Common use of Reviews and Audits of Compliance Clause in Contracts

Reviews and Audits of Compliance. Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by any supervisory authority with competent jurisdiction. Provider will contribute to such audits by providing Customer or such supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Provider may object to the auditor if the auditor is, in Provider’s reasonable opinion, not independent, a competitor of Provider, or otherwise manifestly unsuitable. Such objection by Provider will require Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2(b) shall require Provider to breach any duties of confidentiality. 
If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer will promptly notify Provider of any non-compliance discovered during the course of an audit and provide Provider any audit reports generated in connection with any audit under this Section 2(b), unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 2(b) at Provider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

Appears in 2 contracts

Samples: f.hubspotusercontent20.net, f.hubspotusercontent20.net

Reviews and Audits of Compliance. Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Applicable Data Protection Laws, including where mandated by any Customer’s supervisory authority with competent jurisdictionauthority. Provider will contribute to such audits by providing Customer or such Customer’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Provider may object to the auditor if the auditor is, in Provider’s reasonable opinion, not independent, a competitor of Provider, or otherwise manifestly unsuitable. Such objection by Provider will require Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks thirty (30) days in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2(b) 7 shall require Provider to breach any duties of confidentiality. 
If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer will promptly notify Provider of any non-compliance discovered during the course of an audit and provide Provider any audit reports generated in connection with any audit under this Section 2(b)7, unless prohibited by European Applicable Data Protection Laws or otherwise instructed by a supervisory authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 2(b) 7 at Provider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

Appears in 1 contract

Samples: Terms of Service Agreement

Reviews and Audits of Compliance. Customer Client may audit ProviderCultivate’s compliance with its obligations under this DPA Addendum up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by any Client’s supervisory authority with competent jurisdictionauthority. Provider Cultivate will contribute to such audits by providing Customer Client or such Client’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Provider Cultivate may object to the auditor if the auditor is, in ProviderCultivate’s reasonable opinion, not independent, a competitor of ProviderCultivate, or otherwise manifestly unsuitable. Such objection by Provider Cultivate will require Customer Client to appoint another auditor or conduct the audit itself. To request an audit, Customer Client must submit a detailed proposed audit plan to Provider Cultivate at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider Cultivate will review the proposed audit plan and provide Customer Client with any concerns or questions (for example, any request for information that could compromise Provider Cultivate security, privacy, employment or other relevant policies). Provider Cultivate will work cooperatively with Customer Client to agree on a final audit plan. Nothing in this Section 2(b) 2.2 shall require Provider Cultivate to breach any duties of confidentiality. 
If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of CustomerClient’s audit request and Provider Cultivate has confirmed there have been are no known material changes in the controls audited since the date of such reportaudited, Customer Client agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and ProviderCultivate’s safety, security or other relevant policies, and may not unreasonably interfere with Provider Cultivate business activities. Customer Client will promptly notify Provider Cultivate of any non-compliance discovered during the course of an audit and provide Provider Cultivate any audit reports generated in connection with any audit under this Section 2(b)2.2, unless prohibited by European Data Protection Laws or otherwise instructed by a supervisory authority. Customer Client may use the audit reports only for the purposes of meeting CustomerClient’s regulatory audit requirements and/or confirming compliance with the requirements of this DPAAddendum. Any audits are at CustomerClient’s sole expense. Customer Client shall reimburse Provider Cultivate for any time expended by Provider and any third parties Cultivate or its Third Party Subprocessors in connection with any audits or inspections under this Section 2(b) 2.2 at ProviderCultivate’s then-current professional services rates, which shall be made available to Customer Client upon request. Customer Client will be responsible for any fees charged by any auditor appointed by Customer Client to execute any such audit.. 
Nothing in this Addendum shall be construed to require Cultivate to furnish more information about its Third Party Subprocessors in connection with such audits than such Third Party Subprocessors make generally available to their customers. Impact Assessments and Consultations Cultivate will (taking into account the nature of the processing and the information available to Cultivate) reasonably assist Client in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of Cultivate’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in the Agreement, including this Addendum. Data Transfers Data Processing Facilities. Cultivate may, subject to Section 4.2 (Transfers out of the EEA), store and process Personal Data in the United States or anywhere Cultivate or its Subprocessors maintains facilities. Transfers out of the EEA. If Client transfers Personal Data out of the EEA to Cultivate in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the Standard Contractual Clauses, the terms of which are hereby incorporated into this DPA. 
In furtherance of the foregoing, the parties agree that: for purposes of the Standard Contractual Clauses, (a) Client will act as the data exporter and (b) Cultivate will act as the data importer; for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate), and the processing operations shall be as set out in Section 1.1 to this Annex 1 (Subject Matter and Details of Processing); for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures; upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that data importer may remove or redact all commercial information or clauses unrelated the Standard Contractual Clauses or their equivalent beforehand; the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 2.2 of this Annex 1 (Reviews and Audits of Compliance); Client’s authorizations in Section 5 of this Annex 1 (Subprocessors) will constitute Client’s prior written consent to the subcontracting by Cultivate of the processing of Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses; and certification of deletion of Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Client’s request; Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the lawful transfer of Personal Data outside the EEA (e.g., US-E.U. Privacy Shield, binding corporate rules) applies to the transfer. 
Subprocessors

Appears in 1 contract

Samples: Cultivate Data Protection Addendum

Reviews and Audits of Compliance. Customer ‌ Client may audit ProviderDashlane’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Applicable Data Protection Laws, including where when mandated by any Client’s supervisory authority with competent jurisdictionauthority. Provider Xxxxxxxx will contribute to such audits by providing Customer provide Client or such Client’s supervisory authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Provider Xxxxxxxx may object to the any third-party auditor if the auditor isthat, in ProviderXxxxxxxx’s reasonable opinion, is not independent, a competitor of ProviderDashlane, or otherwise manifestly unsuitable. Such objection by Provider In such case, Client will require Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer Client must submit a proposed audit plan to Provider Dashlane at least two weeks in advance of the proposed audit date and any third third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider Xxxxxxxx will work cooperatively with Customer Client to agree on a final audit plan. 
Nothing in this Section 2(b) shall require Provider The audit must be conducted during regular business hours, subject to breach any duties of confidentialitythe agreed final audit plan and Xxxxxxxx’s safety, security or other relevant policies, and may not unreasonably interfere with Dashlane business activities. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third third-party auditor within twelve (12) months of CustomerClient’s audit request and Provider Xxxxxxxx has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to Client will accept such report in lieu of requesting an audit of auditing such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer Client will promptly notify Provider Dashlane of any non-compliance discovered during the course of an audit and provide Provider Dashlane any audit reports generated in connection with any audit under this Section 2(b)reports, unless prohibited by European Applicable Data Protection Laws or otherwise instructed by a its supervisory authority. Customer Client may use the audit reports only for the purposes of meeting Customerto meet Client’s regulatory audit requirements and/or confirming confirm compliance with the requirements of this DPA. Any audits are at CustomerClient’s sole expense. Customer shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 2(b) at Provider’s then-current professional services rates, which shall be made available to Customer upon request. 
Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

Appears in 1 contract

Samples: Data Processing Addendum

Reviews and Audits of Compliance. Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Applicable Data Protection Laws, including where mandated by any supervisory authority with competent jurisdictionCustomer’s Supervisory Authority. Provider will contribute to such audits by providing Customer or such supervisory authority Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit. If a third party is to conduct the audit, Provider may object to the auditor if the auditor is, in Provider’s reasonable opinion, not independent, a competitor of Provider, or otherwise manifestly unsuitable. Such objection by Provider will require Customer to appoint another auditor or conduct the audit itself. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 2(b) 7 shall require Provider to breach any duties of confidentiality. 
If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, where permitted by law, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Customer will promptly notify Provider of any non-compliance discovered during the course of an audit and provide Provider any audit reports generated in connection with any audit under this Section 2(b)7, unless prohibited by European Applicable Data Protection Laws or otherwise instructed by a supervisory authoritySupervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. Any audits are at Customer’s sole expense. Customer shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 2(b) at Provider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

Appears in 1 contract

Samples: Data Processing Addendum
