termination of services as specified in the contract between Pexip and the financial entity, upon the financial entity’s written request, or upon fulfillment of all purposes agreed in the context of the contract between Pexip and the financial entity, Pexip will, at the discretion and direction of the financial entity, either delete, destroy, anonymize or return all in-scope data to the financial entity, and destroy or return any existing copies throughout its supply chain.

Service level specifications

Service levels at Pexip are specified within its contractual agreements. Financial entities should refer to their contract with Pexip or with the ICT service provider through which they purchased Pexip’s services.

ICT Incidents

Incident management at Pexip ensures a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

As further clarified in Pexip’s contractual agreements, Pexip shall promptly notify its customer, and where applicable the Pexip partner, if it becomes aware of an incident that impacts data that is the subject of the agreement between Pexip and its customer. Pexip shall at all times cooperate with the customer and shall follow their instructions with regard to such incidents, in order to enable the customer to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.

Pexip provides mechanisms for information security event reporting. Customers may access the information here: https://www.pexip.com/trust-center/vulnerability-disclosure

ICT Third Party Cooperation

Pexip commits to full cooperation with financial regulators when required, including:

  • Providing necessary documentation and evidence of compliance.
  • Participating in regulatory audits or inquiries.
  • Supporting threat intelligence sharing initiatives.

Security Awareness and Training

We conduct annual cybersecurity training for all members of our workforce, reinforcing best practices in threat mitigation and regulatory compliance. Our workforce development programs integrate phishing simulations, cyber resilience drills, and compliance training to enhance readiness against cyber threats. Training content is aligned with industry best practices, ensuring our team remains well-equipped to support our customers' operational resilience and regulatory obligations.

By aligning our security practices with DORA’s regulatory expectations, we help our financial sector customers meet their compliance obligations while ensuring that our ICT services remain resilient, secure, and privacy conscious.