Certifications and Audits. (i) Microsoft has established and agrees to maintain a data security policy that complies with the ISO 27001 standards for the establishment, implementation, control, and improvement of the Information Security Management System and the ISO/IEC 27002 code of best practices for information security management (“Microsoft Online Information Security Policy”). On a confidential need-to-know basis, and subject to Customer’s agreement to non-disclosure obligations Microsoft specifies, Microsoft will make the Microsoft Online Information Security Policy available to Customer, along with other information reasonably requested by Customer regarding Microsoft security practices and policies. Customer is solely responsible for reviewing the Microsoft Online Information Security Policy, making an independent determination as to whether the Microsoft Online Information Security Policy meets Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security. (ii) Microsoft will audit the security of the computers and computing environment that it uses in processing Customer Data (including personal data) on the Microsoft Online Services and the physical data centers from which Microsoft provides the Microsoft Online Services. This audit: (1) will be performed at least annually; (2) will be performed according to ISO 27001 standards; (3) will be performed by third party security professionals at Microsoft’s selection and expense; (4) will result in the generation of an audit report (“Microsoft Audit Report”), which will be Microsoft’s confidential information; and (5) may be performed for other purposes in addition to satisfying this Section (e.g., as part of Microsoft’s regular internal security procedures or to satisfy other contractual obligations). 
(iii) If Customer requests in writing, Microsoft will provide Customer with a confidential summary of the Microsoft Audit Report (“Summary Report”) so that Customer can reasonably verify Microsoft’s compliance with the security obligations under this Amendment. The Summary Report is Microsoft confidential information. (iv) Microsoft will make good faith, commercially reasonable efforts to remediate (1) any errors identified in a Microsoft Audit Report that could reasonably be expected to have an adverse impact on Customer use of the Microsoft Online Services and (2) material control deficiencies identified in the Microsoft Audit Report. (v) The audit obligations described in Section 4b(i)-(iv) are made at Customer’s request to ensure regularity and consistency in the audit process and shall apply, without limitation, to processing of Customer Data (including personal data) by Microsoft Corporation for purposes of the Standard Contractual Clauses between Customer and Microsoft Corporation in full satisfaction of Customer’s rights as the data exporter under Clause 5 paragraph f and Clause 12 paragraph 2 of the Standard Contractual Clauses to conduct an audit of the data processing facilities used by Microsoft Corporation. To maintain such regularity and consistency, changes or additions to these audit obligations must be made pursuant to Standard Contractual Clauses. Microsoft Corporation is an intended third-party beneficiary of this Section 4b(v).
Appears in 1 contract
Sources: Microsoft Online Subscription Agreement/Open Program License Amendment
Certifications and Audits. (i) Microsoft has established and agrees to maintain a data security policy that complies with the ISO 27001 standards for the establishment, implementation, control, and improvement of the Information Security Management System and the ISO/IEC 27002 code of best practices for information security management (“Microsoft Online Information Security Policy”). On a confidential need-to-know basis, and subject to Customer’s agreement to non-disclosure obligations Microsoft specifies, Microsoft will make the Microsoft Online Information Security Policy available to Customer, along with other information reasonably requested by Customer regarding Microsoft security practices and policies. Customer is solely responsible for reviewing the Microsoft Online Information Security Policy, making an independent determination as to whether the Microsoft Online Information Security Policy meets Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security.
(ii) Microsoft will audit the security of the computers and computing environment that it uses in processing Customer Data (including personal data) on the Microsoft Online Office 365 Services and the physical data centers from which Microsoft provides the Microsoft Online Office 365 Services. This audit: (1) will be performed at least annually; (2) will be performed according to ISO 27001 standards; (3) will be performed by third party security professionals at Microsoft’s selection and expense; (4) will result in the generation of an audit report (“Microsoft Audit Report”), which will be Microsoft’s confidential information; and (5) may be performed for other purposes in addition to satisfying this Section (e.g., as part of Microsoft’s regular internal security procedures or to satisfy other contractual obligations).
(iii) If Customer requests in writing, Microsoft will provide Customer with a confidential summary of the Microsoft Audit Report (“Summary Report”) so that Customer can reasonably verify Microsoft’s compliance with the security obligations under this Office 365 DPA. The Summary Report is Microsoft confidential information.
(iv) Microsoft will make good faith, commercially reasonable efforts to remediate (1) any errors identified in a Microsoft Audit Report that could reasonably be expected to have an adverse impact on Customer use of the Microsoft Online Office 365 Services and (2) material control deficiencies identified in the Microsoft Audit Report.
(v) The audit obligations described in Section 4b(i)-(iv) are made at Customer’s request to ensure regularity and consistency in the audit process and shall apply, without limitation, to processing of Customer Data (including personal data) by Microsoft Corporation for purposes of the Standard Contractual Clauses between Customer and Microsoft Corporation in full satisfaction of Customer’s rights as the data exporter under Clause 5 paragraph f and Clause 12 paragraph 2 of the Standard Contractual Clauses to conduct an audit of the data processing facilities used by Microsoft Corporation. To maintain such regularity and consistency, changes or additions to these audit obligations must be made pursuant to Standard Contractual Clauses. Microsoft Corporation is an intended third-party beneficiary of this section 4b(v).
Appears in 1 contract
Sources: Office 365 Data Processing Agreement
Certifications and Audits. (i) Microsoft has established and agrees to maintain a data security policy that complies with the ISO 27001 standards for the establishment, implementation, control, and improvement of the Information Security Management System and the ISO/IEC 27002 code of best practices for information security management (“Microsoft Online Information Security Policy”). On a confidential need-to-know basis, and subject to Customer’s agreement to non-disclosure obligations Microsoft specifies, Microsoft will make the Microsoft Online Information Security Policy available to Customer, along with other information reasonably requested by Customer regarding Microsoft security practices and policies. Customer is solely responsible for reviewing the Microsoft Online Information Security Policy, making an independent determination as to whether the Microsoft Online Information Security Policy meets Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security.
(ii) Microsoft will audit the security of the computers and computing environment that it uses in processing Customer Data (including personal data) on the Microsoft Online Services and the physical data centers from which Microsoft provides the Microsoft Online Services. This audit: (a) will be performed at least annually; (b) will be performed according to ISO 27001 standards; (c) will be performed by third party security professionals at Microsoft’s selection and expense; (d) will result in the generation of an audit report (“Microsoft Audit Report”), which will be Microsoft’s confidential information; and (e) may be performed for other purposes in addition to satisfying this Section (e.g., as part of Microsoft’s regular internal security procedures or to satisfy other contractual obligations).
(iii) If Customer requests in writing, Microsoft will provide Customer with a confidential summary of the Microsoft Audit Report (“Summary Report”) so that Customer can reasonably verify Microsoft’s compliance with the security obligations under this Amendment. The Summary Report is Microsoft confidential information.
(iv) Microsoft will make good faith, commercially reasonable efforts to remediate (a) any errors identified in a Microsoft Audit Report that could reasonably be expected to have an adverse impact on Customer use of the Microsoft Online Services and (b) material control deficiencies identified in the Microsoft Audit Report.
(v) The audit obligations described in Section 4b(i)-(iv) are made at Customer’s request to ensure regularity and consistency in the audit process and shall apply, without limitation, to processing of Customer Data (including personal data) by Microsoft Corporation for purposes of the Standard Contractual Clauses between Customer and Microsoft Corporation in full satisfaction of Customer’s rights as the data exporter under Clause 5 paragraph f and Clause 12 paragraph 2 of the Standard Contractual Clauses to conduct an audit of the data processing facilities used by Microsoft Corporation. To maintain such regularity and consistency, changes or additions to these audit obligations must be made pursuant to Standard Contractual Clauses. Microsoft Corporation is an intended third-party beneficiary of this Section 4b(v).
Appears in 1 contract
Sources: Microsoft Online Subscription Agreement/Open Program License Amendment
Certifications and Audits. i. Microsoft has established and agrees to maintain a data security policy that complies with the ISO 27001 standards for the establishment, implementation, control, and improvement of the Information Security Management System and the ISO/IEC 27002 code of best practices for information security management ("Microsoft Online Information Security Policy"). On a confidential need-to-know basis, and subject to Company's agreement to non-disclosure obligations Microsoft specifies, Microsoft will make the Microsoft Online Information Security Policy available to Company, along with other information reasonably requested by Company regarding Microsoft security practices and policies. Company is solely responsible for reviewing the Microsoft Online Information Security Policy, making an independent determination as to whether the Microsoft Online Information Security Policy meets Company's requirements, and for ensuring that Company and Company's personnel and consultants follow the guidelines they are provided regarding data security.
ii. Microsoft will audit the security of the computers and computing environment that it uses in processing Customer Data (including personal data) on the Microsoft Online Office 365 Services and the physical data centers from which Microsoft provides the Microsoft Online Office 365 Services. This audit:
(a) will be performed at least annually; (b) will be performed according to ISO 27001 standards; (c) will be performed by third party security professionals at Microsoft's selection and expense; (d) will result in the generation of an audit report ("Microsoft Audit Report"), which will be Microsoft's confidential information; and (e) may be performed for other purposes in addition to satisfying this Section (e.g., as part of Microsoft's regular internal security procedures or to satisfy other contractual obligations).
iii. If Company requests in writing, Microsoft will provide Company with a confidential summary of the Microsoft Audit Report ("Summary Report") so that Company can reasonably verify Microsoft's compliance with the security obligations under this Office 365 Addendum. The Summary Report is Microsoft confidential information.
(iv) Microsoft will make good faith, commercially reasonable efforts to remediate (1) any errors identified in a Microsoft Audit Report that could reasonably be expected to have an adverse impact on Customer use of the Microsoft Online Services and (2) material control deficiencies identified in the Microsoft Audit Report.
(v) The audit obligations described in Section 4b(i)-(iv) are made at Customer’s request to ensure regularity and consistency in the audit process and shall apply, without limitation, to processing of Customer Data (including personal data) by Microsoft Corporation for purposes of the Standard Contractual Clauses between Customer and Microsoft Corporation in full satisfaction of Customer’s rights as the data exporter under Clause 5 paragraph f and Clause 12 paragraph 2 of the Standard Contractual Clauses to conduct an audit of the data processing facilities used by Microsoft Corporation. To maintain such regularity and consistency, changes or additions to these audit obligations must be made pursuant to Standard Contractual Clauses. Microsoft Corporation is an intended third-party beneficiary of this Section 4b(v).
Appears in 1 contract
Sources: Data Processing Agreement