Common use of Audit and Certifications Clause in Contracts

Audit and Certifications. Except as otherwise provided in the Data Protection Agreement set out in Appendix B hereto, the parties agree that the following audit provisions shall apply. Upon a 30-day written request (or shorter notice period where required by applicable law, an order of a supervisory authority, in the event of a data breach or as otherwise agreed between the parties), the Customer (or Permitted Auditor as defined below) has the right to conduct an annual, onsite audit (which must take place during normal business hours) of Secureworks’ controls for safeguarding Customer Data. Such audit must be limited to those processing activities and facilities which are directly involved in the processing of Customer Data. Any access to sensitive or restricted facilities is strictly prohibited – in accordance with regulatory restrictions on access to other customers’ data (although a Permitted Auditor shall be entitled to observe the security operations center via a viewing window) and Customer shall not (and must ensure that any Permitted Auditor shall not) allow any sensitive documents and/or details regarding Secureworks’ policies, controls and/or procedures to leave the Secureworks location at which the audit is taking place (whether in electronic or physical form). Customer must comply at all times with Secureworks’ relevant on site policies and procedures (as notified to Customer by Secureworks). The audit should not take longer than three business days, and if the audit exceeds this timeframe, the Customer will be required to pay for resources necessary to complete the audit. In this clause the term “Permitted Auditor” shall mean a third party appointed by the Customer which is bound by equivalent obligations of confidentiality to those set out in this MSA and is not a direct competitor of Secureworks. 
Secureworks reserves the right to require any Permitted Auditor to execute a confidentiality agreement with Secureworks prior to the commencement of an audit. Secureworks will on an annual basis, have an audit conducted by a reputable and experienced accounting firm in accordance with the Statement on Standards for Attestation Engagements (“SSAE”) , Reporting on Controls at a Service Organization, developed by the American Institute of Certified Public Accountants (“AICPA”), (the “Security Audit”) and have such accounting firm issue a Service Organization Control (“SOC”) 2 Type II Report (or substantially similar report in the event the SOC 2 Type II Report is no longer the industry standard) which will cover, at a minimum, the security policies, procedures and controls required by this MSA (the “Audit Report”). Upon Customer’s request, Secureworks will provide Customer a copy of Secureworks’ then current Audit Report. Customer acknowledges that the SOC 2 Type II, and/or any other information provided by Secureworks pertaining to Secureworks’ security controls, policies, procedures, etc. are considered Confidential Information of Secureworks and shall be treated by Customer in accordance with the terms and conditions of this MSA, including, but not limited to, Section 8. Secureworks is ISO 27001 certified.

Appears in 3 contracts

Samples: Secureworks Master Services Agreement – Belgium, Secureworks Master Services Agreement – Germany, Secureworks Master Services Agreement – Switzerland

Audit and Certifications. Except as otherwise provided in the Data Protection Agreement set out in Appendix B hereto, the parties agree that the following audit provisions shall apply. Upon a 30-day written request (or shorter notice period where required by applicable law, an order of a supervisory authority, in the event of a data breach or as otherwise agreed between the parties), the Customer (or Permitted Auditor as defined below) has the right to conduct an annual, onsite audit (which must take place during normal business hours) of Secureworks’ controls for safeguarding Customer Data. Such audit must be limited to those processing activities and facilities which are directly involved in the processing of Customer Data. Any access to sensitive or restricted facilities is strictly prohibited – in accordance with regulatory restrictions on access to other customers’ data (although a Permitted Auditor shall be entitled to observe the security operations center via a viewing window) and Customer shall not (and must ensure that any Permitted Auditor shall not) allow any sensitive documents and/or details regarding Secureworks’ policies, controls and/or procedures to leave the Secureworks location at which the audit is taking place (whether in electronic or physical form). Customer must comply at all times with Secureworks’ relevant on site policies and procedures (as notified to Customer by Secureworks). The audit should not take longer than three business days, and if the audit exceeds this timeframe, the Customer will be required to pay for resources necessary to complete the audit. In this clause the term “Permitted Auditor” shall mean a third party appointed by the Customer which is bound by equivalent obligations of confidentiality to those set out in this MSA and is not a direct competitor of Secureworks. 
Secureworks reserves the right to require any Permitted Auditor to execute a confidentiality agreement with Secureworks prior to the commencement of an audit. Secureworks will on an annual basis, have an audit conducted by a reputable and experienced accounting firm in accordance with the Statement on Standards for Attestation Engagements (“SSAE”) ), Reporting on Controls at a Service Organization, developed by the American Institute of Certified Public Accountants (“AICPA”), (the “Security Audit”) and have such accounting firm issue a Service Organization Control (“SOC”) 2 Type II Report (or substantially similar report in the event the SOC 2 Type II Report is no longer the industry standard) which will cover, at a minimum, the security policies, procedures and controls required by this MSA (the “Audit Report”). Upon Customer’s request, Secureworks will provide Customer a copy of Secureworks’ then current Audit Report. Customer acknowledges that the SOC 2 Type II, and/or any other information provided by Secureworks pertaining to Secureworks’ security controls, policies, procedures, etc. are considered Confidential Information of Secureworks and shall be treated by Customer in accordance with the terms and conditions of this MSA, including, but not limited to, Section 8. Secureworks is ISO 27001 certified.

Appears in 1 contract

Samples: Secureworks Master Services Agreement
