DORA FAQs
Last Updated: March 10, 2026
What is DORA and does DORA apply to Contentstack?
The EU Digital Operational Resilience Regulation and relevant Regulatory Technical Standard (DORA) is an EU regulation aimed at enhancing the operational resilience of financial institutions and critical third-party service providers, including information and communication technology (ICT) service providers. It establishes requirements for incident reporting, risk management, and operational continuity.
Financial entities are subject to the DORA regulation. Contentstack, as an ICT service provider providing cloud software as a service (SaaS), is not directly subject to DORA nor is Contentstack a critical vendor under DORA. With that said, Contentstack will use commercially reasonable efforts to support our financial entity customers in meeting their compliance obligations under DORA applicable to ICT services.
How does Contentstack help customers meet their DORA obligations?
Contentstack assists financial entity customers by (a) offering robust security measures to ensure the resilience and availability of its services; (b) providing clear documentation and support for incident management, including security incident notifications; and (c) incorporating specific contractual terms or addendums that address DORA requirements, where necessary and applicable.
Does Contentstack provide DORA-specific terms in its Security Addendum?
Yes, Contentstack’s standard Security Addendum contains terms around incident response regulatory cooperation specific to DORA.
Contentstack’s commitment to security, continuity, and customer collaboration ensures alignment with DORA’s core objectives of operational resilience and effective incident management. See our Security Addendum page for more information.
How does Contentstack address DORA’s incident notification requirements?
Contentstack follows industry best practices for incident detection, response, and communication. We recognize the strict incident notification timelines that may apply under DORA (e.g., 24 hours) and have adapted our existing security practices to support customers in meeting their compliance obligations. See our Security Addendum page for more information.
Can Contentstack support Customer’s DORA reporting obligations?
Yes, Contentstack can provide relevant information about security incidents and operational resilience to support customers’ DORA reporting obligations, as set forth in the Security Addendum. However, customers remain responsible for ensuring compliance with DORA, including submitting reports to their regulators.
What operational resilience measures does Contentstack have in place?
Contentstack implements a comprehensive security program, including: (a) regular risk assessments and audits; (b) business continuity and disaster recovery plans; (c) monitoring and alerting systems to detect and address potential threats promptly; and (d) compliance with globally recognized security standards, such as ISO 27001 and SOC 2.
How does Contentstack define "subcontractors," and how does this apply to DORA?
Subcontractor: Subcontractors are third-party service providers that provide “back-office”-like services (e.g., outside legal counsel). A subcontractor neither processes Customer Data nor provides services on behalf of Contentstack to deliver the SaaS.
Subprocessor: Subprocessors are third-party entities listed by product in Contentstack’s online subprocessor list, which process Customer Data (i.e., data provided to Contentstack by Customer through use of the SaaS) on behalf of Contentstack to deliver the SaaS.
Who can I contact for more information about Contentstack and DORA compliance?
If you have specific questions or require additional support, please contact your Account Executive or Customer Success Manager.
