Controller Audits. Certain information about Processor’s security standards and practices is sensitive confidential information which will not be disclosed by Processor to Controller. Upon request, Processor agrees to respond, no more than once per year, to a reasonable information security questionnaire concerning security practices specific to the Services provided hereunder. Upon reasonable advance written notice in no case fewer than five (5) business days and Processor acceptance, Controller may, not more than once per year, during normal business hours and at its own expense, inspect Processor’s facilities, networks and procedures directly related to the processing of Controller Personal Data in order to determine compliance with this Agreement. Processor shall reasonably cooperate with such audit by providing access to knowledgeable personnel, physical premises as applicable, documentation, infrastructure, and any application software that Processes Controller Personal Data. Controller shall be responsible for its costs and expenses of such audit. Processor will promptly address and correct any deficiencies identified in any such audit.