xcPEP Customer Audit Policy
1. Purpose and Scope
This Customer Audit Policy outlines the terms and conditions under which customers of the xcPEP SaaS platform may conduct audits of Advanced Structures India Private Limited's infrastructure and systems. This policy aims to provide transparency and assurance regarding our security and compliance posture, while safeguarding the security and operational integrity of our multi-tenant environment.
2. Right to Audit
Customers may exercise their right to audit the infrastructure and systems directly used to provide and support their xcPEP service, subject to the conditions outlined in this policy. This right is granted solely for the purpose of verifying Advanced Structures India Private Limited's compliance with its security and data protection obligations as outlined in the Master Service Agreement (if in place) and relevant policies of Advanced Structures India Pvt Ltd (e.g., xcPEP Information Security Policy, xcPEP Data Privacy Policy).
3. Scope of Audit
The scope of any customer audit is strictly limited to:
- Infrastructure and systems directly used to serve the auditing customer. This specifically excludes access to infrastructure, data, or systems belonging to other customers or any part of Advanced Structures India Private Limited's internal corporate network not directly related to the provision of the xcPEP service to the auditing customer.
- Logical access to relevant documentation and audit trails. Physical access to data centers or Advanced Structures India Private Limited's premises is generally not permitted, as our core infrastructure is hosted on AWS, which provides its own stringent audit reports (e.g., SOC 1, 2, 3 reports).
4. Audit Procedure
- Advance Notice: The customer must provide Advanced Structures India Private Limited with a minimum of two (2) weeks' written notice of their intent to conduct an audit.
- Audit Plan: The customer must submit a detailed audit plan, including the proposed scope, methodology, tools (if any), and the names and qualifications of the auditors (who must be reputable and independent third parties, if not the customer's internal personnel).
- Mutual Agreement: The exact dates, times, and specific scope of the audit must be mutually agreed upon by both Advanced Structures India Private Limited and the customer. Advanced Structures India Private Limited reserves the right to reasonably object to any proposed auditor or audit methodology that poses an undue risk to its systems or operations.
- Supervision: All audits will be conducted under the supervision of Advanced Structures India Private Limited personnel.
- Confidentiality: All information obtained during the audit, including but not limited to system configurations, security controls, and internal procedures, must be treated as highly confidential and used solely for the purpose of verifying compliance. A non-disclosure agreement (NDA) may be required.
5. Audit Frequency
Customers are permitted to conduct no more than one (1) audit per twelve (12) month period.
6. Audit Costs
All costs associated with the customer's audit, including but not limited to the auditor's fees, customer personnel time, and any expenses incurred by Advanced Structures India Private Limited in assisting with the audit (e.g., dedicated staff time beyond reasonable limits, special reports), shall be borne solely by the customer. Advanced Structures India Private Limited will provide an estimate of such costs upon receipt of the audit plan.
7. Alternative Assurance
Advanced Structures India Private Limited regularly undergoes independent third-party audits and maintains certification for ISO 27001. Customers are encouraged to first review these available reports and certifications, as they may satisfy audit requirements without the need for a direct customer-initiated audit.
8. Policy Review and Updates
This xcPEP Customer Audit Policy is reviewed annually and updated as necessary to reflect changes in our services, security posture, and industry best practices.