During the Term of the Agreement, on an annual basis, Babelway will conduct, at no charge to Customer, an ISAE SOC 2, Type II and an ISO 27001 audit of controls relating to the network operations of Babelway through which Personal Data is processed by Babelway under an Agreement, which audit will be performed by an independent certified public accounting firm (or similarly qualified person). If a deficiency is identified as result of such audit, Babelway will remediate, as Babelway deems reasonable given the circumstances, within an agreed to and reasonable timeframe. All costs of remediation will be the responsibility of Babelway.
In the event Customer wishes to audit Babelway’s compliance with this DPA, an independent third party auditor mutually agreed to by the parties (the “Auditor”) may, on behalf of Customer and at the expense of Customer, audit Babelway’s compliance with the terms of this DPA up to once per year. The Auditor may perform more frequent audits of the data center facility that Processes Personal Data to the extent required by laws applicable to Customer. The Auditor must execute a written confidentiality agreement acceptable to Babelway before conducting the audit.
To request an audit, Customer must submit a detailed audit plan to Babelway at least four weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Babelway will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Babelway’s security, privacy, employment or other relevant policies). Babelway will work cooperatively with Customer to agree on a final audit plan. If the requested audit scope is addressed in a SSAE SOC 1, Type II or ISO27001 report prepared for Babelway by a qualified third party auditor or another equivalent report within the prior twelve (12) months and Babelway confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
The audit must be conducted during regular business hours at the applicable facility, subject to Babelway’s policies, and may not unreasonably interfere with Babelway’s business activities.
Customer will provide Babelway any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer agrees that Babelway may, at their discretion, release the audit report to a third party provided Customer is given a reasonable opportunity to redact any personal, confidential, or proprietary information that may be contained in the audit report. Customer may use the audit reports only for the purpose of confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.
Any audits are at the Customer’s expense. Any request for Babelway to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision services under the Agreement. Babelway will seek the Customer’s written approval and agreement to pay any related fees before performing such audit assistance.