Auditing Compliance. Sales Cookie will conduct audits of the security of the computers, computing environment and physical data centers that it uses in processing Customer Data and Personal Data, as follows: Where a standard or framework provides for audits, an audit of such control standard or framework will be initiated at least annually. Each audit will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or framework. Each audit will be performed by qualified security auditors at Sales Cookie’s selection and expense. Each audit will result in the generation of an audit report (“Sales Cookie Audit Report”), which Sales Cookie will make available upon request. The Sales Cookie Audit Report will be Sales Cookie’s Confidential Information and will clearly disclose any material findings by the auditor. Sales Cookie will promptly remediate issues raised in any Sales Cookie Audit Report to the satisfaction of the auditor. If Customer requests, Sales Cookie will provide Customer with each Sales Cookie Audit Report. The Sales Cookie Audit Report will be subject to non-disclosure and distribution limitations of Sales Cookie and the auditor. To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Requirements cannot reasonably be satisfied through audit reports, documentation or compliance information Sales Cookie makes generally available to its customers, Sales Cookie will promptly respond to Customer’s additional audit instructions. Before the commencement of an audit, Customer and Sales Cookie will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit Sales Cookie to unreasonably delay performance of the audit. 
To the extent needed to perform the audit, Sales Cookie will make the processing systems, facilities and supporting documentation relevant to the processing of Customer Data and Personal Data by Sales Cookie, its Affiliates, and its Sub processors available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to Sales Cookie, and subject to reasonable confidentiality procedures. Neither Customer nor the auditor shall have access to any data from Sales Cookie’s other customers or to Sales Cookie systems or facilities not involved in the Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Sales Cookie expends for any such audit, in addition to the rates for services performed by Sales Cookie. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Sales Cookie and Sales Cookie shall promptly cure any material non-compliance. Nothing in this section of the DPA varies or modifies the standard Sales Cookie’s Terms of Service or affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses or Data Protection Requirements.
Appears in 2 contracts
Samples: Data Protection Agreement, Data Protection Agreement
Auditing Compliance. Microsoft will conduct audits of the security of the computers, computing environment and physical data centers that it uses in processing Customer Data and Personal Data, as follows:
• Where a standard or framework provides for audits, an audit of such control standard or framework will be initiated at least annually.
• Each audit will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or framework.
• Each audit will be performed by qualified, independent, third party security auditors at Microsoft’s selection and expense.
Each audit will result in the generation of an audit report (“Microsoft Audit Report”), which Microsoft will make available at xxxxx://xxxxxxxxxxxx.xxxxxxxxx.xxx/ or another location identified by Microsoft. The Microsoft Audit Report will be Microsoft’s Confidential Information and will clearly disclose any material findings by the auditor. Microsoft will promptly remediate issues raised in any Microsoft Audit Report to the satisfaction of the auditor. If Customer requests, Microsoft will provide Customer with each Microsoft Audit Report. The Microsoft Audit Report will be subject to non-disclosure and distribution limitations of Microsoft and the auditor. If Customer has entered into the Standard Contractual Clauses with Microsoft or if the GDPR Terms apply, then Customer agrees to exercise its audit right by instructing Microsoft to execute the audit as described in this section of the OST. If Customer desires to change this instruction, then Customer has the right to do so as set forth in the Standard Contractual Clauses and GDPR Terms, which change shall be requested in writing. If the Standard Contractual Clauses apply, then this section is in addition to Clause 5 paragraph f and Clause 12 paragraph 2 of the Standard Contractual Clauses.
Nothing in this section of the OST varies or modifies the Standard Contractual Clauses or the GDPR Terms or affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses or GDPR. Microsoft Corporation is an intended third-party beneficiary of this section. If Microsoft becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Microsoft (each a “Security Incident”), Microsoft will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means Microsoft selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable Online Services portal. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident. Microsoft shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident. Microsoft’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Microsoft of any fault or liability with respect to the Security Incident.
Customer must notify Microsoft promptly about any possible misuse of its accounts or authentication credentials or any security incident related to an Online Service. Except as described elsewhere in the OST, Customer Data and Personal Data that Microsoft processes on Customer’s behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. Customer appoints Microsoft to perform any such transfer of Customer Data and Personal Data to any such country and to store and process Customer Data and Personal Data to provide the Online Services. All transfers of Customer Data out of the European Union, European Economic Area, and Switzerland by the Core Online Services shall be governed by the Standard Contractual Clauses in Attachment 3, unless the Customer has opted out of those clauses.
Appears in 1 contract
Samples: Cloud Services Agreement
Auditing Compliance. Microsoft will conduct audits of the security of the computers, computing environment, and physical data centers that it uses in processing Customer Data, Professional Service Data, and Personal Data, as follows:
• Where a standard or framework provides for audits, an audit of such control standard or framework will be initiated at least annually.
• Each audit will be performed according to the standards and rules of the regulatory or accreditation body for each applicable control standard or framework.
• Each audit will be performed by qualified, independent, third party security auditors at Microsoft’s selection and expense.
Each audit will result in the generation of an audit report (“Microsoft Audit Report”), which Microsoft will make available at xxxxx://xxxxxxxxxxxx.xxxxxxxxx.xxx/ or another location identified by Microsoft. The Microsoft Audit Report will be Microsoft’s Confidential Information and will clearly disclose any material findings by the auditor. Microsoft will promptly remediate issues raised in any Microsoft Audit Report to the satisfaction of the auditor. If Customer requests, Microsoft will provide Customer with each Microsoft Audit Report. The Microsoft Audit Report will be subject to non-disclosure and distribution limitations of Microsoft and the auditor. To the extent Customer’s audit requirements under the Standard Contractual Clauses or Data Protection Requirements cannot reasonably be satisfied through audit reports, documentation or compliance information Microsoft makes generally available to its customers, Microsoft will promptly respond to Customer’s additional audit instructions.
Before the commencement of an audit, Customer and Microsoft will mutually agree upon the scope, timing, duration, control and evidence requirements, and fees for the audit, provided that this requirement to agree will not permit Microsoft to unreasonably delay performance of the audit. To the extent needed to perform the audit, Microsoft will make the processing systems, facilities and supporting documentation relevant to the processing of Customer Data, Professional Services Data, and Personal Data by Microsoft, its Affiliates, and its Subprocessors available. Such an audit will be conducted by an independent, accredited third-party audit firm, during regular business hours, with reasonable advance notice to Microsoft, and subject to reasonable confidentiality procedures. Neither Customer nor the auditor shall have access to any data from Microsoft’s other customers or to Microsoft systems or facilities not involved in providing the applicable Products and Services. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Microsoft expends for any such audit, in addition to the rates for services performed by Microsoft. If the audit report generated as a result of Customer’s audit includes any finding of material non-compliance, Customer shall share such audit report with Microsoft and Microsoft shall promptly cure any material non-compliance. Nothing in this section of the DPA varies or modifies the GDPR Terms or affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses or Data Protection Requirements. Microsoft Corporation is an intended third-party beneficiary of this section.
Appears in 1 contract
Samples: Business and Services Agreement