Common use of County Requested Audits Clause in Contracts

County Requested Audits. At the County’s expense, it or an independent third-party auditor it commissions, will have the right to audit Contractor’s infrastructure, security and privacy practices, data center, Services and/or Systems storing or processing the County Information via an onsite inspection at least once a year. Upon the County’s request Contractor must complete a questionnaire regarding Contractor’s information security and/or privacy program. The County will pay for the County requested audit unless the auditor finds that Contractor has materially breached this Contract, in which case Contractor must bear all costs of the audit; and if the audit reveals material non- compliance with this Paragraph 33.5 (Audit and Inspection, Information Security and Privacy Requirements), the County may exercise its termination rights provided by this Contract. A County requested audit will be conducted during Contractor’s normal business hours with reasonable advance notice, in a manner that does not materially disrupt or otherwise unreasonably and adversely affect Contractor’s normal business operations. The County's request for the audit will specify the scope and areas (e.g., administrative, physical, and technical) that are subject to the audit and may include, but are not limited to physical controls inspection, process reviews, policy reviews, evidence of external and internal vulnerability scans, penetration test results, evidence of code reviews, and evidence of System configuration and audit log reviews. It is understood that the results may be filtered to remove the specific Information of other Contractor customers such as IP address, server names, etc. Contractor must cooperate with the County in the development of the scope and methodology for the audit, and the timing and implementation of the audit. This right of access will extend to any regulators with oversight of the County. Contractor agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes. When not prohibited by regulation, Contractor will provide to the County a summary of: (i) the results of any security audits, security reviews, or other relevant audits, conducted by Contractor or a third party, and (ii) corrective actions or modifications, if any, Contractor will implement in response to such audits. Notwithstanding the preceding sentences, the County will have the right to participate in any such defense at its sole cost and expense, except that in the event Contractor fails to provide the County with a full and adequate defense, as determined by the County in its sole judgment, the County will be entitled to retain its own counsel, including without limitation County Counsel, and to reimbursement from Contractor for all such costs and expenses incurred by the County in doing so. Contractor has no right or authority to enter into any settlement, agree to any injunction, other equitable relief, or make any admission, in any case, on behalf of the County without the County’s prior express written approval.

County Requested Audits. At the County’s expense, it it, or an independent third-party auditor it commissions, will have the right to audit Contractor’s infrastructure, security and privacy practices, data center, Services and/or Systems systems storing or processing the County Information via an onsite inspection at least once a year. Upon the County’s request Contractor must complete a questionnaire regarding Contractor’s information security and/or privacy program. The County will pay for the County requested audit unless the auditor finds that Contractor has materially breached this Contract, in which case Contractor must bear all costs of the audit; and if the audit reveals material non- non-compliance with in this Paragraph 33.5 8.65 (Audit and Inspection, Information Security and Privacy Requirements), the County may exercise its termination rights provided by this Contract. A County requested audit will be conducted during Contractor’s normal business hours with reasonable advance notice, in a manner that does not materially disrupt or otherwise unreasonably and adversely affect Contractor’s normal business operations. The County's request for the audit will specify the scope and areas (e.g., administrative, physical, and technical) that are subject to the audit and may include, but are not limited to physical controls inspection, process reviews, policy reviews, evidence of external and internal vulnerability scans, penetration test results, evidence of code reviews, and evidence of System system configuration and audit log reviews. It is understood that the results may be filtered to remove the specific Information information of other Contractor customers such as IP address, server names, etc. Contractor must cooperate with the County in the development of the scope and methodology for the audit, and the timing and implementation of the audit. This right of access will extend to any regulators with oversight of the County. Contractor agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes. When not prohibited by regulation, Contractor will provide to the County a summary of: (i) the results of any security audits, security reviews, or other relevant audits, conducted by Contractor or a third party, and (ii) corrective actions or modifications, if any, Contractor will implement in response to such audits. Notwithstanding the preceding sentences, the County will have the right to participate in any such defense at its sole cost and expense, except that in the event Contractor fails to provide the County with a full and adequate defense, as determined by the County in its sole judgment, the County will be entitled to retain its own counsel, including without limitation County Counsel, and to reimbursement from Contractor for all such costs and expenses incurred by the County in doing so. Contractor has no right or authority to enter into any settlement, agree to any injunction, other equitable relief, or make any admission, in any case, on behalf of the County without the County’s prior express written approval.

County Requested Audits. At its own expense, the County’s expense, it or an independent third-party auditor it commissionscommissioned by the County, will have the right to audit the Contractor’s infrastructure, security and privacy practices, data Data center, Services services and/or Systems systems storing or processing the County Information via an onsite inspection at least once a year. Upon the County’s request the Contractor must complete a questionnaire regarding Contractor’s information security Information Security and/or privacy program. The County will pay for the County requested audit unless the auditor finds that the Contractor has materially breached this ContractExhibit, in which case the Contractor must bear all costs of the audit; and if the audit reveals material non- non-compliance with this Paragraph 33.5 (Audit and Inspection, Information Security and Privacy Requirements)Exhibit, the County may exercise its termination rights provided by this underneath the Contract. A County requested Such audit will be conducted during the Contractor’s normal business hours with reasonable advance notice, in a manner that does not materially disrupt or otherwise unreasonably and adversely affect the Contractor’s normal business operations. The County's request for the audit will specify the scope and areas (e.g., administrativeAdministrative, physicalPhysical, and technicalTechnical) that are subject to the audit and may include, but are not limited to physical controls inspection, process reviews, policy reviews, evidence of external and internal vulnerability Vulnerability scans, penetration test results, evidence of code reviews, and evidence of System system configuration and audit log reviews. It is understood that the results may be filtered to remove the specific Information of other Contractor customers such as IP address, server names, etc. The Contractor must cooperate with the County in the development of the scope and methodology for the audit, and the timing and implementation of the audit. This right of access will extend to any regulators with oversight of the County. The Contractor agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes. When not prohibited by regulation, the Contractor will provide to the County a summary of: (i) the results of any security audits, security reviews, or other relevant audits, conducted by the Contractor or a third party, ; and (ii) corrective actions or modifications, if any, the Contractor will implement in response to such audits. Notwithstanding the preceding sentences, the County will have the right to participate in any such defense at its sole cost and expense, except that in the event Contractor fails to provide the County with a full and adequate defense, as determined by the County in its sole judgment, the County will be entitled to retain its own counsel, including without limitation County Counsel, and to reimbursement from Contractor for all such costs and expenses incurred by the County in doing so. Contractor has no right or authority to enter into any settlement, agree to any injunction, other equitable relief, or make any admission, in any case, on behalf of the County without the County’s prior express written approval.

County Requested Audits. At its own expense, the County’s expense, it or an independent third-party auditor it commissionscommissioned by the County, will shall have the right to audit Contractor’s infrastructure, security and privacy practices, data Data center, Services services and/or Systems systems storing or processing the County Information via an onsite inspection at least once a year. Upon the County’s request request, Contractor must will complete a questionnaire regarding Contractor’s information security Information Security and/or privacy program. The County will pay for the County requested audit unless the auditor finds that Contractor has materially breached this ContractExhibit, in which case Contractor must will bear all costs of the audit; and if the audit reveals material non- non-compliance with this Paragraph 33.5 (Audit and Inspection, Information Security and Privacy Requirements)Exhibit, the County may exercise its termination rights provided by this underneath the Contract. A County requested Such audit will be conducted during the Contractor’s normal business hours with reasonable advance notice, in a manner that does not materially disrupt or otherwise unreasonably and adversely affect Contractor’s normal business operations. The County's request for the audit will specify the scope and areas (e.g., administrativeAdministrative, physicalPhysical, and technicalTechnical) that are subject to the audit and may include, but are not limited to physical controls inspection, process reviews, policy reviews, evidence of external and internal vulnerability Vulnerability scans, penetration test results, evidence of code reviews, and evidence of System system configuration and audit log reviews. It is understood that the results may be filtered to remove the specific Information of other Contractor customers such as IP address, server names, etc. Contractor must cooperate with the County in the development of the scope and methodology for the audit, and the timing and implementation of the audit. This right of access will shall extend to any regulators with oversight of the County. The Contractor agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes. When not prohibited by regulation, Contractor will provide to the County a summary of: (i) the results of any security audits, security reviews, or other relevant audits, conducted by Contractor or a third party, ; and (ii) corrective actions or modifications, if any, Contractor will implement in response to such audits. Notwithstanding the preceding sentences, the County will have the right to participate in any such defense at its sole cost and expense, except that other provisions in the event Contract, Contractor fails to provide must ensure the County with a full following provisions and adequate defense, as determined by security controls are established for any and all Systems or Hardware provided under the County in its sole judgment, the County will be entitled to retain its own counsel, including without limitation County Counsel, and to reimbursement from Contractor for all such costs and expenses incurred by the County in doing so. Contractor has no right or authority to enter into any settlement, agree to any injunction, other equitable relief, or make any admission, in any case, on behalf of the County without the County’s prior express written approvalcontract.

County Requested Audits. At its own expense, the County’s expense, it or an independent third-party auditor it commissionscommissioned by the County, will shall have the right to audit the Contractor’s infrastructure, security and privacy practices, data Data center, Services services and/or Systems systems storing or processing the County Information via an onsite inspection at least once a year. Upon the County’s request the Contractor must shall complete a questionnaire regarding Contractor’s information security Information Security and/or privacy program. The County will shall pay for the County requested audit unless the auditor finds that the Contractor has materially breached this ContractExhibit, in which case the Contractor must shall bear all costs of the audit; and if the audit reveals material non- non-compliance with this Paragraph 33.5 (Audit and Inspection, Information Security and Privacy Requirements)Exhibit, the County may exercise its termination rights provided by this underneath the Contract. A County requested Such audit will shall be conducted during the Contractor’s normal business hours with reasonable advance notice, in a manner that does not materially disrupt or otherwise unreasonably and adversely affect the Contractor’s normal business operations. The County's request for the audit will specify the scope and areas (e.g., administrativeAdministrative, physicalPhysical, and technicalTechnical) that are subject to the audit and may include, but are not limited to physical controls inspection, process reviews, policy reviews, evidence of external and internal vulnerability Vulnerability scans, penetration test results, evidence of code reviews, and evidence of System system configuration and audit log reviews. It is understood that the results may be filtered to remove the specific Information of other Contractor customers such as IP address, server names, etc. The Contractor must shall cooperate with the County in the development of the scope and methodology for the audit, and the timing and implementation of the audit. This right of access will shall extend to any regulators with oversight of the County. The Contractor agrees to comply with all reasonable recommendations that result from such inspections, tests, and audits within reasonable timeframes. When not prohibited by regulation, the Contractor will provide to the County a summary of: (i) the results of any security audits, security reviews, or other relevant audits, conducted by the Contractor or a third party, ; and (ii) corrective actions or modifications, if any, the Contractor will implement in response to such audits. Notwithstanding the preceding sentences, the County will have the right to participate in any such defense at its sole cost and expense, except that in the event Contractor fails to provide the County with a full and adequate defense, as determined by the County in its sole judgment, the County will be entitled to retain its own counsel, including without limitation County Counsel, and to reimbursement from Contractor for all such costs and expenses incurred by the County in doing so. Contractor has no right or authority to enter into any settlement, agree to any injunction, other equitable relief, or make any admission, in any case, on behalf of the County without the County’s prior express written approval.