Effective Date: June 30, 2025
This DORA Addendum (the “Addendum”) to the Terms or MSA (as applicable to you) is entered into by and between Tailscale and Customer only if and to the extent you must comply with the EU Digital Operational Resilience Act (EU Regulation 2022/2554) and its delegated acts (“DORA”). This Addendum does not affect any other terms and conditions of the Agreement not modified in this Addendum. For purposes of this Addendum, Customer is considered the “financial entity” and Tailscale is considered the “ICT third-party service provider” under DORA. All terms not defined below shall have the meaning ascribed to them in DORA or as defined elsewhere in the Agreement. References to Customer herein also apply to any Customer Affiliate that (i) is covered by the Agreement between Customer and Tailscale and (ii) is also required to comply with DORA.
1. Acknowledgement. Customer acknowledges and agrees that, as of the date of this Addendum: Tailscale is not a “critical ICT third-party service provider” under DORA Art. 31, or a “critical third party” under the UK Financial Services and Markets Act 2023; and Tailscale does not perform “critical or important functions” for financial entities as defined in DORA Art. 3(22).
2. Location and Nature of Services. Customer acknowledges and agrees that: (a) the Tailscale DPA includes a clear and complete description of all ICT services to be provided by Tailscale under the Agreement; and (b) Tailscale provides services, processes data and/or stores data in Canada, the United States, the United Kingdom and the EU. In the event of any material change to these service locations, Tailscale will notify Customer in writing at least ten (10) days in advance and provide sufficient information to enable Customer to assess the risks and impact.
3. Regulatory Cooperation. Upon your reasonable request and at your expense, Tailscale will timely and diligently cooperate with any competent authority having legal jurisdiction over your financial regulated activities to the extent required by applicable law, provided that all Tailscale Confidential Information and the confidential information of other customers shall be fully protected to the fullest extent permitted by applicable law.
4. Data Security.
4.1 Security measures. Tailscale has adopted and will maintain administrative, technical, physical, and organizational security measures to protect Customer Data that we Process (including Personal Data) against accidental or unlawful destruction, loss, alteration, disclosure or access, as described in our DPA. Tailscale will maintain such security measures to provide a level of protection that is appropriate to the risks concerning confidentiality, integrity, availability and resilience of our systems and the Services, while also taking into account the state of the art, implementation costs, the nature, scope and purposes of processing, as well as the probability of occurrence and the severity of the risk.
4.2 Incidents. In the event of an ICT-related incident (as defined in DORA) with respect to the Services, Tailscale will provide assistance to Customer at no additional cost, or at a cost that is determined by the parties ex-ante, consistent with the incident response procedures for Data Breaches set forth in the DPA.
4.3 Training Programs. No more than once every twelve (12) calendar months, upon at least thirty (30) days’ prior notice and at your expense and request, we will designate no more than two (2) Tailscale employees to participate in security awareness programs or digital operational resilience training related to your information security.
5. Additional Obligations for “Supporting Critical or Important Functions.” The following apply to you only if and solely to the extent you have determined that the Services “supports” a “critical or important function” under DORA.
5.1 Service levels; Notification and Assistance. Customer will be entitled to our standard warranties and service levels as described in the Agreement and our Documentation. Customer will also be able to purchase any available additional standard or enhanced support packages or service warranties pursuant to the Agreement. Tailscale will provide reasonable information to Customer of any circumstance that may have a material impact on Tailscale’s ability to effectively provide the Services in line with agreed service levels. Tailscale may provide this information via email or other electronic means, including by posting security bulletins or maintaining an online status page. You may subscribe to notifications of updates to these resources, and it is your obligation to subscribe to receive notifications and updates.
5.2 Business continuity. Tailscale will implement, maintain and routinely test security incident, business continuity and disaster recovery policies, plans and procedures with a view to maximizing availability and minimizing business and service disruptions.
5.3 TLPT Cooperation. Tailscale will fully participate and cooperate in Customer threat-led penetration testing (TLPT) programs pursuant to Articles 26 and 27 DORA, provided such testing does not impact or compromise the security, integrity or availability of the Services.
5.4 Customer’s Right to Monitor. Tailscale acknowledges and will cooperate with Customer’s right to monitor, on an ongoing basis, Tailscale’s performance under the Agreement, which may entail rights of access, inspection, audit, and the right to make on-site copies of relevant documents. Such rights may be exercised by Customer, its competent authority, or an appointed third party. Such rights will be exercised under the conditions for general compliance audits set forth in Section 8 of the Tailscale DPA, provided that additional audits may be performed if required by Customer’s competent authority. If a request for access, inspection or audit is denied due to a threat to security or other service environments, Tailscale will provide alternative assurances to verify compliance.
5.5 Exit Arrangements. In the event of termination or expiration of the Agreement, the parties will work together in good faith to jointly prepare an exit transition plan. Tailscale shall cooperate and provide all reasonable assistance to Customer (at Customer’s expense) to smoothly transition from the Services, including transferring to Customer or its designee all Confidential Information, Personal Data, and related materials, for a transition period that will not exceed thirty (30) days after the effective date of termination or expiration, unless the transition cannot be performed in that period or the parties agree otherwise in writing. For the avoidance of doubt, Tailscale does not have access to, use of or control over Traffic, and only you can encrypt/decrypt Traffic. Tailscale will continue to provide the Services under the Agreement during the transition period while Customer continues to pay applicable Fees.
5.6 Subcontracted Services. The Tailscale DPA provisions and controls with respect to Subprocessors (Section 6 of the DPA), including objection and termination rights of Customer, will also apply for purposes of “subcontractors” under DORA. In addition, and solely for the purpose of this DORA Addendum, Tailscale will: thoroughly vet its Subprocessors, including with respect to their security measures, location, business continuity planning, and service levels; continuously monitor their performance to ensure contractual obligations are met; and ensure they are required to grant to Customer and its relevant competent and resolution authorities adequate rights of access, inspection and audit consistent with DORA.
6. Additional Termination Rights. In addition to the other termination rights in the Agreement, Customer may also terminate the Agreement immediately upon written notice if: it is necessary to comply with applicable law, including any of the circumstances set out in Article 28(7) of DORA; directed by a competent authority of Customer; or Customer’s regulator can no longer effectively supervise Customer as a result of the terms of, or circumstances related to, the Services or the Agreement. In the event of the expiration or termination of the Agreement, including in the event of insolvency, resolution, or discontinuation of the business operations of Tailscale, all Personal Data and other Customer information processed by Tailscale in connection with providing the Services to Customer will be accessible and recoverable by Customer and returned to Customer in an easily accessible format, in accordance with the existing procedures set forth in the MSA or Terms (as applicable to you) and DPA.
7. Indemnification. Section 9.2 of the Agreement is amended to hereby add the following as an additional “Claim Against Tailscale”: “(c) Customer’s financial regulatory compliance obligations under the EU Digital Operational Resilience Act (EU Regulation 2022/2554), the UK Financial Services and Markets Act 2023, or similar legislation.”