SOC 2 Reports. (i) In addition to its other obligations under this Section 9.8, Successful Respondent shall cause a Service Organization Controls 2 Report, type 2, ("SOC 2 Report") (SOC 2: Attestation Standards, Section 101 of the AICPA Codification Standards (AT Section 101). "Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2)", as published by the AICPA in 2011) to be conducted by an independent, nationally recognized public accounting firm qualified to perform such audits at least annually, prepared in accordance with the relevant and current standards. The Successful Respondent acknowledges that each such SOC 2 Report shall cover Successful Respondent's policies, procedures, controls and systems for twelve (12) months of Successful Respondent's performance of the Services, in accordance with the State fiscal year (and each successive twelve (12) month period thereafter), and in particular those policies, procedures, controls and systems applicable to an audit of Successful Respondent's customers. Prior to initiating any such SOC 2 Report, Successful Respondent shall confer with DIR as to the scope and timing of each SOC 2 Report and shall accommodate DIR's requested modifications (if any) for each such SOC 2 Report to the extent reasonably practicable.
(ii) Successful Respondent shall cause its Subcontractors performing the Services to allow SOC 2 Reports on their policies, procedures, controls and systems that complement the SOC 2 Report performed pursuant to clause (i) above, when requested by Successful Respondent, DIR, Customers, Texas State Auditor’s Office, and other entities authorized by DIR. If Successful Respondent is unable to cause its Subcontractors to conduct such SOC 2 Reports or chooses to conduct the SOC 2 Reports of such complementary policies, procedures, contracts and systems itself, then Successful Respondent shall engage an independent, nationally recognized public accounting firm to perform such audits of its Subcontractors to ensure that the policies, procedures, controls and systems of the Subcontractor complement those of Successful Respondent. For purposes of this clause (ii), the term "complement" shall mean that the policies, procedures, controls and systems of the Subcontractors, when taken as a whole in combination with the policies, procedures, controls and systems of Successful Respondent, represent the entire control environment under this Agreement.
(iii) Unless otherwise agreed by the Parties, such report shall be conducted so as to result in an annual final report dated as of each December 31st or such date that represented the end of the Successful Respondent’s fiscal year during the Term with a copy of such final report provided by Successful Respondent to DIR and DIR Auditors ten (10) days from the date Successful Respondent receives the final report from the external firm. DIR and such DIR Auditors and DIR Customers shall (i) only use the SOC 2 Reports on behalf of DIR and DIR Customers, and (ii) not further disclose such SOC 2 Reports to any person or entity other than DIR Customers, except pursuant to Section 13.1(iv) below. In all events, each report delivered by such date shall be unqualified and Successful Respondent shall respond to such report in accordance with Section 9.8(g). In addition, within ten (10) Business Days of DIR's written request to Successful Respondent, Successful Respondent shall provide a letter to DIR signed by an officer of Successful Respondent certifying that there has been no change in the policies, procedures, controls and systems of Successful Respondent since the date of the most recent SOC 2 Report.
(iv) To the extent DIR provides reasonable notice and requests that, in addition to the SOC 2 Reports described in clauses (i) and (ii) above, Successful Respondent conduct a DIR-specific SOC 2 Report, Successful Respondent shall, at DIR's expense, cause such DIR-specific SOC 2 Report to be performed by a nationally recognized public accounting firm qualified to perform such Report; provided, however, that Successful Respondent timely notifies DIR of such expense, obtains DIR's prior written approval and uses commercially reasonable efforts to minimize such expense. A copy of the final report of each such DIR-specific SOC 2 Report shall be delivered to DIR by Successful Respondent ten (10) days from the date Successful Respondent receives the final audit report from the external firm. If Successful Respondent undertakes additional or different SOC 2 Reports (other than customer-specific audits requested and paid for by other Successful Respondent customers), Successful Respondent shall accord DIR the rights described in clause (i) above with respect to such reports. To the extent DIR provides reasonable notice and requests that, in addition to the SOC 2 Reports described in clauses (i) and (ii) above, DIR may, in coordination with the DIR Auditors, conduct a DIR-specific SOC 2 Report on the services facility at or from which the Services are provided.
(v) During the period when SOC 2 Reports are performed under this Section 9.8(i), Successful Respondent shall provide DIR with periodic updates on the status of such reports and any issues that are specific to DIR or that are reasonably anticipated to impact in any material respect the control environment under this Agreement. Upon completion of any such SOC 2 Report that identifies any significant deficiency or material weakness, Successful Respondent shall prepare and implement a corrective action plan to correct any such deficiency or resolve any problem identified from such SOC 2 Report specific to DIR or that impacts in any material respect the control environment under this Agreement. A copy of the corrective action plan shall be provided to DIR within thirty (30) days following the discovery of such deficiency or problem. If the SOC 2 Report shows a control issue that is specific to DIR or that impacts in any material respect the control environment under this Agreement (a "Control Deficiency") that has not theretofore been corrected or properly mitigated and such failure to mitigate the Control Deficiency leads to a qualified opinion being issued by Successful Respondent's auditor, then Successful Respondent's failure to promptly remedy the Control Deficiency will be deemed a material breach of this Agreement triggering a termination right for DIR under Section 20.1.
(vi) If Successful Respondent is unable to timely deliver to DIR any report described in this Section 9.8(i) that does not identify any significant deficiency or material weakness, Successful Respondent shall (A) provide a certificate from an officer of Successful Respondent to DIR certifying, on the date such report is delivered, or is otherwise due to be delivered, the circumstances giving rise to any delay in delivering such report, (B) promptly take such actions as deemed necessary by DIR to resolve such circumstances and deliver such report as promptly as practicable thereafter, and (C) permit DIR and the DIR Auditors (or their agents), at Successful Respondent's expense, to perform such procedures and testing of the operating effectiveness of Successful Respondent's policies, procedures, controls and systems for the period otherwise covered by such report.
Sources: Master Services Agreement