Enabling Customer Compliance a. Effective Access to Data and Business Premises. As set forth in this Amendment and for clarity and to be consistent with applicable regulations, Microsoft will provide Customer, Customer’s internal and external auditors (both of which are defined as “Customer Auditor” herein) and Customer’s Regulator, with effective access to data related to the activities outsourced to Microsoft, as well as reasonable access to Microsoft’s business premises (see Section 2(b)(ii) and Section 2(c)(iii)). Customer will at all times have direct access to Customer Data, including Customer’s virtual machines and applications deployed in the Online Services. This includes the ability for Customer to conduct vulnerability and penetration testing of Customer’s deployments in the Online Services or other similar testing as applicable to a specific Online Service that Customer is using. For avoidance of doubt, Customer must conduct any testing in accordance with Microsoft’s terms and conditions, which may require, among other things, Customer to provide Microsoft with advance notice of any tests and prohibit Customer from targeting any other Microsoft customer.
Enabling Customer Compliance a. Penetration Testing by Customer and Microsoft. Customer has the ability to conduct vulnerability and penetration testing of Customer’s deployments in the Online Services or other similar testing as applicable to a specific Online Service that Customer is using. For avoidance of doubt, Customer must conduct any testing in accordance with Microsoft’s terms and conditions, which may require, among other things, Customer to provide Microsoft with advance notice of any tests and prohibit Customer from targeting any other Microsoft customer. At least annually, Microsoft will commission third-party penetration testing against the Online Services, including evidence of data isolation among tenants in the multi-tenant Online Services. Such information is available to customers through the Service Trust Portal.
Enabling Customer Compliance a. Customer Access to Data. Customer will at all times have direct access to Customer Data, including virtual machines and applications deployed in the Online Services. This includes the ability for Customer to conduct vulnerability and penetration testing of Customer’s deployments in the Online Services or other similar testing as applicable to a specific Online Service that Customer is using. For avoidance of doubt, Customer must conduct any testing in accordance with Microsoft’s terms and conditions, which may provide among other things that Customer shall provide Microsoft with advance notice of any tests and prohibit such tests from targeting any other Microsoft customer.
Enabling Customer Compliance
