DORA Addendum
Effective: April 2026
This Addendum sets out contractual provisions required by Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, "DORA"), and in particular Article 30, for arrangements under which Growth Hackers Sthlm AB ("Growth Hackers", "we", "us") provides services to a customer that is a financial entity within the meaning of DORA (the "Customer"). It supplements and, where inconsistent, prevails over the master services agreement, statement of work, or consulting agreement between Growth Hackers and the Customer (together, the "Main Agreement") for services determined by the Customer to fall within scope of DORA. Capitalised terms not defined here have the meanings given in DORA or the Main Agreement.
1. Service description and functions supported
Growth Hackers provides professional consulting services in growth marketing, including strategy, paid-media management, search engine optimisation, content and creative production, conversion rate optimisation, analytics and measurement advisory, and related advisory work (the "Services"). The Services are a consultant-hour deliverable and do not include the operation, hosting, or provision of a customer-facing ICT platform by Growth Hackers.
Where the Services require access to Customer systems (for example advertising accounts, web analytics properties, customer relationship management systems, or data warehouses), such access is provided and controlled by the Customer through credentials or delegated access that the Customer issues. Growth Hackers does not execute financial transactions on behalf of the Customer, make automated decisions affecting regulated activity, or operate customer-facing infrastructure.
2. Subcontracting arrangements – Art. 30(2)(a)
Growth Hackers uses the following categories of sub-contractors (sub-processors within the meaning of Article 28 GDPR where personal data is processed) in the delivery of the Services:
- Google LLC / Google Workspace – email, Drive, Meet, and document collaboration (EU data residency).
- Slack Technologies LLC – engagement communication (EU data residency where available).
- Anthropic PBC – AI assistance for analysis, drafting, and research (US processing under EU Standard Contractual Clauses).
- Notion Labs, Inc. and/or Asana, Inc. – engagement and project management.
- HubSpot, Inc. – customer relationship management, where the engagement includes HubSpot work.
- Cogny AB – marketing analytics, where the engagement uses the Cogny Cloud platform (EU/Sweden).
Growth Hackers will give the Customer at least thirty (30) days' prior notice before adding or replacing a sub-contractor that will have access to Customer data or materials. The Customer may object to such a change on reasonable grounds; if the parties are unable to agree on a resolution, the Customer may terminate the affected part of the Services in accordance with Section 9.
3. Geographic location of services and data – Art. 30(2)(b)
The Services are primarily delivered from Stockholm, Sweden. Customer materials and data processed in connection with the Services are ordinarily processed within the European Union / European Economic Area through the sub-contractors identified in Section 2 configured for EU data residency.
Where processing occurs outside the EU/EEA, it is limited to the following: (i) Anthropic (United States, under EU Standard Contractual Clauses); (ii) edge and content-delivery processing incidental to the use of Google Workspace and Slack. Growth Hackers will give the Customer at least thirty (30) days' prior notice before any material change to the primary geographic location of processing, with the Customer's rights in Section 2 applying.
4. Data availability, integrity, authenticity and personal data protection – Art. 30(2)(c)
Because Growth Hackers does not host Customer production data on its own platform, the commitments in this Section apply to Customer materials in Growth Hackers' possession or under its control in connection with the Services (strategy documents, reports, access credentials provisioned by the Customer, engagement correspondence, and similar).
- Confidentiality. Customer materials are treated as confidential information under the Main Agreement and are accessed only by personnel with a need to know for the engagement.
- Integrity and authenticity. Transport-level encryption (TLS 1.2+) is used for communication and file transfer through the sub-contractors in Section 2. Access to shared documents is logged by the underlying platform.
- Personal data. Where Growth Hackers processes personal data on behalf of the Customer, it does so as a processor within the meaning of Article 4 GDPR. A Data Processing Agreement meeting the requirements of Article 28 GDPR is available from Growth Hackers on request and, once executed, forms part of the Main Agreement.
- Credentials. Customer-system credentials or delegated-access tokens held by Growth Hackers are stored in an access-controlled secret store with multi-factor authentication required for retrieval, and are revoked on request or at engagement end.
5. Data recovery, return and deletion – Art. 30(2)(d)
On termination of the Main Agreement, on the Customer's written request, or on commencement of insolvency proceedings in respect of Growth Hackers, Growth Hackers will, within thirty (30) days:
- return to the Customer, or at the Customer's election permanently delete, all Customer materials in Growth Hackers' possession or control (including strategy documents, reports, dashboards, shared files, engagement correspondence, and credentials);
- revoke or return any delegated access to Customer systems;
- delete residual copies held in backups or archives within ninety (90) days from the date of primary deletion, subject to any mandatory retention required by applicable law.
Exit assistance beyond the return and deletion obligations above (for example knowledge transfer, handover documentation, or transition to a replacement provider) is available at Growth Hackers' standard professional-services rates or at a pre-agreed rate set out in the applicable statement of work.
6. Service levels – Art. 30(2)(e) and Art. 30(3)(a)
The Services are consulting services rather than a hosted platform; accordingly the service levels below relate to incident response and engagement responsiveness rather than platform uptime.
- P1 – incident affecting Customer credentials held by Growth Hackers, a personal data breach, or a significant security incident in the engagement work: acknowledge within four (4) business hours (CET); communicate a remediation plan within one (1) business day.
- P2 – material delay or deliverable issue affecting Customer operations: acknowledge within one (1) business day; communicate a plan within three (3) business days.
- P3 – minor issue or question: acknowledge within three (3) business days.
Delivery timelines for engagement deliverables are set in the applicable statement of work. A quarterly engagement review is available to the Customer on request.
7. ICT incident support and notification – Art. 30(2)(f) and Art. 30(3)
Growth Hackers will provide support and cooperation to the Customer, at no additional cost above the fees agreed in the Main Agreement, for ICT-related incidents attributable to the Services.
Growth Hackers will notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of: (i) any suspected or confirmed compromise of Customer credentials held by Growth Hackers; (ii) any personal data breach within the meaning of Article 4(12) GDPR affecting Customer personal data; and (iii) any other significant cyber incident affecting the engagement work. Notifications will include, to the extent then known, the nature of the incident, the systems and data categories affected, the containment and remediation actions taken or planned, and an estimated timeline for resolution. Growth Hackers will provide updates at reasonable intervals until the incident is resolved.
8. Cooperation with competent authorities – Art. 30(2)(g) and (h)
Growth Hackers will cooperate with the Customer's competent authorities, including the Swedish Financial Supervisory Authority (Finansinspektionen) where applicable, and with any resolution authority appointed in respect of the Customer. This includes responding to lawful information requests and making relevant personnel and records available as reasonably required.
The Customer and its appointed auditors and regulators have the right to audit Growth Hackers' compliance with this Addendum. Audits will be conducted on reasonable prior notice, during normal business hours, and not more than once per calendar year unless triggered by a material incident or by an instruction from a competent authority. Growth Hackers will participate in Threat-Led Penetration Testing (TLPT) exercises under Article 26 DORA to the extent that the Services fall within the scope of such testing.
9. Unilateral termination rights – Art. 30(2)(i)
The Customer may terminate the Main Agreement in whole or in part:
- for convenience, on thirty (30) days' written notice, with no penalty beyond fees accrued for Services rendered and non-cancellable committed costs up to the termination date;
- for material breach by Growth Hackers that is not cured within thirty (30) days of written notice;
- for regulatory reasons, with immediate effect, where required by a competent authority, by mandatory law applicable to the Customer, or where continued receipt of the Services would cause the Customer to be in breach of DORA; and
- for a material change to sub-contractors under Section 2 or to the geographic location of processing under Section 3 to which the Customer has reasonably objected.
10. Security awareness and resilience training – Art. 13(6)
Growth Hackers personnel with access to Customer data may participate in the Customer's ICT security awareness and digital operational resilience training programmes, up to four (4) hours per calendar year, delivered remotely and scheduled in advance by written agreement between the parties. Growth Hackers maintains its own internal security-awareness programme for all personnel, covering at least confidentiality, access hygiene, phishing awareness, and incident reporting.
11. Register of Information – FAQ (Art. 28(3))
The following reference information is provided to assist the Customer in maintaining its Register of Information under Article 28(3) DORA.
- Provider: Growth Hackers Sthlm AB, registered in Sweden, org. no. 556963-5211.
- Registered address: Peter Myndes backe 16, 118 46 Stockholm, Sweden.
- Service type: professional services – growth marketing consulting, paid-media management, SEO and content, conversion rate optimisation, analytics and measurement advisory.
- Classification: the Services are not classified by Growth Hackers as supporting a critical or important function of the Customer. The Customer remains responsible for its own classification under Article 28(4) DORA.
- Data categories processed: Customer marketing performance data; advertising-platform access tokens provisioned by the Customer; CRM records; and end-user personal data processed under Article 28 GDPR where included in the engagement scope.
- Special-category and payment data: Growth Hackers does not process payment-card data, special-category personal data under Article 9 GDPR, or criminal-conviction data under Article 10 GDPR in the course of the Services.
- Substitutability: high – the growth-marketing consulting market is well-supplied and the Services can be transitioned to a replacement provider with reasonable exit assistance.
12. Order of precedence and updates
In the event of any conflict between this Addendum and the Main Agreement in relation to Services determined by the Customer to fall within the scope of DORA, this Addendum prevails. Growth Hackers may update this Addendum from time to time to reflect changes in law, regulatory guidance, or the composition of its sub-contractors; material changes will be announced at least thirty (30) days in advance by email to the Customer's named contact.
13. Contact
Questions about this Addendum, requests for a Data Processing Agreement, incident notifications, or DORA-related correspondence should be directed to:
Growth Hackers Sthlm AB
Peter Myndes backe 16, 118 46 Stockholm, Sweden
contact@growthhackers.se
