DORA — Digital Operational Resilience Act
Compliance status: The controls described below are implemented in the production codebase. SOC 2 Type I audit engagement is underway — report expected Q3 2026. For NDA-gated security documentation, contact hello@creatorlayer.eu.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applies to financial entities and their critical ICT third-party providers operating in the EU. It entered into application on 17 January 2025.
Creatorlayer is designed to provide ICT services to regulated financial entities (lenders, credit institutions). Where lender customers are themselves subject to DORA, this page documents the controls Creatorlayer has designed to support their compliance obligations under Article 30 (Contractual arrangements on the use of ICT services).
ICT Risk Management (Articles 5–16)
| Requirement | Creatorlayer Implementation |
|---|---|
| ICT risk management framework | Documented security policies, designed to support a quarterly review cycle |
| Asset identification | Data classification policy (4 tiers); PostgreSQL schema under migration control |
| Protection & prevention | helmet.js CSP, HSTS, rate limiting, IP allowlist, RBAC |
| Detection | Audit log on all sensitive endpoints; abuse detection middleware |
| Response & recovery | BCP designed with RTO 4 h / RPO 1 h (PITR); incident runbooks documented |
| Backup & restore | Daily PostgreSQL snapshots + WAL-based PITR (Scalingo managed, France) |
| Learning & evolution | Designed to support post-incident reviews; Semgrep SAST on every PR |
ICT-Related Incident Management (Articles 17–23)
Creatorlayer classifies ICT incidents by severity and has documented response procedures designed to support the following targets:
| Severity | Examples | Target Response |
|---|---|---|
| Critical | Data breach, full service outage | 1 hour |
| High | Partial degradation, failed backups | 4 hours |
| Medium | Performance degradation, single-component failure | 24 hours |
| Low | Non-material anomalies | Next business day |
Incident tracking follows a documented incident management process. Lender customers will be notified of material incidents affecting their data within 24 hours of detection.
Digital Operational Resilience Testing (Articles 24–27)
| Test Type | Frequency | Scope |
|---|---|---|
| Basic connectivity & uptime tests | Continuous (uptime monitoring) | All public endpoints |
| Vulnerability assessments | Every pull request (Semgrep SAST) | Application code |
| Penetration testing | Annually (planned from Q3 2025) | API, authentication, data flows |
| Business continuity test | Annually | Database restore from backup |
TLPT (Threat-Led Penetration Testing under Article 26) will be conducted once Creatorlayer crosses the DORA significance threshold.
ICT Third-Party Risk Management (Articles 28–44)
Creatorlayer's ICT sub-processors for DORA purposes are:
| Sub-processor | Service | Contractual Safeguards |
|---|---|---|
| Scalingo SAS | Cloud hosting, PostgreSQL, Redis | DPA; EU data residency (France); SLA; exit plan |
| Resend | Transactional email | DPA; SCCs |
| GitHub (Microsoft) | Source control, CI/CD | DPA; SCCs |
All critical sub-processor contracts include:
- Service level commitments and audit rights
- Data location and security requirements
- Incident notification obligations (≤ 24 hours for material incidents)
- Exit/substitution plan provisions
Documentation Requests
Lender customers requiring DORA Article 30 contractual documentation or ICT risk assessment questionnaire responses should contact:
Email: hello@satoshiframework.com
Subject: DORA Documentation Request — [Your Company Name]
Responses are provided within 5 business days.