Vendor Management:
(a) To meet the mandates associated with third party vendors, the Client may request annually from the Company the following information: Annual Financial Statements; Insurance Coverage/Certificate; SSAE16 report inclusive of User Entity controls; External Penetration Testing results; Data Encryption procedures, Business Resumption Plans and Disaster Recovery testing results. The Company shall provide all such Information within thirty (30) days of receiving a written request for it. Additional vendor due diligence requirements not addressed in this Agreement and required by federal regulation will be provided within ninety (90) days of a written request for it. Failure to provide such information will be grounds for termination of the Agreement.
(b) As specifically permitted by law or regulation, the Client shall be permitted to audit the Company's performance under this Agreement during normal business.
Thanks ever so much for sharing your "Right to Audit" clause.
In my examination of the clause against our subcontract I noted that SSAE 16 (with which I was unfamiliar) says online it has been superseded by SSAE No. 18 and as of 5/1/2017 the report is referred to as SOC 1. Not my area of expertise so please validate.
All the best,
Cathleen "Cathy" Strabala
Senior Director, Quality, Ethics & Compliance