Audit rights are the customer's contractual right to verify that a vendor is doing what the contract says it is doing. They appear in DPAs (where Article 28 of the GDPR mandates them for processors), in security exhibits, and in industry-specific addenda like BAAs.
Three patterns dominate in practice. The first is report review: the customer can request the vendor's most recent SOC 2 Type II report, ISO 27001 certificate, or equivalent third-party audit, typically under NDA. The second is a customer-led audit: the customer can conduct an on-site or remote audit at its own expense, usually with reasonable notice and a frequency cap (once per year, or once every two years). The third is a mutual third-party audit: both parties agree on an independent auditor and split the cost.
For most SaaS vendors at scale, the report-review path is the only operationally viable one. A vendor with thousands of customers cannot host an individual audit by each one. The compromise enterprise customers accept is that the vendor will produce its SOC 2 Type II annually, will respond to follow-up questions in writing, and will permit on-site audits only in defined circumstances (regulatory request, post-incident, material change in scope). Report review is only as good as the reading: the customer should confirm that the report's system description actually covers the service it buys, that the audit period is recent (with a bridge letter for any gap), and that it can meet the complementary user entity controls the report assumes the customer operates.
The drafting trap is leaving audit rights vague. "Customer may audit vendor's compliance with this agreement" without scope, frequency, or process creates an open-ended right that customers occasionally exercise in disruptive ways. The cleanest clauses spell out: what counts as an audit (report review by default, on-site only on cause), the frequency, the notice period, the cost allocation, the confidentiality obligations on the customer's auditors, and the remediation timeline if the audit identifies an issue.