The EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies to financial entities such as banks, insurers, payment institutions, and investment firms. If your organization is regulated under DORA, this page provides the vendor information you need for your ICT third-party risk management — your due diligence, contractual arrangements under Article 30, and your Register of Information.
Gleap’s role under DORA
- Gleap is an ICT third-party service provider within the meaning of DORA. DORA does not regulate Gleap directly; it reaches us through the requirements it places on our regulated customers.
- Gleap is not designated as a critical ICT third-party provider (CTPP) by the European Supervisory Authorities and is therefore not subject to direct EU oversight.
- There is no official DORA certification for ICT providers. Gleap is DORA-ready: we provide the information, contractual commitments, and cooperation our regulated customers need for their own compliance. Whether your use of Gleap supports a critical or important function is your organization’s assessment — most customers use Gleap for customer support and product feedback, which they typically do not classify as such.
Vendor datasheet for your Register of Information
- Legal name — Gleap GmbH
- Registered address — Am Dorfplatz 3, 6858 Schwarzach, Austria
- Company register — FN 534390 v, Regional Court Feldkirch (Austria)
- VAT number — ATU 75671417
- LEI — 984500FHA581037A0R84 (view on GLEIF)
- Type of ICT service — S19 — Cloud computing services: Software as a Service (SaaS), per the ESAs’ taxonomy (Annex III of the ITS on the Register of Information)
- Service description — Customer support, feedback, and bug reporting platform (AI-assisted customer service suite)
- Data processing & storage locations — EU (Frankfurt) primary; US data residency available on Enterprise; full breakdown on the sub-processors page
- Governing law — Austrian law (per our DPA)
Article 30 — how Gleap supports the required contractual provisions
Our Terms of Service and Data Processing Addendum already cover the core Article 30(2) elements; Enterprise agreements can address entity-specific requirements:
- Service and function description — documented in the Terms of Service and DPA (subject matter of processing).
- Data locations and change notification — processing and storage locations are documented per sub-processor; changes to the sub-processor list are announced in advance in accordance with the DPA.
- Protection of data — availability, integrity, and confidentiality commitments via the DPA’s technical and organizational measures; see security practices.
- Sub-outsourcing transparency — the complete sub-processor chain with locations and purposes is public on the sub-processors page; engaging new sub-processors requires customer consent under the DPA (§8), and sub-processor compliance is reviewed at least every 12 months with documented results.
- Incident assistance and notification — personal data breaches are reported immediately upon becoming aware, with defined notification content, and significant disruptions in service execution are likewise reported immediately (DPA §9) — enabling you to meet your own DORA incident-reporting deadlines. Gleap supports customers’ obligations under Articles 33 and 34 GDPR as part of the service.
- Cooperation with competent authorities — Gleap informs customers without undue delay of inspections or measures by supervisory authorities relating to their processing, and supports customers subject to inspections (DPA §5.7, §9.3).
- Access, recovery, and return of data — data export during the contract, and return and deletion of personal data upon termination, are governed by the DPA, including deletion evidence on request.
- Termination and exit support — defined notice periods per the Terms of Service; on termination we support an orderly transition with data export in standard formats.
- Audit and information rights — under the DPA (§6.8), Gleap provides evidence of the implementation and effectiveness of its technical and organizational measures annually without being asked, and at any time on request; we additionally support customer due-diligence reviews, including pooled audit approaches, and provide our SOC 2 Type II report as independent evidence.
Incident notification
- Notification of affected customers without undue delay at the contacts you provide, with follow-up information as the investigation progresses.
- Contact for incident and breach matters: privacy@gleap.io (reaches Gleap’s data protection officer directly).
- Real-time service status: status.gleap.io.
Due diligence & requests
For your vendor assessment we provide via privacy@gleap.io:
- The current SOC 2 Type II report (under NDA).
- Completed DORA / security questionnaires.
- A signed DPA, and discussion of DORA-specific contractual addenda for ICT services supporting critical or important functions (enhanced SLAs, resilience testing cooperation, extended audit rights, exit strategies) as part of an Enterprise agreement.