DORA Addendum

This DORA Addendum supplements the Balsamiq Terms of Service or other agreement under which Balsamiq provides access to our cloud-based products and services.

1. Introduction & classification

DORA (Digital Operational Resilience Act) is a European law focused on operational resilience of financial institutions and the ICT services they use.

This Addendum applies only to Balsamiq Cloud, our cloud-based SaaS product.

This Addendum does not apply to:

  • Balsamiq Wireframes for Desktop, which is locally installed, customer-operated software and therefore not an ICT service under DORA.
  • The Balsamiq for Jira and Balsamiq for Confluence integrations, which run on Atlassian’s cloud infrastructure. For these products, Atlassian is the ICT third-party service provider under DORA.

Balsamiq Cloud is used for ideation, communication, and documentation within product and design workflows. Balsamiq does not perform operational activities for financial institutions or support any “critical or important functions” under Article 3(22) of Regulation (EU) 2022/2554.

Balsamiq is therefore classified as a non-critical ICT third-party service provider under DORA.

This Addendum provides the contractual information required under Article 30 (Key Contractual Provisions) for non-critical ICT services and may be used for due-diligence assessments in place of proprietary questionnaires.

2. Scope of DORA obligations for vendors

Most obligations under DORA apply to financial entities themselves, not to ICT providers.

Only the baseline contractual elements of Article 30 apply to non-critical providers such as Balsamiq.

✅ What applies to Balsamiq

  • High-level security and data protection commitments
  • Data location disclosure
  • Subprocessor transparency
  • Incident notification to customers
  • Cooperation with customer-led incident assessments
  • Access, export, and deletion of customer data
  • Reasonable exit and termination support
  • Clear description of services

❌ What does not apply

The following DORA obligations apply only to financial entities and/or critical ICT providers:
  • ICT third-party risk strategy and governance (Article 28)
  • Register of information on ICT contractual arrangements (Article 28(3))
  • Classification of critical or important functions
  • Notification to supervisory authorities
  • Oversight of critical ICT providers (Articles 31–39)
  • Concentration-risk assessment (Article 29)
  • Multi-vendor strategy
  • Conflicts-of-interest assessment
  • Due-diligence duties imposed on financial entities
These obligations do not transfer to Balsamiq.

3. How Balsamiq meets the applicable DORA requirements (Article 30)

Each Article 30 requirement is listed below, followed by how Balsamiq meets it.

Requirement: Description of ICT services
Balsamiq Cloud enables teams to create, edit, store, and share wireframes and design documentation.

Descriptions of functionality, technical requirements, and customer responsibilities are available in the Terms of Service, Privacy Policy, and product documentation.

Requirement: Locations for data hosting and processing
Balsamiq Cloud stores customer data in AWS data centers located in:
  • United States, or
  • European Union (Ireland)
Enterprise plan customers may choose their data storage location.

A current list of subprocessors is maintained in our Privacy Policy (third-party vendors).

Material changes to subprocessors or hosting locations are communicated as required by applicable law and our Privacy Policy.

Please note that we do not currently offer a standalone DPA.

Requirement: Availability, integrity, and confidentiality of data
Balsamiq implements industry-standard security practices, including:
  • SOC 2 Type II attestation (independent external audit)
  • Encryption in transit and at rest
  • Access control and least-privilege principles
  • Secure software development and vulnerability management
  • Business continuity and backup procedures
Our security and privacy commitments are further defined in the Terms of Service and Privacy Policy.

For details, request our SOC 2 report.

Requirement: Access, recovery, export, and deletion of customer data
During an active subscription: Customers can export project data (BMPR, PDF, PNG, and other formats) at any time through standard product functionality.

Upon account closure or termination: Customer data is deleted in accordance with Balsamiq’s retention schedule, typically within 30 days of account closure. Backup data and logs may persist for up to 90 days before permanent deletion.

Our customer data commitments are further defined in the Terms of Service and Privacy Policy.

Requirement: Service level descriptions
Balsamiq Cloud service levels and support commitments are described in the Terms of Service. For customers with a cloud-based Enterprise plan, we offer specific Enterprise SLAs covering uptime and support commitments.

We also maintain a public status page.

Requirement: Incident notification and assistance
If an incident affects the confidentiality, integrity, or availability of customer data, Balsamiq will:
  1. Notify the customer without undue delay (typically within 72 hours of confirmation).
  2. Provide reasonably requested information needed for the customer’s own assessments.
  3. Provide reasonably requested information on how the incident was managed and resolved.

Requirement: Cooperation with competent authorities
Where required by applicable law, Balsamiq will reasonably cooperate with EU financial regulators or supervisory authorities regarding information relevant to the customer’s use of Balsamiq Cloud, to the extent such information is accessible to Balsamiq.

Requirement: Termination rights
Customers may terminate their Balsamiq Cloud subscription at any time in accordance with our Terms of Service.

This means customers already have the contractual right to discontinue use of Balsamiq Cloud whenever required, including if a regulator instructs them to stop using the service under DORA or if continued use presents unacceptable ICT or operational risk.

Requirement: Reasonable exit assistance
Upon termination, Balsamiq will:
  • Provide reasonable notice of termination, usually via email or in-product message.
  • Provide customers the ability to export project data before access ends.
  • Delete customer data according to our retention schedule.
No custom or extended migration support is provided.

4. Additional security and compliance information

See our legal resource center or request our SOC 2 report for details.

Security

  • SOC 2 Type II attestation (independent external audit)
  • Encryption in transit and at rest
  • Access control and least-privilege principles
  • Secure development and change-management practices
  • Vendor risk management program

Data protection

  • GDPR compliant
  • Subprocessor list publicly available in our Privacy Policy

Payments

  • Balsamiq does not store, process, or transmit cardholder data
  • All Balsamiq Cloud and Balsamiq for Desktop payments are handled by Stripe, a PCI DSS Level 1 service provider
  • All Balsamiq for Jira and Balsamiq for Confluence payments are handled by Atlassian, which is PCI DSS compliant

Business continuity & resilience

  • High-availability cloud architecture
  • Redundant infrastructure
  • Backups and recovery procedures
  • Documented business continuity processes

Incident response

  • Formal incident response plan
  • Monitoring and alerting
  • Customer notification for relevant incidents

5. Contact for regulatory or due-diligence inquiries

Please refer to the resources on this page as you fill out your security and compliance forms.

If you have additional questions, you can contact us at support@balsamiq.com.
