
Kong Financial Services Addendum

Last Updated: October 15, 2025

This Financial Services Addendum (“FS Addendum”) forms part of the applicable Kong Customer Agreement or other master agreement for the purchase of subscriptions to Kong Products entered into between Kong Inc. (“Kong”) and Customer or an Affiliate of Customer (“Agreement”). It sets out additional contractual terms and information to assist Customers who are Regulated Entities (defined below) in addressing their regulatory obligations when using the Kong Products specified herein, including under:

● Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (“DORA”);

● The European Banking Authority’s (EBA) Guidelines on Outsourcing Arrangements (“EBA Outsourcing Guidelines”);

● The European Insurance and Occupational Pensions Authority, Guidelines on Outsourcing to Cloud Service Providers (“EIOPA”); and

● The UK Prudential Regulation Authority, Supervisory Statement SS2/21 - Outsourcing and Third Party Risk Management (“PRA”).

This FS Addendum supplements certain terms of the Agreement, solely with respect to the applicable Kong Products listed below, if purchased by the Customer. Except as otherwise modified in this FS Addendum, all other terms and conditions of the Agreement will remain in full force and effect. In the event of a conflict between this FS Addendum and the Agreement, this FS Addendum will prevail for the purposes of the applicable Product.

Any terms capitalised but not defined herein will have the meaning given to them in the Agreement entered into between the parties. If no such definition is provided therein, such terms will have the meaning set out in Kong’s standard customer agreement available at https://konghq.com/legal/kong-customer-agreement.

PART A – GENERALLY APPLICABLE TERMS

1. DEFINITIONS.

1.1. “Customer Payload Data” means the actual Customer data (and not metadata or header data) contained within a packet or message that is processed by the Product. An analogy is the contents of an envelope as distinct from the address on the envelope; Customer Payload Data in this analogy is the contents of the envelope.

1.2. “ICT Service” means, in accordance with DORA, the digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis.

1.3. “Regulatory Authority” means any authority with regulatory jurisdiction over the Customer or a Customer Affiliate and/or any resolution authority.

1.4. “Regulated Entity” means a Customer who provides banking, credit, insurance and reinsurance, payment, electronic money, stock brokering or stock exchange services, and that is subject to the supervisory authority of one or more Regulatory Authorities.

1.5. “Kong Products” means any products identified in Section 2.2 below that are purchased by Customer for use under an Order Form.

1.6. “Financial Services Law” means laws and regulations which regulate the use of third party cloud services or technology by Regulated Entities.

2. SCOPE AND APPLICABILITY

2.1. A Customer who is a Regulated Entity may exercise the rights granted under this FS Addendum solely to the extent the Customer can demonstrate that it is necessary to comply with applicable Financial Services Law, and only to the degree required to fulfil the specific objectives mandated by such law.

2.2. This FS Addendum may apply to the following Kong Products, if a subscription to the applicable Product is purchased by the Customer:

(a) Kong Gateway Enterprise. Kong Gateway Enterprise is Kong’s customer self-hosted (on-premises) API gateway management software. It is not a SaaS service. Customer Payload Data is processed by the on-premises software and is not transferred to, processed or stored by Kong.

(b) Kong Mesh. Kong Mesh is Kong’s customer self-hosted (on-premises) API service mesh software. It is not a SaaS service. Customer Payload Data is processed by the on-premises software and is not transferred to, processed or stored by Kong.

(c) Kong Konnect Platform. The Kong Konnect platform and its available applications enable customers to manage, control and observe their application programming interfaces (APIs) and related technologies and the software data planes the Customer may connect to the platform. The platform consists of the following elements and deployment models, based on the applicable Product purchased:

(i) Kong Konnect Control Plane. This refers to the Kong-hosted SaaS platform that customers may use to govern, secure and observe software applications running in the data plane. The Konnect Control Plane is hosted by Kong in AWS.

(ii) Data Plane. This is a generic abstraction term, for the software and its associated network environment that processes network traffic. The data plane is hosted by the Customer and not Kong, unless the Customer has purchased Dedicated Cloud Gateways.

(iii) Konnect Hybrid Deployment. This refers to a Kong Konnect deployment where the Customer uses the Kong Konnect Control Plane to manage, secure or observe the associated Kong or third party software self-managed by the Customer in the Customer Network Environment. With a Hybrid deployment, Customer Payload Data is under the Customer’s control in the Customer Network Environment. Customer Payload Data is not transferred to, processed or stored by Kong or the Kong-hosted Kong Konnect Cloud Service, unless the optional payload capture feature is enabled. See footnote.¹

(iv) Kong Konnect Dedicated Cloud Gateways. Kong Konnect Dedicated Cloud Gateways is a fully-hosted Cloud Service, where the Customer uses the Kong Konnect Control Plane to configure, secure and observe the single tenant Kong Gateway or Kong AI Gateway instances managed by Kong. With Dedicated Cloud Gateways, the Customer’s network traffic is processed through the single tenant Kong-hosted Kong Gateway or Kong AI Gateway instances managed by Kong. This traffic is proxied and not stored or at rest within the hosted Kong Gateway or Kong AI Gateway instances other than transitory caching.

(v) Kong Konnect Applications. In addition to the functionality of the Kong Konnect Control Plane application, Kong offers optional applications to extend the features or functionality of the Kong Konnect platform. These applications include the Konnect Developer Portal, Advanced Analytics, Kong Identity, and Service Catalog. These applications, if purchased, are hosted in the Customer’s designated AWS region as part of the Konnect Control Plane.

(d) Kong AI Gateway. Kong AI Gateway is Kong’s data plane software that helps customers secure, govern and observe their organization’s programmatic interactions with LLM models and agentic applications. It may be deployed self-hosted (on-prem) or through Kong Konnect as a Hybrid or Dedicated Cloud Gateways deployment.

(e) Kong Insomnia Enterprise. Kong Insomnia is a hybrid SaaS and on-prem API development and testing platform. The software is a desktop application, and the SaaS portion provides for central administration and optional storage of API specifications or projects and related data. Insomnia is not an ICT Service supporting a critical or important function in accordance with DORA, and accordingly Part B of this FS Addendum does not apply to Kong Insomnia.

3. SERVICE DESCRIPTIONS (DORA Article 30(2)(a) and DORA Article 30(2)(e))

3.1. The descriptions of ICT Services and, if applicable, service level for the Kong Products purchased by the Customer are set out in the following, each of which are incorporated by reference in the Agreement or Order Form for the purchase of the applicable Kong Product:

3.1.1. Product and Service Functions. The Documentation for the applicable Kong Product found at https://developer.konghq.com/

3.1.2. Kong Konnect Hybrid and Dedicated Cloud Gateways Service Level Agreement. Kong’s Service Level Agreement can be found at https://konghq.com/legal/service-level-agreement

4. LOCATION OF SERVICES AND DATA REQUIREMENTS (DORA Article 30(2)(b))

4.1. The locations where the ICT Services are to be provided and, if applicable, where Customer Payload Data or Customer Content is to be processed, including the storage location, are as follows:

4.1.1. Kong Gateway Enterprise, Kong Mesh. These are customer self-hosted software products deployed and operated entirely within the Customer's own infrastructure environment. All ICT Services are provided within the Customer Network Environment, and all data processing and storage occurs under the Customer's direct control. Kong does not process, store, or have access to Customer Payload Data processed through these self-hosted products.

4.1.2. Kong Konnect Control Plane. Kong offers hosting of Kong Konnect Control Planes in various Amazon Web Services (“AWS”) regions, as set out in the Documentation. The currently supported AWS hosting regions are the United States, Europe, Australia, India, the Middle East and Singapore. The Customer selects the hosting region for its Control Plane from the options made available in the Kong Konnect portal, and may restrict users' access in that region. Region selection and access restrictions are solely at the Customer’s discretion. Identity management and authentication to the Kong Konnect Control Plane is hosted in the United States.

4.1.3. Kong Konnect Hybrid Deployment Data Planes. In a Hybrid deployment, Customer Payload Data remains under the Customer’s control in the Customer Network Environment. Customer Payload Data is not transferred to, processed or stored by Kong or the Kong-hosted Kong Konnect Cloud Service, unless the optional payload capture feature is enabled. Please see footnote No. 1.

4.1.4. Kong Konnect Dedicated Cloud Gateways. With Dedicated Cloud Gateways, the Konnect Control Plane is hosted in the Customer’s designated region for their control plane. Please refer to the discussion in Section 4.1.2. The Kong Gateway or Kong AI Gateway instances are hosted by Kong in single tenant deployments in the third-party cloud service provider (AWS, Azure or GCP) regions of the Customer’s choice. Please refer to the Documentation for available cloud-provider regions.

4.1.5. Kong Konnect Applications. If purchased, Kong Konnect optional applications are hosted in the Customer’s designated Konnect Control Plane region. However, if the Customer has purchased the Konnect Developer Portal, the portal is hosted in the Customer’s designated control plane region, but to help ensure high availability, content from the portal is cached globally, regardless of the Customer’s Control Plane region selection.

4.1.6. Kong AI Gateway. Kong AI Gateway may be deployed by the Customer self-hosted (on-prem), Hybrid, or through Dedicated Cloud Gateways. If deployed self-hosted by the Customer, all ICT Services are provided within the Customer Network Environment, and all data processing and storage occurs under the Customer's direct control. Kong does not process, store, or have access to Customer Payload Data processed through these self-hosted products. If deployed in Kong Konnect Hybrid or Dedicated Cloud Gateways please refer to Section 4.1.3 and 4.1.4 as applicable.

4.1.7. Kong Insomnia Enterprise. Kong Insomnia is a hybrid SaaS and on-prem API development and testing platform. The software is a desktop application, and the SaaS portion provides for central administration and optional storage of API specifications or projects and related data, which are currently hosted in the United States. Kong Insomnia also provides local and the Customer’s own Git storage alternatives for Project Data, as well as the ability for Customer administrators to centrally control what storage and sharing options Customer teams can use. If local or the Customer’s own Git storage alternatives for Project Data are used by the Customer, identity management and authentication are still hosted by Kong on the Google Cloud Platform (GCP) in the United States.

5. AVAILABILITY, AUTHENTICITY, INTEGRITY AND CONFIDENTIALITY (DORA Article 30(2)(c))

5.1. Kong Gateway Enterprise, Kong Mesh, and Kong AI Gateway (self-hosted). Kong Gateway Enterprise, Kong Mesh and Kong AI Gateway (self-hosted) are Customer self-hosted (on-premises) software products. As a result, the Customer is responsible for the availability, authenticity, integrity and confidentiality of data, including personal data, processed by the Customer through the Products.

5.2. Kong Konnect Control Plane and Dedicated Cloud Gateways. Kong’s uptime commitments for the availability of the Kong Konnect Control Plane and Kong Konnect Dedicated Cloud Gateways are set out in the Service Level Agreement (referenced in Section 3.1.2 above). Kong’s technical and organizational measures regarding the availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data, are set out in the applicable section of the Agreement, and in Kong’s Technical and Organizational Security Measures available at https://konghq.com/compliance/technical-and-organizational-security-measures (“Technical and Organizational Security Measures”).

5.3. Kong Konnect Hybrid Deployment – Data Plane. In a Hybrid deployment, Kong does not collect or process Customer Payload Data processed by the Kong software instances in the Customer Network Environment, unless the optional payload capture feature is enabled. Please see footnote No. 1. As a result, the Customer is responsible for the availability, authenticity, integrity and confidentiality of data, including personal data, processed by the Customer in the data plane.

5.4. Kong Konnect Monitoring. Kong allows the Customer to monitor, on an ongoing basis, the performance of the Kong Konnect ICT Service, through Kong’s status page https://kong.statuspage.io (or any successor equivalent) (“Monitoring Site”). The Monitoring Site allows Customers to subscribe to notifications for updates regarding performance and availability.

5.5. Confidentiality. Each party’s obligations with respect to Confidential Information are set forth in the Agreement. Additionally, Kong’s personnel are required to commit in writing to confidentiality obligations that survive termination of employment. Kong’s specific commitments regarding the protection and confidentiality of data are further detailed in its Technical and Organizational Security Measures.

6. DATA RECOVERY AND RETURN (DORA Article 30(2)(d))

6.1. Kong Gateway Enterprise, Kong Mesh and Kong AI Gateway (self-hosted). Kong Gateway Enterprise, Kong Mesh and Kong AI Gateway (self-hosted) are Customer self-hosted (on-premises) software products. As a result, the Customer is responsible for ensuring access, storage and recovery of any data processed by the Product.

6.2. Kong Konnect – Control Plane for Hybrid and Dedicated Cloud Gateways Deployments. With a Hybrid or Dedicated Cloud Gateway deployment, the Customer will have up to 30 calendar days from the effective date of termination or expiration of the Agreement or an Order Form (if not renewed), if it has paid all amounts due under the Agreement, to access the Kong Konnect Control Plane solely to retrieve available Customer Content in the Cloud Services control plane, but may not use the Cloud Service to manage Software or for any other purposes, and for such retrieval purposes only the Agreement and the applicable Order Form will survive for such period.

6.3. Kong Konnect - Data Plane for Hybrid and Dedicated Cloud Gateways Deployments.

6.3.1. With a Hybrid deployment, the Customer hosts the data plane in its own Customer Network Environment. As a result, any data in the data plane is not under Kong’s custody or control, and Kong has no data recovery or return obligations with respect to the data.

6.3.2. With a Konnect Dedicated Cloud Gateways deployment, the Kong Gateway or Kong AI Gateway instances in the data plane are hosted by Kong in the designated regions of the available third party cloud providers. However, these gateways proxy, and do not store (other than transitory caching) the traffic that routes through the gateways in the data plane. As a result, Kong does not store the Customer’s data in the data plane, and has no capability or responsibility to recover or return data or traffic proxied through the data plane on termination or expiration of the Agreement or an Order Form, or at any other time.

6.4. Kong Insomnia Enterprise. Kong will have no obligation to store, cache or make available through the Kong Insomnia Product any Customer Content on termination or expiration of the Agreement.

7. ICT INCIDENT ASSISTANCE (DORA Article 30(2)(f)) & COOPERATION (DORA Article 30(2)(g))

7.1. Kong’s Support Policy describes the support that Kong provides to the Customer in relation to Kong Products based on the Product and support purchased, which includes support in responding to ICT related Incidents (as defined in DORA). Section 4 of Kong’s Technical and Organizational Security Measures includes obligations for Kong to notify the Customer in accordance with applicable law if it becomes aware of an ICT related incident which results in a Customer data breach, and to subsequently update the Customer with information regarding evaluation of the root cause, potential impact, remediation actions taken, and actions planned to prevent a future similar event.

7.2. With respect to Kong Konnect Hybrid and Dedicated Cloud Gateways, Kong will, without undue delay and in accordance with its regulatory obligations, notify Customer upon becoming aware of any development that may have a material impact on Kong’s ability to effectively provide the ICT Services, including via the Monitoring Site.

7.3. Cooperation with Regulatory Authorities. Kong will cooperate with the Regulatory Authorities of the Customer, as may be required in accordance with applicable Financial Services Law, regardless of whether the Regulatory Authorities are based in another jurisdiction from Kong.

8. NOTICE PERIODS AND REPORTING OBLIGATIONS (DORA Article 30(3)(b))

8.1. Kong will promptly notify Customer of developments that would have a material impact on Kong’s ability to effectively provide the Cloud Services supporting critical or important functions in accordance with its legal obligations.

8.2. Kong also provides ongoing Cloud Services status updates and Customer can sign up to receive status notifications at the Monitoring Site.

9. TERMINATION RIGHTS (DORA Article 30(2)(h))

9.1. General Termination Rights. The termination rights, including minimum notice periods, if applicable, of each party are set out in the Agreement.

9.2. Termination Upon Instruction of Regulatory Authorities. Customer may terminate the Agreement or any affected Order Form upon written instructions of a Regulatory Authority, provided Customer provides written notice including evidence of such instructions to Kong. Customer will not be entitled to any refund of amounts paid and will remain responsible for amounts contracted but not yet paid, in the event of any such termination.

10. TRAINING (DORA Article 30(2)(i))

10.1. Kong conducts security awareness training programs for all new staff and all continuing staff on at least a yearly basis. Kong conducts digital operational resilience exercises and training programs for applicable staff on at least a yearly basis. In the event Customer requires Kong personnel to participate in Customer’s security training, Kong will make such personnel available at Customer’s cost.

11. INSURANCE

11.1. During the term of the Agreement, Kong will maintain in force, with a reputable insurance company, (a) professional indemnity insurance, (b) employer’s liability insurance and (c) products liability insurance (Tech Errors and Omissions and Cyber Liability Insurance). Kong will, on the Customer's request, produce a copy of the insurance certificate summary giving details of cover.

12. SUBCONTRACTING REQUIREMENTS (DORA Article 30(2)(a))

12.1. Kong will maintain a list of subcontractors that have access to or are used in the provisioning of the Products at https://konghq.com/sub-processors and will add the names of new and replacement sub-processors to the list at least 30 days prior to the date those sub-processors start processing personal data.

12.2. When using subcontractors, Kong will be responsible for the acts and omissions of its subcontractors to the same extent as if Kong had itself carried out the relevant ICT Services. Kong will ensure that the failure of a subcontractor to meet its service levels or other contractual obligations does not affect the continuous provision of the ICT Services to the Customer.

12.3. Kong may use Kong Affiliates in the performance of Kong’s obligations under the Agreement. To the extent any Affiliates are regarded as a subcontractor of Kong as provided in Article 30, Section 2(a) of DORA or otherwise, Customer hereby consents to the use of any existing or future Kong Affiliate as a Kong subcontractor for delivery of the ICT Services.

PART B - TERMS APPLICABLE TO ICT SERVICES SUPPORTING CRITICAL OR IMPORTANT FUNCTIONS

The provisions of this Part B apply where the Customer and Kong have expressly agreed, in the Agreement or in a duly executed amendment, that the Kong Products constitute ICT Services supporting a Critical or Important Function (as defined below) of the Customer. This Part B will not apply to Kong Insomnia Enterprise, which, by its nature as an API design and testing tool, is not required for and is not required to support a Critical or Important Function as defined herein.

1. ADDITIONAL DEFINITIONS

Where used in this Part B, the following terms have the following meanings:

1.1 “Critical or Important Function” means a function, the disruption of which would materially impair the financial performance of the Customer, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of the Customer with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.

1.2 “TLPT” means threat-led penetration testing, a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the Customer’s critical live production systems.

2. SUBCONTRACTING (DORA Article 30(3))

2.1. Additional Subcontractors or Changes to Subcontractors (Article 6 Subcontracting RTS).

2.1.1. Current Sub-processors and Notification of Sub-processor Changes. Customer consents to Kong engaging third party sub-processors to process Customer Content or Customer Payload Data as applicable within the applicable Kong Products. Kong will maintain a list of sub-processors at https://konghq.com/sub-processors and will add the names of new and replacement sub-processors to the list at least 30 days prior to the date those sub-processors start processing personal data.

2.1.2. Objection Right for new Sub-processors. Customer may object to Kong's appointment or replacement of a subcontractor within 10 days after the date Kong updates the list of subcontractors or otherwise provides notice of the update to Customer, provided the objection is in writing and based on reasonable grounds relating to the Customer’s digital operational resilience. In such an event, Customer and Kong agree to discuss commercially reasonable alternative solutions in good faith. If Kong is reasonably able to provide the Services to the Customer in accordance with the Agreement without using the sub-contractor and decides in its discretion to do so, the Customer will have no further rights under this Section in respect of the proposed use of the subcontractor. If Kong, in its discretion, requires use of the subcontractor and is unable to satisfy Customer’s objection regarding the proposed use of the new or replacement subcontractor, then Customer may terminate the applicable Order Form as its sole remedy effective upon the date Kong begins use of the new or replacement subcontractor solely with respect to the Services that will use the proposed new subcontractor. If Customer does not provide a timely objection to any new or replacement subcontractor in accordance with this Section, Customer will be deemed to have consented to the subcontractor and waived its right to object.

2.2. General Suppliers. Customer acknowledges that Kong may, during the ordinary course of business, procure third party goods and services and contract persons to provide services (both “General Suppliers”) that are not connected specifically to the provision of the ICT Services. Kong obtaining General Supplies will not be considered subcontracting and providers of General Supplies will not be considered Kong subcontractors for the purposes of this FS Addendum. For the avoidance of doubt, General Supplies includes, but is not limited to, the provision of software or other tools which are used by Kong for its internal business purposes, including associated maintenance and the provision of software or other tools which are used by Kong to support Kong’s ability to provide the Products, but that do not form part of the Products provided to the Customer.

3. BUSINESS CONTINUITY PLANS & SECURITY MEASURES (DORA Article 30(3)(c))

3.1. Business Continuity. Kong will maintain and implement business continuity and disaster recovery plans designed to support the continued delivery of the ICT Services to its customers, including the Customer, in the event of disruption. These plans will be tested at least annually and updated as necessary to remain effective and consistent with applicable regulatory requirements. A summary of Kong’s business continuity and disaster recovery measures can be found in Kong’s current Technical and Organizational Security Measures. Kong will maintain recovery time objectives (RTOs) and recovery point objectives (RPOs) consistent with reasonable industry standards, taking into account the nature of the ICT Services and applicable Financial Services Law.

3.2. Security Measures. Kong will maintain and operate information security measures, tools and policies appropriate to the Kong Products, including but not limited to controls for availability, integrity, authenticity and confidentiality of data, in accordance with industry standards and applicable Financial Services Law. Kong’s current Technical and Organizational Security Measures are published at https://trust.konghq.com.

4. THREAT-LED PENETRATION TESTING (DORA Article 30(3)(d))

4.1. Right to Test. Subject to this Section, the Customer will be entitled, no more than once every 3 years, to conduct TLPT of the ICT Services, in accordance with Articles 26 and 27 of DORA.

4.2. Notice and Cooperation. Customer will provide Kong with not less than 30 days’ prior written notice of its intention to conduct TLPT. Kong will reasonably cooperate with Customer in connection with such TLPT, subject to the terms of engagement to be agreed in writing between the parties.

4.3. Conduct of Testing. TLPT will be carried out at Customer’s sole cost and expense, including the use of any external testers in accordance with Article 27 of DORA. Customer will ensure that TLPT is conducted in a controlled, non-harmful manner, with reasonable care to minimise disruption to Kong’s operations. TLPT will be subject to Kong’s reasonable security, risk management, and confidentiality requirements, including protections for Kong’s Confidential Information, intellectual property rights, and confidentiality obligations owed to third parties. Kong will not be liable for any delay, failure, or deficiency in the performance of the ICT Services to the extent caused by TLPT conducted in accordance with this Section.

4.4. On-Premises Products. For the avoidance of doubt, where Customer has purchased on-premises Products, or has installed Kong on-premises software as part of the Kong Products in the Customer Network Environment, TLPT of such on-premises Products or components will be the sole responsibility of the Customer. Kong will have no obligation to participate in or support TLPT of Customer’s on-premises Products.

4.5. Costs. All costs of TLPT, including (i) engagement of any external testers pursuant to Article 27 of DORA, and (ii) Kong’s resources required to support and participate in TLPT, will be borne exclusively by the Customer.

5. AUDIT AND MONITORING OF PERFORMANCE (DORA Article 30(3)(e))

5.1. Monitoring. Kong also enables ongoing monitoring of the availability and performance of the applicable Kong Products through its Monitoring Site (or any successor site). Customers may subscribe to notifications from this site. Further details regarding Kong’s monitoring and security controls are set out in the Technical and Organizational Security Measures.

5.2. Kong’s Audit Program. Kong engages independent, qualified third-party auditors, at its own expense, to conduct audits of the adequacy of its security measures in relation to its processing of Customer Content or Customer Payload Data as applicable. Such audits will be performed at least once annually and will result in a confidential report issued by the auditor (the “Audit Report”). Upon written request by the Customer, at reasonable intervals and subject to Customer’s compliance with the applicable confidentiality obligations, Kong will make available to the Customer a copy of its most recent Audit Report.

5.3. Customer Audit. If the Audit Report does not provide sufficient information for the Customer to verify Kong’s compliance with this FS Addendum or applicable Financial Services Law, or if the Customer is required to undergo an audit by a Regulatory Authority, each as evidenced by Customer to Kong in writing, then, upon written request, the parties will agree on an audit plan that: (a) is carried out by an independent third party acceptable to both parties; (b) is subject to at least 30 days’ prior written notice to Kong; (c) is conducted during normal business hours and in a manner that minimises disruption to Kong’s operations; (d) occurs no more than once annually (unless otherwise required by a Regulatory Authority or applicable Financial Services Law); (e) is limited to information relevant to Customer’s use of the ICT Services and necessary to verify compliance with this FS Addendum; (f) requires Customer to reimburse Kong at its then-current professional service rates for time and resources reasonably expended in connection with the audit; and (g) obligates Customer, to the extent permitted by law, to maintain the confidentiality of all information obtained during the audit that is not specific to Customer.

5.4. Disciplinary Proceedings. Upon written request by Customer, to the extent legally permissible and directly applicable to the provision of the applicable Kong Product, Kong will provide details to Customer of any disciplinary proceedings or investigation by any Regulatory Authority against Kong.

6. TRANSITION SERVICES AND EXIT ASSISTANCE (DORA Article 30(3)(f))

6.1. Transition Services. Upon termination of the Agreement (other than for Customer’s non-payment or material breach), provided that Customer gives Kong written notice of its election to enter into a Post-Termination Subscription no later than 30 days prior to the effective date of termination, Customer may enter into an additional Order Form for Products and/or Support Services for up to 12 months (the “Post-Termination Subscription”) at Kong’s then-current list prices, subject to up-front payment and continued compliance with the Agreement. Where the Customer has purchased a Post-Termination Subscription, Customer may also purchase professional services for migration and data removal (“Termination Assistance”) at Kong’s then-current professional service rates, subject to an Order Form, Statement of Work and up-front payment.

6.2. Exit Assistance Documentation. If Customer purchases Termination Assistance, Kong will, upon written request, prepare an Exit Assistance Document setting out the measures required to transition Customer Payload Data from the Kong Konnect Service to Customer, its client, or a designated third party. The Exit Assistance Document will include where applicable: (a) material elements of the transfer of responsibilities; (b) the processes, documentation, and data transfer required for transition of Customer Payload Data; and (c) the scope of any exit services to be provided after notice of termination.

6.3. Data Access. During the Post-Termination Period, Customer and, where applicable, its clients will have continued access to all Customer Payload Data and Customer Content processed by Kong. Kong will ensure such access in accordance with the Agreement and applicable service level obligations.

7. STEP-IN RIGHTS (Resolution Powers under the PRA).

7.1. Step-In Events. Where required by applicable Financial Services Law or upon instruction of a Regulatory Authority, the Customer, an end customer of the Customer, or its appointed agent may exercise certain step-in rights under the Customer’s agreements in the event of circumstances materially impacting the Agreement (a “Step-In Event”).

7.2. Kong’s Obligations. During a Step-In Event, Kong will continue to perform its obligations under the Agreement and will not terminate the Agreement solely by reason of the Step-In Event, provided that the Customer or the relevant end customer remains in full compliance with the Agreement, including timely payment of all applicable fees.

7.3. Customer’s Responsibilities. The Customer acknowledges that Kong cannot differentiate between the Customer and its end customers as beneficiaries of the Kong Konnect Cloud Service. Accordingly, the Customer will: (a) act as intermediary between Kong and its end customers in connection with any Step-In Event; (b) implement and maintain appropriate segmentation controls with respect to its clients; and (c) cooperate with Kong to enable continuity of the ICT Services.

7.4. Limitations on End Customer Rights. An end customer may exercise step-in rights only in respect of the Kong Konnect Cloud Service provided to that end customer individually, and not in relation to services provided to other end customers of the Customer. For such purposes, Kong will treat the end customer (or its appointed agent) as the Customer in relation to the provision of the Cloud Service, and will provide such information, assistance, access, and rights of use as are reasonably required to enable continuity of service. The Customer will ensure that all information relating to each end customer is stored separately and that no information of one end customer is disclosed to any other end customer.

¹ Optional Payload Capture Feature. This is an optional feature of the Konnect Control Plane Cloud Services that, if enabled, permits the Customer’s Authorized Users to send Customer Payload Data to the Konnect Cloud Services in the Customer’s designated control plane hosting region for debugging and troubleshooting. A description of the specific functionality, data use, data retention periods, and security measures of the feature is provided in the Documentation found at https://developer.konghq.com/gateway/debugger/ (or such updated URL provided by Kong from time to time). Kong will retain any Customer Payload Data collected through the payload capture feature for the period set out in the Documentation, and will immediately delete it thereafter.
