DORA Addendum
Effective Date: April, 2026
This Addendum supplements the Terms and Conditions, Privacy Policy, and Security page and applies to customers that are “financial entities” within the meaning of Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, “DORA”) and that use the Cogny Cloud tier. It is drafted to meet the mandatory contractual requirements in DORA Article 30. Where this Addendum conflicts with the main Terms, this Addendum controls for Cloud tier usage by a financial entity.
This Addendum applies only to the Cloud tier. The Solo (self-serve) tier is not offered to financial entities for regulated ICT functions; see the Solo Tier Addendum for that plan.
1. Service description and functions supported
Cogny Cloud provides a self-serve AI-powered marketing data analytics, reporting, and recommendation platform. The customer connects their own data sources (for example BigQuery, Google Ads, Meta Ads, LinkedIn Ads, Google Analytics, Search Console, Shopify, HubSpot) and the platform produces analyses, reports, and growth tickets. The customer operates the platform themselves; Cogny personnel do not run the customer's account.
Cloud supports autonomous AI execution on the customer's connected marketing platforms within guardrails the customer configures (for example budget caps, allowed action types, and target accounts). The customer is solely responsible for configuring those guardrails and for the actions that the AI takes within them.
Cogny Cloud does not execute financial transactions, process payments on behalf of the customer, or make decisions that directly affect the customer's regulated activity. It is a marketing analytics and decision-support service.
2. Subcontracting arrangements (Art. 30(2)(a))
Cogny uses the following subcontractors (“subprocessors”) to deliver the service. The list is maintained here and is part of this Addendum:
- Google LLC / Google Cloud EMEA Ltd. — compute (GKE), managed databases, BigQuery, object storage, build and deployment, OAuth identity for Google integrations. Region: europe-west1 (Belgium).
- Supabase, Inc. — managed PostgreSQL, authentication, encrypted secret storage (Vault), point-in-time recovery. Region: AWS eu-north-1 (Stockholm).
- Anthropic PBC — large language model inference for AI reports and chat (Claude). Processing occurs under Anthropic's Commercial Terms of Service, under which Anthropic may not train models on Customer Content submitted through the API. See § 3 on geographic location.
- Cloudflare, Inc. — edge CDN, WAF, DDoS mitigation and TLS termination.
- Stripe Payments Europe, Ltd. — subscription billing and payment processing.
- Resend, Inc. — transactional email delivery (report emails, auth emails).
- Slack Technologies, LLC — internal alerting and, where enabled by the customer, customer-facing Slack notifications.
- ElevenLabs Inc. — optional text-to-speech for audio summaries; only invoked when the customer uses audio features.
Cogny will give the customer at least 30 days' prior written notice before adding, replacing, or materially changing a subprocessor in a way that would result in a material change to the service, the data processed, or the geographic location of processing. During that notice period the customer may object on reasonable documented grounds related to DORA or data protection; if the parties cannot agree on a remedy, the customer may terminate the affected services with no cancellation penalty (see § 9).
3. Geographic location of service and data (Art. 30(2)(b))
Cogny is EU-primary. Customer data at rest (database, backups, object storage, BigQuery exports, application logs) is stored in the European Union, primarily in Google Cloud europe-west1 (Belgium) and Supabase on AWS eu-north-1 (Stockholm).
Listed exceptions (data in transit for processing outside the EU):
- Anthropic (LLM inference). Cogny's Anthropic workspace is configured with Global routing for API inference and a US workspace geo. Prompts and completions may therefore be processed on Anthropic infrastructure outside the EU, including the United States. Under Anthropic's Commercial Terms of Service, Anthropic may not train models on Customer Content submitted through the API. Retention, abuse monitoring, and international-transfer safeguards are set out in Anthropic's Commercial Terms of Service and Data Processing Addendum (incorporating Standard Contractual Clauses for transfers out of the EU), which govern this sub-processing relationship and which Cogny will share on request. Customers requiring EU-only inference should contact Cogny to discuss configuring an Anthropic workspace with an EU inference geo, subject to Anthropic's regional availability and pricing.
- Cloudflare edge (global). TLS termination and WAF inspection occur at the Cloudflare edge nearest to the end user. No customer data is persisted at the edge.
- Stripe, Slack, Resend, ElevenLabs. These providers may process limited operational data (billing records, notification payloads, email metadata, audio-summary prompts) on infrastructure outside the EU. Personal data transfers rely on Standard Contractual Clauses.
Cogny will notify the customer at least 30 days in advance of any change that would move the primary storage location of customer data outside the EU, or that would add a new non-EU processing location not listed above. The customer may terminate for convenience if the change is not acceptable (see § 9).
4. Data availability, integrity, authenticity and protection (Art. 30(2)(c))
Cogny maintains technical and organisational measures described on the Security page, which is incorporated by reference. In particular:
- Availability. Service level is defined in § 6. Infrastructure runs on managed EU-region services with automated failover inside the region.
- Integrity. All database writes are committed through PostgreSQL with ACID guarantees. Application-layer operations are logged for audit. Tokens and credentials are isolated from application logs.
- Authenticity. Connections between the customer's browser and Cogny, and between Cogny and upstream providers, use TLS 1.2+. OAuth integrations use platform-native signature verification on callbacks and webhooks where available.
- Personal data protection. Cogny acts as a data processor for customer personal data. Processing terms (GDPR Art. 28) are set out in the Data Processing Agreement available on request at privacy@cogny.com.
- Encryption. In transit (TLS) and at rest (provider-level encryption plus Supabase Vault for OAuth tokens and secrets).
- Access control. Row-Level Security (RLS) enforces tenant isolation at the database layer. Employee access to customer data is limited to named personnel on a need-to-know basis and is logged.
5. Data recovery, return and deletion (Art. 30(2)(d))
Backups and recovery. Customer data is protected by Supabase's managed backups with point-in-time recovery, and by object-storage versioning for generated reports.
- Recovery Time Objective (RTO): 24 hours for full service restoration.
- Recovery Point Objective (RPO): 24 hours of maximum data loss.
These targets are subject to the underlying provider outage window and apply to disaster-recovery scenarios, not to routine operations.
Return of data on termination or discontinuation. On termination for any reason, or if Cogny discontinues the service or becomes insolvent, the customer may, for a period of 30 days after the effective date of termination, request export of their data from Cogny. Cogny will provide data in a commonly-used machine-readable format (CSV, JSON, or SQL dump for raw warehouse data; PDF or Markdown for generated reports). Connected platform credentials are not returned; they are revocable directly with the upstream provider.
Deletion. After the 30-day export window, Cogny will delete customer personal data from production systems within 30 days, and from backups within the standard backup retention window (up to 90 days). On written request from the customer, Cogny will certify completion in writing.
Exit assistance. Cogny will, on request, provide reasonable cooperation to help the customer transition to an alternative provider or to resume the function in-house. Exit assistance is billable at Cogny's then-current professional-services rate; no free allowance is included.
6. Service levels (Art. 30(2)(e) / Art. 30(3)(a))
- Target monthly uptime: 95.0%, measured as the percentage of minutes in a calendar month during which the authenticated web application is reachable and returns HTTP 2xx/3xx from the primary region, excluding scheduled maintenance windows announced at least 48 hours in advance.
- Incident response times (business days, CET):
  - P1 — service down / major outage: acknowledged within 1 hour, workaround or remediation plan within 8 hours.
  - P2 — major feature degraded: acknowledged within 4 business hours, remediation plan within 2 business days.
  - P3 — minor issue or question: acknowledged within 2 business days.
- Monitoring. Cogny monitors application errors and tool-execution failures in real time. The customer may request a quarterly summary of uptime, incident counts, and notification history for the customer's tenant.
7. ICT incident support and notification (Art. 30(2)(f) / Art. 30(3))
Cogny will provide support to the customer in the event of an ICT-related incident affecting the service, at no additional cost for incidents attributable to the Cogny Cloud service itself. This includes: triage and root-cause analysis, status updates during the incident, and a post-incident summary on request.
Incident notification. Cogny will notify the customer without undue delay, and in any event within 72 hours, after Cogny becomes aware of:
- a major ICT-related incident affecting the availability or integrity of the service for the customer,
- a personal data breach under GDPR Art. 33 affecting the customer, or
- a significant cyber threat that could reasonably be expected to affect the customer.
Notifications are sent to the customer's designated technical contact (provided on request) and will include, to the extent known at the time: nature of the incident, systems affected, data categories affected, actions taken, and estimated time to resolution. Updates are provided as material information becomes available.
8. Cooperation with competent authorities (Art. 30(2)(g) and (h))
Cogny will cooperate with the competent supervisory authorities of the customer, and with any resolution authorities, including by providing information and access reasonably necessary for them to supervise the customer under DORA. This includes:
- Responding to reasonable information requests from the customer's supervisor that relate to the service.
- Granting the customer, or an auditor appointed by the customer, access and audit rights over the service to the extent necessary for DORA compliance, at reasonable frequency (not more than once per year absent a specific incident) and with reasonable notice.
- Participating, on reasonable commercial terms, in the customer's threat-led penetration testing (TLPT) where the customer is required to perform it under DORA and where Cogny is identified as in scope.
Nothing in this section requires Cogny to breach its legal obligations or the confidentiality of other customers.
9. Unilateral termination rights (Art. 30(2)(i))
The customer may terminate this Addendum and the underlying Cloud subscription, in whole or in part, for:
- Convenience, with 30 days' prior written notice, for any reason and with no cancellation penalty beyond fees accrued to the effective date of termination.
- Material breach by Cogny, if Cogny fails to cure within 30 days of written notice.
- Regulatory reasons, with immediate effect, if a competent supervisory authority instructs the customer to terminate or if continued use would cause the customer to breach applicable financial services law.
- Material change to subprocessors or geographic location (§§ 2 and 3), if the customer does not accept the change.
10. Security awareness and resilience training (Art. 13(6))
On reasonable request, Cogny personnel with access to the customer's data will participate in the customer's ICT security awareness programme and digital-operational-resilience training, provided the training is delivered remotely, is reasonable in duration (up to 4 hours per person per year), and is scheduled in advance. Cogny operates its own internal security awareness programme for all personnel and can share a summary on request.
11. Register of Information — FAQ (Art. 28(3))
This FAQ is intended to help the customer populate its Register of Information in respect of Cogny Cloud. The values below reflect Cogny's current setup and will be updated here when they change.
- ICT third-party service provider. Cogny AB, org. no. 559164-9628 (Sweden), Peter Myndes Backe 16, 118 46 Stockholm, Sweden. LEI: not currently registered; available on request if required.
- Group / ultimate parent. Cogny AB is privately held and has no ultimate parent undertaking.
- Function / service provided. AI-powered marketing analytics, reporting, and recommendation platform (Cogny Cloud).
- ICT service type (Annex III categories). Software as a Service (SaaS); AI / machine learning service (inference); data analytics; reporting. Does not include trading, settlement, custody, payment initiation, core banking, or similar critical functions.
- Support of critical or important functions. Cogny Cloud is generally not a provider of critical or important functions within the meaning of DORA Art. 3(22); it supports marketing-analytics and decision-support workflows that do not directly perform the customer's regulated activity. The customer's own DORA classification governs.
- Geographic location of service provision. Sweden (Cogny AB legal entity).
- Geographic location of data storage. European Union — Google Cloud europe-west1 (Belgium) and Supabase on AWS eu-north-1 (Stockholm), with the listed transit-time exceptions in § 3.
- Data categories processed. Marketing performance data, aggregated analytics, account configuration, OAuth tokens for connected platforms, and limited personal data of the customer's authorised users (name, email, IP address).
- Sensitive data. No payment card data is processed by Cogny (Stripe handles it directly). No special-category personal data under GDPR Art. 9 is processed.
- Subcontractors (sub-outsourcing). See § 2.
- Governing law. Swedish law; Stockholm District Court.
- Contract start / end / notice. As stated in the customer's order form; unilateral termination for convenience with 30 days' notice (§ 9).
- Exit strategy support. 30-day data export window; transition assistance available on request, billable at professional-services rate (§ 5).
- Audit rights. Yes — § 8.
- Substitutability assessment. Medium. Alternative providers exist for marketing analytics and AI reporting; migration requires exporting warehouse data and reconfiguring connected platforms.
12. Order of precedence and updates
In case of conflict, this Addendum prevails over the main Terms and Conditions for DORA-scoped Cloud usage, and the executed order form prevails over both if explicitly addressing the same subject. Cogny may update this Addendum; material changes will be announced at least 30 days in advance by email to the customer's billing contact.
13. Contact
Questions, audit requests, or incident notifications: privacy@cogny.com.
Cogny AB, Peter Myndes Backe 16, 118 46 Stockholm, Sweden.