European Regulatory Compliance Exhibit
Effective Date: May 19, 2026
This European Regulatory Compliance Exhibit (“Exhibit”) applies to a Customer and/or any of its affiliates only if such Customer and/or affiliate(s) is/are (i) licensed to use the Services under an Agreement (defined below), (ii) domiciled in the European Economic Area, or in Switzerland, San Marino, Monaco, or Vatican City, and (iii) regulated pursuant to the regulations cited in this Exhibit for the Services specifically. An “Agreement” is a Main Services Agreement, Subscription Services Agreement, or other customer agreement for Services between Customer and Notabene. Capitalized terms that are not defined in this Exhibit have the definitions set forth in the Agreement. In the event of a conflict between this Exhibit, if applicable, and the Agreement, this Exhibit will prevail.
The Parties expressly accept and acknowledge that Customer and/or its affiliates that satisfy the requirements in the previous paragraph are subject to sector specific regulations with impact on the outsourcing relationships and arrangements established by the Customer, including the following, as applicable (collectively, the “Regulatory Requirements”):
- The guidelines on outsourcing arrangements issued by the European Banking Authority (“EBA”) (EBA/GL/2019/02), as applied by any European Union supervisory authority relevant to the Customer’s activities, including the EBA and the European Securities and Markets Authority (“Supervisory Authority”);
- Regulation (EU) 2022/2554 of the European Parliament and of the Council, on the Digital Operational Resilience Act (“DORA Regulation”);
- Directive 2014/59/EU of the European Parliament and of the Council, of 15 May 2014 – Bank Recovery and Resolution Directive (BRRD);
- Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EC, 2012/30/EU and 2013/36/EU; and
- Regulations (EU) 1093/2010 and (EU) 648/2012.
The Parties agree that the access and use of the Services provided by Notabene, an Information and Communication Technology (“ICT”) third party service provider, are governed by the Regulatory Requirements specified in this Exhibit which, if applicable, is an integral part of the Agreement.
A. GENERAL REQUIREMENTS
1. Notabene’s Obligations and Warranties.
Notabene warrants the following in relation to the provision of Services:
1.1. The Services provided under the Agreement are governed by the Service Level Agreement at notabene.id/agreements/service-level-agreement. The Service Level Agreement will be reviewed by Notabene on an annual basis.
1.2. Notabene will respond to any inquiries or requests for clarification from the Customer concerning the provision of Services, particularly regarding information security.
1.3. Notabene will cooperate in ICT security testing conducted by Customer in accordance with the DORA Regulation, including standard penetration testing and, where the Services are in scope, threat-led penetration testing. All testing described above will be subject to prior written notice, mutually agreed test rules of engagement, and controls designed to avoid disruption to Notabene’s multi‑tenant environment, and will not unreasonably interfere with Notabene’s operations or the services that Notabene provides to its other customers.
1.4. Notabene agrees to notify the Customer of any current or anticipated issues that may affect its ability to fulfill the obligations outlined in the Agreement as soon as it becomes aware of such situations. In particular, Notabene will inform the Customer, without undue delay, of any development that may have an impact on Notabene’s ability to provide the Services in accordance with the agreed Service Level Agreement. This includes Notabene’s ability to efficiently provide the Services in compliance with the Agreement, applicable laws and regulations, and Regulatory Requirements. The Parties also agree that for certain events, notifications may be posted on the website www.notabene.id (or any successor website) during the Term.
2. Customer’s Obligations and Warranties.
The Customer warrants the following in relation to the provision of Services:
2.1. The Customer will provide all necessary and reasonable cooperation to enable Notabene to fulfill its obligations under the Agreement, which includes supplying essential information and resources for the provision of the contracted Services.
2.2. Upon written request, the Customer will grant access to its digital premises, including systems, platforms, and relevant digital resources, to Notabene’s personnel or authorised subcontractors, as necessary, to facilitate the performance of the Services while ensuring compliance with security protocols and regulatory obligations.
2.3. The Customer will ensure compliance with all applicable laws and regulations related to its operations, including obtaining all necessary authorisations, certifications, and licenses required for its business activities.
B. REGULATORY REQUIREMENTS
1. Services. The Services shall be provided as described in Customer’s order form, agreement, or similar document.
2. Compliance with Applicable Law and Regulations.
2.1. Notabene shall comply with all laws and regulations applicable to the provision of Services under the Agreement and shall maintain all necessary permits, licenses, and approvals required by these laws and regulations to lawfully conduct its activities and fulfill its obligations under the Agreement.
2.2. Notabene commits to cooperate with the competent authorities and the resolution authorities of the Customer, including persons appointed by them.
2.3. Notabene shall reasonably cooperate with the Customer and provide information relating to the Services where reasonably required to enable the Customer to comply with its applicable Regulatory Requirements in connection with the Services. Notabene shall not be required to implement any instruction or request from the Customer that would compromise the security, integrity, or availability of the Services or the confidentiality, integrity, or availability of data.
3. Business Continuity Plan.
3.1. Notabene shall implement, test, and have in place a business continuity and disaster recovery plan (“Business Continuity Plan”) to support the continued provision and timely recovery of the Services (including in emergency situations or force majeure events), which is available to the Customer at https://trust.notabene.id/.
3.2. Notabene commits to follow the guidelines outlined in the Business Continuity Plan which will be kept updated and will be activated as needed to support the continued provision of Services to Customer.
3.3. Customer understands that Notabene will periodically update and test the Business Continuity Plan during the duration of the Agreement. Notabene agrees to: (i) test and adhere to its Business Continuity Plan; and (ii) ensure that any changes to the Business Continuity Plan do not materially negatively impact the Customer or the delivery of Services and are aligned with good industry practices.
3.4. Notabene is committed to taking appropriate actions to address any deficiencies identified in the Business Continuity Plan based on analyses and testing.
4. Monitoring. Customer may monitor Notabene’s provision of the Services and performance of obligations under the Agreement. Customer may request information about the provision of Services and the performance of obligations under the Agreement, to the extent reasonably necessary and appropriate to monitor the foregoing and in compliance with applicable laws and regulations.
5. Audits.
5.1. Notabene will grant the Customer, the Supervisory Authorities, and any other person properly appointed by the Customer or the Supervisory Authorities full access, audit, and examination rights with regard to the Services and to information, records, reports, premises, systems, and data of Notabene relevant to the Services (and to reasonably interface with relevant personnel) only to the extent reasonably necessary to monitor Notabene’s performance under the Agreement and its compliance with applicable laws and regulations with respect to the Services.
5.2. To this end, and subject to Notabene’s confidentiality obligations, Notabene shall, upon reasonable written request, provide the Customer, the Supervisory Authorities, and any other person properly appointed by the Customer or the Supervisory Authorities with such information and documentation relating to the Services which they reasonably require for the proper conduct of audits and inspections. The right of access, inspection, and audit includes the right to take transcripts and copies of relevant documentation on-site if they are critical to the operations of Notabene. Notabene will grant the Customer, the Supervisory Authorities, and any other person properly appointed by the Customer or the Supervisory Authorities effective access to premises and data insofar as these relate to the Services and are therefore necessary for the use of these Services.
5.3. Subject to the provisions in this Exhibit, nothing in the Agreement will limit Customer’s and the Supervisory Authorities’ effective exercise of the access, inspection, and audit rights as well as the right to take on-site copies of relevant documentation where such documentation is critical to Notabene’s operations. The access and audit rights will continue to apply in the event of insolvency, resolution, or discontinuation of business operations.
5.4. The Customer must communicate its intended audit requirements to Notabene, including but not limited to: audit objectives and purpose; scope of the audit; specific location; expected duration; list of required information; specific activities the auditors will undertake and expected timing; and the names of the auditors.
5.5. In the event of on-site visits conducted by Customer or a third party appointed by it, Customer will provide at least ten (10) business days’ prior notice, unless such prior notice is not possible due to an emergency or crisis situation or would result in the audit’s ineffectiveness. Such visits will be conducted only if reasonably required under applicable laws and regulations and, if required, in a manner that has minimal adverse impact on the business and operations of Notabene.
5.6. If available, Notabene will provide external audit reports to the Customer on request, and Notabene has the right to use third-party certifications and audit reports to support its compliance with the audit and inspection requirements in this Section 5. In addition, the Customer is entitled to request further documentation from Notabene or to carry out further individual or pooled audits, where reasonably necessary to comply with applicable Regulatory Requirements, if Customer concludes in the course of its internal review that the documentation submitted is not sufficient and, in particular, that it is out of date or does not meet the relevant supervisory requirements.
5.7. The Customer may request, in writing, desired changes to the scope of the certifications or audit reports on other relevant systems and controls, at a frequency that the Customer considers to be appropriate and reasonable from a risk management perspective. Notabene shall assess, within fifteen (15) business days of receipt of the notification, whether the requested changes are technically and organisationally feasible. If these requested changes are not feasible or practicable in Notabene’s judgment, then Notabene shall inform the Customer without undue delay, and the Parties shall discuss in good faith how to proceed. Notabene shall provide assistance to Customer, as required under Subsections 5.5, 5.6, and 5.7, at a cost of €250 per hour worked by each professional, plus VAT.
5.8. The Parties acknowledge and agree that any information that Notabene discloses as a result of an audit or monitoring (whether to Customer, a Supervisory Authority, or an authorized third party) constitutes the Confidential Information of Notabene and is subject to confidentiality protections, including but not limited to those set forth in the Agreement.
5.9. Notabene shall not impede any competent regulatory authority with jurisdiction over Notabene from cooperating with the Supervisory Authorities. Cooperation includes, but is not limited to, receiving information as soon as practicable regarding any breach of applicable law and regulations.
5.10. The Parties have the right to agree on alternative assurance levels if Customer’s monitoring and inspection of the Services could affect the rights of Notabene’s other customers.
5.11. Where the Services fall within the scope of Articles 26 and 27 DORA threat-led penetration testing for Customer, the Parties will cooperate in good faith to define a proportionate TLPT scenario, including in particular: (i) specific in-scope components of Notabene’s environment, (ii) applicable legal and technical constraints on testing within a multi-tenant SaaS architecture, and (iii) means for Customer to obtain sufficient assurance via shared testing artifacts, certifications, or pooled testing exercises and results where direct testing is not technically feasible.
6. Security measures.
6.1. Notabene shall implement appropriate and proportionate security measures regarding the accessibility, availability, integrity, confidentiality, and accuracy of the processed and/or transmitted data, including, without limitation, personal data.
6.2. Notabene undertakes to implement and comply with all standards in terms of computer security and to take and maintain all necessary and practicable measures as reasonably necessary to comply with applicable law and regulations, the Agreement, and the Data Processing Agreement, in order to safeguard the integrity and security of the data and systems.
6.3. The security measures set out in the Data Processing Agreement apply to all systems used by Notabene while providing the Services. During the Term, Notabene shall comply at least with the security measures identified in the “Security Measures” section of the Data Processing Agreement.
7. Localization of the Services.
7.1. The Services will be performed using servers based in the EEA (or in jurisdictions where an adequacy decision by the European Commission has been granted) for Customer’s or its client’s data, both at rest and in transit. The jurisdictions where Customer data is stored and processed in connection with the Services are specified in Appendix 1 below.
7.2. Notabene may change the localization where the Services are provided and/or where the data required for the performance of the Services is stored and processed, provided that Notabene notifies the Customer in writing in advance of such relocation (no less than 6 weeks in advance, if feasible). In the event of a relocation outside the EEA, Notabene will provide to Customer any information reasonably required to assure the Customer about the adequate guarantees of moving the Services to a non-EEA country.
8. Sub-Outsourcing. Customer acknowledges and authorises Notabene to subcontract part of the Services to third parties (“Subcontractors”), as described in the list of material subcontractors available in Appendix 1 below. Customer hereby gives general authorization to current, new, or replacement subcontractors, provided that Notabene follows the procedure below:
8.1. Notabene remains fully responsible for the performance of the Services, including any Services performed by Subcontractors, and for the acts and omissions of its Subcontractors as if they were its own, except where caused by force majeure events in accordance with the Agreement.
8.2. When subcontracting (all or parts of) the Services, Notabene shall ensure that the contractual arrangements with any Subcontractor that provides ICT services supporting critical or important functions, or material parts thereof, enable the Customer to comply with its obligations under the Regulatory Requirements. In particular, any contractual arrangement with a Subcontractor shall contain requirements on business contingency plans and shall specify the service levels to be met by the Subcontractor in relation to those plans. Notabene shall ensure that the Customer, the appointed external auditors, and the competent supervisory authorities have the appropriate information, audit, and access rights in relation to the subcontracted Services. These rights may be exercised either directly or through Notabene (including through documentation, certifications, or audit reports), to the extent permitted under applicable law and consistent with Notabene’s contractual arrangements with its Subcontractors. Furthermore, any contractual arrangement between Notabene and a Subcontractor (i) shall specify the ICT security standards and any additional security requirements referred to in section 30(3)(c) of the DORA Regulation and (ii) shall contain monitoring and reporting obligations on the Subcontractor towards the Customer and Notabene, especially regarding any developments likely to have a material impact on such Subcontractor’s ability to efficiently perform the Services.
8.3. Notabene shall assess ICT security risks in connection with the location of a potential Subcontractor and the location from which the Subcontractor shall provide Services. Notabene shall monitor and oversee the Services provided by any Subcontractor it uses. Upon request, Notabene shall provide Customer with information reasonably necessary to enable Customer to assess the risks associated with the subcontracted Services and to understand Notabene’s oversight of such Services, subject to applicable confidentiality obligations and on a proportionate basis.
8.4. Notabene shall ensure that appropriate measures are in place to maintain the continuity of ICT Services, including in the event of a Subcontractor’s failure to meet its contractual obligations.
8.5. Notabene agrees to provide Customer with notice at least sixty (60) days in advance of engaging any new subcontractor which will be involved in the provision of Services to Customer, such that Customer has the opportunity to object. If Customer has a reasonable belief that such new Subcontractor cannot comply with applicable laws or may lead the Customer to not comply with applicable laws, Customer may provide written notice to Notabene within thirty (30) days of being informed of the engagement of the new subcontractor, and the Parties agree to work together in good faith to resolve such issues. If such issues cannot be resolved, Customer may terminate those Services that cannot be provided by Notabene without the use of the new subcontractor to which Customer has objected. Such termination will be made by providing written notice within thirty (30) days following Customer’s notice of objection. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new subcontractor. In the event of such termination, Customer will not receive a refund for any prepaid fees for the remaining term of its order for the Services, nor will Customer be subject to a penalty for the termination.
8.6. For the purposes of this Section, changes to an existing subcontracting arrangement do not include the engagement of a new Subcontractor, which is governed by Section 8.5. Notabene will inform the Customer, at least thirty (30) days before the intended effective date, of any material changes to the existing subcontracting arrangement and will provide sufficient information to enable the Customer to carry out an appropriate risk analysis. This applies if the changes to the subcontracting arrangement may affect the Customer’s ability to meet its contractual obligations or if changes result in modifying the type of data to be provided to a Subcontractor, the location where data is processed or stored, or the concentration risks. Within thirty (30) days of receiving such notice, the Customer has the right to request modifications to the material changes to the subcontracting arrangement proposed by Notabene, if Customer concludes, on the basis of its risk assessment, that the changes to the subcontracting arrangement would expose Customer to risks that exceed its risk tolerance. The Customer may terminate Services impacted by these material changes to the subcontracting arrangement if Notabene implements such material changes (i) despite the Customer’s objection, (ii) prior to the expiration of Customer’s thirty (30) day review period (during which it can request modifications), or (iii) which are expressly disallowed in the contract between Notabene and the Customer. Customer may terminate only within thirty (30) days following Notabene’s implementation of such changes. In any of these events, this termination right is Customer’s sole and exclusive remedy, and Customer will not receive a refund for any prepaid fees for the remaining term of its order for the Services, nor will Customer be subject to a penalty for the termination.
8.7. Notabene may replace a subcontractor without advance notice where the reason for the change is outside of Notabene’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Notabene will inform Customer of the replacement subcontractor as soon as possible following its appointment.
9. Material Impact Incident. Notabene will notify the Customer, without undue delay, of any development likely to have a material impact on Notabene’s ability to efficiently perform the Services, in line with the agreed service levels and in accordance with legislation and applicable Regulatory Requirements. If an ICT incident occurs that is related to the Services provided to the Customer, Notabene will provide assistance to Customer at a cost of €250 per hour worked by each professional, plus VAT.
10. Transition of Services. In the event of the termination or expiration of the Agreement, for whatever reason, the Parties agree as follows:
10.1. If requested by Customer, Notabene will continue to provide Services under the Agreement for a maximum duration of six (6) months after the effective date of termination or expiration (“Transition Period”); provided that Customer will pay any outstanding or due amounts without delay, including any outstanding or due Fees for Services (or fees for other work) provided to Customer during the Transition Period. The terms of the Agreement will continue to apply during the Transition Period. Notabene will use commercially reasonable efforts to provide Customer with assistance in timely migrating Customer’s data to Customer’s or another service provider’s system, and thereafter as provided in Section 13 below (“Return of Customer’s Data”). Notabene will charge fees related to any transitional work, including but not limited to data migration, at a cost of €250 per hour worked by each professional, plus VAT.
10.2. If requested by Customer, the Parties will cooperate, acting reasonably and in good faith in accordance with industry standards, as reasonably necessary, appropriate, and practicable, to facilitate (i) an orderly wind down of the Services or (ii) an orderly transition of the Services to a successor (whether Customer or a third party). The foregoing will be done, if requested, without any significant disruption to, and without any significant detrimental effect on the continuity and quality of, the provision of Services and without limiting compliance with applicable laws and regulations with respect to the Services.
11. Bank Resolution and Recovery.
11.1. Notabene acknowledges that the Customer may be subject to the application of a recovery or resolution measure, in accordance with the European recovery and resolution framework for credit institutions and investment firms, and that, in such event, the resolution authority has the authority to apply such measure.
11.2. Notabene acknowledges that it cannot resolve, suspend, amend, restate, or terminate this Agreement in any way following, or on the grounds of, the application of any recovery or resolution measure or on any fact and/or act connected thereto. Notabene further acknowledges that, in such event, subject to Customer’s payment to Notabene of any outstanding or due Fees, expenses, and/or other amounts, the Services will be provided to the Customer as agreed.
11.3. Notabene acknowledges and accepts that the application of a recovery or resolution measure to the Customer, or a restructuring scheme thereafter, may entail, under the law, an assignment or transfer of the Customer’s position under this Agreement to a new legal entity, pursuant to a decision of the Customer or resolution authority and irrespective of Notabene’s prior consent.
11.4. In the event of transfer or assignment as set forth in Section 11.3 above, Customer agrees to notify Notabene of the assignment, in writing, no later than five (5) days prior to such assignment or transfer, and acknowledges that the provision of the Services to the transferee may incur additional costs related to Services, such as implementation services, as necessary to ensure a smooth transition. These costs must be mutually agreed upon between Notabene and the transferee.
11.5. If the contractual position is transferred to a new entity in conformance with the terms of this Section 11, Notabene will make reasonable efforts to facilitate an orderly and non-disruptive transition, while ensuring, to the extent practicable under the circumstances, that Services are provided under substantially the same or similar terms and conditions as previously offered to Customer.
11.6. If an assignment or transfer of Customer’s position in this Agreement occurs in accordance with Section 11.3 or if this Agreement is to be terminated during the resolution period pursuant to any legal ground other than the application of a recovery or resolution measure (e.g., due to contract expiration or otherwise), Notabene will make reasonable efforts to effect the orderly transition of the Services by performing those for the new legal entity, under substantially the same or similar terms and conditions, until a reasonable period of time has elapsed.
12. Termination Rights. In accordance with the Regulatory Requirements, the Customer may immediately terminate the Agreement by delivery of written notice if: (i) Notabene is in breach of applicable law, regulations, or contractual provisions; (ii) impediments capable of altering the performance of the outsourced functions and Services are identified in a way that cannot be remedied by Notabene for Customer within a reasonable time period; (iii) there are material changes significantly affecting the Services; (iv) there are deficiencies regarding the overall risk management and in particular the security, availability, authenticity, and integrity of confidential or otherwise sensitive information or (non-)personal data which materially impair the Customer’s ability to comply with its Regulatory Requirements; (v) Customer is unable to meet obligations imposed by a Supervisory Authority due to actions or omissions directly attributable to Notabene; (vi) Customer receives a final and non-appealable decision from the Supervisory Authority requiring the termination of the Agreement due to the Supervisory Authority’s inability to effectively supervise the Customer under this Agreement; or (vii) there are serious or repeated breaches of confidentiality, bank secrecy, intellectual property, personal data processing, privacy provisions, or loss of Customer data.
13. Return of Customer’s Data. At the request of Customer during the Term and after the termination of the Agreement, including, without limitation, in the event of Notabene’s insolvency, resolution, or discontinuation of operations, Notabene will (i) allow immediate access to, or return to the Customer, all of the Customer’s data, in the format used to provide the Services, or (ii) at the Customer’s request, erase, or destroy Customer’s data held by Notabene. Notabene will provide proof of delivery to Customer, confirming the complete transfer of data, and/or provide a certificate of data erasure or destruction to Customer, confirming the complete and secure removal of data.
14. ICT Security Training. Where relevant due to the Services to be provided, and upon Customer’s reasonable advance written notice, Notabene will allocate its employees providing Services to the Customer into Customer’s internal training programs, including those related to security awareness and digital resilience. Notabene will do so as necessary or convenient for Customer and for Notabene and its employees to fulfill their duties under this Agreement and the Regulatory Requirements. Notwithstanding the foregoing, such training programs will not occur more than once per year, unless the Parties mutually agree otherwise. The Parties will determine the eligibility criteria for the participation of Notabene and its employees in the above training programs and make these criteria available prior to the scheduled start date. The Customer will provide Notabene with access to training materials, modules, and related resources. Notabene undertakes to have its employees participate in the training sessions, as appropriate, and to acknowledge the training materials provided by the Customer as confidential.

