DORA Compliance | CTELO

DORA

This document describes how Ctelo supports financial-sector customers, including insurance companies, in meeting their obligations under the EU Digital Operational Resilience Act (DORA) when using our cloud-based telephony services.

This statement complements and references the following contractual documents:

  • Terms & Conditions

  • Service Level Agreement (SLA)

  • Privacy Statement

Ctelo DORA Compliance

While Ctelo is not directly regulated under DORA, our cloud telephony services and contractual framework are designed to support financial-sector customers in meeting DORA requirements related to:

  • ICT risk management

  • Operational resilience

  • Incident handling

  • Data governance

  • Third-party oversight

Regulatory Position

Ctelo is not a regulated financial entity under DORA.

We provide cloud-based telephony services and may act as a third-party ICT provider to customers that are subject to DORA. Our services and contractual commitments are designed to support customers’ operational resilience and third-party risk management obligations.

Service Overview

The service delivered is a cloud telephony platform, providing voice communication and related support functionality.

The service:

  • Is delivered as a managed cloud service

  • Does not replace core insurance systems

  • Supports customer communication and service operations

Operational Resilience & Availability

Service availability, uptime commitments, support response times, and service credits are formally defined in the Service Level Agreement (SLA).

The SLA includes:

  • Guaranteed service availability targets

  • Support hours and escalation routines

  • Incident response and resolution timelines

  • Planned maintenance handling

These measures support operational resilience expectations under DORA.

Incident Management & Customer Notification

Incident handling processes, including detection, response, escalation, and customer communication, are defined in the Terms & Conditions and SLA.

In the event of incidents impacting availability, confidentiality, or integrity of services:

  • Customers are notified without undue delay

  • Incidents are handled according to documented routines

  • Corrective and preventive actions are applied where necessary

Data Handling & Privacy

Processing of customer and end-user data is governed by the Privacy Statement.

Key principles include:

  • Data minimization

  • Purpose limitation

  • Secure processing

  • Maximum data retention period of 3 months for support purposes, unless otherwise contractually required

  • Secure and permanent deletion after retention expiry

These practices align with GDPR and support DORA-related data governance expectations.

Information Security

Information security obligations and controls are described in the Terms & Conditions and supporting internal policies.

These include:

  • Access control and authorization mechanisms

  • Secure authentication

  • Protection of data in transit and at rest where applicable

  • Logging and monitoring of system access

Cloud & Subcontractor Management

The telephony service is delivered using cloud infrastructure and selected subcontractors.

Responsibilities, limitations, and risk management related to subcontractors are defined in the Terms & Conditions.


Ctelo remains responsible toward customers for service delivery in accordance with contractual commitments.

Audit & Customer Assurance

Customers may request reasonable information necessary for supplier risk assessments, as permitted under the Terms & Conditions.

This includes:

  • Confirmation of contractual commitments

  • Clarification of service scope and responsibilities

  • Support for regulatory or internal audits, subject to confidentiality and proportionality
