Updated the key model provisions document based on the outcome of the Legal Work Group call of 2023-07-28.
Basically: Andrew's additions mark the close of the document excepting final review, and the risk grid format items move to the risk grid. The risk grid will be the next subject for our review once the core document is published.
File changed: Adoption-Preparation/Model-Provisions/openchain-standards-model-provisions.0.5.md
Lines changed: 1 addition & 158 deletions
@@ -124,161 +124,4 @@ Note: this document is to be interpreted consistently with the OpenChain Specifi
124
124
125
125
#### 1.8.4. [usual ongoing obligations as to awareness of breaches etc.]
126
126
127
-
#### 1.8.5. [usual indemnity wording]
128
-
129
-
# Below is a Series of Optional Model Language Issues in Original Risk Grid Format:
130
-
131
-
Each issue is formatted as follows:
132
-
133
-
- Issue
134
-
- Commentary
135
-
- Who is best placed to bear risk?
136
-
- Best mechanism to tackle risk
137
-
- Sample Wording
138
-
- Supplier's Arguments
139
-
- Customer's Arguments
140
-
141
-
## Overarching Topics
142
-
143
-
### Issue - Inclusion of OpenChain ISO/IEC 5230
144
-
145
-
#### Commentary
146
-
147
-
None listed.
148
-
149
-
#### Who is best placed to bear risk?
150
-
151
-
Supplier.
152
-
153
-
#### Best mechanism to tackle risk
154
-
155
-
None listed.
156
-
157
-
#### Sample Wording
158
-
159
-
The Supplier warrants that the [Software][defined components of the Software] originate[s] from an OpenChain ISO/IEC 5230:2000 Conformant Program [or Programs][, with the OpenChain ISO/IEC 5230:2000 Conformant Program being specified in the Supplier Information Pack].
160
-
161
-
or
162
-
163
-
The Supplier warrants that the [Software][defined components of the Software] originate[s] from a Program [or Programs] adhering to aspects of an OpenChain ISO/IEC 5230:2000 Conformant Program as specified in the Supplier Information Pack].
164
-
165
-
and
166
-
167
-
[The Supplier does not warrant that use, modification or further distribution by the Customer of the Software constitutes a continuation of adherence to an OpenChain ISO/IEC 5230:2000 Conformant Program].
168
-
169
-
#### Supplier's Arguments
170
-
171
-
The Supplier may argue that the inclusion of these requirements or the extent of the requirements included introduce a cost-burden that need to be offset.
172
-
173
-
#### Customer's Arguments
174
-
175
-
The Customer is receiving a potential liability regarding third-party intellectual property along with the Software deliverable from the Supplier. As such, it is reasonable to request that the Supplier adheres to international standards related to the licensing of this third-party intellectual property.
176
-
177
-
### Issue - Inclusion of OpenChain ISO/IEC DIS 18974
178
-
179
-
#### Commentary
180
-
181
-
None listed.
182
-
183
-
#### Who is best placed to bear risk?
184
-
185
-
Supplier.
186
-
187
-
#### Best mechanism to tackle risk
188
-
189
-
None listed.
190
-
191
-
#### Sample Wording
192
-
193
-
The Supplier warrants that the [Software][defined components of the Software] originate[s] from an OpenChain ISO/IEC DIS 18974 Conformant Program [or Programs][, with the OpenChain ISO/IEC DIS 18974 Conformant Program being specified in the Supplier Information Pack].
194
-
195
-
or
196
-
197
-
The Supplier warrants that the [Software][defined components of the Software] originate[s] from a Program [or Programs] adhering to aspects of an OpenChain ISO/IEC DIS 18974 Conformant Program as specified in the Supplier Information Pack].
198
-
199
-
and
200
-
201
-
[The Supplier does not warrant that use, modification or further distribution by the Customer of the Software constitutes a continuation of adherence to an OpenChain ISO/IEC DIS 18974 Conformant Program].
202
-
203
-
#### Supplier's Arguments
204
-
205
-
The Supplier may argue that the inclusion of these requirements or the extent of the requirements included introduce a cost-burden that need to be offset.
206
-
207
-
#### Customer's Arguments
208
-
209
-
The Customer is receiving a potential liability regarding security along with the Software deliverable from the Supplier. As such, it is reasonable to request that the Supplier adheres to international standards related to the managing of security assurance related to the Software.
210
-
211
-
### Issue - Determining if the OpenChain Conformant Program is self-certified or third-party certified
212
-
213
-
#### Commentary
214
-
215
-
None listed.
216
-
217
-
#### Who is best placed to bear risk?
218
-
219
-
Supplier
220
-
221
-
#### Best mechanism to tackle risk
222
-
223
-
None listed.
224
-
225
-
#### Sample Wording
226
-
227
-
The Supplier warrants that the OpenChain [ISO/IEC 5230:2000][ISO/IEC DIS 18974] Conformant Program [or Programs] referenced in the relevant [purchasing agreement[s]][contract[s]] is self-certified as per the checklists or questionnaires provided by the OpenChain Project.
228
-
229
-
or
230
-
231
-
The Supplier warrants that the OpenChain [ISO/IEC 5230:2000][ISO/IEC DIS 18974] Conformant Program [or Programs] referenced in the relevant [purchasing agreement[s]][contract[s]] is third-party certified by [registered][licensed] third-party certified.
232
-
233
-
and
234
-
235
-
[The Supplier will produce documentation to verify that the OpenChain [ISO/IEC 5230:2000][ISO/IEC DIS 18974] Conformant Program [or Programs] has undergone the disclosed certification process.]
236
-
237
-
#### Supplier's Arguments
238
-
239
-
None.
240
-
241
-
#### Customer's Arguments
242
-
243
-
The Customer requires clarity regarding the type of certification that the Supplier has undergone to contextualize their risk. A Customer may regard third-party certification as preferable due to the inherent audit involved. Alternatively, a Customer may be satisfied that self-certification is sufficient given that OpenChain ISO/IEC 5230:2000 or ISO/IEC DIS 18974 both require the party with a conformant program to maintain documentation on how they accomplished their conformance.
244
-
245
-
### Issue - Risk that the Declaration is just pro-forma, how to verify?
246
-
247
-
#### Commentary
248
-
249
-
None listed.
250
-
251
-
#### Who is best placed to bear risk?
252
-
253
-
Supplier
254
-
255
-
#### Best mechanism to tackle risk
256
-
257
-
Audit rights
258
-
259
-
#### Sample Wording
260
-
261
-
Customer may request that an audit be carried out to verify compliance to ISO/IEC 5230:2000 by a Third party auditor (**"Audit"**) that shall be approved by Supplier and such approval shall not be unreasonably withheld.
262
-
263
-
The Audit is subject to the following conditions:
264
-
265
-
a. it must only concern Supplier's OpenChain-related material, processes, policies and other relevant Artefact as provided for by ISO/IEC 5230:2000 that are used to demonstrate compliance.
266
-
a. the auditor shall undertake a formal non disclosure agreement if it was not bound to professional secrecy by operation of the law;
267
-
a. it must be carried out no more than once a year;
268
-
a. it must come with an adequate advance notice, in no case less than 5 business days, and may be carried out during normal working hours, without interrupting the continuity of Supplier's activities or causing Supplier excessive burden and inconvenience, and in compliance with Supplier's safety policies;
269
-
a. Customer shall bear all expenses arising out of or in connection with Audits at Supplier's premises, unless such Audits reveal that Supplier is not acting in compliance ISO/IEC 5230:2000, in which case all expenses shall be borne by Supplier. Customer may prepare an audit report summarizing the results and observations of the Audits (**"Audit Report"**);
270
-
a. If at all possible, the Audit shall be documental, but the auditor may interview personnel of the Supplier to verify the level of compliance.
271
-
272
-
Audit Reports are confidential information of Supplier and Customer undertakes not to disclose them to third parties, with the exception of its own consultants, including legal consultants and its own employees.
273
-
274
-
Supplier can respond to a request to carry out an audit by handing over a recent Audit Report performed by a reputable third part; such handing over may carry reasonably confidentiality conditions. A recent Audit Report is a report that was formed no more than 10 months prior to the request to carry over the audit. Customer shall not unreasonably refuse to accept such Audit Report *in lieu* of a full audit, but can demand to carry over an audit on areas which have not been accurately described or which have not been covered by the Audit Report.
275
-
276
-
[in case Supplier is self-certified] Supplier may retain the auditor for becoming third-party certified or to renew third-party certification, but any such request may not be made earlier than one calendar month after the Audit Report has been delivered.
277
-
278
-
#### Supplier's Arguments
279
-
280
-
Cost and complication of an audit process, confidentiality.
281
-
282
-
#### Customer's Arguments
283
-
284
-
Costs are borne mainly by Customer, confidentiality is tackled by NDA and the process is run by a third party, frequency is limited and the audit can be done by showing a reliable audit done by a reputable third party.
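Review bot: the hunk removes the entire "Optional Model Language Issues in Original Risk Grid Format" section from the core document without leaving a pointer after 1.8.5 to where the risk grid now lives; since the commit message says this material moves rather than retires, add a one-line cross-reference there and carry the visible defects of the removed text forward as fixes in the destination: the unbalanced closing bracket in `as specified in the Supplier Information Pack].` (second sample wording under both the ISO/IEC 5230 and ISO/IEC DIS 18974 issues), the garbled `is third-party certified by [registered][licensed] third-party certified.` under the self-certified vs third-party certified issue, the audit conditions all labelled `a.`, and `compliance ISO/IEC 5230:2000` missing "with". The published designation of the standard is ISO/IEC 5230:2020, so the repeated `5230:2000` should also be corrected when the wording lands in the risk grid.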