Audits & Records

Contract Type:
Generic Contract

Each party shall keep and maintain true and accurate records and accounts relating to its performance of this Agreement. Each party shall have the right, at its own expense, upon reasonable notice and at reasonable times, to audit the other party’s records and accounts to verify compliance with this Agreement. Any such audit shall be conducted during normal business hours and shall not interfere unreasonably with the audited party’s business activities. The parties shall retain such records and accounts for a period of [6] years following the expiry or termination of this Agreement.


Here is a plain English explanation of the Audits & Records clause:

This clause requires both parties to keep accurate records and accounts related to the contract.

It allows either party to audit the other party's records. The audit is to check if they are complying with the contract.

The auditing party must pay for the audit themselves. They must give reasonable notice and do the audit during normal business hours. The audit should not unreasonably disrupt work.

Both parties must keep the relevant records for 6 years after the contract ends.

In simple terms, this clause permits each party to audit the other's books and records related to the contract, in order to verify compliance.

The records must be retained for 6 years after termination.

History of the clause (for the geeks)

Record-keeping and audit clauses have long been standard contract features to verify performance, but became more prevalent in data protection agreements as digitalization escalated risks.

Their origins trace back centuries in accounting and business transactions. Keeping orderly records allowed monitoring and auditing financial flows between parties. The development of double-entry bookkeeping in medieval Italy improved transparency.

By the 20th century, contractual record-retention and audit powers were commonplace across industries to confirm compliance beyond just finances. Mass production and outsourcing increased supply chain complexity, necessitating verification.

With the information technology boom since the 1970s, data security and privacy concerns arose. Data protection laws mandated organizational accountability through retaining processing records and accommodating audits.

The 1995 EU Data Protection Directive first codified mandatory record-keeping and empowered regulator audits. But contractual audits between entities remained discretionary until the GDPR explicitly required enabling controller audits in Article 28.

Detailed record-keeping duties and expansive audit rights are now a fixture of modern data protection agreements, allowing verification of security and lawful practices. As digital transformation spreads data processing across vendors, strong clauses govern liability.

They uphold accountability and allow violations to be exposed through comprehensive reviews of internal documentation.