Common use of RECORDS, INFORMATION AND AUDIT Clause in Contracts

RECORDS, INFORMATION AND AUDIT. 7.1 The Data Processor shall maintain, in accordance with Data Protection Laws binding on the Data Processor, written records of all categories of processing activities of the Protected Data carried out on behalf of the Data Controller. 7.2 The Data Processor shall provide, upon the Data Controller’s request, all information reasonably necessary to demonstrate the Data Processor’s compliance with this Addendum. 7.3 If the Data Controller has justifiable reason to believe that the Data Processor is not complying with the terms and conditions under the Addendum, in particular with the obligation to maintain and implement the agreed technical and organizational measures, or those arising out of inquiries by its auditors or regulators, the Data Processor will use commercially reasonable efforts to work in good faith to respond to further inquiries by Data Controller (including Data Controller inquiries arising out of inquiries by its auditors or regulators) regarding Data Processor’s information security program as it relates to Protected Data, which may include (1) an onsite visit of Data Processor's offices at 0000 X. Xxxx Street Arlington, VA 22202 no more than once per calendar year, at a mutually agreed upon time during Data Processor’s normal business hours and (2) no more than once every calendar year, requiring Data Processor to complete or respond to a risk due diligence document provided by Data Controller requesting information on information security and related measures. During the course of any onsite visit by Data Controller, Data Processor shall make available to Data Controller (i) information pertaining to Data Processor’s information security program as it relates to Protected Data, (ii) appropriate personnel to review with Data Controller such information security program and (iii) other information related to compliance with the Agreement and this Addendum as requested by Data Controller and reasonably available to the Data Processor. Any onsite visit shall be subject to Data Processor’s standard security and confidentiality procedures and practices, including but not limited to, Data Processor’s requirement that Data Controller must enter into a non-disclosure agreement before the visit. In addition, Data Processor shall provide Data Controller with the following information: (x) updates on internal security measures (y) risk reports (e.g. SOC reviews, where available), penetration assessment summaries and due diligence documentation, and (z) selected risk and compliance information and evidence of its internal security controls through additional on-site visits, questionnaires, phone calls and video conference meetings, in each case to the extent Data Processor deems the provision of such information to be appropriate in its sole good faith discretion and makes such information generally available to similarly situated customers of Data Processor.