Common use of Cloud Services and Systems Clause in Contracts

Cloud Services and Systems. Cloud-based systems may only contain Confidential Information subject to the prior written approval by Us and must be certified to ISO 27001 standards as a minimum. This minimum ISO 27001 certification must not exceed 12 months from the initial date of issue, for the standard to be considered valid. We reserve the right to perform a security review and risk assessment of applications and services containing Confidential Information in the cloud prior to implementation. Any changes to the architecture or function of a service or data model in the cloud that stores Confidential Information must first be reviewed and approved by Our Information Security Department. Applications that require physical separation cannot be on a cloud-based service unless duly segregated and approved in writing by Us. Supplier shall ensure Confidential Information is fully segregated from the Supplier’s other customers and/or third parties. In addition, the Supplier agrees to allow any regulated Customers (i.e., when a government or regulatory body with binding authority (“Regulator”) regulates such entity’s regulated services such as (for example) financial services) or any independent or impartial inspection agents or auditors selected by Us or a regulated Customer, to audit the Supplier and the Supplier agrees to allow Us to provide any such reports to its Customers where required.

Appears in 2 contracts

Sources: Data Processing and Security Agreement, Data Processing and Security Agreement