12. Audit
During the Term of the Agreement, on an annual basis, Tradeshift Belgium will conduct, at no charge to Customer, an ISAE SOC 2, Type II and an ISO 27001 audit of controls relating to the network operations of Babelway through which Personal Data is processed by Babelway under an Agreement, which audit will be performed by an independent certified public accounting firm (or similarly qualified person). If a deficiency is identified as a result of such audit, Tradeshift Belgium will remediate, as Tradeshift Belgium deems reasonable given the circumstances, within an agreed to and reasonable timeframe. All costs of remediation will be the responsibility of Tradeshift Belgium.
In the event Customer wishes to audit Tradeshift Belgium’s compliance with this DPA, an independent third party auditor mutually agreed to by the parties (the “Auditor”) may, on behalf of Customer and at the expense of Customer, audit Tradeshift Belgium’s compliance with the terms of this DPA up to once per year. The Auditor may perform more frequent audits of the data center facility that Processes Personal Data to the extent required by laws applicable to Customer. The Auditor must execute a written confidentiality agreement acceptable to Tradeshift Belgium before conducting the audit.
To request an audit, Customer must submit a detailed audit plan to Tradeshift Belgium at least four weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Tradeshift Belgium will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Babelway’s security, privacy, employment or other relevant policies). Tradeshift Belgium will work cooperatively with Customer to agree on a final audit plan. If the requested audit scope is addressed in an SSAE SOC 1, Type II or ISO 27001 report prepared for Tradeshift Belgium by a qualified third party auditor or another equivalent report within the prior twelve (12) months and Tradeshift Belgium confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
The audit must be conducted during regular business hours at the applicable facility, subject to Tradeshift Belgium’s policies, and may not unreasonably interfere with Tradeshift Belgium’s business activities.
Customer will provide Tradeshift Belgium any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer agrees that Tradeshift Belgium may, at their discretion, release the audit report to a third party provided Customer is given a reasonable opportunity to redact any personal, confidential, or proprietary information that may be contained in the audit report. Customer may use the audit reports only for the purpose of confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.
Any audits are at the Customer’s expense. Any request for Tradeshift Belgium to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision of services under the Agreement. Tradeshift Belgium will seek the Customer’s written approval and agreement to pay any related fees before performing such audit assistance.