Right to Audit - Sample Clause
Section [X]. Right to Audit
(a) Audit Right. Subject to the terms of this Section, no more than once per twelve (12) month period (or more frequently in response to a confirmed Security Incident or upon a regulator's written demand), Customer may, at Customer's expense and upon thirty (30) days' prior written notice, audit Provider's compliance with the Agreement, including the Business Associate Agreement and the Data Processing Agreement, with respect to the Services provided to Customer (an "Audit").
(b) Conduct of Audit. Audits shall be conducted (i) by Customer's qualified employees or by an independent third-party auditor that is not a competitor of Provider and is reasonably acceptable to Provider; (ii) during normal business hours; (iii) in a manner that does not unreasonably interfere with Provider's operations; and (iv) in accordance with Provider's reasonable security, confidentiality, and access policies, including any background-check and non-disclosure requirements applicable to the auditors.
(c) Scope. The scope of an Audit is limited to records and systems reasonably necessary to verify Provider's compliance with the Agreement, the Business Associate Agreement, the Data Processing Agreement, and applicable law. The Audit does not extend to (i) other Provider customers' data or systems; (ii) Provider's internal financial records, employee personal files, or trade-secret algorithmic detail beyond what is necessary to verify control implementation; or (iii) the data centers and infrastructure of Provider's cloud subprocessor (Amazon Web Services), audit of which is satisfied by the inheritance of AWS's then-current SOC 2 Type II, ISO 27001, and FedRAMP audit reports made available to Customer under non-disclosure agreement.
(d) Available Reports. Provider will make the following reports available to Customer in lieu of, or as a supplement to, an on-site Audit: (i) Provider's most recent SOC 2 Type II report, when issued; (ii) Provider's most recent HITRUST CSF certification, when issued; (iii) an executive summary of Provider's most recent third-party penetration test, redacted as necessary to protect the remediation status of any then-open findings; (iv) Provider's then-current Information Security Policy summary; and (v) Provider's then-current HIPAA Risk Assessment executive summary. The Parties acknowledge that the reports in (i) through (iii) substantially address the matters that would be reviewed in an on-site Audit.
(e) Findings. Customer shall provide Provider with a written report of any Audit findings within thirty (30) days following the conclusion of the Audit. The Parties shall promptly meet and confer in good faith to agree on remediation, if any. Provider shall remediate confirmed findings on a schedule commensurate with severity: critical findings within seven (7) days; high findings within thirty (30) days; medium findings within ninety (90) days; low findings within the next calendar quarter.
(f) Confidentiality. All information observed, accessed, or generated by Customer or Customer's auditors in the course of an Audit constitutes Provider's Confidential Information under the Agreement. Customer shall not disclose any Audit finding, observation, working paper, or report to any third party other than (i) Customer's legal counsel; (ii) Customer's external auditors under their professional obligations of confidentiality; (iii) regulators upon demand by legal process or to satisfy Customer's regulatory reporting obligations, with prompt notice to Provider where permitted; and (iv) other recipients with Provider's prior written consent.
(g) Cost. Each Party shall bear its own costs of an Audit. If an Audit identifies material non-compliance by Provider with the Agreement that has caused or is reasonably likely to cause material harm to Customer, Provider shall reimburse Customer's reasonable out-of-pocket Audit costs up to a cap of $[CAP], without prejudice to any other rights or remedies of Customer.
(h) Survival. The Audit right survives termination of the Agreement for the period reasonably necessary for Customer to verify Provider's compliance with its post-termination obligations under the Business Associate Agreement and the Data Processing Agreement, but not more than two (2) years after the effective date of termination.
Drafting Notes for Counsel
- The "no more than once per twelve months" cadence reflects industry-standard practice for mature SaaS engagements; Customer may negotiate a more frequent right where the engagement is high-risk or the Company's third-party attestations are not yet mature.
- Sub-clause (d) (Available Reports) is the Company's preferred path; an audit by document review is faster and cheaper for both parties than an on-site audit and produces the same diligence value once the SOC 2 Type II report is issued.
- Sub-clause (g) (Cost) cap is typically negotiated in tandem with the limitation of liability in the MSA.