Audit Policy

General

Customer may audit Accept Mission’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by European Data Protection Legislation, including where mandated by Customer’s Supervisory Authority. Accept Mission will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit.

Independence

If a third party is to conduct the audit, Accept Mission may object to the auditor if the auditor is, in Accept Mission’s reasonable opinion, not independent, a competitor of Accept Mission, or otherwise manifestly unsuitable. Such objection by Accept Mission will require Customer to appoint another auditor or conduct the audit itself.

Audit Request

To request an audit, Customer must submit a detailed proposed audit plan to Accept Mission at least eight (8) weeks in advance of the proposed audit date and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Accept Mission will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Accept Mission security, privacy, employment or other relevant policies). Accept Mission will work cooperatively with Customer to agree on a final audit plan. Nothing in this Policy shall require Accept Mission to breach any duties of confidentiality.  

If the controls or measures to be assessed in the requested audit are addressed in an SOC, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Accept Mission has confirmed there are no known material changes in the controls audited, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.

The audit must be conducted during regular business hours, subject to the agreed final audit plan and Accept Mission’s safety, security, or other relevant policies, and may not unreasonably interfere with Accept Mission business activities.

Customer will promptly notify Accept Mission of any non-compliance discovered during an audit and provide Accept Mission any audit reports generated in connection with any audit under this Section 5.4, unless prohibited by European Data Protection Legislation or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this Addendum.

Audit Costs

Any audits are at Customer’s expense. Customer shall reimburse Accept Mission for any time expended by Accept Mission or its Third-Party Sub processors in connection with any audits or inspections at Accept Mission’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. Nothing in this Addendum shall be construed to require Accept Mission to furnish more information about its Third-Party Sub processors in connection with such audits than such Third-Party Sub processors make generally available to their customers.