Monitoring and Audits. (a) The Processor makes available to the Controller all information necessary to demonstrate compliance with applicable personal data protection laws and this DPA and allows and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller only if:
a. There is sufficient evidence that Processor failed its compliance with the technical and organizational measures that protect the production systems of the Application;
b. A personal Data Breach has occurred;
c. An audit is formally requested by Controller’s data protection authority; or
d. Mandatory applicable data protection law provides Controller with a direct audit right and provided that Controller shall only audit once in any twelve month period unless mandatory applicable data protection law requires more frequent audits. The Controller acknowledges and agrees in writing that it will not seek to access any confidential information or personal data of third parties (including Processor’s other customers), and the Processor may take any steps (in the Processor’s discretion) necessary to ensure the Controller is not given or does not obtain access to such confidential information or personal data.
(b) Controller shall provide at least sixty days advance notice of any audit unless applicable mandatory data protection law or a competent data protection authority requires shorter notice. The frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and in good faith. Controller audits shall be limited in time to a maximum of two business days. Beyond such restrictions, the parties will use current certifications or other audit reports to avoid or minimize repetitive audits. Controller shall provide the results of any audit to Processor.
(c) Controller shall bear the costs of any audit unless such audit reveals a material breach by Processor of this DPA, then Processor shall bear its own expenses of an audit. If an audit determines that Processor has breached its obligations under the DPA, Processor will promptly remedy the breach at its own cost.
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement
Monitoring and Audits. (a) The Processor makes available to the Controller all information necessary to demonstrate compliance with applicable personal data protection laws Article 28 of the GDPR and this DPA agreement and allows and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller only if:
a. There is sufficient evidence that Processor failed its compliance with the technical and organizational measures that protect the production systems of the Application;
b. A personal Data Breach has occurred;
c. An audit is formally requested by Controller’s data protection authority; or
d. Mandatory applicable data protection law provides Controller with a direct audit right and provided that Controller shall only audit once in any twelve month period unless mandatory applicable data protection law requires more frequent audits. The Controller acknowledges and agrees in writing that it will not seek to access any confidential information or personal data of third parties (including Processor’s other customers), and the Processor may take any steps (in the Processor’s discretion) necessary to ensure the Controller is not given or does not obtain access to such confidential information or personal data.
(b) Controller shall provide at least sixty days advance notice of any audit unless applicable mandatory data protection law or a competent data protection authority requires shorter notice. The frequency and scope of any audits shall be mutually agreed between the parties acting reasonably and in good faith. Controller audits shall be limited in time to a maximum of two business days. Beyond such restrictions, the parties will use current certifications or other audit reports to avoid or minimize repetitive audits. Controller shall provide the results of any audit to Processor.
(c) Controller shall bear the costs of any audit unless such audit reveals a material breach by Processor of this DPA, then Processor shall bear its own expenses of an audit. If an audit determines that Processor has breached its obligations under the DPA, Processor will promptly remedy the breach at its own cost.
Appears in 1 contract
Sources: Data Processing Agreement