DORA Compliance Mapping
Last updated: April 2026 · Next review: October 2026
§1. Purpose
This page explains how HumanKey helps financial-entity customers meet their obligations under the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which entered into application on 17 January 2025.
HumanKey is not itself a financial entity within the meaning of DORA Art. 2(1). When a financial entity uses HumanKey, HumanKey is classified as an ICT third-party service provider under DORA Art. 3(19), and the customer's ICT third-party risk management framework (Art. 28) applies to the HumanKey engagement.
§2. Current designation status
HumanKey is NOT currently designated as a Critical ICT Third-Party Provider (CTPP) by the European Supervisory Authorities (EBA, EIOPA, ESMA). CTPP designation under Regulation (EU) 2024/1505 applies only to a small number of pan-European ICT providers whose services are used by a large proportion of the European financial sector. HumanKey expects to remain outside the CTPP perimeter for the foreseeable future, which means HumanKey is subject to the Controller's ICT TPRM framework under Art. 28, but not to the direct oversight regime in Art. 31-44.
§3. Article-by-article mapping
The following table maps each applicable DORA Article to the corresponding HumanKey contractual provision or documented practice.
| Article | DORA requirement | HumanKey contribution |
|---|---|---|
| Art. 28(1) | ICT third-party risk management as part of the ICT risk management framework | HumanKey provides the Register-of-Information inputs required by the Controller's framework: service description, data location, sub-contracting disclosure, and function-criticality flag on request. |
| Art. 28(2) | Proportionality to the size, nature, scale, and complexity of the Controller | The HumanKey DPA and sub-processor notice procedure scale with the Controller's plan tier (SMB 14-day notice, Enterprise 30-day notice) to match the risk management framework's granularity. |
| Art. 28(3) | Register of Information on all contractual arrangements | HumanKey's published Sub-Processors page is the authoritative source for HumanKey's own onward ICT service chain. Updates are announced with the notice period in DPA Art. 6. |
| Art. 30(1) | Rights and obligations of the parties clearly allocated and set out in writing | HumanKey's DPA establishes the parties' rights and obligations in writing and is offered to every Controller regardless of tier. |
| Art. 30(2)(a) | Clear and complete description of functions and ICT services to be provided | Annex 1 of the HumanKey DPA (Article 3) describes the nature and purpose of processing. HumanKey's public product documentation at humankey.io/docs supplements this description. |
| Art. 30(2)(b) | Locations where functions and ICT services will be provided and data processed | Primary data storage is within the European Economic Area (Neon Postgres Frankfurt, Railway Amsterdam). Sub-processor locations are documented on the Sub-Processors page and assessed in the public TIA. |
| Art. 30(2)(c) | Provisions on availability, authenticity, integrity and confidentiality of data | HumanKey DPA Article 5 (Processor Obligations) and Annex 2 (Technical and Organisational Measures) document the controls in place. |
| Art. 30(2)(d) | Termination rights with full data access and return | DPA Article 5.7 commits HumanKey to return or delete Controller Personal Data within 30 days of termination. JSON export is available on demand throughout the engagement. |
| Art. 30(2)(e) | Service level descriptions | Service level descriptions are included in the Enterprise tier service order. HumanKey is not currently designated as a Critical ICT Third-Party Provider; uptime targets are expressed in the service order rather than in delegated RTS. |
| Art. 30(3)(a) | Full service level description with precise quantitative and qualitative targets (CIFs) | Where HumanKey supports a critical or important function (CIF) for the Controller, targeted service level terms are agreed in the Enterprise service order, including availability targets, reporting cadence, and remediation commitments. |
| Art. 30(3)(b) | Cooperation with the Controller's competent authorities | Committed in §4 below. HumanKey cooperates with the Controller's competent authority within the meaning of DORA Art. 30(3)(b). |
| Art. 30(3)(c) | Termination rights following specified events (e.g., significant breach) | DPA Article 6 provides termination rights where a sub-processor objection cannot be resolved. Enterprise customers additionally receive termination-for-cause rights in the service order. |
| Art. 30(3)(d) | Notification obligations regarding security incidents and service disruptions | DPA Article 8 commits HumanKey to incident notification without undue delay. Cooperation with the Controller's upstream DORA Art. 17 reporting timelines is committed in §5 below. |
| Art. 30(3)(e) | Data access, recovery, return and portability obligations | DPA Article 5.7 and GDPR data-subject rights tooling (JSON export, cascading deletion, rectification) cover this obligation. |
| Art. 30(3)(f) | Conditions for sub-contracting and approval rights | DPA Article 6 sets out the sub-processor notification and objection procedure. The Enterprise tier applies a 30-day advance notice window aligned with the DORA recommended standard. |
| Art. 17 | Management of ICT-related incidents (classification, reporting, response) | HumanKey's DPA Art. 8 incident notification feeds into the Controller's internal incident management so the Controller can classify and, where required, report major ICT incidents to the competent authorities within the DORA timelines. |
§4. Cooperation with competent authorities
HumanKey cooperates with the Controller's competent authority within the meaning of DORA Art. 30(3)(b). HumanKey provides reasonable assistance to the Controller in responding to supervisory inquiries regarding HumanKey's processing activities, subject to applicable confidentiality obligations and HumanKey's own legal counsel review.
Cooperation requests should be routed through the HumanKey legal contact form at humankey.io/contact, selecting the "Legal & Compliance" or "Security" category as appropriate. HumanKey aims to acknowledge receipt within two (2) business days and to provide a substantive response within the timeline communicated to the Controller by the competent authority.
§5. Incident notification flow
DORA Art. 17 requires financial entities to establish an ICT-related incident management process, classify incidents, and notify competent authorities of major ICT-related incidents within the timelines set out in the delegated Regulatory Technical Standards.
HumanKey supports the Controller's upstream notification flow as follows:
- HumanKey notifies the Controller without undue delay upon becoming aware of a Personal Data Breach affecting Controller Personal Data, per HumanKey DPA Article 8.
- The notification includes the information required by GDPR Art. 33(3) and DORA Art. 19(4) insofar as known at the time: nature, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed.
- HumanKey provides reasonable cooperation to enable the Controller to meet the Controller's own DORA Art. 17 reporting timelines, while preserving HumanKey's own internal incident response procedures and the confidentiality required by ongoing forensic work.
- HumanKey does not issue any public announcement about such an incident without the Controller's prior written consent, unless required by applicable law.
§6. What HumanKey does NOT yet commit to
In the interest of honesty and to avoid creating expectations HumanKey cannot meet today, the following items are explicitly out of scope for this public mapping:
- HumanKey is not currently ISO 27001 certified. A documented Internal Compliance Roadmap is available to financial-entity prospects on written NDA request.
- HumanKey does not currently hold a SOC 2 Type II report. The same Internal Compliance Roadmap covers the planned path toward this assurance mechanism.
- HumanKey is not currently designated as a Critical ICT Third-Party Provider under Regulation (EU) 2024/1505 and is therefore not subject to the direct ESAs oversight regime in DORA Art. 31-44.
- This mapping does not purport to be legal advice. Financial-entity Controllers should review it together with their own legal counsel and map it back to their internal ICT TPRM framework.
This DORA Compliance Mapping is provided as a public positioning document. It supplements but does not replace the HumanKey Data Processing Agreement.