1. General
Customers have the right to audit WeSolve’s compliance with its obligations under this Data Processing Agreement (DPA). Audits may be conducted once per year or as required by European Data Protection Legislation, including audits mandated by the Customer’s Supervisory Authority.
WeSolve will fully cooperate by providing the necessary information and assistance to facilitate such audits, ensuring compliance with applicable data protection laws.
2. Independence of Auditors
If the Customer appoints a third-party auditor, WeSolve reserves the right to object to the auditor if:
- The auditor is not independent.
- The auditor is a direct competitor of WeSolve.
- The auditor is otherwise manifestly unsuitable.
If WeSolve raises an objection, the Customer must either appoint another auditor or conduct the audit internally.
3. Audit Request Process
Customers must submit a detailed audit request to WeSolve at least eight (8) weeks in advance of the proposed audit date.
The audit request must include:
- The scope and objectives of the audit.
- The proposed duration and start date.
- The third-party auditor’s details (if applicable).
Before the audit, any third-party auditor must sign a non-disclosure agreement (NDA), ensuring the confidential treatment of all exchanged information and reports.
WeSolve’s Review & Approval Process
- WeSolve will review the proposed audit plan and may raise concerns (e.g., if a request compromises WeSolve’s security, privacy, or employment policies).
- Both parties will work together to agree on a final audit plan that meets compliance needs without disrupting WeSolve’s operations.
- The audit must be conducted during regular business hours and in accordance with WeSolve’s security and operational policies.
Alternative to Physical Audits
If the requested audit covers controls already assessed in an independent audit report (e.g., SOC, ISO, NIST), issued within 12 months prior to the audit request, WeSolve may provide this certified report in lieu of conducting an audit. The Customer agrees to accept this report if no material changes have occurred.
4. Audit Execution & Reporting
- Audits must not unreasonably interfere with WeSolve’s business operations.
- Customers must promptly notify WeSolve of any non-compliance issues discovered.
- Any generated audit reports must be shared with WeSolve, unless prohibited by law or the Supervisory Authority.
- Customers may only use audit reports to meet their regulatory audit requirements or confirm WeSolve’s compliance with the DPA.
5. Audit Costs
- All audit-related costs and expenses are the responsibility of the Customer.
- Customers must reimburse WeSolve for any time and resources allocated to the audit at WeSolve’s standard professional services rates.
- If a third-party auditor is used, all fees and expenses for that auditor are the Customer’s responsibility.
WeSolve is not obligated to provide additional sub-processor audit details beyond what the sub-processors generally make available to their customers.