Common use of Operational Audits Clause in Contracts

Operational Audits. Provider shall provide to Customer and to internal and external auditors, inspectors, regulators and other representatives that Customer may designate from time to time (“Customer Auditors”) access in accordance with Section 14.2(b) below to perform operational audits and inspections of Provider, Provider Agents and their respective facilities (“Operational Audits”), to: (i) verify the integrity of the Customer Data; (ii) examine the systems that access, process, store, support and transmit that data and examine the results of external Third Party data processing audits or reviews relating to Provider’s operations relevant to the Services; (iii) verify whether the Services comply with Customer Compliance Requirements and the requirements of the “Privacy Requirements” Exhibit; (iv) evaluate Provider’s compliance with the requirements of the “Information Security Requirements” Exhibit (i.e., Provider’s physical and logical security and Disaster Recovery Services), including examination of all self-conducted and Third Party intrusion vulnerability and CONFIDENTIAL TREATMENT HAS BEEN REQUESTED FOR PORTIONS OF THIS EXHIBIT. THE COPY FILED HEREWITH OMITS THE INFORMATION SUBJECT TO A CONFIDENTIALITY REQUEST. OMISSIONS ARE DESIGNATED [ * * * ]. A COMPLETE VERSION OF THIS EXHIBIT HAS BEEN FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION. penetration assessments and reports; (v) confirm that the Services are being provided in accordance with the Agreement, including the Service Levels; (vi) verify the integrity of Provider’s Performance Reports (including raw data from which such Performance Reports are compiled); (vii) facilitate Customer Group’s compliance with Customer Compliance Requirements; and (viii) examine, test and assess Provider’s systems, policies and procedures relating to intrusion detection and interception with respect to the Provider systems used to provide the Services, provided that any penetration testing on Shared Systems or any other system which would reasonably impact a Provider customer shall be subject to Provider’s security policies and the prior written consent of the Third Party with whom such system is shared, which Provider shall use commercially reasonable efforts to obtain.

Operational Audits. Provider (a) During the Audit Period, Successful Respondent shall provide to Customer DIR Auditors access, at reasonable hours and upon reasonable notice, to Successful Respondent Personnel, to the facilities at or from which Services are then being provided, and to internal and external auditors, inspectors, regulators Successful Respondent records and other representatives that Customer may designate from time pertinent information, all to time (“Customer Auditors”) the extent relevant to the Services and Successful Respondent’s obligations under this Agreement. Such access in accordance with Section 14.2(b) below to perform operational shall be provided for the purpose of performing audits and inspections of Provider, Provider Agents and their respective facilities (“Operational Audits”), to: : (i) verify the integrity of the Customer DIR Data; ; (ii) examine the systems Systems that access, process, store, support support, and transmit that data DIR Data (including system capacity, performance, and examine the results of external Third Party data processing audits or reviews relating to Provider’s operations relevant to the Services; utilization); (iii) verify whether the Services comply with Customer Compliance Requirements examine Successful Respondent’s internal controls (e.g., financial controls, human resources controls, organizational controls, input/output controls, system modification controls, processing controls, system design controls, and access controls) and the requirements of the “Privacy Requirements” Exhibit; security, disaster recovery, and back-up practices and procedures; (iv) evaluate Providerexamine Successful Respondent’s compliance with the requirements performance of the “Information Security Requirements” Exhibit (i.e., Provider’s physical and logical security and Disaster Recovery Services), including examination of all self-conducted and Third Party intrusion vulnerability and CONFIDENTIAL TREATMENT HAS BEEN REQUESTED FOR PORTIONS OF THIS EXHIBIT. THE COPY FILED HEREWITH OMITS THE INFORMATION SUBJECT TO A CONFIDENTIALITY REQUEST. OMISSIONS ARE DESIGNATED [ * * * ]. A COMPLETE VERSION OF THIS EXHIBIT HAS BEEN FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION. penetration assessments and reports; ; (v) confirm that verify Successful Respondent’s reported performance against the Services are being provided in accordance with the Agreement, including the applicable Service Levels; ; (vi) verify the integrity of Providerexamine Successful Respondent’s Performance Reports (including raw data from which such Performance Reports are compiled)measurement, monitoring, and management tools; and (vii) enable DIR and DIR Customers to meet applicable legal, regulatory, and contractual requirements. (b) During the Audit Period, Successful Respondent shall: (i) provide any assistance requested by DIR Auditors in conducting any such audit, including installing and operating audit software; (ii) make requested Successful Respondent Personnel, records, and information available to DIR Auditors; and (iii) in all cases, provide such assistance, personnel, records, and information in an expeditious manner to facilitate Customer Groupthe timely completion of such audit. (c) If an audit reveals a material breach of this Agreement, Successful Respondent shall, upon DIR’s compliance with Customer Compliance Requirements; and request, promptly reimburse DIR for reasonable auditors’ fees including any follow-up audit to verify that such breach has been corrected. (viiid) examine, test and assess ProviderDIR Auditors agree to protect Successful Respondent’s systems, policies and procedures relating to intrusion detection and interception with respect to the Provider systems used to provide the Services, provided that any penetration testing on Shared Systems or any other system which would reasonably impact a Provider customer shall be Confidential Information subject to Provider’s security policies and the prior written consent of the Third Party with whom such system is sharedapplicable Laws, which Provider shall use commercially reasonable efforts to obtainincluding all applicable public information Laws.

Operational Audits. Provider shall Upon reasonable advance notice (and no longer than 48 hours), during the Audit Period, Supplier will provide to Customer NCR (and to internal and external auditors, inspectors, regulators and other representatives authorized by NCR that Customer NCR may designate from time to time (collectively, “Customer NCR Auditors”) ), access in accordance at reasonable business hours and at NCR’s expense, to Supplier Personnel, to the facilities at or from which Services are then being provided and to Supplier records and other pertinent information, all to the extent relevant to the Services and Supplier’s obligations under this Agreement. Such access may not be withheld for audits concerning NCR’s compliance with Section 14.2(b) below to perform operational regulatory requirements and Supplier’s compliance with Legal Requirements. Such access is for the purpose of performing audits and inspections of Provider, Provider Agents and their respective facilities to (“Operational Audits”), to: (ia) verify the integrity of the Customer NCR Data; , (iib) examine the systems that access, process, store, support and transmit that data (including system capacity, performance and utilization), (c) examine the results internal controls (e.g., financial controls, human resources controls, organizational controls, input/output controls, system modification controls, processing controls, system design controls and access controls) and the security, disaster recovery, business continuity and back-up practices and procedures, (d) examine Supplier’s performance of external Third Party data processing the Services, (e) examine Supplier’s measurement, monitoring and management tools and (f) enable NCR to meet applicable legal, regulatory and contractual requirements. Supplier will (1) provide any assistance reasonably requested by NCR Auditors in conducting any such audit, including installing and operating audit software, (2) make requested personnel, records, and information available to NCR Auditors and (3) in all cases, provide such assistance, personnel, records and information in an expeditious manner to facilitate the timely completion of such audit. If an audit reveals a material breach of this Agreement, then, without limiting NCR’s other remedies under this Agreement, Supplier will promptly reimburse NCR for the actual cost of the auditor, including auditor’s fees. During the Audit Period, Supplier will (at all times subject to confidentiality requirements between Supplier and its vendors), pass through to NCR the same prices invoiced to Supplier by such vendors; provide to NCR auditors access at reasonable hours to Supplier Personnel and to Contract Records and other pertinent information to conduct financial audits or reviews relating to Provider’s operations the extent relevant to the Services; performance of Supplier’s obligations under this Agreement to (iii) verify whether the Services comply with Customer Compliance Requirements and the requirements of the “Privacy Requirements” Exhibit; (iv) evaluate Provider’s compliance with the requirements of the “Information Security Requirements” Exhibit (i.e., Provider’s physical and logical security and Disaster Recovery Services), including examination of all self-conducted and Third Party intrusion vulnerability and CONFIDENTIAL TREATMENT HAS BEEN REQUESTED FOR PORTIONS OF THIS EXHIBIT. THE COPY FILED HEREWITH OMITS THE INFORMATION SUBJECT TO A CONFIDENTIALITY REQUEST. OMISSIONS ARE DESIGNATED [ * * * ]. A COMPLETE VERSION OF THIS EXHIBIT HAS BEEN FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION. penetration assessments and reports; (v) confirm that the Services are being provided in accordance with the Agreement, including the Service Levels; (vii) verify the integrity accuracy and completeness of Provider’s Performance Reports Contract Records, and (ii) verify the accuracy and completeness of Charges and Out-of-Pocket Expenses. If any such audit reveals an overcharge by Supplier, and Supplier does not successfully dispute the amount questioned by such audit, Supplier will promptly pay to NCR the amount of such overcharge, and Supplier shall promptly reimburse NCR for the actual cost of such audit (including raw data from which such Performance Reports are compiledauditors’ fees); (vii) facilitate Customer Group’s compliance with Customer Compliance Requirements; and (viii) examine, test and assess Provider’s systems, policies and procedures relating to intrusion detection and interception with respect to the Provider systems used to provide the Services, provided that any penetration testing on Shared Systems or any other system which would reasonably impact a Provider customer shall be subject to Provider’s security policies and the prior written consent of the Third Party with whom such system is shared, which Provider shall use commercially reasonable efforts to obtain.

Operational Audits. Provider shall Upon reasonable advance notice (and no longer than 48 hours), during the Audit Period, Supplier will provide to Customer NCR Voyix (and to internal and external auditors, inspectors, regulators and other representatives authorized by NCR Voyix that Customer NCR Voyix may designate from time to time (collectively, “Customer NCR Voyix Auditors”) ), access in accordance at reasonable business hours and at NCR Voyix’s expense, to Supplier Personnel, to the facilities at or from which Services are then being provided and to Supplier records and other pertinent information, all to the extent relevant to the Services and Supplier’s obligations under this Agreement. Such access may not be withheld for audits concerning NCR Voyix’s compliance with Section 14.2(b) below to perform operational regulatory requirements and Supplier’s compliance with Legal Requirements. Such access is for the purpose of performing audits and inspections of Provider, Provider Agents and their respective facilities to (“Operational Audits”), to: (ia) verify the integrity of the Customer NCR Voyix Data; , (iib) examine the systems that access, process, store, support and transmit that data (including system capacity, performance and utilization), (c) examine the results internal controls (e.g., financial controls, human resources controls, organizational controls, input/output controls, system modification controls, processing controls, system design controls and access controls) and the security, disaster recovery, business continuity and back-up practices and procedures, (d) examine Supplier’s performance of external Third Party data processing the Services, (e) examine Supplier’s measurement, monitoring and management tools and (f) enable NCR Voyix to meet applicable legal, regulatory and contractual requirements. Supplier will (1) provide any assistance reasonably requested by NCR Voyix Auditors in conducting any such audit, including installing and operating audit software, (2) make requested personnel, records, and information available to NCR Voyix Auditors and (3) in all cases, provide such assistance, personnel, records and information in an expeditious manner to facilitate the timely completion of such audit. If an audit reveals a material breach of this Agreement, then, without limiting NCR Voyix’s other remedies under this Agreement, Supplier will promptly reimburse NCR Voyix for the actual cost of the auditor, including auditor’s fees. During the Audit Period, Supplier will (at all times subject to confidentiality requirements between Supplier and its vendors), pass through to NCR Voyix the same prices invoiced to Supplier by such vendors; provide to NCR Voyix auditors access at reasonable hours to Supplier Personnel and to Contract Records and other pertinent information to conduct financial audits or reviews relating to Provider’s operations the extent relevant to the Services; performance of Supplier’s obligations under this Agreement to (iii) verify whether the Services comply with Customer Compliance Requirements and the requirements of the “Privacy Requirements” Exhibit; (iv) evaluate Provider’s compliance with the requirements of the “Information Security Requirements” Exhibit (i.e., Provider’s physical and logical security and Disaster Recovery Services), including examination of all self-conducted and Third Party intrusion vulnerability and CONFIDENTIAL TREATMENT HAS BEEN REQUESTED FOR PORTIONS OF THIS EXHIBIT. THE COPY FILED HEREWITH OMITS THE INFORMATION SUBJECT TO A CONFIDENTIALITY REQUEST. OMISSIONS ARE DESIGNATED [ * * * ]. A COMPLETE VERSION OF THIS EXHIBIT HAS BEEN FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION. penetration assessments and reports; (v) confirm that the Services are being provided in accordance with the Agreement, including the Service Levels; (vii) verify the integrity accuracy and completeness of Provider’s Performance Reports Contract Records, and (ii) verify the accuracy and completeness of Charges and Out-of-Pocket Expenses. If any such audit reveals an overcharge by Supplier, and Supplier does not successfully dispute the amount questioned by such audit, Supplier will promptly pay to NCR Voyix the amount of such overcharge, and Supplier shall promptly reimburse NCR Voyix for the actual cost of such audit (including raw data from which such Performance Reports are compiledauditors’ fees); (vii) facilitate Customer Group’s compliance with Customer Compliance Requirements; and (viii) examine, test and assess Provider’s systems, policies and procedures relating to intrusion detection and interception with respect to the Provider systems used to provide the Services, provided that any penetration testing on Shared Systems or any other system which would reasonably impact a Provider customer shall be subject to Provider’s security policies and the prior written consent of the Third Party with whom such system is shared, which Provider shall use commercially reasonable efforts to obtain.

Operational Audits. Provider Supplier shall provide the auditors designated by Advanta in writing, including Governmental Authorities, third-party auditors and Advanta’s internal audit staff, with access at all times to Customer any facility at which the Services are being performed, to Supplier and Supplier Agent personnel, and to internal the data and external auditors, inspectors, regulators and other representatives that Customer may designate from time records maintained by Supplier with respect to time the Services: (“Customer Auditors”a) access in accordance with Section 14.2(b) below to perform operational for the purpose of performing audits and inspections of ProviderSupplier, Provider Agents the Supplier Agents, and their respective facilities businesses as they relate to the Services (“Operational Audits”including any audits necessary to enable verification of compliance with Regulatory Requirements), to: ; (ib) verify for the ****** — Denotes material that has been omitted and filed separately with the Commission. purpose of verifying the integrity of the Customer Data; (ii) examine personal information, examining the systems that access, process, store, support support, and transmit that data such data, confirming the security of such personal information, and examine the results of external Third Party data processing audits or reviews relating to Provider’s operations relevant to the Services; (iii) verify whether the Services comply with Customer Compliance Requirements and the requirements of the “Privacy Requirements” Exhibit; (iv) evaluate Providerverifying Supplier’s compliance with the data protection requirements of the “Information Security Requirements” Exhibit (i.e., Provider’s physical and logical other data security and Disaster Recovery Services), including examination of all self-conducted and Third Party intrusion vulnerability and CONFIDENTIAL TREATMENT HAS BEEN REQUESTED FOR PORTIONS OF THIS EXHIBIT. THE COPY FILED HEREWITH OMITS THE INFORMATION SUBJECT TO A CONFIDENTIALITY REQUEST. OMISSIONS ARE DESIGNATED [ * * * ]. A COMPLETE VERSION OF THIS EXHIBIT HAS BEEN FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION. penetration assessments and reportsrequirements; (vc) confirm for the purpose of examining data and records pertaining to Advanta’s or any other Service Recipient’s compliance with the ▇▇▇▇▇▇▇▇-▇▇▇▇▇ Requirements; (d) for the purpose of confirming that the Services are being provided efficiently and in accordance with the this Agreement, including the Service Levels; and (vie) verify for any other reasonable business purpose. To the integrity extent applicable to the Services, the scope of Providersuch audits and inspections may include: (i) Supplier’s Performance Reports (including raw data from which such Performance Reports are compiled)practices and procedures; (viiii) facilitate Customer Group’s compliance with Customer Compliance Requirementsthe adequacy of general controls (e.g., organizational controls, input/output controls, system modification controls, processing controls, system design controls, and access controls) and security practices and procedures; (iii) the adequacy of disaster recovery and back-up procedures; and (viiiiv) examineany analyses necessary to enable compliance with applicable Regulatory Requirements. If any audit by an auditor designated by Advanta, test any other Service Recipient or a regulatory authority results in Supplier being notified that Supplier or Supplier Agents are not in compliance with any Regulatory Requirement or audit requirement (e.g., Sarbanes Oxley Requirements), Supplier shall, and assess Provider’s systemsshall cause Supplier Agents to, policies and procedures promptly take actions to comply with such Regulatory Requirement or audit requirement. Supplier shall bear the expense of any such response that is required by a Supplier Regulatory Requirement or audit requirement relating to intrusion detection and interception Supplier’s business or necessary due to Supplier’s noncompliance with respect any Supplier Regulatory Requirement or audit requirement imposed on Supplier. To the extent the expense is not payable by Supplier pursuant to the Provider systems used preceding sentence, Advanta shall bear the expense of any such compliance that is required by any Advanta Regulatory Requirement or audit requirement relating to provide the Services, provided that Advanta’s business or necessary due to Advanta’s noncompliance with any penetration testing Advanta Regulatory Requirement or audit requirement imposed on Shared Systems or any other system which would reasonably impact a Provider customer shall be subject to Provider’s security policies and the prior written consent of the Third Party with whom such system is shared, which Provider shall use commercially reasonable efforts to obtainAdvanta.

Operational Audits. Provider During the Audit Period (as defined in Section 9.12(a), Supplier shall, and shall cause its Subcontractors and suppliers to, provide to Customer Hercules (and to internal and external auditors, inspectors, regulators and other representatives that Customer Hercules may designate from time to time (“Customer Auditors”time), including customers, vendors, licensees and other third parties to the extent Hercules or the Eligible Recipients are legally or contractually obligated to submit to audits by such entities) access in accordance with Section 14.2(b) below at reasonable hours to perform operational Supplier Personnel, to the facilities at or from which Services are then being provided and to Supplier records and other pertinent information, all to the extent relevant to the Services and Supplier’s obligations under this Agreement. Such access shall be provided for the purpose of performing audits and inspections of Provider, Provider Agents and their respective facilities (“Operational Audits”), to: to (i) verify the integrity of the Customer Hercules Data; , (ii) examine the systems that access, process, store, support and transmit that data and data, (iii) examine the results internal controls (e.g., financial controls, human resource controls, organizational controls, input/output controls, system modification controls, processing controls, system design controls, and access controls) and the security, disaster recovery and back-up practices and procedures; (iv) examine Supplier’s performance of external Third Party data processing audits or reviews relating to Provider’s operations relevant to the Services; (v) verify Supplier’s reported performance against the applicable Service Levels; and (vi) examine Supplier’s measurement, monitoring and management tools. Supplier shall (i) provide any assistance reasonably requested by Hercules or its designee in conducting any such audit, including installing and operating audit software, (ii) make requested personnel, records and information available to Hercules or its designee, and (iii) verify whether the Services comply with Customer Compliance Requirements in all cases, provide such assistance, personnel, records and the requirements of the “Privacy Requirements” Exhibit; (iv) evaluate Provider’s compliance with the requirements of the “Information Security Requirements” Exhibit (i.e., Provider’s physical and logical security and Disaster Recovery Services), including examination of all self-conducted and Third Party intrusion vulnerability and information in an THIS EXHIBIT HAS BEEN REDACTED AND IS THE SUBJECT OF A CONFIDENTIAL TREATMENT HAS BEEN REQUESTED FOR PORTIONS OF THIS EXHIBIT. THE COPY FILED HEREWITH OMITS THE INFORMATION SUBJECT TO A CONFIDENTIALITY REQUEST. OMISSIONS ARE DESIGNATED [ * * * ]. A COMPLETE VERSION OF THIS EXHIBIT REDACTED MATERIAL IS MARKED WITH [******] AND HAS BEEN FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION. penetration assessments and reports; (v) confirm that expeditious manner to facilitate the Services are being provided in accordance with the timely completion of such audit. If an audit reveals a non-trivial breach of this Agreement, including Supplier shall promptly reimburse Hercules for the Service Levels; (vi) verify the integrity actual cost of Provider’s Performance Reports (including raw data from which such Performance Reports are compiled); (vii) facilitate Customer Group’s compliance with Customer Compliance Requirements; and (viii) examine, test and assess Provider’s systems, policies and procedures relating to intrusion detection and interception with respect to the Provider systems used to provide the Services, provided that any penetration testing on Shared Systems or any other system which would reasonably impact a Provider customer shall be subject to Provider’s security policies and the prior written consent of the Third Party with whom such system is shared, which Provider shall use commercially reasonable efforts to obtainaudit.