Common use of Certifications and Audits Clause in Contracts

Certifications and Audits. (a) Customer may audit Provider’s compliance with its obligations under this Data Processing Agreement up to once per year. In addition, to the extent required by Applicable Data Protection Law, including where mandated by Customer’s Supervisory Authority, Customer or Customer’s Supervisory Authority may perform more frequent audits, including inspections of any Provider-owned and controlled data center facility that Processes Personal Data. Provider will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services ordered by Customer. (b) If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Provider (except if such third party is a competent Supervisory Authority). Provider will not unreasonably withhold its consent to a third party auditor requested by Customer. The third party must execute a written confidentiality agreement acceptable to Provider or otherwise be bound by a statutory confidentiality obligation before conducting the audit. (c) To request an audit, Customer must submit a detailed proposed audit plan to Provider at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. 
(d) If the requested audit scope is addressed in a SSAE 16/ISAE 3402 Type 2, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and Provider provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report. (e) The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Provider’s health and safety or other relevant policies, and may not unreasonably interfere with Provider business activities. (f) Customer will provide Provider any audit reports generated in connection with any audit under this Section 6.3, unless prohibited by Applicable Data Protection Law or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement. The audit reports are Confidential Information of the parties under the terms of the Agreement. (g) Any audits are at Customer’s expense. The parties will negotiate in good faith with respect to any charges or fees that may be incurred by Provider to provide assistance with an audit that requires the use of resources different from or in addition to those required for the provision of the Services.

Appears in 1 contract

Sources: Data Processing Agreement

Certifications and Audits. 8.1 Emburse shall provide to Customer information on Emburse’s compliance with technical and organizational measures as set forth in this DPA, including third party certifications and security Documentation, upon the written request of Customer. 8.2 Customer may reasonably audit Emburse’s Processing if: (i) Emburse fails to provide the information required under Section 8.1; or (ii) an audit is requested by a Responsible Authority. Customer may not request such audit more than once in any twelve (12) month period, however, a Responsible Authority may require more frequent audits of Emburse’s Processing. If a Controller requests an audit, such audit shall be conducted by and through Customer. If several Controllers request an audit, Customer shall make reasonable efforts to combine the audits. 
8.3 Customer or a Controller undertaking an audit under Section 8.2 shall give Emburse at least sixty (60) days prior written notice of such audit. The date, time, place and scope of any audits shall be mutually agreed by the parties. Audits shall be limited to three (3) days and Customer or Controller shall make, and ensure that their independent auditors shall make, reasonable efforts to avoid and mitigate risk of any damage, injury or disruption to Emburse premises, equipment, personnel, operations, services and business in the course of such audit. 8.4 Customer shall bear all costs and expenses of all audits under Section 8.2. Emburse shall bear its own costs and expenses in making commercially reasonable efforts to cooperate with an audit; provided, that Customer or Controller shall reimburse Emburse for Emburse’s costs and expenses incurred regarding an audit which is (i) conducted in breach of Section 8 or (ii) causes Emburse to incur costs and expenses extraordinary to industry standards and best practices.

Appears in 1 contract

Sources: Data Protection Agreement

Certifications and Audits. 10.1 Emburse will, upon written request of Customer, make available evidence of its compliance with the technical and organizational measures that protect the Service through third-party certifications and audits as described in the security Documentation. 10.2 Customer, a Controller, or its respective independent third party auditor reasonably acceptable to Emburse, may have a right to audit Emburse’s control environment and security practices relevant to the Processing if: 10.2.1 Emburse fails to provide sufficient evidence under Section 10.1; 10.2.2 An audit is requested by Customer’s, or a Controller’s, relevant data protection authority; or 10.2.3 Data Protection Law provides Customer with a direct audit right, provided any such audit shall only occur once in any twelve (12) month period unless such law requires more frequent audits. 10.3 If a Controller (other than Customer) requests to conduct an audit under section 10.2, such audit must be undertaken by and through Customer unless Data Protection Law requires otherwise. If several Controllers whose Personal Data is processed by Emburse under the Agreement require an Audit, Customer shall use all reasonable means to combine the audits and to avoid multiple audits. Customer shall bear the costs of all audits under this Section 10. 10.4 Customer or the relevant Controller undertaking an audit under Section 10.2 shall give Emburse at least 60 days (or such other period as required by Data Protection Law) prior notice of any audit to be conducted under section 10.2. The scope of any audits shall be mutually agreed by the parties acting reasonably and in good faith. 
Audits shall be limited to 3 days and Customer (or relevant Controller) shall make (and ensure that each of its auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to Emburse premises, equipment, personnel and business in the course of such audit. Customer shall bear the costs of such audit and will provide the results of any audit to Emburse. If an audit determines that Emburse has breached its obligations under the DPA, Emburse will promptly remedy the breach at its own cost.

Appears in 1 contract

Sources: Data Processing Addendum