# DORA Compliance

> Digital Operational Resilience Act (DORA) readiness with Qovery

## Overview

The Digital Operational Resilience Act (DORA) is an EU regulation that establishes requirements for the security of network and information systems of financial entities and their critical third-party service providers. Qovery is designed to help financial services organizations meet DORA requirements.

<Info>
  **Effective Date**: January 17, 2025

  DORA applies to financial entities operating in the EU and their ICT (Information and Communication Technology) service providers.
</Info>

## DORA Requirements

DORA focuses on five key pillars:

<CardGroup cols={2}>
  <Card title="ICT Risk Management" icon="shield">
    Comprehensive risk management framework for ICT systems
  </Card>

  <Card title="Incident Reporting" icon="bell">
    Mandatory reporting of major ICT-related incidents
  </Card>

  <Card title="Digital Resilience Testing" icon="flask">
    Regular testing including advanced scenarios (TLPT)
  </Card>

  <Card title="Third-Party Risk" icon="handshake">
    Due diligence and oversight of ICT service providers
  </Card>

  <Card title="Information Sharing" icon="share-nodes">
    Sharing of cyber threat intelligence and best practices
  </Card>
</CardGroup>

## How Qovery Supports DORA Compliance

### 1. ICT Risk Management

<AccordionGroup>
  <Accordion title="Risk Assessment" icon="magnifying-glass-chart">
    **Qovery Features**:

    * Infrastructure monitoring and observability
    * Real-time health checks and alerts
    * Automated security scanning
    * Vulnerability management
    * Configuration drift detection

    **Documentation**:

    * Complete audit trail of all changes
    * Risk assessment reports available
    * Security posture dashboards
  </Accordion>

  <Accordion title="Business Continuity" icon="rotate">
    **High Availability**:

    * Multi-AZ deployment by default
    * Automated failover capabilities
    * Load balancing and auto-scaling
    * Zero-downtime deployments

    **Disaster Recovery**:

    * Automated backups with point-in-time recovery
    * Multi-region replication available
    * RTO: 15-30 minutes (configurable)
    * RPO: \< 24 hours (continuous backup available)
  </Accordion>

  <Accordion title="Change Management" icon="code-pull-request">
    **Controlled Deployments**:

    * GitOps workflow with version control
    * Approval workflows (enterprise)
    * Automated testing pipelines
    * Rollback capabilities

    **Change Tracking**:

    * Complete audit log of all changes
    * Who, what, when, and why documented
    * Immutable change history
  </Accordion>
</AccordionGroup>

### 2. Incident Management and Reporting

<Tabs>
  <Tab title="Detection">
    **Real-Time Monitoring**:

    * Application and infrastructure monitoring
    * Log aggregation and analysis
    * Anomaly detection
    * Automated alerting

    **Alert Channels**:

    * Email, Slack, PagerDuty
    * Webhook integrations
    * Custom notification rules
  </Tab>

  <Tab title="Classification">
    **Incident Severity Levels**:

    * P0: Critical (service outage)
    * P1: High (major degradation)
    * P2: Medium (minor impact)
    * P3: Low (cosmetic issues)

    **DORA Major Incident Criteria**:

    * Significant service disruption
    * Data breach or loss
    * Security compromise
    * Systemic failure
  </Tab>

  <Tab title="Response">
    **Incident Response Process**:

    1. Detection and triage
    2. Impact assessment
    3. Containment and mitigation
    4. Root cause analysis
    5. Recovery and validation
    6. Post-incident review

    **Documentation**:

    * Incident timeline tracking
    * Actions taken logged
    * Export reports for regulatory filing
  </Tab>

  <Tab title="Reporting">
    **Compliance Reporting**:

    * Incident reports with timeline
    * Impact assessment documentation
    * Root cause analysis
    * Corrective actions taken

    **DORA Reporting Requirements**:

    * Initial notification: Within 4 hours
    * Intermediate report: Within 72 hours
    * Final report: Within 1 month
  </Tab>
</Tabs>

### 3. Digital Operational Resilience Testing

<AccordionGroup>
  <Accordion title="Regular Testing" icon="vial">
    **Testing Capabilities**:

    * Automated health checks
    * Chaos engineering support
    * Load testing integration
    * Disaster recovery drills

    **Qovery Tools**:

    * Preview environments for testing
    * Staging environment replication
    * Safe production testing
    * Automated rollback on failure
  </Accordion>

  <Accordion title="Advanced Testing (TLPT)" icon="user-secret">
    **Threat-Led Penetration Testing**:

    For critical service providers, DORA requires advanced testing:

    * Simulated cyber-attacks
    * Red team exercises
    * Blue team defense
    * Purple team collaboration

    **Qovery Support**:

    * Isolated test environments
    * Production-like staging
    * Security scanning tools integration
    * Test result documentation
  </Accordion>

  <Accordion title="Test Documentation" icon="file-lines">
    **Required Documentation**:

    * Test plans and scenarios
    * Test execution records
    * Results and findings
    * Remediation actions

    **Qovery Features**:

    * Deployment logs and history
    * Test environment snapshots
    * Audit trail of changes
    * Compliance reports
  </Accordion>
</AccordionGroup>

### 4. Third-Party ICT Service Provider Management

<Tabs>
  <Tab title="Qovery as Service Provider">
    **Due Diligence Information**:

    * SOC 2 Type II certification
    * GDPR compliance
    * Data processing agreements (DPA)
    * Security documentation
    * SLA commitments

    **Contract Terms**:

    * Right to audit
    * Exit strategies
    * Data portability
    * Termination procedures
  </Tab>

  <Tab title="Sub-Processors">
    **Qovery Sub-Processors**:

    * Cloud providers (AWS, GCP, Azure, Scaleway)
    * Monitoring services
    * Authentication providers

    **Transparency**:

    * List of sub-processors available
    * Notification of changes
    * Contractual flow-down clauses
  </Tab>

  <Tab title="Risk Assessment">
    **Ongoing Monitoring**:

    * Vendor security assessments
    * Service level monitoring
    * Incident reporting
    * Compliance verification

    **Documentation**:

    * Vendor risk registers
    * Assessment reports
    * Audit findings
  </Tab>
</Tabs>

### 5. Information Sharing

**Qovery Commitment**:

* Timely notification of security incidents
* Sharing of threat intelligence (where applicable)
* Collaboration on security best practices
* Participation in industry forums

**Customer Responsibilities**:

* Report incidents affecting Qovery services
* Share relevant threat information
* Collaborate on security improvements

## DORA-Specific Features

<CardGroup cols={2}>
  <Card title="Audit Logs" icon="clock-rotate-left">
    Immutable audit trail of all actions with long-term retention (1+ years)
  </Card>

  <Card title="Data Residency" icon="location-dot" href="/configuration/integrations/kubernetes/eks/overview">
    Deploy in EU regions to meet data localization requirements
  </Card>

  <Card title="Encryption" icon="lock">
    End-to-end encryption at rest and in transit with key management
  </Card>

  <Card title="Access Controls" icon="key" href="/configuration/organization/members-rbac">
    Role-based access control (RBAC) with MFA and SSO support
  </Card>

  <Card title="Backup & Recovery" icon="cloud-arrow-up">
    Automated backups with point-in-time recovery and DR capabilities
  </Card>

  <Card title="Monitoring" icon="chart-line" href="/configuration/integrations/observability/qovery-observe">
    Real-time monitoring, alerting, and anomaly detection
  </Card>
</CardGroup>

## Customer Responsibilities

To achieve DORA compliance, customers must:

<Steps>
  <Step title="Risk Assessment">
    Conduct regular risk assessments of applications and infrastructure
  </Step>

  <Step title="Testing Program">
    Implement regular testing including DR drills and security testing
  </Step>

  <Step title="Incident Response">
    Establish incident response procedures and reporting mechanisms
  </Step>

  <Step title="Documentation">
    Maintain documentation of security controls and testing results
  </Step>

  <Step title="Third-Party Management">
    Assess and monitor all ICT service providers including Qovery
  </Step>

  <Step title="Training">
    Provide security awareness training to team members
  </Step>
</Steps>

## Documentation and Evidence

Qovery provides documentation to support DORA compliance:

* **Security Documentation**: Architecture, controls, policies
* **Compliance Certificates**: SOC 2, ISO certifications
* **Audit Reports**: Available upon request (NDA required)
* **SLA Documentation**: Service level commitments
* **DPA/GDPR**: Data processing agreements
* **Incident Reports**: Historical incident documentation

**How to Access**:

1. Contact your account manager
2. Request specific compliance documentation
3. Sign NDA if required
4. Receive documentation package

## Regional Considerations

### EU Data Centers

Qovery supports deployment in EU regions:

<Tabs>
  <Tab title="AWS">
    * eu-west-1 (Ireland)
    * eu-west-2 (London)
    * eu-west-3 (Paris)
    * eu-central-1 (Frankfurt)
    * eu-north-1 (Stockholm)
  </Tab>

  <Tab title="GCP">
    * europe-west1 (Belgium)
    * europe-west4 (Netherlands)
    * europe-west3 (Frankfurt)
    * europe-west2 (London)
    * europe-west6 (Zurich)
  </Tab>

  <Tab title="Azure">
    * West Europe (Netherlands)
    * North Europe (Ireland)
    * France Central (Paris)
    * Germany West Central (Frankfurt)
    * UK South (London)
  </Tab>

  <Tab title="Scaleway">
    * fr-par (Paris) - 100% EU
    * nl-ams (Amsterdam) - 100% EU
    * pl-waw (Warsaw) - 100% EU
  </Tab>
</Tabs>

## Getting Started with DORA Compliance

<Steps>
  <Step title="Gap Analysis">
    Conduct gap analysis against DORA requirements
  </Step>

  <Step title="Risk Assessment">
    Assess ICT risks and document in risk register
  </Step>

  <Step title="Control Implementation">
    Implement required security and resilience controls using Qovery features
  </Step>

  <Step title="Testing Program">
    Establish regular testing and DR drill schedule
  </Step>

  <Step title="Documentation">
    Document policies, procedures, and testing results
  </Step>

  <Step title="Continuous Improvement">
    Regular review and enhancement of controls
  </Step>
</Steps>

## Need Help?

<CardGroup cols={2}>
  <Card title="Contact Sales" icon="comments" href="https://www.qovery.com/contact">
    Speak with our compliance team about DORA requirements
  </Card>

  <Card title="Documentation" icon="book" href="https://www.qovery.com/contact">
    Request DORA compliance documentation package
  </Card>

  <Card title="Professional Services" icon="user-tie" href="https://www.qovery.com/contact">
    Engage our team for compliance consulting
  </Card>

  <Card title="Security Overview" icon="shield" href="/getting-started/security-and-compliance/overview">
    Review Qovery's security architecture
  </Card>
</CardGroup>

## Resources

* [DORA Official Text](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2554)
* [European Banking Authority DORA Guidelines](https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-act-dora)
* [Qovery Security Overview](/security-and-compliance/overview)
* [SOC 2 Compliance](/security-and-compliance/soc2)

<Info>
  **Disclaimer**: This documentation provides information about Qovery features that support DORA compliance. Customers are responsible for their own compliance and should consult with legal and compliance advisors.
</Info>
