ASSESSMENTS AND AUDITS. (a) OneStream will, at least annually, cause an independent third-party provider to conduct penetration tests of the then-current release and version of the Software. OneStream will remediate any critical vulnerability revealed by such penetration test within 30 days after receipt of the report identifying such vulnerability.
(b) OneStream will, at least annually, cause a third party to perform an audit of OneStream’s own systems used to process Customer Data, as contemplated by Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and produce a Service Organization Control 2 Type II report (each an “Audit Report”) of such audit’s findings.
(c) OneStream will make available to Customer each Audit Report upon request, subject to Customer’s undertaking of such confidentiality obligations as the auditor requires.
(d) OneStream will promptly address any deficiency identified in an Audit Report.
(e) OneStream will make available to Customer such audit results and similar security information as OneStream is entitled to receive from its vendors and contracting parties that bear on the processing of Customer Data, including, but not limited to, such audit results as are available from its service providers. Where any such vendor or contracting party imposes confidentiality or non-use restrictions on such information, Customer will comply with such restrictions and will, if required, execute and deliver to such auditor any undertaking of confidentiality that the auditor requires.
(f) Customer may audit OneStream’s own books, records, and facilities as follows.
(i) Any such audit will be subject to a mutually agreed written scope. No audit scope will include any matter covered by the then-current Audit Report unless that matter is subject to a finding by the auditor in the Audit Report of non-conformity with the management statements underlying the Audit Report.
(ii) Any such audit will take place with at least 10 business days’ notice and be conducted in a manner reasonably calculated to avoid or minimize disruptions to OneStream’s operations and the operations of OneStream’s other customers.
(iii) Customer will bear all costs of such audits.
(iv) Customer may engage a qualified third party to conduct the audit, provided that the third party undertakes confidentiality obligations to OneStream that are at least as robust as those contained in this Agreement.
(v) OneStream will use commercially reasonable efforts to facilitate each audit and cooperate with Customer, including, within the agreed scope of the audit, access to equipment, applications, and systems used by OneStream and OneStream personnel.
Appears in 3 contracts
Samples: Saas Agreement, Service Agreement, Saas Agreement
ASSESSMENTS AND AUDITS. (a) OneStream will, at least semi-annually, cause an independent third-party provider to conduct penetration tests of the then-current release and version of the Service. Upon OneStream validation, OneStream will remediate vulnerabilities within timelines which are in accordance with NIST 800-53 guidelines.
(b) OneStream will, at least annually, cause a third party to perform an audit of OneStream’s authorized FedRAMP boundary, which will follow standard FedRAMP guidelines, subject to OneStream’s FedRAMP authorization.
(c) OneStream will make its FedRAMP audit report available to federal government Customers in accordance with standard distribution procedures.
(d) OneStream will promptly address any deficiency identified in an Audit Report.
(e) OneStream will make available to Customer such audit results and similar security information as OneStream is entitled to receive from its vendors and contracting parties that bear on the processing of Customer Data, including, but not limited to, such audit results as are available from its service providers. Where any such vendor or contracting party imposes confidentiality or non-use restrictions on such information, Customer will comply with such restrictions and will, if required, execute and deliver to such auditor any undertaking of confidentiality that the auditor requires.
(f) Customer may audit OneStream’s own books, records, and facilities as follows.
(i) Any such audit will be subject to a mutually agreed written scope. No audit scope will include any matter covered by the then-current Audit Report unless that matter is subject to a finding by the auditor in the Audit Report of non-conformity with the management statements underlying the Audit Report.
(ii) Any such audit will take place with at least 10 business days’ notice and be conducted in a manner reasonably calculated to avoid or minimize disruptions to OneStream’s operations and the operations of OneStream’s other customers.
(iii) Customer will bear all costs of such audits.
(iv) Customer may engage a qualified third party to conduct the audit, provided that the third party undertakes confidentiality obligations to OneStream that are at least as robust as those contained in this Agreement.
(v) OneStream will use commercially reasonable efforts to facilitate each audit and cooperate with Customer, including, within the agreed scope of the audit, access to equipment, applications, and systems used by OneStream and OneStream personnel.
Appears in 1 contract
Samples: Saas Agreement
ASSESSMENTS AND AUDITS. (a) OneStream will, at least annually, cause an independent third-party provider to conduct penetration tests of the then-current release and version of the Software on a similar environment.
(b) OneStream will cause a third party to perform a Standards for Attestation Engagements No. 18 (SSAE 18) audit, or any successor authoritative guidance for reporting on service organizations, at least once a year during the term of this Agreement, and will make available to Customer, at least annually, a copy of the reports OneStream receives related to compliance with SSAE 18 (e.g., SOC 1 Type II, SOC 2 Type II).
(c) In an effort to maintain its FedRAMP authorization, OneStream will engage an accredited third-party assessment organization (“3PAO”) at least annually to assess the security controls of the Service to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements per FedRAMP guidelines. OneStream will make available to Customer a copy of the security assessment report that documents the results of the assessment.
(d) OneStream will make available to Customer each Audit Report upon request, subject to Customer’s undertaking of such confidentiality obligations as the auditor requires.
(d) OneStream will promptly address any deficiency identified in an Audit Report.
(e) OneStream will make available to Customer such audit results and similar security information as OneStream is entitled to receive from its vendors and contracting parties that bear on the processing of Customer Data, including, but not limited to, such audit results as are available from its service providers. Where any such vendor or contracting party imposes confidentiality or non-use restrictions on such information, Customer will comply with such restrictions and will, if required, execute and deliver to such auditor any undertaking of confidentiality that the auditor requires.
(f) OneStream acknowledges that Customer may be required to conduct regular due diligence of its suppliers, and OneStream, in its role as a supplier, will use commercially reasonable efforts to cooperate with third-party assessments requested by Customer, with 30 days’ written notice, as it relates to Service(s) performed. Any such audit will be subject to a mutually agreed upon written scope. No audit scope will include any matter covered by the then-current Audit Report unless that matter is subject to a finding by the auditor in the Audit Report of non-conformity with the management statements underlying the Audit Report.
(ii) Any such audit will take place with at least 10 business days’ notice and be conducted in a manner reasonably calculated to avoid or minimize disruptions to OneStream’s operations and the operations of OneStream’s other customers.
(iii) Customer will bear all costs of such audit.
(iv) Customer may engage a qualified third party to conduct the audit, provided that the third party undertakes confidentiality obligations to OneStream that are at least as robust as those contained in this Agreement.
(v) OneStream will use commercially reasonable efforts to facilitate each audit and cooperate with Customer, including, within the agreed scope of the audit, access to equipment, applications, and systems used by OneStream and OneStream personnel.
Appears in 1 contract
Samples: Fedramp Saas Agreement
ASSESSMENTS AND AUDITS. (a) OneStream will, at least semi-annually, cause an independent third-party provider to conduct penetration tests of the then-current release and version of the Service. Upon OneStream validation, OneStream will remediate vulnerabilities within timelines which are in accordance with NIST 800-53 guidelines.
(b) OneStream will, at least annually, cause a third party to perform an audit of OneStream’s authorized FedRAMP boundary, which will follow standard FedRAMP guidelines, subject to OneStream’s FedRAMP authorization.
(c) OneStream will make its FedRAMP audit report available to federal government Customers in accordance with standard distribution procedures.
(d) OneStream will promptly address any deficiency identified in an Audit Report.
(e) OneStream will make available to Customer such audit results and similar security information as OneStream is entitled to receive from its vendors and contracting parties that bear on the processing of Customer Data, including, but not limited to, such audit results as are available from its service providers. Where any such vendor or contracting party imposes confidentiality or non-use restrictions on such information, Customer will comply with such restrictions and will, if required, execute and deliver to such auditor any undertaking of confidentiality that the auditor requires.
(f) Customer may audit OneStream’s own books, records, and facilities as follows.
(i) Any such audit will be subject to a mutually agreed written scope. No audit scope will include any matter covered by the then-current Audit Report unless that matter is subject to a finding by the auditor in the Audit Report of non-conformity with the management statements underlying the Audit Report.
(ii) Any such audit will take place with at least 10 business days’ notice and be conducted in a manner reasonably calculated to avoid or minimize disruptions to OneStream’s operations and the operations of OneStream’s other customers.
(iii) Customer will bear all costs of such audits.
(iv) Customer may engage a qualified third party to conduct the audit, provided that the third party undertakes confidentiality obligations to OneStream that are at least as robust as those contained in this Agreement.
(v) OneStream will use commercially reasonable efforts to facilitate each audit and cooperate with Customer, including, within the agreed scope of the audit, access to equipment, applications, and systems used by OneStream and OneStream personnel.
Appears in 1 contract
Samples: Saas Agreement
ASSESSMENTS AND AUDITS. (a) OneStream will, at least annually, cause an independent third-party provider to conduct penetration tests of the then-current release and version of the Software on a similar environment.
(b) OneStream will cause a third party to perform a Standards for Attestation Engagements No. 18 (SSAE 18) audit, or any successor authoritative guidance for reporting on service organizations, at least once a year during the term of this Agreement, and will make available to Customer, at least annually, a copy of the reports OneStream receives related to compliance with SSAE 18 (e.g., SOC 1 Type II, SOC 2 Type II).
(c) In an effort to maintain its FedRAMP authorization, OneStream will engage an accredited third-party assessment organization (“3PAO”) at least annually to assess the security controls of the Service to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements per FedRAMP guidelines. OneStream will make available to Customer a copy of the security assessment report that documents the results of the assessment.
(d) OneStream will make available to Customer each Audit Report upon request, subject to Customer’s undertaking of such confidentiality obligations as the auditor requires.
(d) OneStream will promptly address any deficiency identified in an Audit Report.
(e) OneStream will make available to Customer such audit results and similar security information as OneStream is entitled to receive from its vendors and contracting parties that bear on the processing of Customer Data, including, but not limited to, such audit results as are available from its service providers. Where any such vendor or contracting party imposes confidentiality or non-use restrictions on such information, Customer will comply with such restrictions and will, if required, execute and deliver to such auditor any undertaking of confidentiality that the auditor requires.
(f) OneStream acknowledges that Customer may be required to conduct regular due diligence of its suppliers, and OneStream, in its role as a supplier, will use commercially reasonable efforts to cooperate with third-party assessments requested by Customer, with 30 days’ written notice, as it relates to Service(s) performed. Any such audit will be subject to a mutually agreed upon written scope. No audit scope will include any matter covered by the then-current Audit Report unless that matter is subject to a finding by the auditor in the Audit Report of non-conformity with the management statements underlying the Audit Report.
(ii) Any such audit will take place with at least 10 business days’ notice and be conducted in a manner reasonably calculated to avoid or minimize disruptions to OneStream’s operations and the operations of OneStream’s other customers.
(iii) Customer will bear all costs of such audit.
(iv) Customer may engage a qualified third party to conduct the audit, provided that the third party undertakes confidentiality obligations to OneStream that are at least as robust as those contained in this Agreement.
(v) OneStream will use commercially reasonable efforts to facilitate each audit and cooperate with Customer, including, within the agreed scope of the audit, access to equipment, applications, and systems used by OneStream and OneStream personnel.
Appears in 1 contract
Samples: Onestream Xf Cloud Agreement