What DORA requires from your voice AI vendor

The five DORA requirements your voice AI vendor must document — mapped to PolyAI's controls and the evidence available to buyers.

Brady Walker, Senior Content Marketing Manager

DORA's Articles 28–30 specify exactly what a financial entity must verify in a third-party ICT provider before contracting — and throughout the relationship. Five requirements. All documentable. The following maps each one to PolyAI's controls and the evidence available to qualified buyers.

Scope

This covers the third-party ICT risk requirements under Articles 28–30 of the Digital Operational Resilience Act, enforceable since January 17, 2025. It does not cover the full DORA obligation set for financial entities — your legal team owns that. What it covers: the specific controls your voice AI vendor must demonstrate for you to satisfy your third-party ICT risk register requirements.

DORA does not certify vendors. The obligation sits with the financial entity. Your vendor's controls either make your DORA posture achievable or they don't.

The five requirements

Articles 28–30 break into five verifiable categories for third-party ICT providers:

  1. Formal ICT risk management program — A documented, reviewed risk register with annual risk reviews at minimum.
  2. Incident notification within 48 hours — On identification of a security incident, the vendor must notify affected customers within 48 hours, with post-incident analysis to follow.
  3. Operational resilience testing — Annual third-party penetration testing, incident response drills, and BCP/DR testing, each documented and available on request.
  4. Sub-processor transparency — A current sub-processor list, with flow-down security and data residency provisions in all sub-processor contracts.
  5. Contractual provisions — Audit rights, exit strategy provisions, and documented data return and deletion procedures on termination.

PolyAI's control stack, mapped

| DORA requirement | PolyAI control | Verification path |
| --- | --- | --- |
| ICT risk management program | ISO/IEC 27001:2022 certified (certificate IS 739102, BSI); formal risk register maintained and reviewed annually; board-level ISMS governance with CEO direct ownership | ISO 27001 certificate via Vanta Trust Centre (NDA-gated) |
| 48-hour incident notification | Formal incident response program; customer notification within 48 hours of incident identification; post-incident analysis within 24 hours; structured escalation path to executive level | Security Schedule available on request; Incident Response Plan in Vanta policy inventory |
| Operational resilience testing | Annual third-party penetration testing; yearly incident response drills; BCP/DR tested annually; 99.9% contracted SLA (99.994% actual, trailing 12 months); RTO/RPO: 24 hours | Penetration test results on request; availability controls covered in SOC 2+ Type 2 report |
| Sub-processor transparency | Sub-processor list maintained and published via Vanta; annual vendor security reviews; flow-down provisions in all sub-processor contracts | Full sub-processor list via Vanta Trust Centre (NDA-gated) |
| Contractual provisions | Third-Party Management Policy approved in Vanta; contractual obligations documented across all sub-processors | SOC 2+ Type 2 report; Security Schedule on request |

Certifications underpinning the table

ISO/IEC 27001:2022. Certificate IS 739102, issued by BSI. Certified continuously since 2022; transitioned to the 2022 standard in January 2024. The February 2025 surveillance audit returned a clean opinion with zero major nonconformities.

SOC 2+ Type 2. Audited by Moss Adams LLP. Full 12-month period: February 2024 to January 2025. Clean, unqualified opinion covering Security, Availability, and Confidentiality Trust Services Criteria, plus HIPAA Security Rule requirements within the same report.

PCI DSS 4.0.1. Current certification against PCI DSS version 4.0.1. Applicable to payment-handling voice agent deployments.

GDPR Ready. EU data residency available in Ireland. Directly relevant for EU-domiciled deployments within DORA's scope.

Cyber Essentials Plus. The UK government-backed standard; relevant for UK-regulated financial entities.

Data residency

PolyAI operates dedicated instances in four regions: United States, United Kingdom, Ireland (EU), and Singapore. EU-regulated financial entities can deploy with EU data residency in Ireland, satisfying data localization requirements under both GDPR and DORA.

For organizations with strict data sovereignty requirements, PolyAI supports Private Cloud (VPC) and Hybrid/Customer Dedicated deployment configurations in addition to the standard public cloud option.

Still curious? Read this guide to learn why domain-specialist LLMs are more secure than publicly available generalist models like those from Anthropic, OpenAI, and Google.