Common use of Audit and Records Clause in Contracts

Audit and Records. 5.1 Cloudflare shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in Cloudflare’s possession or control as Customer may reasonably request with a view to demonstrating Cloudflare’s compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data. 5.2 Cloudflare may fulfill Customer’s right of audit under Applicable Protection Laws in relation to Personal Data, by providing: (a) an audit report not older than thirteen (13) months, prepared by an independent external auditor demonstrating that Cloudflare’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard; (b) additional information in Cloudflare’s possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by Cloudflare under this DPA; and (c) To the extent that Customer’s Personal Data is subject to the EU SCCs and the information made available pursuant to this clause 5.2 is insufficient, in Customer’s reasonable judgment, to confirm Cloudflare’s compliance with its obligations under this DPA or Applicable Data Protection Laws, then Cloudflare shall enable Customer to request one onsite audit per annual period during the Term (as defined in the Main Agreement) to verify Cloudflare’s compliance with its obligations under this DPA in accordance with clause 5.3. 5.3 The following additional terms shall apply to audits the Customer requests: (a) Customer must send any requests for reviews of Cloudflare’s audit reports to ▇▇▇▇▇▇▇▇-▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇▇. (b) Following receipt by Cloudflare of a request for audit under clause 5.2(c), Cloudflare and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under clause 5.2(c). Whenever possible, evidence for such an audit will be limited to the evidence collected for Cloudflare’s most recent third-party audit. (c) Cloudflare may charge a fee (based on Cloudflare’s reasonable costs) for any audit under clause 5.2(c). Cloudflare will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. (d) Cloudflare may object in writing to an auditor appointed by Customer to conduct any audit under clause 5.2(c) if the auditor is, in Cloudflare’s reasonable opinion, not suitably qualified or independent, a competitor of Cloudflare, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may have a harmful impact on Cloudflare’s business comparable to the aforementioned aspects). Any such objection by Cloudflare will require Customer to appoint another auditor or conduct the audit itself. If the EU SCCs (including as they may be amended in clause 6.2 below) applies, nothing in this clause 5.3 varies or modifies the EU SCCs nor affects any supervisory authority’s or data subject’s rights under the EU SCCs.

Audit and Records. 5.1 Cloudflare shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in Cloudflare’s possession or control as Customer may reasonably request with a view to demonstrating Cloudflare’s compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data. 5.2 Cloudflare may fulfill Customer’s right of audit under Applicable Protection Laws in relation to Personal Data, by providing: (a) an audit report not older than thirteen (13) months, prepared by an independent external auditor demonstrating that Cloudflare’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard; (b) additional information in Cloudflare’s possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by Cloudflare under this DPA; and (c) To the extent that Customer’s Personal Data is subject to the EU SCCs and the information made available pursuant to this clause 5.2 is insufficient, in Customer’s reasonable judgment, to confirm Cloudflare’s compliance with its obligations under this DPA or Applicable Data Protection Laws, then Cloudflare shall enable Customer to request one onsite audit per annual period during the Term (as defined in the Main Agreement) to verify Cloudflare’s compliance with its obligations under this DPA in accordance with clause 5.3. 5.3 The following additional terms shall apply to audits the Customer requests: (a) Customer must send any requests for reviews of Cloudflare’s audit reports to ▇▇▇▇▇▇▇▇-▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇▇. (b) Following receipt by Cloudflare of a request for audit under clause 5.2(c), Cloudflare and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under clause 5.2(c). Whenever possible, evidence for such an audit will be limited to the evidence collected for Cloudflare’s most recent third-party audit. (c) Cloudflare may charge a fee (based on Cloudflare’s reasonable costs) for any audit under clause 5.2(c). Cloudflare will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. (d) Cloudflare may object in writing to an auditor appointed by Customer to conduct any audit under clause 5.2(c) if the auditor is, in Cloudflare’s reasonable opinion, not suitably qualified or independent, a competitor of Cloudflare, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may have a harmful impact on Cloudflare’s business comparable to the aforementioned aspects). Any such objection by Cloudflare will require Customer to appoint another auditor or conduct the audit itself. If the EU SCCs (including as they may be amended in clause 6.2 clauses 6.2(a) and (b) below) applies, nothing in this clause clause 5.3 varies or modifies the EU SCCs nor affects any supervisory authority’s or data subject’s rights under the EU SCCs.

Audit and Records. 5.1 Cloudflare shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in Cloudflare’s possession or control as Customer may reasonably request with a view to demonstrating Cloudflare’s compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data. 5.2 Cloudflare may fulfill fulfil Customer’s right of audit under Applicable Protection Laws in relation to Personal Data, by providing: (a) an audit report not older than thirteen (13) months, prepared by an independent external auditor demonstrating that Cloudflare’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard; (b) additional information in Cloudflare’s possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by Cloudflare under this DPA; and (c) To the extent that If Customer’s Personal Data is subject to the EU SCCs and the information made available pursuant to this clause 5.2 is insufficient, in Customer’s reasonable judgment, to confirm Cloudflare’s compliance with its obligations under this DPA or Applicable Data Protection Laws, then Cloudflare shall enable Customer to request one onsite audit per annual period during the Term (as defined in the Main Agreement) to verify Cloudflare’s compliance with its obligations under this DPA in accordance with clause 5.3. 5.3 The following additional terms shall apply to audits the Customer requests: (a) Customer must send any requests for reviews of Cloudflare’s audit reports to ▇▇▇▇▇▇▇▇-▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇▇. (b) Following receipt by Cloudflare of a request for audit under clause 5.2(c), Cloudflare and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under clause 5.2(c). Whenever possible, evidence for such an audit will be limited to the evidence collected for Cloudflare’s most recent third-party audit. (c) Cloudflare may charge a fee (based on Cloudflare’s reasonable costs) for any audit under clause 5.2(c). Cloudflare will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. (d) Cloudflare may object in writing to an auditor appointed by Customer to conduct any audit under clause 5.2(c) if the auditor is, in Cloudflare’s reasonable opinion, not suitably qualified or independent, a competitor of Cloudflare, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may have a harmful impact on Cloudflare’s business comparable to the aforementioned aspects)unsuitable. Any such objection by Cloudflare will require Customer to appoint another auditor or conduct the audit itself. If the EU SCCs (including as they may be amended in clause 6.2 below) appliesapply, nothing in this clause clause 5.3 varies or modifies the EU SCCs nor affects any supervisory authority’s or data subject’s rights under the EU SCCs.

Audit and Records. 5.1 Cloudflare shall, in accordance with Applicable Data Protection Laws, make available to Customer such information in Cloudflare’s possession or control as Customer may reasonably request with a view to demonstrating Cloudflare’s compliance with the obligations of Processors under Applicable Data Protection Laws in relation to its processing of Personal Data. 5.2 Cloudflare may fulfill fulfil Customer’s right of audit under Applicable Protection Laws in relation to Personal Data, by providing: (a) an audit report not older than thirteen (13) months, prepared by an independent external auditor demonstrating that Cloudflare’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard; (b) additional information in Cloudflare’s possession or control to a data protection supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by Cloudflare under this DPA; and (c) To the extent that Customer’s Personal Data is subject to the EU SCCs and the information made available pursuant to this clause 5.2 is insufficient, in Customer’s reasonable judgment, to confirm Cloudflare’s compliance with its obligations under this DPA or Applicable Data Protection Laws, then Cloudflare shall enable Customer to request one onsite audit per annual period during the Term (as defined in the Main Agreement) to verify Cloudflare’s compliance with its obligations under this DPA in accordance with clause 5.3. 5.3 The following additional terms shall apply to audits the Customer requests: (a) Customer must send any requests for reviews of Cloudflare’s audit reports to ▇▇▇▇▇▇▇▇-▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇.▇▇▇. (b) Following receipt by Cloudflare of a request for audit under clause 5.2(c), Cloudflare and Customer will discuss and agree in advance on the reasonable start date, scope, duration of, and security and confidentiality controls applicable to any audit under clause 5.2(c). Whenever possible, evidence for such an audit will be limited to the evidence collected for Cloudflare’s most recent third-party audit. (c) Cloudflare may charge a fee (based on Cloudflare’s reasonable costs) for any audit under clause 5.2(c). Cloudflare will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. (d) Cloudflare may object in writing to an auditor appointed by Customer to conduct any audit under clause 5.2(c) if the auditor is, in Cloudflare’s reasonable opinion, not suitably qualified or independent, a competitor of Cloudflare, or otherwise manifestly unsuitable (i.e., an auditor whose engagement may have a harmful impact on Cloudflare’s business comparable to the aforementioned aspects). Any such objection by Cloudflare will require Customer to appoint another auditor or conduct the audit itself. If the EU SCCs (including as they may be amended in clause 6.2 below) appliesapply, nothing in this clause clause 5.3 varies or modifies the EU SCCs nor affects any supervisory authority’s or data subject’s rights under the EU SCCs.