The services provided by BitaBIZ are not subject to the DORA regulation. This FAQ has been prepared specifically for BitaBIZ customers who themselves are subject to the DORA regulation and who wish to include BitaBIZ services in their own DORA documentation.
| Ref. | Regulation | Provision | Question | BitaBIZ |
|---|---|---|---|---|
| 2-2 | RTS on policy | Art. 6(1); Art. 6(1)(a) | Please provide a general description of you as a service provider, your company and organizational structure (in particular with regard to information security and risk management), ownership and group structure. | BitaBIZ ApS is a 100% Danish company owned by management and the founders Esben Hedegaard, Morten Borum and David Bitnar. |
| 2-3 | General | General | Has your company/parent company been designated as a critical third-party ICT service provider under the DORA Regulation? If yes, please state whether you have a legal entity within the EU. | No. BitaBIZ ApS is not designated as a critical third-party ICT service provider under the DORA Regulation, and BitaBIZ has no legal entities outside the EU. |
| 2-4 | RTS on subcontractors | Art. 6(1)(a); Art. 1(a) | Please identify all ICT services that you will provide under the agreement. | 1. ICT project management: No; 2. ICT development: No; 3. ICT help desk and first-level support: Yes, for BitaBIZ only; 4. ICT security management services: No; 5. Provision of data: No; 6. Data analysis: No; 7. ICT, facilities and hosting services (excl. cloud services): No; 8. Computation: No; 9. Non-cloud data storage: No; 10. Telecom carrier: No; 11. Network infrastructure: No; 12. Hardware and physical devices: No; 13. Software licensing (excluding SaaS): No; 14. ICT operation management (including maintenance): No; 15. ICT consulting: No; 16. ICT risk management: No; 17. Cloud services, IaaS: No; 18. Cloud services, PaaS: No; 19. Cloud services, SaaS: Yes |
| 2-5 | RTS on policy | Art. 6(1)(a) | Please describe the services provided by you, including your service levels (SLA) and pricing, and attach documentation demonstrating your general compliance with service targets. Your description should also include an explanation of your infrastructure (if cloud services are included in the services), with details on reliability, scalability and implemented security measures. | The services provided by BitaBIZ are described on our website at http://www.bitabiz.com and on our Privacy Page at http://www.openli.com, to which we provide access and which contains all relevant information about our services. Pricing and Terms of Use are available on our website. Our entire infrastructure runs on Microsoft Azure; for details we refer to our Privacy Page at http://www.openli.com. |
| 2-6 | RTS on policy | Art. 6(1)(b) | Please provide a list of your subcontractors and the services each subcontractor provides. | Our subprocessors (subcontractors) are listed in our standard DPA, which is based on the Danish Data Protection Authority's model, and are available on our website and on our Privacy Page at www.openli.com. |
| 2-7 | RTS on policy | Art. 6(1)(c) | Please provide a list of the locations from which your service(s) are delivered, including where data is stored or processed, specified for each individual service. In addition, please provide details of your own location as well as your parent company (if any). | BitaBIZ's standard cloud-based SaaS solution is delivered from Microsoft Azure's data centres in Western Europe. Details regarding BitaBIZ's location, etc., are provided under the main supplier. |
| 2-8 | RTS on policy | Art. 6(1); Art. 6(1)(a) | Please describe your experience with the customer's business area (insurance and pensions) and provide a list of your customers within that sector. | BitaBIZ's standard HR service is based on Danish and EU legislation and does not require experience within specific business areas. BitaBIZ serves all business sectors in relation to time tracking and holiday/absence management. |
| 2-9 | RTS on policy | Art. 6(1); Art. 6(1)(a) | Please describe how you continuously ensure the training and upskilling of your employees in current ICT and cybersecurity trends. | BitaBIZ uses external consultants and our account managers at suppliers such as Microsoft Denmark to keep our knowledge in this area up to date. |
| 2-10 | RTS on policy | Art. 6(1); Art. 6(1)(a) | Please describe any material complaints, legal proceedings or sanctions (including those imposed by authorities) that you have received or been involved in within the past five years. | BitaBIZ has had no material complaints, legal proceedings or sanctions since its establishment in 2011. |
| 2-11 | RTS on policy | Art. 6(1); Art. 6(1)(a) | Please provide a list of the resources allocated to deliver the services, including a description of their roles and competencies (where relevant to the services). | BitaBIZ is a standard SaaS solution; no specific resources or competencies are allocated to individual services. |
| 2-12 | RTS on policy | Art. 6(1); Art. 6(1)(a) | Please document your compliance with applicable legislation, including GDPR, for example by means of audit reports. In addition, please describe how you ensure that personal data is processed exclusively within the EU and in secure third countries. | BitaBIZ holds an ISAE 3000 GDPR assurance statement audited by EY, which can be requested via our Privacy Page at www.openli.com. The safeguarding of personal data within the EU and secure third countries is documented on our Privacy Page at www.openli.com and in our Data Processing Agreement (DPA). |
| 2-13 | RTS on policy | Art. 6(1); Art. 6(1)(a) | Please document your financial situation (for example in the form of an annual report). | BitaBIZ's annual report is publicly available and can be downloaded from www.virk.dk. |
| 2-14 | RTS on policy | Art. 6(1)(a); Art. 6(2); Art. 28(5) (DORA) | Please document your information security policies and standards, including your internal controls. Please attach any relevant audit statements or certifications where available. | Policies are available via our web portal. |
| 2-15 | RTS on policy | Art. 6(1)(a); Art. 6(2) | Please describe how you identify, assess and manage ICT risks, and whether your risk management framework follows industry standards for comparable providers. Please also describe which internal control measures are in place to mitigate these risks. | BitaBIZ uses external consultants and our account managers at suppliers such as Microsoft Denmark to keep our knowledge in this area up to date. In addition, we use checklists based on ISO 27001 and SOC 2 to review all parts of our platform. |
| 2-16 | RTS on policy | Art. 6(1)(a) | Please describe how you stay up to date with technological developments relevant to the services, as well as the processes you have in place to identify and integrate leading ICT security practices. | BitaBIZ uses external consultants and our account managers at suppliers such as Microsoft Denmark to keep our knowledge in this area up to date. |
| 2-17 | RTS on policy | Art. 6(1); Art. 6(1)(a) | Please document your insurance arrangements that are relevant to the services you provide. | BitaBIZ is an efficient solution in which customers themselves are responsible for entering and maintaining their data. BitaBIZ serves customers of very different sizes, from very small companies to international groups; it is therefore up to the customers themselves to choose their insurance arrangements. |
| 2-18 | DORA Regulation | Art. 28(4)(e) | Please describe how you ensure that there are no, or do not arise, conflicts of interest in connection with the delivery of services. | BitaBIZ is a standard SaaS solution; therefore, conflicts of interest in relation to the delivery of services are not possible. |
| 2-19 | RTS on policy | Art. 6(2) | Please document your established business continuity plan and your backup plans. | Point-in-time backups are retained for one month and weekly backups for two months, using zone-redundant storage (ZRS) across three separate Azure data centres. Business continuity is based on the BitaBIZ platform running on Azure, with backups stored with Microsoft. |
| 2-20 | RTS on policy | Art. 6(1)(a) | Please document or provide a guarantee that you hold all necessary and legally required authorizations to deliver the services. | There are currently no Danish or international licensing requirements for delivering a SaaS HR solution. Section 13 (Warranty) of our Terms of Use states: "We warrant that BitaBIZ owns all rights to the SaaS Services and can enter into these Terms." |
| 2-21 | RTS on policy | Art. 6(1)(d) | Do you accept that the customer, designated third parties and competent authorities have an unrestricted right to conduct audits of you, including on-site audits? | This matter is covered by our standard Data Processing Agreement (DPA), which follows the Danish Data Protection Authority's standard approved by the EU. |
| 2-22 | RTS on policy | Art. 6(1)(e) | Please document that you act in an ethical and socially responsible manner, comply with human and children's rights, adhere to applicable principles of environmental protection, and ensure appropriate working conditions, including the prohibition of child labour. Please attach your internal policies and guidelines where available. | BitaBIZ is a 100% Danish company and operates in accordance with the norms and standards applicable in Denmark and Scandinavia. The services we provide are delivered at a very high technical level. BitaBIZ employs only highly educated and qualified employees. |
| 2-23 | RTS on policy | Art. 6(3) | Please describe your process for auditing your own operations as well as your subcontractors, including whether external auditors are used. | We use various tools to test and verify our security and procedures, including tools built into the Azure platform and tools provided by Microsoft, in addition to penetration testing. |
| 2-24 | General | General | Please attach a copy of your exit plan, if any. | We do not have a specific exit plan in relation to Microsoft Azure; however, we have previously used another hosting provider in Germany. |
| 4-2 | ITS | RT.05.01.0010 / RT.05.01.0020 | Please state your LEI code. If you do not have an LEI code, please provide one of the following codes (in order of priority): 1. CRN (Corporate Registration Number; for Danish companies this is your CVR number); 2. VAT (VAT number); 3. PNR (Passport Number); 4. NIN (National Identity Number). | LEI code: / If no LEI code is available: |
