Common use of Security Reports and Audits Clause in Contracts

Security Reports and Audits. 7.1 Customer acknowledges that Pleo is regularly audited against PCI standards by independent third party auditors and internal auditors, respectively. 7.2 Pleo shall provide written responses (on a confidential basis) to reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Pleo's compliance with this DPA, provided that Customer shall not exercise this right more than once per year. Depending on the volume of request, certain lead time is to be expected. 7.3 Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, Pleo shall make available to Customer that is not a competitor of Pleo (or Customer’s independent, third party auditor that is not a competitor of Pleo) information regarding Pleo’s compliance with the obligations set forth in the DPA. Customer is entitled to contact Pleo to request an onsite audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Pleo for any time expended by Pleo or its third party Subprocessors for any such onsite audit at Pleo’s then current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such onsite audit, Customer and Pleo shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All costs will be documented, and reimbursement rates shall be reasonable, taking into account the resources expended by Pleo, or its third party Subprocessors. Customer shall promptly notify Pleo with information regarding any noncompliance discovered during the course of an audit. This procedure may be instigated a maximum of once per year and with a minimum of ninety (90) days notice to Pleo.

Security Reports and Audits. 7.1 Customer acknowledges (a) To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through (i) audit reports provided by iManage, (ii) documentation, or (iii) other compliance information that Pleo is regularly audited against PCI standards by independent third party auditors and internal auditorsiManage makes generally available to its customers, respectively. 7.2 Pleo shall provide written responses (on a confidential basis) to reasonable requests for information made by CustomeriManage will, including responses to information security and audit questionnaires that are necessary to confirm Pleo's compliance with this DPA, provided that Customer shall not exercise this right more than once one time per calendar year. Depending on the volume of request, certain lead time is promptly respond to be expected. 7.3 Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, Pleo shall make available to Customer that is not a competitor of Pleo (or Customer’s independent, third party auditor that is not a competitor of Pleo) information regarding Pleo’s compliance with the obligations set forth in the DPA. Customer is entitled to contact Pleo to request an onsite audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Pleo for any time expended by Pleo or its third party Subprocessors for any such onsite audit at Pleo’s then current professional services rates, which shall be made available to Customer upon requestrequests. Before the commencement of any such onsite an audit, Customer and Pleo shall iManage will mutually agree upon the scope, timing, duration, control and duration evidence requirements, and fees for the audit, provided that this requirement to agree will not permit iManage to unreasonably delay performance of the audit. To the extent needed to perform the audit, iManage will make the processing systems, facilities and supporting documentation relevant to the Processing of Customer Data and Personal Data by iManage, its Affiliates, and its Sub-Processors (where possible) available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to iManage (not less than twenty days), and subject to reasonable confidentiality and security procedures. Neither Customer nor the auditor shall have access to any data from iManage’s other customers or to iManage systems or facilities not involved in the Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time iManage expends for any such audit, in addition to the reimbursement rate rates for which services performed by iManage. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall be responsible. All costs will be documented, share such audit report with iManage and reimbursement rates shall be reasonable, taking into account the resources expended by Pleo, or its third party Subprocessors. Customer iManage shall promptly notify Pleo with information regarding cure any noncompliance discovered during material non-compliance. (b) If the course Standard Contractual Clauses apply, then this paragraph is in addition to Clause 5 paragraph f and Clause 12 paragraph 2 of an auditthe Standard Contractual Clauses. This procedure may be instigated a maximum of once per year and with a minimum of ninety (90) days notice to PleoNothing in this paragraph varies or modifies the Standard Contractual Clauses or affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses or Data Protection Legislation.

Security Reports and Audits. 7.1 Customer acknowledges ‌ (a) To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through (i) audit reports provided by iManage, (ii) documentation, or (iii) other compliance information that Pleo is regularly audited against PCI standards by independent third party auditors and internal auditorsiManage makes generally available to its customers, respectively. 7.2 Pleo shall provide written responses (on a confidential basis) to reasonable requests for information made by CustomeriManage will, including responses to information security and audit questionnaires that are necessary to confirm Pleo's compliance with this DPA, provided that Customer shall not exercise this right more than once one time per calendar year. Depending on the volume of request, certain lead time is promptly respond to be expected. 7.3 Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, Pleo shall make available to Customer that is not a competitor of Pleo (or Customer’s independent, third party auditor that is not a competitor of Pleo) information regarding Pleo’s compliance with the obligations set forth in the DPA. Customer is entitled to contact Pleo to request an onsite audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Pleo for any time expended by Pleo or its third party Subprocessors for any such onsite audit at Pleo’s then current professional services rates, which shall be made available to Customer upon requestrequests. Before the commencement of any such onsite an audit, Customer and Pleo shall iManage will mutually agree upon the scope, timing, duration, control and duration evidence requirements, and fees for the audit, provided that this requirement to agree will not permit iManage to unreasonably delay performance of the audit. To the extent needed to perform the audit, iManage will make the processing systems, facilities and supporting documentation relevant to the Processing of Customer Data and Personal Data by iManage, its Affiliates, and its Sub-Processors (where possible) available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to iManage (not less than twenty days), and subject to reasonable confidentiality and security procedures. Neither Customer nor the auditor shall have access to any data from iManage’s other customers or to iManage systems or facilities not involved in the Cloud Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time iManage expends for any such audit, in addition to the reimbursement rate rates for which services performed by iManage. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall be responsible. All costs will be documented, share such audit report with iManage and reimbursement rates shall be reasonable, taking into account the resources expended by Pleo, or its third party Subprocessors. Customer iManage shall promptly notify Pleo with information regarding cure any noncompliance discovered during material non-compliance. (b) Nothing in this paragraph varies or modifies the course of an audit. This procedure may be instigated a maximum of once per year and with a minimum of ninety (90) days notice to PleoStandard Contractual Clauses or affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses or Data Protection Legislation.

Security Reports and Audits. 7.1 Customer acknowledges (a) To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through (i) audit reports provided by iManage, (ii) documentation, or (iii) other compliance information that Pleo is regularly audited against PCI standards by independent third party auditors and internal auditorsiManage makes generally available to its customers, respectively. 7.2 Pleo shall provide written responses (on a confidential basis) to reasonable requests for information made by CustomeriManage will, including responses to information security and audit questionnaires that are necessary to confirm Pleo's compliance with this DPA, provided that Customer shall not exercise this right more than once one time per calendar year. Depending on the volume of request, certain lead time is promptly respond to be expected. 7.3 Upon Customer’s request, and subject to the confidentiality obligations set forth in the data processing addendum, Pleo shall make available to Customer that is not a competitor of Pleo (or Customer’s independent, third party auditor that is not a competitor of Pleo) information regarding Pleo’s compliance with the obligations set forth in the DPA. Customer is entitled to contact Pleo to request an onsite audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Pleo for any time expended by Pleo or its third party Subprocessors for any such onsite audit at Pleo’s then current professional services rates, which shall be made available to Customer upon requestrequests. Before the commencement of any such onsite an audit, Customer and Pleo shall iManage will mutually agree upon the scope, timing, duration, control and duration evidence requirements, and fees for the audit, provided that this requirement to agree will not permit iManage to unreasonably delay performance of the audit. To the extent needed to perform the audit, iManage will make the processing systems, facilities and supporting documentation relevant to the Processing of Customer Data and Personal Data by iManage, its Affiliates, and its Sub-Processors (where possible) available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to iManage (not less than twenty days), and subject to reasonable confidentiality and security procedures. Neither Customer nor the auditor shall have access to any data from iManage’s other customers or to iManage systems or facilities not involved in the Cloud Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time iManage expends for any such audit, in addition to the reimbursement rate rates for which services performed by iManage. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall be responsible. All costs will be documented, share such audit report with iManage and reimbursement rates shall be reasonable, taking into account the resources expended by Pleo, or its third party Subprocessors. Customer iManage shall promptly notify Pleo with information regarding cure any noncompliance discovered during material non-compliance. (b) Nothing in this paragraph varies or modifies the course of an audit. This procedure may be instigated a maximum of once per year and with a minimum of ninety (90) days notice to PleoStandard Contractual Clauses or affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses or Data Protection Legislation.