Common use of Audits and Assessments Clause in Contracts

Audits and Assessments. Upon Cintas’ written request, to confirm Service Provider’s compliance with this Agreement, as well as Data Protection Laws and any other applicable laws, regulations, and industry standards, Service Provider grants Cintas or, upon Cintas’ election, a third party on Cintas’ behalf, permission to perform an assessment, audit, examination, or review of all controls in Service Provider’s physical and/or technical environment in relation to all Personal Data being handled and/or the Services being provided to Cintas pursuant to the Agreement. Service Provider shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Data for Cintas pursuant to the Agreement. In its sole discretion and in lieu of or in addition to an on-site audit, Cintas may elect to provide, and Service Provider agrees to accurately and promptly complete, a written data privacy and information security questionnaire regarding Service Provider’s business practices and information technology environment in relation to all Personal Data being handled and/or the Services being provided by Service Provider to Cintas pursuant to the Agreement. Service Provider shall fully cooperate with such inquiries. In addition, upon Cintas’ request, Service Provider shall provide Cintas with the results of any audit by or on behalf of Service Provider performed that assesses the effectiveness of Service Provider’s information security program as relevant to the security and confidentiality of Personal Data shared during the course of the Agreement, which may include, without limitation, all of the following, as applicable: Service Provider’s latest Payment Card Industry (PCI) Compliance Report, Statement on Standards for Attestation Engagements (SSAE) No. 18 audit reports for Reporting on Controls at a Service Organization, Service Organization Controls (SOC) Type 1, 2, or 3 audit reports, and any reports relating to its ISO/IEC 27001 certification. Service Provider will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by Service Provider’s management.

Audits and Assessments. Upon Cintas’ written request, to confirm Service Provider’s compliance with this Agreement, as well as Data Protection Laws and any other applicable laws, regulations, and industry standards, Service Provider grants Cintas or, upon Cintas’ election, a third party on Cintas’ behalf, permission to perform an assessment, audit, examination, or review of all controls in Service Provider’s physical and/or technical environment in relation to all Personal Data being handled and/or the Services being provided to Cintas pursuant to the Agreement. Service Provider shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Personal Data for Cintas pursuant to the Agreement. In its sole discretion and in lieu of or in addition to an on-site audit, Cintas may elect to provide, and Service Provider agrees to accurately and promptly complete, a written data privacy and information security questionnaire regarding Service Provider’s business practices and information technology environment in relation to all Personal Data being handled and/or the Services being provided by Service Provider to Cintas pursuant to the Agreement. Service Provider shall fully cooperate with such inquiries. In addition, upon Cintas’ request, Service Provider shall provide Cintas with the results of any audit by or on behalf of Service Provider performed that assesses the effectiveness of Service Provider’s information security program as relevant to the security and confidentiality of Personal Data shared during the course of the Agreement, which may include, without limitation, all of the following, as applicable: Service Provider’s latest Payment Card Industry (PCI) Compliance Report, Statement on Standards for Attestation Engagements (SSAE) No. 18 audit reports for Reporting on Controls at a Service Organization, Service Organization Controls (SOC) Type 1, 2, or 3 audit reports, and any reports relating to its ISO/IEC 27001 certification. Service Provider will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by Service Provider’s management.