Bitdefender is fully aware of the Digital Operational Resilience Act (DORA) and its impact on financial entities operating in the European Union (EU). To support our customers in meeting these requirements, we have prepared this document, which outlines the key DORA contractual obligations (Art 30(2)) and indicates how Bitdefender's agreements, policies and reports help ensure compliance.
Minimum requirements

| Description | Requirement reference | Bitdefender agreements / policies |
| --- | --- | --- |
| A clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting | Art 30 2(a) | A complete description of the Bitdefender services can be consulted on the website at https://www.bitdefender.com/en-us/business/ or in Section 3 of the latest Bitdefender SOC 2 report, available upon request. The product and its features are publicly presented at https://www.bitdefender.com/business/support/en/77209-79436-welcome-to-gravityzone.html . Where subcontracting takes place, the provisions on subcontracting are found in the EULA at https://www.bitdefender.com/en-us/site/view/eula-business-solutions |
| The locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations | Art 30 2(b) | Details on location can be found in the Privacy Policy for Bitdefender Business Solutions at https://www.bitdefender.com/en-us/site/view/legal-privacy-policy-for-bitdefender-business-solutions , in the Data Collection Policy, and in the SOC 2 report (available upon request). |
| Provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data | Art 30 2(c) | Details can be found in the General Terms and Conditions of the Data Processing Agreement (DPA) at https://www.bitdefender.com/en-us/site/view/data-processing-agreement-for-bitdefender-solutions , which applies where Bitdefender acts as processor. Confidentiality obligations covering information disclosed by the financial entity or by Bitdefender are set out in the EULA at https://www.bitdefender.com/en-us/site/view/eula-business-solutions . Further details are in the SOC 2 report, available upon request. |
| Provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements | Art 30 2(d) | Bitdefender has established a business continuity / disaster recovery process. A business impact analysis is performed annually, and the business continuity plan is updated to reflect changes to critical systems. Bitdefender maintains a disaster recovery plan for each critical system; the business continuity and disaster recovery plans are tested annually. Details can be found in the SOC 2 report and in the Backup and Recovery Policy, both available upon request. |
| Service level descriptions, including updates and revisions thereof | Art 30 2(e) | Details can be found in the Enterprise Support Policy at https://www.bitdefender.com/site/view/enterprise-support-policies.html , which sets out the standard support service level, severity definitions for incidents, target response times and the assistance provided. For managed detection and response (MDR) services, the specific service levels are set out in the EULA at https://www.bitdefender.com/en-us/site/view/eula-business-solutions |
| The obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs | Art 30 2(f) | Conditions for enterprise support are stipulated in the Enterprise Support Policy at https://www.bitdefender.com/site/view/enterprise-support-policies.html and in the Warranties section of the EULA at https://www.bitdefender.com/en-us/site/view/eula-business-solutions . In the event of a security incident, the Bitdefender Incident Response Policy applies; the policy is not publicly available but can be provided upon request. |
| The obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them | Art 30 2(g) | Bitdefender maintains a high level of transparency and cooperation, which is essential to the financial entity's DORA compliance and overall operational resilience. Bitdefender will therefore fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them. |
| Termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities | Art 30 2(h) | The financial entity may terminate for breach, subject to the minimum notice period specified in the EULA at https://www.bitdefender.com/en-us/site/view/eula-business-solutions |
| The conditions for the participation of ICT third-party service providers in the financial entities' ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6) | Art 30 2(i) | Under Art 13(6), participation of ICT third-party service providers in such training and programmes applies "where applicable". Where the financial entity decides that Bitdefender should participate, Bitdefender will fully cooperate in order to be compliant. |