[Attachment __, Data Management, Privacy, and Security, continued]
N. Audits. Provider shall retain a certified public accounting firm to perform an annual audit of the System’s data protection features and to provide a SOC 2 Type II report, pursuant to the then-current standards of the American Institute of Certified Public Accountants (the “AICPA”). If the AICPA revises its relevant reporting standards, Provider shall retain such accounting firm to provide the report that then most resembles a SOC 2 Type II report. In addition, Provider shall annually conduct its own internal security audit and address security gaps. Provider shall give Customer a copy of the most current report from each audit listed above in this Section N within __ business days of the Effective Date and thereafter annually within __ business days of completion of thereof.
O. Customer Testing. If requested by Customer, Provider shall, on a quarterly basis: (1) permit security reviews by Customer on systems storing or processing Customer Data and on Provider policies and procedures relating to the foregoing, including without limitation the InfoSec Program; and (2) permit testing of all security processes and procedures during the Term, including without limitation penetration tests. Notwithstanding the foregoing, Provider is not required to permit any review or inspection that may compromise the security of Provider’s other customers’ data.
P. Audit and Test Results. Any report or other result generated through the tests or audits required by Section N (Audits) or O (Customer Testing) of this Attachment __ will be Provider’s Confidential Information pursuant to Section __ (Confidential Information) of this Agreement’s main body. If any audit or test referenced above uncovers deficiencies or identifies suggested changes in Provider’s provision of the System, Provider shall exercise reasonable efforts promptly to address such deficiencies and changes, including without limitation by revising the InfoSec Program.