County Requested Audits. At the County’s expense, it or an independent third-party auditor it commissions, will have the right to audit Contractor’s infrastructure, security and privacy practices, data center, Services and/or Systems storing or processing the County Information via an onsite inspection at least once a year. Upon the County’s request Contractor must complete a questionnaire regarding Contractor’s information security and/or privacy program. The County will pay for the County requested audit unless the auditor finds that Contractor has materially breached this Contract, in which case Contractor must bear all costs of the audit; and if the audit reveals material non- compliance with this Paragraph 33.5 (Audit and Inspection, Information Security and Privacy Requirements), the County may exercise its termination rights provided by this Contract. A County requested audit will be conducted during Contractor’s normal business hours with reasonable advance notice, in a manner that does not materially disrupt or otherwise unreasonably and adversely affect Contractor’s normal business operations. The County's request for the audit will specify the scope and areas (e.g., administrative, physical, and technical) that are subject to the audit and may include, but are not limited to physical controls inspection, process reviews, policy reviews, evidence of external and internal vulnerability scans, penetration test results, evidence of code reviews, and evidence of System configuration and audit log reviews. It is understood that the results may be filtered to remove the specific Information of other Contractor customers such as IP address, server names, etc. Contractor must cooperate with the County in the development of the scope and methodology for the audit, and the timing and implementation of the audit. This right of access will extend to any regulators with oversight of the County. Contractor agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes. When not prohibited by regulation, Contractor will provide to the County a summary of: (i) the results of any security audits, security reviews, or other relevant audits, conducted by Contractor or a third party, and (ii) corrective actions or modifications, if any, Contractor will implement in response to such audits. Notwithstanding the preceding sentences, the County will have the right to participate in any such defense at its sole cost and expe...
