JustOn and DORA
Since January 17, 2025, the Digital Operational Resilience Act (DORA) has been mandatory for the European financial sector. A legitimate question from our customers is whether and how JustOn should be classified as an ICT service provider under DORA. The short answer: JustOn does not fall under this regulation as an ICT service provider. Below we explain why.
- What DORA regulates
- DORA is primarily aimed at financial entities – banks, insurance companies, payment service providers, and similar institutions. In addition, information and communication technology (ICT) service providers that deliver IT services to financial entities may also be regulated. An ICT third-party service provider under DORA is defined as an entity that continuously operates ICT services, provides its own infrastructure or platform for the customer, and processes customer data on it (DORA Art. 3 No. 21). Software vendors without their own operations are explicitly excluded.
- JustOn's deployment model
- JustOn develops and distributes software applications for the Salesforce platform. Specifically, this means: The software is installed in the customer's Salesforce environment and runs entirely on Salesforce infrastructure. JustOn does not operate its own infrastructure for customers and does not host any customer data. JustOn delivers software code, licenses, and support – not the ongoing operation of an ICT environment.
This fundamentally distinguishes JustOn from a cloud operator or platform provider. The model is most comparable to a software add-in that is operated entirely under the customer's responsibility and infrastructure.
- The right contact: Salesforce
- As the operator of the underlying platform and infrastructure, Salesforce is the relevant ICT third-party service provider under DORA. For questions about reporting obligations for security incidents, emergency management, recovery plans, and cybersecurity measures, financial entities should therefore contact Salesforce. Salesforce provides its own DORA documentation for this purpose.
- What JustOn can provide
- Even though JustOn is not classified as an ICT third-party service provider under DORA, we are happy to support our customers in a spirit of partnership. We provide information about quality and security standards in our development process, communicate transparently about update and release processes, specify support SLAs and response times for critical issues, and are willing to review contractual clauses that accurately reflect our role as a software vendor.