Certifications and Audits. 10.1 Emburse will, upon written request of Customer, make available evidence of its compliance with the technical and organizational measures that protect the Service through third-party certifications and audits as described in the security Documentation.
10.2 Customer, a Controller, or its respective independent third party auditor reasonably acceptable to Emburse, may have a right to audit Emburse’s control environment and security practices relevant to the Processing if:
10.2.1 Emburse fails to provide sufficient evidence under Section 10.1;
10.2.2 An audit is requested by Customer’s, or a Controller’s, relevant data protection authority; or
10.2.3 Data Protection Law provides Customer with a direct audit right, provided any such audit shall only occur once in any twelve (12) month period unless such law requires more frequent audits.
10.3 If a Controller (other than Customer) requests to conduct an audit under section 10.2, such audit must be undertaken by and through Customer unless Data Protection Law requires otherwise. If several Controllers whose Personal Data is processed by Emburse under the Agreement require an Audit, Customer shall use all reasonable means to combine the audits and to avoid multiple audits. Customer shall bear the costs of all audits under this Section 10.
10.4 Customer or the relevant Controller undertaking an audit under Section 10.2 shall give Emburse at least 60 days (or such other period as required by Data Protection Law) prior notice of any audit to be conducted under section 10.2. The scope of any audits shall be mutually agreed by the parties acting reasonably and in good faith. Audits shall be limited to 3 days and Customer (or relevant Controller) shall make (and ensure that each of its auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to Emburse premises, equipment, personnel and business in the course of such audit. Customer shall bear the costs of such audit and will provide the results of any audit to Emburse. If an audit determines that Emburse has breached its obligations under the DPA, Emburse will promptly remedy the breach at its own cost.
Appears in 1 contract
Sources: Data Processing Addendum
Certifications and Audits. (a) Customer may audit Provider’s compliance with its obligations under this Data Processing Agreement up to once per year. In addition, to the extent required by Applicable Data Protection Law, including where mandated by Customer’s Supervisory Authority, Customer or Customer’s Supervisory Authority may perform more frequent audits, including inspections of any Provider-owned and controlled data center facility that Processes Personal Data. Provider will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services ordered by Customer.
(b) If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Provider (except if such third party is a competent Supervisory Authority). Provider will not unreasonably withhold its consent to a third party auditor requested by Customer. The third party must execute a written confidentiality agreement acceptable to Provider or otherwise be bound by a statutory confidentiality obligation before conducting the audit.
(c) To request an audit, Customer must submit a detailed proposed audit plan to Provider at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan.
(d) If the requested audit scope is addressed in a SSAE 16/ISAE 3402 Type 2, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and Provider provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.
(e) The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Provider’s health and safety or other relevant policies, and may not unreasonably interfere with Provider business activities.
(f) Customer will provide Provider any audit reports generated in connection with any audit under this Section 6.3, unless prohibited by Applicable Data Protection Law or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement. The audit reports are Confidential Information of the parties under the terms of the Agreement.
(g) Any audits are at Customer’s expense. The parties will negotiate in good faith with respect to any charges or fees that may be incurred by Provider to provide assistance with an audit that requires the use of resources different from or in addition to those required for the provision of the Services.
Appears in 1 contract
Sources: Data Processing Agreement
Certifications and Audits. 10.1 8.1 Emburse willshall provide to Customer information on Emburse’s technical and organizational measures as set forth in this DPA, including third party certifications and security Documentation, upon the written request of Customer, make available evidence of its compliance with the technical and organizational measures that protect the Service through third-party certifications and audits as described in the security Documentation..
10.2 Customer, a Controller, or its respective independent third party auditor 8.2 Customer may reasonably acceptable to Emburse, may have a right to audit Emburse’s control environment and security practices relevant to the Processing if:
10.2.1 : (i) Emburse fails to provide sufficient evidence the information required under Section 10.1;
10.2.2 An 8.1; or (ii) an audit is requested by Customer’s, or a Controller’s, relevant data protection authority; or
10.2.3 Data Protection Law provides Responsible Authority. Customer with a direct audit right, provided any may not request such audit shall only occur more than once in any twelve (12) month period unless such law requires period, however, a Responsible Authority may require more frequent audits.
10.3 audits of Emburse’s Processing. If a Controller (other than Customer) requests to conduct an audit under section 10.2audit, such audit must shall be undertaken conducted by and through Customer unless Data Protection Law requires otherwiseCustomer. If several Controllers whose Personal Data is processed Emburse under the Agreement require request an Auditaudit, Customer shall use all make reasonable means efforts to combine the audits and to avoid multiple audits. Customer shall bear the costs of all audits under this Section 10. 10.4 .
8.3 Customer or the relevant a Controller undertaking an audit under Section 10.2 8.2 shall give ` Emburse at least 60 sixty (60) days (or such other period as required by Data Protection Law) prior written notice of any audit to be conducted under section 10.2such audit. The date, time, place and scope of any audits shall be mutually agreed by the parties acting reasonably and in good faithparties. Audits shall be limited to 3 three (3) days and Customer (or relevant Controller) Controller shall make (make, and ensure that each of its their independent auditors makes) shall make, reasonable endeavours efforts to avoid causing (or, if it cannot avoid, to minimise) and mitigate risk of any damage, injury or disruption to Emburse premises, equipment, personnel personnel, operations, services and business in the course of such audit. .
8.4 Customer shall bear the all costs and expenses of such audit all audits under Section 8.2. Emburse shall bear its own costs and will provide the results of any audit expenses in making commercially reasonable efforts to cooperate with an audit; provided, that Customer or Controller shall reimburse Emburse for Emburse. If ’s costs and expenses incurred regarding an audit determines that which is (i) conducted in breach of this Section 8 or (ii) causes Emburse has breached its obligations under the DPA, Emburse will promptly remedy the breach at its own costto incur costs and expenses extraordinary to industry standards and best practices.
Appears in 1 contract
Sources: Data Protection Agreement