What are audit rights under data-processing agreements?

Audit rights under DPAs give controllers the ability to verify that processors are meeting their contractual and regulatory obligations. GDPR Article 28(3)(h) requires that processors "make available to the controller all information necessary to demonstrate compliance" and "allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller." This means you have a legal right to audit your ESP and other processors, and they cannot refuse reasonable audit requests.

In practice, audit rights typically include: documentation reviews (examining security policies, procedures, incident records, and sub-processor arrangements), certification verification (reviewing SOC 2 reports, ISO 27001 certificates, or other independent audits), questionnaire responses (detailed answers to security and compliance questions), and in some cases on-site inspections (physical or virtual visits to review controls firsthand). Many DPAs specify audit procedures, frequency limits, advance notice requirements, and cost allocation to make the process manageable for both parties.

Exercise audit rights strategically and proportionately. For routine oversight, annual certification reviews and questionnaire updates may suffice. Request more intensive audits when circumstances warrant it: after a security incident, significant vendor changes, or regulatory inquiries. If you can't conduct audits directly, accept reputable third-party audit reports (such as a SOC 2 Type II report) as evidence, while retaining the right to more direct audits if concerns arise. Audit rights aren't about catching vendors doing wrong; they're about maintaining confidence that your data is protected and being prepared to demonstrate that confidence if regulators ask.