Common use of Security Reports and Audits Clause in Contracts

Security Reports and Audits. (a) To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through (i) audit reports provided by iManage, (ii) documentation, or (iii) other compliance information that iManage makes generally available to its customers, iManage will, not more than one time per calendar year, promptly respond to Customer’s audit requests. Before the commencement of an audit, Customer and iManage will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit iManage to unreasonably delay performance of the audit. To the extent needed to perform the audit, iManage will make the processing systems, facilities and supporting documentation relevant to the Processing of Customer Data and Personal Data by iManage, its Affiliates, and its Sub-Processors (where possible) available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to iManage (not less than twenty days), and subject to reasonable confidentiality and security procedures. Neither Customer nor the auditor shall have access to any data from iManage’s other customers or to iManage systems or facilities not involved in the Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time iManage expends for any such audit, in addition to the rates for services performed by iManage. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with iManage and iManage shall promptly cure any material non-compliance.

Security Reports and Audits. Any provision of security attestation or audit reports shall take place in accordance with Customer’s rights under the Agreement. If the Agreement does not include a provision regarding security attestation or audit reports, iManage shall (a) To maintain security practices and policies for the extent protection of Customer Data as set forth in the written data security policy for the Cloud Services, and (b) upon Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through request (i) audit reports provided by iManage, (ii) documentation, or (iii) other compliance information that iManage makes generally available to its customers, iManage will, not more than one time per calendar year, promptly respond to Customer’s audit requests. Before the commencement of an audit, Customer and iManage will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit iManage to unreasonably delay performance of the audit. To the extent needed to perform the audit, iManage will make the processing systems, facilities and supporting documentation relevant to the Processing of Customer Data and Personal Data by iManage, its Affiliates, and its Sub-Processors (where possible) available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to iManage (not less than twenty days), and subject to reasonable the confidentiality and non-disclosure obligations set forth in the Agreement, iManage shall make available to Customer information regarding iManage’s compliance with the obligations set forth in the Agreement and this DPA in the form of iManage’s ISO 27001 certification and/or SOC 2 or SOC 3 reports. If the Agreement does not include audit rights, iManage shall allow Customer (or an independent third-party auditor appointed by Customer), at Customer’s sole cost and expense, upon Customer’s written request at reasonable intervals, to conduct an audit of the procedures relevant to the protection of Customer Personal Data, subject to the confidentiality provisions of the Agreement. Customer and iManage will discuss and agree in advance on the reasonable start date, scope and duration of, and security proceduresand confidentiality controls applicable to, any audit and Customer shall take all necessary steps to minimize the disruption to iManage’s business. iManage may elect to provide Customer with documents and records demonstrating its compliance with the obligations of this DPA and Customer shall refrain from exercising its audit right if the records are sufficient to demonstrate compliance with this DPA. Neither Customer nor the any independent third-party auditor appointed by Customer shall have access to any data from iManage’s other customers or to iManage iManage’s systems or facilities not involved in the Cloud Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time iManage expends for any such audit, in addition to the rates for services performed by iManage. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with iManage and iManage shall promptly cure any material non-compliance.

Security Reports and Audits. (a) To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Legislation cannot reasonably be satisfied through (i) audit reports provided by iManage, (ii) documentation, or (iii) other compliance information that iManage makes generally available to its customers, iManage will, not more than one time per calendar year, promptly respond to Customer’s audit requests. Before the commencement of an audit, Customer and iManage will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit iManage to unreasonably delay performance of the audit. To the extent needed to perform the audit, iManage will make the processing systems, facilities and supporting documentation relevant to the Processing of Customer Data and Personal Data by iManage, its Affiliates, and its Sub-Processors (where possible) available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to iManage (not less than twenty days), and subject to reasonable confidentiality and security procedures. Neither Customer nor the auditor shall have access to any data from iManage’s other customers or to iManage systems or facilities not involved in the Cloud Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time iManage expends for any such audit, in addition to the rates for services performed by iManage. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with iManage and iManage shall promptly cure any material non-compliance.