DORA Addendum
Last Updated: May, 2025
This Addendum is entered into with the understanding that it complies with the requirements of the EU's Digital Operational Resilience Act (“DORA”), including, but not limited to, Article 30's key contractual provisions. The Parties acknowledge that this Agreement includes provisions related to specific DORA requirements, e.g., service level descriptions, data protection, incident response, and termination rights, to ensure compliance with DORA.
BambooHR Terms of Service, which can be found here (the “Agreement”), are incorporated herein by reference, and shall remain in full force and effect to the extent they are consistent with DORA. The terms of this Addendum shall otherwise supersede any potential inconsistent terms under the Agreement.
Any capitalized terms used but not defined herein have the same meaning as the same or substantially equivalent term in the Agreement or DORA Article 2.
Recitals
- This Addendum applies only when the Customer is subject to DORA and has subscribed to the Agreement for the receipt of certain services from BambooHR as described in the Agreement (“Services”).
- When DORA applies to the Customer, BambooHR is an Information and Communication Technology (“ICT”) Third Party Service Provider providing ICT Services.
- BambooHR’s Services support Customers’ internal HR functions and therefore BambooHR is not classified as a Critical ICT Third-Party Service Provider and does not support a Critical or Important Function.
- This Addendum, in addition to the Agreement, ensures that BambooHR and Customer comply with Article 30(2) key contractual provisions.
Definitions
Critical ICT Third-Party Service Provider means an ICT third-party service provider designated as critical in accordance with Article 31 of DORA.
Critical or Important Function means a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under the applicable financial services law.
ICT Services are the digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.
Addendum
- Description of Services. BambooHR is a cloud-based human resources information system (HRIS) that bundles HR features, such as time tracking, employee engagement, an applicant tracking system and more into one system. BambooHR does not provide a Critical or Important Function as defined by DORA. BambooHR is permitted to subcontract Services.
- Location of ICT Services. BambooHR provides ICT Services in Draper, Utah, USA. The Customer may elect to store data in the AWS Ireland, Canada, or US data centers. BambooHR will provide the Customer notice, through its published subcontractor list, regarding the locations where the contracted or subcontracted functions are to be provided and where data is processed and stored.
- Data Protection. BambooHR shall maintain commercially reasonable administrative, physical, and technical safeguards for protection of the Service, and the security of Customer Data, including availability, authenticity, integrity and confidentiality of Customer Data.
- Access, Recovery, and Return of Customer Data. The Agreement provides that the Customer will continue to have the ability to download the Customer Data uploaded to the customer’s databases in the BambooHR service for a period of 30 days after expiration or termination of the service (except where the service is terminated by BambooHR for the customer’s nonpayment or violation of Sections 4.1 or 13 of the Agreement). The Customer will still have the ability to recover its data in the event of the insolvency, resolution or discontinuation of the business operations of BambooHR, or in the event of any termination of the contract. Where termination is as a result of the customer’s breach of its obligations, recovery of their data may be made conditional upon the rectification of such breach (i.e., in case of nonpayment, upon payment of the fees due).
- Service Levels. BambooHR shall use commercially reasonable efforts to make the Service available 24 hours a day, 7 days a week except for: (i) planned downtime, (ii) any unavailability caused by circumstances beyond BambooHR’s or its subcontractors’ reasonable control, including, but not limited to, acts of God, acts of government, floods, fires, earthquakes, pandemics, civil unrest, acts of terror, strikes or other labor problems (other than those involving our employees), internet service provider failures or delays, or denial of service attacks, or (iii) as necessary to update the Service to ensure its security and integrity. Outages will be detected, communicated, and resolved, including response and resolution times.
- Assistance with ICT Security Incidents. BambooHR will provide assistance to the Customer when an ICT incident that is related to BambooHR’s ICT service occurs, at no additional cost, or at a cost that is determined ex-ante.
- Cooperation with Authorities. BambooHR will fully cooperate with the competent authorities and the resolution authorities of the customer, including persons appointed by them.
- Termination Rights. The Customer is entitled to terminate the ICT Service anytime under the Agreement. Notwithstanding the foregoing, Customer may terminate in the event of any of the following circumstances under DORA Article 28(7):
  - Significant breach by BambooHR of applicable laws, regulations or contractual terms;
  - Circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of BambooHR;
  - In the event of BambooHR’s evidenced weakness pertaining to its overall ICT risk management and in particular the way it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data; or
  - Where the competent authority can no longer effectively supervise the customer that is an EU financial entity as a result of the conditions of, or circumstances related to, the respective contractual agreement.
- Participation in Security Awareness Training. BambooHR requires security awareness training for all of its employees at least annually. The Customer has the right to request, at the Customer’s cost, that BambooHR participate virtually in Customer’s security training no more than once annually.
Contact Information.
If you have any questions about the Service or this Agreement, you may call us at 801-724-6600, email us at [email protected], or write to us at:
Bamboo HR LLC
BambooHR Payroll LLC
ATTN: Legal
42 Future Way
Draper, UT 84020
BambooHR® is a registered trademark of Bamboo HR LLC. © Bamboo HR LLC 2020. All rights reserved.