Common use of Ability to Influence the Online Services and Programs – Suggestions for Additional Testing Clause in Contracts

Ability to Influence the Online Services and Programs – Suggestions for Additional Testing. Microsoft will provide each Member with advanced details on existing and future certifications, audit plans and scope and will solicit feedback on any potential changes to current certifications. For each Microsoft audit, 100% of the existing controls in scope for that audit type will be subject to testing by the auditor, and the expectation is that all controls for each audit scope will be tested within a 3-year audit cycle. As part of the FSI Customer Compliance Program, each Member may suggest additional controls to be included in a future audit scope. Microsoft will consider each such suggestion and, if not accepted, will provide a reasoned basis for refusal. For any given audit cycle, across all suggestions from all Members, Microsoft will include a minimum of five Member-specified controls (from the existing control set) in the audit instructions and will inform the auditor that these controls were selected by the Members. Compliance with these controls will be validated using tests that are consistent with the type of audit (e.g., ISO or SSAE) undertaken. If the total number of Members in the FSI Customer Compliance Program exceeds 15, Microsoft will establish an executive committee (“Executive Committee”). For a given audit cycle, the Executive Committee will determine the five controls described above on behalf of all Members. Microsoft may, at its discretion, include additional controls requested by Members. The Executive Committee will be comprised of at least one representative from each key regulated market with a participant in the FSI Customer Compliance Program. If there are multiple Members from a given market, the Executive Committee member for that market will be determined by (1) majority agreement among the Members from that market that have more than 10,000 active seats in the Office 365 Services or more than US$500,000.00 annual commitment of Microsoft Azure Core Services, or (2) a regulator having authority over all Members from that market. The key regulated markets shall, at a minimum, include Canada, United States, United Kingdom, France, Germany, Japan and Italy. Microsoft may add key regulated markets or increase the number of Members on the Executive Committee only in consultation with all Members. For clarity, nothing in this section precludes Members from requesting that new controls or additional details for a given product, feature or Online Service be included in the roadmap for future audits. Microsoft will consider each such request and, if not accepted, will provide a reasoned basis for refusal.