This Master Agreement is entered into between the Parties named in the Order Document, and the authorized representatives of the Parties hereby execute this Master Agreement to be effective as of the Effective Date, as defined in the Order Document. As used in this Agreement, “Party” means either Client or MRI, as appropriate, and “Parties” means Client and ResidentCheck LLC, Albin Acquisitions Corporation dba Rental History Reports and Trusted Employees as applicable and as outlined in the Order Document (“MRI”).
1. PURPOSE AND SCOPE
1.1 Master Agreement. This Master Agreement establishes the general terms and conditions to which the Parties have agreed in order to facilitate the licensing of residential and/or commercial property management enterprise software, content, other products and/or the provision of related services. Additional product or service-specific terms and conditions are set forth in one or more Schedules (as further defined in Section 1.2 herein).
All references to the “Master Agreement” shall mean this document, exclusive of Schedules. All references to the “Agreement” wherever found shall include this Master Agreement, all Schedules, the Order Document and any attachments incorporated in the Schedules.
1.2 Incorporation of Schedules. This Master Agreement shall fully incorporate by reference the terms and conditions found in each of the Schedules marked on the Order Document.
The Parties may execute, from time to time, additional Schedules under the terms of this Master Agreement.
1.3 Incorporation of Order Documents.
“Order Document” means the document(s), regardless of its actual name, executed by the Parties which incorporates by reference the terms of this Master Agreement and applicable Schedules, and describes Client’s order-specific information, such as description of Software or Services ordered, license scope, use and restrictions, fees, milestones, and/or Third Party EULAs, if any. For clarification purposes, the Membership Application is deemed to be an Order Document.
At any time after execution of the initial Order Document, Client may purchase additional Software licenses or Services or otherwise expand the scope of such license or Services granted under an Order Document, upon MRI’s receipt and acceptance of a new Order Document specifying the foregoing.
1.4 Incorporation of EULAs. Client’s use of any Third Party Software licensed hereunder or incorporated in the Screening Services shall be subject to, and Client shall comply with, the Agreement and any applicable EULAs, if any, the terms of which may be incorporated in the Agreement or contained in a separate document. As between Client and MRI, to the extent any terms and conditions of this Master Agreement or a Schedule conflict with the terms and conditions of a Third Party EULA, the terms and conditions of this Master Agreement and the Schedule shall control unless the Third Party EULA explicitly overrides a term or condition of the Master Agreement or Schedule. However, should a dispute arise between Client and the Third Party Software provider, the terms of the applicable Third Party EULA shall control but only to the extent MRI is not a party to such dispute. By way of example, if this Agreement is subject to Ohio Law and a Third Party EULA is subject to California law, a dispute among MRI, Client and the Third Party Software provider would be subject to Ohio law, but a dispute only between Client and the Third Party Software provider would be subject to California law. Each Third Party Software provider shall be considered a third party beneficiary of the Agreement, with rights to enforce the terms of the Agreement and the EULA, if any, against Client, pursuant to the terms of Section 10.14 below.
1.5 Administrators. For the purposes of this Agreement, “Administrators” means the individual so designated by Client on the Order Document. An Administrator has full administrative privileges for all Software and Services, including without limitation (i) creating, deleting or modifying databases or user accounts; (ii) creating, deleting, copying, restoring or requesting copies of databases; (iii) requesting security and audit reporting; (iv) security class modification; and (v) site modification. Once named, the Administrator(s) shall have sole authority to instruct MRI and make decisions on behalf of Client regarding Client’s use of the Software or Services. MRI shall be entitled to rely upon any representation of the Administrator(s) without further verification of authority. MRI may, from time to time, in its sole discretion, require written documentation of Client verifying the authority or continued authority of any Administrator, which Client shall provide upon request. At least one (1) Administrator must be a Designated Support Contact. An Administrator must be an employee of the Client.
1.6 Designated Support Contact. For the purposes of this Agreement, “Designated Support Contacts” means the Client employees so designated by Client on the Order Document. The Client shall have the number of Designated Support Contacts as designated on the Order Document. Only a Designated Support Contact shall be permitted to contact MRI for any Maintenance and Support services and shall have the authority to (i) log case requests; and (ii) receive status updates on cases. A Designated Support Contact must be an employee of the Client.
1.7 Client User. For the purposes of this Agreement, “Client User” means a Client employee or Client Affiliate, acting directly on behalf of Client and using the Software or Services solely for the purpose of the Client’s internal business operations. If an Affiliate is a Client User, Client warrants that it has the authority to bind such Affiliate(s) to the terms of the Agreement and any applicable Schedule and further warrants that Client shall be jointly and severally responsible (with any such Affiliates) for a breach of such terms by its Affiliates. Client shall only permit Client Users to access and use any Software or Service and represents and warrants that all Client Users shall comply with the terms and conditions of use set forth in this Agreement and each such Client User shall be bound by a nondisclosure agreement with provisions that are at least as restrictive as the terms of this Agreement. Client shall indemnify and hold MRI harmless for all loss, damages, costs and expenses (including reasonable attorneys’ fees) incurred by MRI for any breach or other violation of this Agreement by a Client User. An independent contractor, agent or other third party acting on behalf of Client may be deemed a Client User upon prior written consent of MRI, which MRI shall determine in its sole discretion, and may require such independent contractor, agent or other third party to certify with or enter contractual terms with MRI acceptable to MRI. In no event shall the combined use of the Software or Services hereunder by Client and its Client Users exceed the Licensed Metrics authorized under the applicable Order Document.
1.8 Owner. The Software is designed to be used for residential and/or commercial property management. If the Client is not the owner of such property or not the owner of all such properties for which the Software or any Service is utilized; but rather, Client is the manager for the owner of such property (with the non-Client property owner defined as “Owner”), then Client represents that Client either: (i) is entering this Agreement directly in privity with MRI; or (ii) is the duly appointed agent of the Owner and has the authority to enter into and perform the Agreement and use the Software and Services pursuant to the terms set forth in the Agreement. Client shall at all times be solely liable for the payment of all fees and the observance of all obligations, terms and conditions of the Agreement, regardless of any action, inaction or nonpayment by any Owner. Client shall keep MRI apprised in writing at all times of the identity and contact information of the Owner, and if Client’s relationship changes with respect to the Owner (by way of example and not by way of limitation, such as if Client’s agency or management relationship with Owner terminates). If Client’s relationship with an Owner or a particular property terminates for any reason, Client shall continue to be liable for any and all fees related to such Owner or property regardless of when such fees are billed by MRI. Client shall immediately notify MRI in the event of any change in ownership or control (including any change in control pursuant to a management contract) of Client, Owner or any of the properties, sites, or communities authorized for use of any Software or Screening Service. Client shall undertake all reasonable efforts to assist in deactivating the ability of any such sold or transferred properties, sites and communities to use or benefit from any Software or Screening Service. 
Client shall remain fully liable for the use of any Software or Screening Service until proper notification is completed.
2. DEFINITIONS
“Affiliate” means an entity controlling, controlled by or under common control with a Party to the Agreement where control means the ownership or control, directly or indirectly, of more than fifty percent (50%) of all the voting power of the shares (or other securities or rights) entitled to vote for the election of directors or other governing authority.
“Client” means the entity that has entered into this Agreement with MRI. “Client” also refers to Affiliates authorized to use the Software and Services in accordance with Section 1.7. The Services provided hereunder are restricted to legitimate businesses that have appropriate business needs for the information and who meet all applicable laws to use such Services. MRI does not provide its services to consumers.
“Client Data” means any data, media, content, and information that Client provides, generates, transfers, uploads or makes available to MRI under the Agreement, whether printed, electronic, or in some other format. Information that is collected by the System as part of the Services shall be considered information that has been provided by the Client. Client Data shall include, without limitation, documents, data, spreadsheets, photographs, video, and other media. Client Data shall also include data and information belonging to Owner as well as Owner’s customers and Client’s customers. Feedback provided to MRI by the Client shall not be considered Client Data.
“Content” means any information, data, text, software, music, sound, photographs, graphics, video messages or other material to which Client is provided access through MRI or the Software.
“Configurations” means, regardless of whether such Configurations are performed by MRI, Client or Client User, (i) configurations implemented through use of the MRI application toolkit or other MRI approved industry standard toolkit, and not through source code change, or (ii) modifications to standard services reports. Notwithstanding any other provision in the Agreement, if Client has Configurations performed by a third party, such third party must be qualified as a Client User pursuant to Section 1.7 prior to the disclosure of any MRI Confidential Information to such third party. Configurations include, without limitation, the scoring calculation designations.
“Documentation” means the user instructions, release notes, Functional Specifications, manuals and on-line help files in the form generally made available by MRI, regarding the use of the applicable Software.
“Functional Specifications” means those specifications of the MRI Software’s functionality as set forth in the MRI Functional Specifications, which may be found on www.mrisoftware.com/MRIfunctionalspecs.asp, which specifications may be updated from time to time by MRI upon posting new specifications at such web page address.
“Intellectual Property” means any and all intellectual property rights, recognized in any country or jurisdiction in the world, now or hereafter existing, and whether or not perfected, filed or recorded, including without limitation inventions, technology, patents rights (including patent applications and disclosures), copyrights, trade secrets, trademarks, service marks, trade dress, methodologies, procedures, processes, know-how, tools, utilities, techniques, various concepts, ideas, methods, models, templates, software, source code, algorithms, the generalized features of the structure, sequence and organization of software, user interfaces and screen designs, general purpose consulting and software tools, utilities and routines, and logic, coherence and methods of operation of systems, training methodology and materials, which MRI has created, acquired or otherwise has rights in, and may, in connection with the performance of Services hereunder, create, employ, provide, modify, create, acquire or otherwise obtain rights in.
“License Metrics” means the limitation on the usage of each of the Software and Maintenance and Support services as designated and/or defined in the applicable Order Document by a term such as the number of leases, units, assets, users and the like.
“Maintenance and Support” includes (i) phone assistance and workarounds so that the Software operates in material conformance with the Functional Specifications, and (ii) Updates, all of which are provided under MRI’s Maintenance and Support Policies (as may be amended by MRI from time to time) in effect at the time the Support is provided. For the avoidance of doubt, Support excludes Professional Services.
“Maintenance and Support Policies” means those policies and procedures listed in the Maintenance and Support Policies, that may also be found on MRI’s website at www.mrisoftware.com/mainteanceandsupport, which may be subject to update by MRI from time to time.
“MRI Software” means each MRI-developed and/or MRI-owned software product in machine readable object code (not source code), the Documentation for such product, and any Updates and Upgrades thereto (if purchased by Client).
“Owner” is defined in Section 1.8.
“Professional Services” means data conversion, implementation, site planning, configuration, integration and deployment of the Software or Screening Services, training, project management and other consulting services.
“Protected Materials” means Software, Content, Services, Configurations, license keys and MRI’s or its licensors’ Intellectual Property or Confidential Information.
“Screening Services” means the provision of Software and/or Content which is hosted by MRI or its hosting providers and which is accessed by Client via the internet, and the review of relevant records by MRI or its agents, and which check an individual employee or consumer’s information and which could be past employment, criminal records, credit records, or the like, as more fully described in the Screening Services Schedule and associated Order Document(s).
“Services” means collectively (i) the Professional Services; (ii) Maintenance and Support, (iii) Screening Services, and (iv) SaaS Services.
“Software” means collectively the MRI Software and Third Party Software.
“System” means the total package of hardware and Software furnished and/or maintained by MRI.
“Third Party EULA” or “EULA”: the end user license agreement, if any, that accompanies or pertains to the Third Party Software, and that is incorporated into the Agreement, appended to the Order Document or is otherwise published by the third party supplier, and which governs the use of or access by Client to the applicable Third Party Software. A current list of Third Party EULAs may be found at www.mrisoftware.com/EULA, which may be updated from time to time.
“Third Party Software” means software in object code form, including Documentation, Updates and Upgrades (if purchased by Client), owned by an entity other than MRI which are to be provided to Client by MRI on a pass-through, reseller or OEM basis pursuant to the terms of the EULA.
“Updates” means a new version of the Software, if and when developed after the effective date of the Order Document, which MRI makes generally available to its customers as part of the Maintenance and Support. Updates include bug fixes, patches, error corrections, non-new platform changes, or minor modifications or revisions to the Software that enhance existing performance. Updates exclude Upgrades and new products, modules or functionality for which MRI generally charges a separate fee.
“Upgrade” means a new Software release that may contain (i) new applications; (ii) major functionality enhancements or improvements; and/or (iii) a new platform, which MRI designates as an Upgrade and for which MRI charges a separate license fee or, at MRI’s election, new modules or products, or major releases that include significant feature enhancements or significant architectural modifications for which MRI charges an incremental upgrade fee.
3. FINANCIAL TERMS
3.1 Fees and Payment Terms. Fees are specified in the applicable Order Document. Fees are exclusive of, and Client is responsible for, shipping costs.
Payment of all fees is due thirty (30) days after the invoice date, unless otherwise agreed in the Order Document. Interest accrues on past due balances at the lesser of 1½% per month or the highest rate allowed by law. Client is responsible for providing an accurate billing contact on the Order Document and updating that billing contact as needed from time to time such that MRI always has an accurate billing contact for Client.
If Client fails to make payments of any fees due under the Agreement, Client shall be in material breach of this Agreement. MRI will be entitled to suspend its performance upon ten (10) days’ written notice to Client and/or to modify the payment terms, and to require full payment before any additional performance is rendered by MRI. Notwithstanding any of MRI’s rights enumerated in Sections 3.1 or 9 of this Master Agreement, if Client fails to timely pay applicable fees under an Order Document, MRI shall be entitled to collect all past and current amounts due and owing, and to accelerate all future amounts to be due, such that all remaining periodic payments for the then current term of the applicable Order Document are immediately due and owing. Client shall be responsible to pay any collection expenses (including attorneys’ fees) incurred by MRI.
Unless expressly provided otherwise, fees paid or payable for Software licenses, Screening Services or Maintenance and Support are not contingent under any circumstances upon the performance of any Professional Services.
3.2 Taxes. Unless expressly provided otherwise, the prices in the Agreement do not include taxes. Client agrees to pay any taxes, other than those based on MRI’s net income, arising out of the Agreement. If Client is tax-exempt, Client agrees to send MRI a copy of its tax-exempt certificate prior to execution of a Schedule. Client agrees to indemnify MRI from any liability or expense incurred by MRI as a result of Client’s failure or delay in paying taxes due.
3.3 Travel Expenses. Unless otherwise noted within the Order Document, MRI’s reasonable travel and lodging expenses incurred by MRI in the performance of Services on Client’s site will be billed separately at actual cost.
4. CONFIDENTIALITY
4.1 Defined. By virtue of the Agreement, the Parties may be exposed to or be provided with certain confidential and proprietary information of the other Party or third parties, including but not limited to information designated as confidential in writing or information which by its nature ought to be in good faith considered confidential and proprietary to the disclosing Party (“Confidential Information”). Confidential Information of MRI and/or its licensors includes but is not limited to the terms and conditions (but not the existence) of the Agreement, including without limitation all Order Documents, fees and charges, all trade secrets, software, source code, object code, specifications, documentation, business plans, customer lists and customer-related information, financial information, proposals, budgets as well as results of testing and benchmarking of the Software or Services, product roadmap, data and other information of MRI and its licensors relating to or embodied in the Software or Documentation. MRI’s placement of a copyright notice on any portion of any Software will not be construed to mean that such portion has been published and will not derogate from any claim that such portion contains proprietary and confidential information of MRI.
4.2 Non-Disclosure. Each Party will protect the other Party’s Confidential Information from unauthorized use or dissemination and use the same degree of care that each such Party uses to protect its own confidential information, but in no event less than a reasonable amount of care. Neither Party will use Confidential Information of the other Party for purposes other than those necessary to directly further the purposes of the Agreement. Neither Party will disclose to third parties Confidential Information of the other Party without prior written consent of such other Party. Notwithstanding anything in this Agreement to the contrary, Client agrees that MRI may communicate directly with the Owner about all aspects of the Agreement, the Client Data, and any other Client Confidential Information, if applicable.
4.3 Exceptions. Information shall not be considered Confidential Information to the extent, but only to the extent, that the receiving Party can establish that such information (i) is or becomes generally known or available to the public through no fault of the receiving Party; (ii) was rightfully in the receiving Party’s possession before receipt from the disclosing Party free of any obligation to keep it confidential; (iii) is lawfully obtained from a third party who has the right to make such disclosure; or (iv) has been independently developed by the receiving Party without reference to any Confidential Information of the disclosing Party.
4.4 Compelled Disclosure. The receiving Party may disclose Confidential Information of the disclosing Party if it is required or compelled by law to do so, provided the receiving Party gives the disclosing Party sufficient prior notice of such compelled disclosure (to the extent legally permitted) to permit the disclosing Party a reasonable opportunity to object to the compelled disclosure and to allow the disclosing Party the opportunity to seek a protective order or other appropriate remedy. Notwithstanding the foregoing, should MRI receive a court order to disclose information related to a consumer about whom the Screening Services were run, MRI shall be permitted to disclose such information without providing a period of time in which the Client may object. The receiving Party shall provide reasonable assistance, at the disclosing Party’s cost, if the disclosing Party wishes to contest the disclosure.
4.5 Remedy/Injunctive Relief. The Parties acknowledge that disclosure of any Confidential Information may give rise to irreparable injury to the Party whose information is disclosed, which injury may be inadequately compensated in damages. Therefore, either Party may seek injunctive relief against the other Party’s breach or threatened breach of this Section 4 as well as any other legal remedies that are available.
5. PRIVACY
The Parties agree to comply with the terms of the Data Protection and Security Schedule.
6. LIMITED RIGHTS AND OWNERSHIP
6.1 Reservation of Rights. All rights not expressly granted in the Agreement are reserved by MRI and its licensors. Client acknowledges that: (i) all Software is licensed and not sold and all Content is subscribed to and not sold; (ii) Client acquires only the right to use the Protected Materials and MRI, its licensors, and Content providers shall retain sole and exclusive ownership of all rights, title, and interest in the Protected Materials, including (whether developed by MRI, Client, Client User, or other third party) (a) Intellectual Property embodied in or associated with the Protected Materials, (b) deliverables and work product associated with the Protected Materials, and (c) all copies and derivative works thereof; and (iii) the Protected Materials, including the source and object codes, logic and structure thereof, constitute valuable trade secrets of MRI and its licensors. Client hereby assigns to MRI all right, title and interest in and to Configurations developed by Client, Client User or by any other third party on behalf of Client; however, Client shall retain a license to use such Configurations for so long as Client retains a license to use the Software or Screening Services, as applicable, used in conjunction with such Configurations. Client agrees to secure and protect the Protected Materials consistent with the maintenance of MRI’s and its licensors’ rights therein, as set forth in this Master Agreement. Client agrees to execute such further instruments and take such further actions as MRI may reasonably request, at MRI’s expense, to apply for, register, perfect, confirm, and protect MRI’s rights. Client shall reimburse MRI for any and all expenses that MRI may incur (including interest, attorneys’ fees and other legal expenses) in connection with MRI’s efforts to enforce its rights against Client with respect to the Protected Materials, or any of MRI’s Intellectual Property rights in the event MRI prevails in such enforcement efforts.
6.2 Restrictions. Client shall not itself, or through any Affiliate, Client User, employee, consultant, contractor, agent or other third party: (i) sell, resell, distribute, host (except Client shall be permitted to host the MRI Software with respect to a perpetual software license), lease, rent, license or sublicense, in whole or in part, the Protected Materials; (ii) decipher, decompile, disassemble, reverse assemble, modify, translate, reverse engineer or otherwise attempt to derive source code, algorithms, tags, specifications, architecture, structure or other elements of the Software, including the license keys, in whole or in part, for competitive purposes or otherwise; (iii) allow access to, provide, divulge or make available the Protected Materials to any user other than Client Users; (iv) write or develop any derivative works based upon the Protected Materials, except for authorized Configurations; (v) modify, adapt, translate or otherwise make any changes to the Protected Materials or any part thereof; (vi) use the Protected Materials to provide processing services to third parties, or otherwise use the same on a ‘service bureau’ basis, other than on behalf of Owner, if applicable; (vii) disclose or publish, without MRI’s prior written consent, performance or capacity statistics or the results of any benchmark test performed on the Protected Materials; or (viii) otherwise use or copy the Protected Materials except as expressly permitted herein.
6.3 Client Data. Notwithstanding anything in this Agreement to the contrary, Client and/or Owner retains sole and exclusive ownership to any and all Client Data.
6.4 License Grant by Client. Client hereby grants to MRI a perpetual, non-cancellable, worldwide, non-exclusive right to utilize any data that arises from the use of the Protected Materials by Client whether disclosed on or prior to the Effective Date for any legitimate business purpose, including the right to sublicense such data to third parties, subject to all legal restrictions regarding the use and disclosure of such information.
6.5 Enforcement. Client shall (i) ensure that all users of Protected Materials comply with the terms and conditions of the Agreement, (ii) promptly notify MRI of any actual or suspected violation thereof and (iii) cooperate with MRI with respect to investigation and enforcement of the Agreement. The Software contains code-based protections that serve to prevent and remedy violations of the license restrictions. If the Software is hosted on Client’s technology systems, MRI may access the Software remotely in order to ensure Client’s compliance with the license terms and other restrictions of the Agreement.
7. INDEMNIFICATION
7.1 Intellectual Property Infringement. MRI will defend or settle, at its option and expense, any action, suit or proceeding brought against Client by a third party that the MRI Software or Screening Services infringe a third party’s USA patent, registered copyright, or registered trademark (“IP Claim”). MRI will indemnify Client against all damages and costs finally awarded or those costs and damages agreed to in a monetary settlement of such action, which are attributable exclusively to such IP Claim, provided that Client: (i) promptly gives written notice of the IP Claim to MRI; (ii) gives MRI sole control of the defense and settlement of the IP Claim; (iii) provides MRI, at MRI’s expense, with all available information and assistance relating to the IP Claim and cooperates with MRI and its counsel; (iv) does not compromise or settle such IP Claim; and (v) is not in material breach of any agreement with MRI.
7.2 Indemnification Exceptions. MRI has no obligation to the extent any IP Claim results from: (i) Client having modified the MRI Software or Screening Services or used a release other than a current unaltered release of the MRI Software, if such an infringement would have been avoided by the use of a current unaltered release of the MRI Software, (ii) Content and/or any Third Party Software, (iii) Configurations or (iv) the combination, operation or use of the MRI Software or Screening Services with software or data not provided by MRI.
7.3 Infringement Remedies. If it is adjudicated that the MRI Software or Screening Service by itself and used in accordance with the Agreement infringes any USA patent, registered copyright, or registered trademark, MRI shall, at its option: (i) procure for Client the right to continue using the MRI Software or Screening Service; (ii) replace or modify the same so it becomes non-infringing; or (iii) terminate the applicable license or Service and refund to Client with respect to Screening Services, the pre-paid portion of the Screening Services fees paid to MRI for the affected MRI Software or Service. SECTIONS 7.1, 7.2 AND 7.3 STATE MRI’S ENTIRE OBLIGATION TO CLIENT AND CLIENT’S SOLE AND EXCLUSIVE REMEDY FOR ANY CLAIM OF INFRINGEMENT.
7.4 Client Indemnification. Client shall defend MRI against any claim, demand, suit, or proceeding made or brought against MRI by a third party arising out of or related to (i) the Client Data; (ii) Client’s or its users’ use of the Software or the Screening Services in violation of the Agreement; (iii) Client or any user infringing or misappropriating the Intellectual Property rights of a third party or violating applicable law; (iv) Client’s or its users’ use or misuse of the Software or Screening Service or Client’s or its users’ use or misuse of the Client Data (including, without limitation, accessing, providing access, using or distributing the Client Data), or (v) any scoring system, whether or not developed with the assistance of MRI (each of the above a “Client Claim”). Client shall indemnify MRI for all damages and costs finally awarded against, and for reasonable attorneys’ fees incurred by, MRI in connection with any Client Claim, or those costs and damages agreed to in a monetary settlement of such Client Claim; provided that MRI (a) promptly gives Client written notice of the Client Claim, (b) gives Client sole control of the defense and settlement of the Client Claim (provided that Client may not settle or defend any Client Claim unless it unconditionally releases MRI of all liability), and (c) provides Client all reasonable assistance, at Client’s cost. For purposes of this Section 7.4 only, “MRI” shall include MRI and its Affiliates, and each of their members, owners, officers, directors, employees, agents, successors and assigns.
8. DISCLAIMERS AND LIMITATION OF LIABILITY
8.1 Disclaimer of Warranties. THE WARRANTIES, IF ANY, SET FORTH IN THE SCHEDULES ARE IN LIEU OF, AND MRI, ITS LICENSORS AND SUPPLIERS EXPRESSLY DISCLAIM TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, ORAL OR WRITTEN, INCLUDING, WITHOUT LIMITATION, (i) ANY WARRANTY THAT ANY SOFTWARE, SCREENING SERVICE, CONTENT, DELIVERABLES OR OTHER SERVICES ARE ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION OR THAT ALL ERRORS WILL BE CORRECTED; (ii) ANY AND ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, (iii) ANY WARRANTY THAT CONTENT AND/OR THIRD PARTY SOFTWARE WILL BE ACCURATE, RELIABLE AND ERROR-FREE AND (iv) ANY AND ALL IMPLIED WARRANTIES ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE. NO ADVICE, STATEMENT OR INFORMATION GIVEN BY MRI, ITS AFFILIATES, CONTRACTORS OR EMPLOYEES SHALL CREATE OR CHANGE ANY WARRANTY PROVIDED HEREIN. ALTHOUGH CERTAIN OF THE SOFTWARE AND CONTENT MAY BE DESIGNED TO HELP CLIENTS COMPLY WITH APPLICABLE LAWS AND REGULATIONS, MRI HEREBY DISCLAIMS ALL WARRANTIES WITH RESPECT TO THE SUFFICIENCY OR ACCURACY OF THE SOFTWARE AND CONTENT IN THIS REGARD; MOREOVER, VARIOUS STATE LAWS MAY APPLY, AND THE SOFTWARE DOES NOT INCORPORATE STATE LAW REQUIREMENTS. ALL SUCH LAWS AND REGULATIONS MAY CHANGE FROM TIME TO TIME, AND THE SOFTWARE AND CONTENT MAY NOT BE UPDATED TO REFLECT SUCH CHANGES. CLIENT SHOULD CONSULT AN ATTORNEY WITH RESPECT TO COMPLIANCE WITH ALL APPLICABLE LAWS AND REGULATIONS.
8.2 Connection Over Internet. Client acknowledges that use of or connection to the Internet provides the opportunity for unauthorized third parties to circumvent security precautions and illegally gain access to the Services and Client Data. Accordingly, MRI cannot and does not guaranty the privacy, security or authenticity of any information so transmitted over or stored in any system connected to the Internet.
8.3 Limitation of Liability. TO THE FULLEST EXTENT PERMITTED BY LAW, MRI’S TOTAL LIABILITY (INCLUDING ATTORNEYS’ FEES AWARDED UNDER THE AGREEMENT) TO CLIENT FOR ANY CLAIM BY CLIENT OR ANY THIRD PARTIES UNDER THE AGREEMENT, EXCLUDING LIABILITY PURSUANT TO SECTION 7 (Indemnification), WILL BE LIMITED TO (i) WITH RESPECT TO PROFESSIONAL SERVICES, THE FEES PAID BY CLIENT FOR THE SOFTWARE OR SERVICE WHICH IS THE SUBJECT MATTER OF THE CLAIM LESS 1/36 THEREOF FOR EACH MONTH OR PORTION THEREOF SINCE THE EFFECTIVE DATE AND (ii) WITH RESPECT TO SCREENING SERVICES, THE FEES PAID FOR THE PRIOR TWELVE (12) MONTHS FOR THE SOFTWARE OR SERVICE WHICH IS THE SUBJECT MATTER OF THE CLAIM.
8.4 Third Party Software and Content. With respect to any Third Party Software or Content provided to Client under the Agreement, including any modules of the Screening Services that may contain Third Party Software or Content, Client agrees that (i) MRI may add and/or substitute functionally equivalent products for any Third Party Software in the event of product unavailability, end-of-life, or changes to software requirements; (ii) the provision of Content is subject to availability from third party Content providers and MRI shall have no liability should such Content become unavailable for any reason or is no longer available under reasonable commercial terms; (iii) Client’s use of any Third Party Software shall be subject to, and Client and users shall comply with, the Agreement and any applicable Third Party EULAs; (iv) MRI makes no warranty with respect to any Third Party Software or any Content; and (v) Client’s sole remedy with respect to such Third Party Software shall be pursuant to the original licensor’s warranty, if any, to MRI, to the extent permitted by the original licensor. Content and Third Party Software are made available on an “AS IS, AS AVAILABLE” BASIS.
8.5 No Special Damages. IN NO EVENT WILL MRI BE LIABLE TO CLIENT FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE, TREBLE OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUE, PROFITS, STAFF TIME, GOODWILL, USE, DATA, OR OTHER ECONOMIC ADVANTAGE), WHETHER BASED ON BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, WHETHER OR NOT MRI HAS PREVIOUSLY BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
8.6 Time to Bring Claim. NO CLAIM ARISING OUT OF THE AGREEMENT, REGARDLESS OF FORM, MAY BE BROUGHT AGAINST MRI MORE THAN ONE YEAR AFTER THE CAUSE OF ACTION HAS OCCURRED.
8.7 Survival. THIS SECTION SHALL SURVIVE FAILURE OF ANY EXCLUSIVE REMEDY.
9. TERM AND TERMINATION
9.1 Term. The term of this Master Agreement shall commence on the Effective Date set forth above and shall continue in full force and effect until the expiration or termination of all Schedules, unless otherwise terminated earlier as provided hereunder.
9.2 Termination. Either Party may terminate the Agreement including all Schedules immediately upon written notice in the event that the other Party commits a non-remediable material breach of the Agreement, or if the other Party fails to cure any remediable material breach or provide a written plan of cure acceptable to the non-breaching Party within thirty (30) calendar days of being notified in writing of such breach, except for breach of Section 3.1 (Fees and Payment Terms) which shall have a ten (10) calendar day cure period.
Where a Party has a right to terminate the Agreement, the non-breaching Party may at its discretion either terminate the Agreement or the applicable Schedule. Schedules that are not terminated shall continue in full force and effect under the terms of this Master Agreement.
9.3 Post-Termination Obligations. Following termination of the Agreement or a Schedule (for whatever reason), Client shall certify that it has returned or destroyed all copies of the applicable Software, Content and Confidential Information of MRI and acknowledges that its rights to use the same are relinquished. Termination of this Agreement for any reason shall not excuse Client’s obligation to pay in full any and all amounts due, nor shall termination by MRI result in a refund of fees paid. Client shall use its commercially reasonable efforts to remove all Client Data from any Software or Screening Service prior to termination of the Agreement or applicable Schedule. Client may engage MRI to assist Client in removing such Client Data at MRI’s then standard rates. If any Client Data remains in the Software or Screening Service more than thirty (30) calendar days after the effective date of termination, MRI may, in its sole discretion and without notice, delete any and all Client Data. At any time before or after termination, if an Owner requests that any Client Data be provided directly to such Owner, Client agrees that MRI may transfer such Client Data directly to such Owner, and that MRI shall not be liable for any damages that result from the transfer of Client Data to an Owner.
10. GENERAL PROVISIONS
10.1 Publicity. Client may not use the name, logo or otherwise of MRI in any publicity without the prior written approval of MRI, which approval shall not be unreasonably withheld. Each Party shall complete its review of any proposed materials or activities submitted by the other Party within five (5) business days of its receipt of such materials from the other Party. Client agrees it will participate in a joint press release within thirty (30) calendar days of the execution of this Master Agreement.
10.2 Force Majeure. Neither Party shall incur any liability to the other Party on account of any loss, claim, damage or liability to the extent resulting from any delay or failure to perform all or any part of this Agreement (except for payment obligations), if and to the extent such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control and without any negligence on the part of the Party seeking protection under this Section. Such events, occurrences, or causes shall include, without limitation, acts of God, strikes, lockouts, riots, acts of war, terrorism, earthquake, fire or explosions (“Force Majeure Events”). Dates by which performance obligations are scheduled to be met will be extended for a period of time equal to the time lost due to any delay so caused.
10.3 Assignment. MRI may assign the Agreement and all of its rights and obligations herein without Client’s approval to its parent company or other affiliated company, to a successor by operation of law, or by reason of the sale or transfer of all or substantially all of its stock or assets to another entity. Neither Party may otherwise assign or transfer the Agreement without the prior written consent of the other Party.
10.4 Notice of U.S. Government Restricted Rights. If the Client hereunder is the U.S. Government, or if the Software is acquired hereunder on behalf of the U.S. Government with U.S. Government federal funding, notice is hereby given that the Software is commercial computer software and documentation developed exclusively at private expense and is furnished as follows: “U.S. GOVERNMENT RESTRICTED RIGHTS. Software delivered subject to the FAR 52.227-19. All use, duplication and disclosure of the Software by or on behalf of the U.S. Government shall be subject to this Agreement and the restrictions contained in subsection (c) of FAR 52.227-19, Commercial Computer Software – Restricted Rights (June 1987)”.
10.5 Export. Client shall comply fully with all relevant export laws and regulations of the United States and other applicable jurisdictions to ensure that the Software is not exported, directly or indirectly, in violation of those laws.
10.6 Non-solicitation. During the term of this Master Agreement and for a period of one (1) year following its termination, Client will not employ or solicit for employment directly or through other parties, without MRI’s written permission, any individual employed by MRI. If a Party breaches this Section 10.6, such Party shall pay to the non-breaching Party a sum equal to 150% of the hired employee’s annual salary while such employee was employed by the non-breaching Party, and such payment shall be made within 30 days of hiring such employee.
10.7 Compliance. During the term of this Master Agreement and for a period of one year following its termination, Client shall maintain and make available to MRI records sufficient to permit MRI or an independent auditor retained by MRI to verify, upon ten days’ written notice, Client’s full compliance with the terms and requirements of the Agreement. Such audit shall be performed during regular business hours. If such verification process reveals any noncompliance by Client with the Agreement, Client shall reimburse MRI for the reasonable costs and expenses of such verification process (including, but not limited to the fees of an independent auditor) incurred by MRI, and Client shall promptly cure any such noncompliance, including without limitation through the payment of any and all fees owed to MRI during the period of noncompliance; provided, however, that the obligations under this Section do not constitute a waiver of MRI’s termination rights. Client acknowledges that the Software may include a license manager component to track usage of the Software and agrees not to impede, disable or otherwise undermine such license manager’s operation. Furthermore, Client agrees to comply with all applicable laws related to the Screening Services.
10.8 Notices. Any notice required or permitted to be sent under the Agreement shall be delivered by hand; by overnight courier; by certified mail, return receipt requested; or in a conspicuous banner to the Client within the product, to the Parties first set forth in the Agreement or to such other address of the Parties designated in writing in accordance with this subsection.
10.9 Relationship. The Agreement is not intended to create a partnership, franchise, joint venture, agency, or a fiduciary or employment relationship. Neither Party may bind the other Party or act in a manner which expresses or implies a relationship other than that of independent contractor.
10.10 Invalidity. If any provision of the Agreement shall be held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired.
10.11 Survival. The following provisions will survive any termination or expiration of the Agreement or a Schedule: Sections 1, 2, 3, 4, 6.1, 6.2, 6.5, 7, 8, 9, and 10.
10.12 No Waiver. Any waiver of the provisions of the Agreement or of a Party’s rights or remedies under the Agreement must be in writing and include a signature by an authorized representative of each Party to be effective. Any such waiver shall constitute a waiver only with respect to the specific matter described in such writing and shall in no way impair the rights of the Party granting such waiver in any other respect or at any other time. The waiver by either of the Parties hereto of a breach or of a default under any of the provisions of the Agreement shall not be construed as a waiver of any other breach or default of a similar nature, or as a waiver of any of such provisions, rights or privileges hereunder. The rights and remedies herein provided are cumulative and none is exclusive of any other, or of any rights or remedies that any Party may otherwise have at law or in equity. Failure, neglect, or delay by a Party to enforce the provisions of the Agreement or its rights or remedies at any time, shall not be construed and shall not be deemed to be a waiver of such Party’s rights under the Agreement and shall not in any way affect the validity of the whole or any part of the Agreement or prejudice such Party’s right to take subsequent action.
10.13 Entire Agreement. The Agreement constitutes the Parties’ entire agreement relating to its subject matter. It cancels and supersedes all prior or contemporaneous oral or written communications, agreements, requests for proposals, proposals, conditions, representations, and warranties, or other communication between the Parties relating to its subject matter as well as any prior contractual agreements between the Parties. Client hereby releases and discharges MRI from any and all claims for relief, causes of action, or demands arising out of or in any way relating to any event, act or occurrence prior to the Effective Date of this Agreement. No modification to the Agreement will be binding unless in writing and includes a signature by an authorized representative of each Party. All pre-printed terms of any Client purchase order or other Client business processing document shall have no effect. Each Party represents and warrants to the other that: (i) it has full power, authority, and legal right to execute, deliver, and perform this Agreement, (ii) each signor is duly authorized and has legal capacity to execute and deliver this Agreement and (iii) this Agreement constitutes the legal, valid, and binding obligation of the Parties, enforceable in accordance with its terms.
10.14 No Third Party Beneficiaries. This Agreement is for the benefit of the Parties and their successors and permitted assigns, and does not confer any rights or benefits on any third party, including any employee of a Party, any client of a Party, or any employee of a client of a Party. Notwithstanding the above, the Parties acknowledge that all rights and benefits afforded to MRI under the Agreement shall apply equally to the owner of the Third Party Software with respect to the Third Party Software, and such third party is an intended third party beneficiary of the Agreement, with respect to the Third Party Software.
10.15 Governing Law and Venue. The Agreement shall be governed by and construed in accordance with the laws of the State of Ohio without giving effect to its principles of conflict of laws. Any dispute shall be litigated in the state or federal courts located in the State of Ohio to whose exclusive jurisdiction the Parties hereby consent. For purposes of establishing jurisdiction in Ohio under this Agreement, each Party hereby waives, to the fullest extent permitted by applicable law, any claim that: (i) it is not personally subject to the jurisdiction of such court; (ii) it is immune from any legal process with respect to it or its property; and (iii) any such suit, action or proceeding is brought in an inconvenient forum. Each Party irrevocably waives its rights to trial by jury in any action or proceeding arising out of or relating to this Agreement or the transactions relating to its subject matter. The Parties agree that this contract is not a contract for the sale of goods; therefore, the Agreement shall not be governed by any codification of Article 2 or 2A of the Uniform Commercial Code, or any codification of the Uniform Computer Information Technology Act (“UCITA”), or any references to the United Nations Convention on Contracts for the International Sale of Goods.
10.16 Legal Fees and Costs. In the event of a dispute between the Parties regarding the enforcement of the Agreement, the prevailing Party in such dispute will be entitled to collect from the other Party the prevailing Party’s reasonable legal fees and costs.
10.17 Order of Precedence. To the extent any terms and conditions of this Master Agreement conflict with the terms and conditions of any Schedule, the provisions of this Master Agreement shall control unless the Schedule expressly states the intent to supersede a specific portion of the Master Agreement.
In the event of a conflict between an Order Document and the Master Agreement, the Master Agreement shall prevail, provided, however, that such standard variable terms such as price, quantity, license scope and License Metrics, tax exempt status, payment terms, shipping instructions and the like shall be specified on each Order Document. All pre-printed terms of any Client purchase order or other business processing document shall have no effect.
10.18 Headings and Drafting. The headings in the Agreement shall not be used to construe or interpret the Agreement. The Agreement shall not be construed in favor of or against a Party based on the author of the document.
10.19 Counterparts. The Master Agreement and each Schedule may be executed in one or more counterparts, each of which shall constitute an enforceable original of the Agreement, and that facsimile and/or pdf scanned copies of signatures shall be as effective and binding as original signatures.
10.20 Treatment in the Event of Bankruptcy of Client. The Parties acknowledge and agree that this Agreement is an executory contract as such term is defined in section 365 of the United States Bankruptcy Code (“USBC”). The Parties further acknowledge and agree that the Agreement does not provide a license of intellectual property as defined in section 101(35) of the USBC and that the provisions of Section 365(n) of the USBC are therefore not applicable. Client acknowledges that MRI will be harmed if this Agreement were assigned to a competitor, direct or indirect, or any other party whose use of MRI Software or Services pursuant to the Agreement would be detrimental to the business and rights of MRI, and Client hereby grants MRI the right to consent to any proposed assignment of this Agreement in a bankruptcy and that the rights of consent to the assignment provided in section 365(c)(1) of the USBC shall be applicable to any proposed assignment of this Agreement in any bankruptcy case filed by Client.
END OF MASTER AGREEMENT
SCREENING SERVICES SCHEDULE
This Screening Services Schedule is entered into between ResidentCheck LLC, Trusted Employees, or Rental History Reports as applicable and as outlined in the Order Document (“MRI”) and the Client named in the Order Document, and the authorized representatives of the Parties hereby execute this Screening Services Schedule to be effective as of the Effective Date, as defined in the Order Document. As used in this Agreement, “Party” means either Client or MRI, as appropriate, and “Parties” means Client and MRI.
DEFINITIONS:
“Applicant” shall mean the individual data subject about whom the Screening Services are performed. An applicant shall also be deemed to include all co-applicants and guarantors.
“Access Security Requirements” shall mean the list of security requirements necessary for use of the Screening Services found in Exhibit A.
“Error” shall mean a material failure of a hosted MRI Software to conform to its Functional Specifications that is reported by Client to and replicable by MRI.
“Internet Delivery Security Requirements” shall mean the list of requirements necessary for use of the Screening Services through a consumer reporting agency.
“Malicious Code” shall mean computer viruses, worms, time bombs, Trojan horses and other harmful or malicious code, files, scripts, agents or programs.
“Permissible Purpose” shall mean the purposes for which a consumer reporting agency may furnish a consumer report as described in the Fair Credit Reporting Act.
1. TERM AND TERMINATION
- Screening Services commence on the date specified in the Order Document and continue for the term set forth in the Order Document (“Initial Term”). Following the end of the Initial Term, Screening Services shall automatically renew for the same length as the Screening Services, as described in section 2.1 of the Screening Services Schedule (each renewal a “Renewal Term”) unless either Party gives written notice at least sixty (60) calendar days prior to the end of the Initial Term or any Renewal Term, as applicable, of its intention to not renew the Screening Service. The pricing for the first twelve (12) months of any Renewal Term shall be provided by MRI in writing no less than ninety (90) days prior to the end of the Initial Term or any Renewal Term. For the purposes of the pricing notice in this Section, email or first-class mail will suffice. The Initial Term and Renewal Terms are collectively referred to as the “Term”.
- This Schedule and the Screening Services granted hereunder may be terminated by either Party for cause in accordance with section 9 of the Master Agreement. Sections 1 and 2 hereof and the surviving provisions of the Master Agreement shall survive any such termination. If MRI determines that Client is violating any provisions of the FCRA as it relates to the services provided hereunder, then MRI may immediately discontinue providing Screening Services to Client and may, at its sole option, terminate the Agreement with or without opportunity for Client to cure such violation.
2. SERVICES
- Screening Services. MRI agrees to furnish to Client information on each Applicant requested as described in this Agreement. Client must specify in writing any information requested before it will be included by MRI in the information provided.
- Compliance with Laws. Any reports requested, generated, or created by or through the Screening Services shall be at all times subject to, and Client shall comply with, all applicable laws governing the obtaining, use, disclosure, and destruction of such reports. Client further agrees that some reports provided under the Screening Services, such as the reference reports (identity traces and social security searches), motor vehicle records search, and criminal records search, may be subject to additional laws such as Section 6802(e) of the Gramm-Leach-Bliley Act, Title V, Subtitle A, Financial Privacy; the Driver Privacy Protection Act; Fair Credit Reporting Act (Public Law 91-508) Section 605(5); and the US Federal Trade Commission rules. Client agrees to comply with any and all such laws. The Client further certified to its permissible purpose for such reports within the Order Document. Client shall at all times have the consumer’s specific consent for any reports; will use the reports obtained only for the permissible purposes so certified and authorization received and within the normal course of business; will use the reports for no purposes outside of the foregoing; and shall follow any and all procedures prescribed by MRI from time to time related to such reports, provided that if there is ever a conflict with applicable law, then Client shall follow the applicable law.
Client shall not request, obtain or distribute the Screening Service reports for any other purpose including, but not limited to, for the purpose of selling, leasing, renting or otherwise providing information obtained under this Agreement to any other party, whether alone, in conjunction with Client’s own data, or otherwise in any service which is derived from the Screening Services. Client will prevent its employees and will ensure that the same will be prohibited from gathering information on themselves or any other employee, unless incident to their employment with Client, by the submission of a report request through MRI. Client shall keep and maintain its applications containing a signature of the applicant for a period of not less than thirty-six (36) months and agrees to provide MRI copies of any such applications upon request.
Client shall use each report only for a one-time use and shall hold the report in strict confidence, and not to disclose it to any third parties; provided, however, that Client may disclose the report to the subject of the report only in connection with an Adverse Action based on the report. Client may however disclose such reports to its designated and authorized employees who have a need to know, to the extent necessary, and provided the employees maintain the same degree of confidentiality as outlined herein. Client must ensure proper security precautions such that the reports are held in strict confidence at all times, including not transmitting the data contained therein via the public internet, electronic mail, or any other unsecured means.
Additionally, a criminal history report provided by MRI is limited to the public records requested and subject to the Fair Credit Reporting Act (Public Law 91-508) Section 605(5) (“FCRA”). The FCRA provides that any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under Title 18, or imprisoned not more than two (2) years, or both. With respect to the subject matter and terms of this agreement, Client agrees to comply with all provisions of the Fair Credit Reporting Act and any other federal, state or local laws applicable to consumer credit reporting as pertains to the Services of MRI and operated by Client and to not further resell information provided by MRI. If Client acts upon any application in a negative fashion, denies or approves with conditions, based in whole or in part on information gained from MRI, Client must furnish applicant with an “Adverse Action” letter. Client has a permissible purpose for obtaining reports, as defined by Section 604 of the Fair Credit Reporting Act (15 USC 1681b) as amended by the Consumer Credit Reporting Reform Act of 1996.
Client agrees to comply with the Access Security Requirements. Client understands that the Access Security Requirements mandate that credit bureau reports be requested only when there is permissible purpose for tenant screening and/or pre-employment screening, at the request of the consumer. Client acknowledges and agrees to hold MRI, its Agents and/or Employees harmless from claims, demands, costs or expenses arising out of any loss which may be sustained or attributed by the negligence of Client, its owners, agents, and/or employees in regards to the Screening Services under this Agreement and defend same against any and all claims, liabilities, damages, liens and expense (including without limitations, reasonable attorney’s fees) arising directly or indirectly from any such occurrences. Additional Federal Reporting Act requirements may be found in Exhibit C, which shall be updated from time to time in accordance with the law.
3.3 Screening Service Availability. Client is solely responsible for obtaining and maintaining at its own expense, all equipment needed to access the Screening Services, including but not limited to Client’s Internet access. MRI shall use commercially reasonable efforts to make the Screening Services available twenty-four (24) hours a day, seven (7) days a week, except for: (a) Scheduled Maintenance; (b) Client Error Incidents; (c) Emergency Maintenance; (d) any unavailability caused by circumstances beyond MRI’s reasonable control, including without limitation, Force Majeure Events; and (e) Internet service provider failures or delays. Scheduled Maintenance is defined as any maintenance performed during MRI’s then-current standard maintenance windows and any other maintenance of which Client is given at least forty-eight (48) hours advance notice. MRI may perform maintenance on some or all of the Screening Service in order to upgrade hardware or software that operates or supports the Screening Service, implement security measures, or address any other issues it deems appropriate for the continued operation of the Screening Service. Client Error Incident is defined as any Screening Service unavailability related to Client’s applications, Client Data, or Client’s equipment, or the acts or omissions of any user of the Screening Service. Emergency Maintenance means downtime of the Screening Service due to the application of urgent patches or fixes, or other urgent maintenance, recommended by MRI’s vendors, that is performed outside of Scheduled Maintenance.
Client acknowledges that MRI does not control the transfer of data over telecommunications facilities, including the Internet. MRI does not warrant secure operation of the Screening Services or that it will be able to prevent third party disruptions of such Services. Client acknowledges further that the Screening Services may be subject to limitations, delays, and other problems inherent in the use of the internet and electronic communications. MRI is not responsible for any delays, delivery failures, or other damage resulting from such problems.
- Maintenance and Support Services. Subject to Client’s timely payment of applicable Screening Services fees, MRI will provide to Client the Maintenance and Support services for the Maintenance and Support plan indicated in the Order Document, under MRI’s Maintenance and Support policies in effect at the time the Services are provided for the level of Services ordered. MRI shall manage and install all Updates and Upgrades of the hosted Software.
- Updates are provided when and if available, and MRI is under no obligation to develop any future programs or functionality. MRI is under no obligation to provide Maintenance and Support with respect to: (i) Software that has been altered or modified by anyone other than MRI or its licensors; (ii) a release for which Maintenance and Support has been discontinued; (iii) Software used other than in accordance with the Documentation; (iv) discrepancies that do not significantly impair or affect the operation of the Screening Services; (v) any systems or programs not supplied by MRI; or (vi) Configurations.
For the avoidance of doubt, Updates provided under Maintenance and Support services do not include custom development, Upgrades, or Configurations regardless of whether such Configurations are performed by MRI or by Client. MRI reserves the right to charge Client for any reintegration work required to make Configurations compatible with future versions/releases.
If an Error was corrected or is not present in a more current version of the Software, MRI shall have no obligation to correct such Errors in prior versions of the Software.
Subject to timely payment of the applicable fees, Maintenance and Support is provided for all Software, unless otherwise noted in the Order Document; provided, however, that with respect to Third Party Software, MRI’s obligation is limited to using commercially reasonable efforts to obtain Maintenance and Support from the third party owner of such Software.
- Backups and Restoration Services. Provided Client is not otherwise in breach of the Agreement, MRI will provide backup copies and/or database restoration, upon written request and subject to Client’s payment of applicable fees for such service (a then-current fee schedule will be provided upon request).
- Fees for Screening Services do not include implementation, training and other Professional Services, such as project management, conversion, report writing, and external systems interface development. It is Client’s responsibility to ensure that all appropriate users receive initial training services sufficient to enable Client to effectively use the Screening Services. Failure to do so could result in increased service call fees if such service calls are deemed excessive as a result of insufficient training, at MRI’s discretion.
4. GRANT OF USE
Subject to the timely payment of the applicable fees, the terms of this Schedule and the Master Agreement, MRI grants to Client, for the Term, the right to access and use the Screening Services, as more fully described in the Order Document, solely for Client’s internal business purposes. Such access and use is subject to the terms of the Master Agreement, including without limitation the restrictions set forth in Section 6.2 of the Master Agreement.
The Screening Services purchased may be accessed by or used to manage no more than the number of License Metrics specified in the Order Document. Additional License Metrics may be purchased under an additional Order Document at the pricing in effect at the time the additional License Metrics are added, prorated for the remainder of the then-current Term. The added License Metrics shall have the same term as the then applicable Term. Unless stated otherwise in the Order Document, fees are based on Services and License Metrics purchased and not actual usage.
5. WARRANTIES AND DISCLAIMERS
MRI services and reports are provided “as is” without any warranty of any kind, expressed or implied, including, but not limited to, the warranty of performance, merchantability and fitness for a particular purpose. Client understands that MRI is not providing legal advice and MRI makes no warranties or representations that Client’s criteria meets the standards required by applicable.
6. THIRD PARTY SERVICES
While MRI strives to provide complete and accurate information, Client understands that MRI relies on information provided by third parties such as consumer reporting agencies, over which MRI has no control. As such, MRI does not collect or compile information on particular persons or subjects. The information available through online services has been obtained from public sources or publicly available sources.
Because consumer reporting agencies often require physical inspections in order to verify that Client meets federal guidelines as a qualified entity in order to request credit bureau reports, all Clients must be screened after agreeing to the terms of this Agreement. Client’s ability to pass such verification is not guaranteed and there is no refund of fees for any reason. All approved Clients have been carefully screened and qualified under MRI’s enrollment process. MRI maintains strict standards regarding its client base, access to the information and the management of its databases. MRI makes every effort, through its policies and procedures, to provide information that is current, accurate and is being used for appropriate purposes. Client shall be responsible for all verification fees.
7. CERTAIN OBLIGATIONS
7.1 Passwords; Security. Client is responsible for maintaining the confidentiality of all passwords and for ensuring that each password is used only by the authorized user. Client is entirely responsible for any and all activities that occur under Client’s account. Client agrees to immediately notify MRI of any unauthorized use of Client’s account or any other breach of security known to Client. MRI shall have no liability for any loss or damage arising from Client’s failure to comply with these requirements. MRI will maintain Client passwords as confidential and will not disclose them to third parties.
7.2 Client Data. Client shall be solely responsible for the accuracy, quality, integrity and legality of Client Data and of the means by which it acquired Client Data.
7.3 Acceptable Use. Client acknowledges and agrees that MRI does not monitor or police the content of communications or data of Client or its users transmitted through the Services, and that MRI shall not be responsible for the content of any such communications or transmissions. Client shall use the Services exclusively for authorized and legal purposes, consistent with all applicable laws and regulations. Client agrees not to post or upload any content or data which (a) is libelous, defamatory, obscene, pornographic, abusive, harassing or threatening; (b) contains Malicious Code; (c) violates the rights of others, such as data which infringes on any intellectual property rights or violates any right of privacy or publicity; or (d) otherwise violates any applicable law. Client further agrees not to interfere or disrupt networks connected to the Services, not to interfere with another entity’s use and enjoyment of similar services and to comply with all regulations, policies and procedures of networks connected to the SaaS Services. Client shall be responsible for obtaining any necessary licenses, permits, and consents for MRI with respect to the installation, maintenance, and access to the System. MRI may remove any violating content posted on the Services or transmitted through the Services, without notice to Client. MRI may suspend or terminate any user’s access to the SaaS Services upon notice in the event that MRI reasonably determines that such user has violated the terms and conditions of this Schedule.
8. EMPLOYMENT RELATED SERVICES
The following terms apply if Client purchases services involving consumer reports for employment purposes which may contain consumer identification, employment history, public record and credit information stored in MRI’s consumer credit reporting database (“Employment Related Services”):
8.1. Client Obligation. Client acknowledges the requirement of the Federal Fair Credit Reporting Act as amended by the Consumer Credit Reporting Reform Act of 1996, and hereby agrees to obtain certification from its subscribers (the “Subscriber”) prior to providing any Employment Related Services that is substantially similar to the verbiage set forth in 8.2 below.
8.2 Subscriber and/or Client hereby certifies to Client and to MRI as follows:
- Subscriber will ensure that prior to procurement or causing the procurement of a consumer report for employment purposes (an Employment Related Report): (i) a clear and conspicuous disclosure has been made in writing to the consumer at any time before the report is procured or caused to be procured, in a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes; and (ii) the consumer has authorized in writing the procurement of the report by Subscriber.
- In using a consumer report for employment purposes, before taking any adverse action based in whole or in part on the report, the Subscriber shall comply with all applicable laws, including providing to the consumer to whom the report relates: (i) a copy of the report; (ii) a description in writing of the rights of the consumer under the FCRA, a copy of which is attached hereto (“Summary of Consumer Rights”); and (iii) shall also provide any necessary notifications under applicable state law to the consumer. Such laws may also include a requirement for the Client to wait a reasonable period of time to allow the consumer to dispute the accuracy of the report between issuance of the pre-adverse action and adverse actions as outlined in the statutorily-required notice identified in the Fair Credit Reporting Act.
- The information from the consumer report will not be used in violation of any applicable federal, state or local equal employment opportunity law or regulation.
- Client and Subscriber shall comply at all times with applicable law, including use of the information contained in any report in violation of any applicable state or federal law, such as, without limitation, equal employment laws. Client certifies it is aware that local, state, and federal laws and regulations impact how and under what circumstances Client may use Reports. Client certifies that it will comply with all applicable federal, state, and local laws covering the acquisition and/or use of consumer reports and/or investigative consumer reports, including, but not limited to, the FCRA and Title VII.
- Client acknowledges its responsibility to provide the Summary of Consumer Rights as required by Section 609(c)(3) of the FCRA with each Employment Related Report. Client understands and acknowledges that by virtue of this certification, MRI is not providing legal advice to Client regarding the FCRA. Client further acknowledges that it shall be solely responsible for obtaining its own legal counsel and determining Client’s responsibilities under applicable laws.
- Use of Employment Related Report. Client acknowledges that MRI has created the Employment Related Report specifically for use for employment purposes. Client agrees that it shall provide only the Employment Related Services (or any successor or replacement service) to Subscribers for employment purposes, and shall not provide MRI’s general consumer report or other services to any subscriber for such purpose.
- If Client shall contemplate an adverse action letter, then it should do so in compliance with the terms of this Schedule and the FCRA, and if the Client determines that it should provide an adverse action letter, then such shall be provided specifically as permitted by applicable federal, state, and/or local law.
***************************************************************************************************************************************
END OF SCREENING SERVICES SCHEDULE
EXHIBIT A
ACCESS SECURITY REQUIREMENT
The following information security controls are required to reduce unauthorized access to consumer information. It is Client’s responsibility to implement these controls. If Client does not understand these requirements or needs assistance, it is Client’s responsibility to get an outside service provider to assist you. MRI and/or its chosen consumer credit reporting company (“CCRC”) reserves the right to change these Access Security Requirements without prior notification to the Client. The information provided herein provides the minimum baselines for access security. In accessing CCRC’s services, Client agrees to follow these security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store CCRC data. Client understands and agrees that the Access Security Requirement mandates that credit bureau reports be requested only when there is permissible purpose for tenant screening and/or pre-employment screening, at the request of the consumer, and will comply with this and all security requirements.
1. Implement Strong Access Control Measures
- All credentials such as Client code number, Client code passwords, user names/identifiers (“User Name”), and user passwords must be kept confidential and must not be disclosed to an unauthorized No one from CCRC will ever contact you and request your credentials.
- If using third party or proprietary system to access CCRC’s systems, ensure that the access must be preceded by authenticating users to the application and/or system (e.g. application based authentication, Active Directory) utilized for accessing CCRC data/systems.
- If the third party or third party software or proprietary system or software, used to access CCRC data/systems, is replaced or no longer in use, the passwords should be changed
- Create a unique User Name for each user to enable individual authentication and accountability for access to CCRC’s Each user of the system access software must also have a unique logon password.
- User Names and passwords shall only be assigned to authorized individuals based on least privilege necessary to perform job
- User Names and passwords must not be shared, posted, or otherwise divulged in any
- Develop strong passwords that are:
  - Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters)
  - Contain a minimum of eight (8) alphabetic and numeric characters for standard user accounts
- For interactive sessions (i.e. non system-to-system) ensure that passwords/passwords are changed periodically (every ninety (90) days is recommended)
- Passwords (e.g. Client code passwords, user password) must be changed immediately when:
  - Any system access software is replaced by another system access software or is no longer used
  - The hardware on which the software resides is upgraded, changed or disposed
  - Any suspicion of password being disclosed to an unauthorized party (see section 3 for reporting requirements)
- Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm also known as “one-way” encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES 256 or above).
- Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended Systems should be manually locked before being left unattended.
- Active logins to credit information systems must be configured with a thirty (30)-minute inactive session
- Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of the membership application.
- Client must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store CCRC
- Ensure that Client employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible
- Implement a process to terminate access rights immediately for users who access CCRC credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit
- Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.
- Implement a process to periodically review user activities and account usage, ensure the user activities are consistent with the individual job responsibility, business need, and in line with contractual obligations.
- Implement physical security controls to prevent unauthorized entry to Client’s facility and access to systems used to obtain credit Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.
2. Maintain a Vulnerability Management Program
- Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops) and all other systems current with appropriate system patches and
- Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers (laptops and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, and removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary
- Implement and follow current best security practices for computer virus detection scanning services and procedures:
  - Use, implement and maintain a current, commercially available anti-virus software on all systems, if applicable anti-virus technology Anti-virus software deployed must be capable of detecting, removing, and protecting against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.
  - Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
  - If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do not resume the inquiry process until the virus has been
3. Protect Data
- Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper).
- CCRC data is classified Confidential and must be secured in accordance with the requirements mentioned in this document at a
- Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the
- Encrypt all CCRC data and information when stored electronically on any system including but not limited to laptops, tablets, personal computers, servers, databases using strong encryption such as AES 256 or
- CCRC data must not be stored locally on smart tablets and smart phones such as iPads, iPhones, Android based devices,
- When using smart tablets or smart phones to access CCRC data, ensure that such devices are protected via device pass-code.
- Applications utilized to access CCRC data via smart tablets or smart phones must protect data while in transmission such as SSL protection and/or use of VPN,
- Only open email attachments and links from trusted sources and after verifying legitimacy.
- When no longer in use, ensure that hard-copy materials containing CCRC data are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be
- When no longer in use, electronic media containing CCRC data is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).
4. Maintain an Information Security Policy
- Develop and follow a security plan to protect the confidentiality and integrity of personal consumer information as required under the GLB Safeguards
- Suitable to complexity and size of the organization, establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and
- Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of If you believe CCRC data may have been compromised, immediately notify CCRC within twenty-four (24) hours or per agreed contractual notification timeline (See also Section 8).
- The FACTA Disposal Rules require that Client implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that
- Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security in the
- When using third party service providers (e.g. application service providers) to access, transmit, store or process CCRC data, ensure that service provider is compliant with CCRC Independent Third Party Assessment (EI3PA) program, and registered in CCRC list of compliant service If the service provider is in process of becoming compliant, it is Client responsibility to ensure the service provider is engaged with CCRC and exception is granted in writing. Approved certifications in lieu of EI3PA can be found in the Glossary section.
5. Build and Maintain a Secure Network
- Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security
- Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Network address translation (NAT) technology should be used.
- Administrative access to firewalls and servers must be performed through a secure internal wired connection
- Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network
- Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor
- For wireless networks connected to or used for accessing or transmission of CCRC data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.
- When using service providers (e.g. software providers) to access CCRC systems, access to third party tools/services must require multi-factor
6. Regularly Monitor and Test Networks
- Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in fifteen (15) days).
- Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit CCRC data; establish a process for linking all access to such systems and Ensure that security policies and procedures are in place to review security logs on daily or weekly basis and that follow-up to exceptions is required.
- Use current best practices to protect telecommunications systems and any computer system or network device(s) used to provide Services hereunder to access CCRC systems and These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:
  - protecting against intrusions;
  - securing the computer systems and network devices;
  - and protecting against intrusions of operating systems or
7. Mobile and Cloud Technology
- Storing CCRC data on mobile devices is Any exceptions must be obtained from CCRC in writing; additional security requirements will apply.
- Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top
- Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are
- Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or
- Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and See details below. Under no circumstances is CCRC data to be exchanged between secured and non-secured applications on the mobile device.
- In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing CCRC data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to
- When using cloud providers to access, transmit, store, or process CCRC data ensure that:
  - Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations
  - Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by CCRC:
    - ISO 27001
    - PCI DSS
    - EI3PA
    - SSAE 16 – SOC 2 or SOC3
    - FISMA
    - CAI / CCM assessment
8. General
- CCRC may from time to time audit the security mechanisms Client maintains to safeguard access to CCRC information, systems and electronic Audits may include examination of systems security and associated administrative practices.
- In cases where the Client is accessing CCRC information and systems via third party software, the Client agrees to make available to CCRC upon request, audit trail information and management reports generated by the vendor software, regarding a Client’s individual users.
- Client shall be responsible for and ensure that third party software, which accesses CCRC information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its
- Client shall conduct software development (for software which accesses CCRC information systems; this applies to both in-house or outsourced software development) based on the following
  - Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top
  - Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are
  - Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or
- Reasonable access to audit trail reports of systems utilized to access CCRC systems shall be made available to CCRC upon request, for example during breach investigation or while performing audits
- Data requests from Client to CCRC must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where
- Client shall report actual security violations or incidents that impact CCRC to CCRC within twenty-four (24) hours or per agreed contractual notification Client agrees to provide notice to CCRC of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred at 800-295-4305; email notification will be sent to regulatorycompliance@CCRC.com.
- Client acknowledges and agrees that the Client (a) has received a copy of these requirements, (b) has read and understands Client’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to CCRC services, systems or data, and (d) will abide by the provisions of these requirements when accessing CCRC data.
- Client understands that its use of CCRC networking and computing resources may be monitored and audited by CCRC, without further
- Client acknowledges and agrees that it is responsible for all activities of its employees/Authorized users, and for assuring that mechanisms to access CCRC services or data are secure and in compliance with its membership application.
- When using third party service providers to access, transmit, or store CCRC data, additional documentation may be required by
Record Retention: The Federal Equal Credit Opportunity Act (“ECOA”) states that a creditor must preserve all written or recorded information connected with an application for twenty-five (25) months. In keeping with the ECOA, CCRC requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than twenty-five (25) months. When conducting an investigation, particularly following a consumer complaint of an impermissible accessing of a credit report, CCRC will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract. “Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $3,500 per violation.”
Exhibit B
Internet Delivery Security Requirements
In addition to the above, the following requirements apply where Client and its employees or an authorized agent(s) acting on behalf of the Client are provided access to CCRC provided services via the Internet (“Internet Access”).
General requirements:
- Client shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with CCRC on systems access related The Client’s Head Security Designate will be responsible for establishing, administering and monitoring all Client employees’ access to CCRC provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions.
- The Client’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access The Head Security Designate or its Security Designate shall determine the appropriate access to each CCRC product based upon the legitimate business needs of each employee. CCRC shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.
- Unless automated means become available, the Client shall request employee’s (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by CCRC. Those employees approved by the Head Security Designate or Security Designate for Internet access (“Authorized Users”) will be individually assigned unique access identification accounts (“User Name”) and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). CCRC’s approval of requests for (Internet) access may be granted or withheld in its sole CCRC may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Client), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.
- An officer of the Client agrees to notify CCRC in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized
Roles and Responsibilities
- Client agrees to identify an employee it has designated to act on its behalf as a primary interface with CCRC on systems access related This individual shall be identified as the “Head Security Designate.” The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Client and shall be available to interact with CCRC on information and product access, in accordance with these CCRC Access Security Requirements. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Client. Client’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Client’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to CCRC’s systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to CCRC immediately.
- As a Client to CCRC’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of
- The Security Designate may be appointed by the Head Security Designate as the individual that the Client authorizes to act on behalf of the business in regards to CCRC product access control (e.g. request to add/change/remove access). The Client can opt to appoint more than one Security Designate (e.g. for backup purposes). The Client understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with CCRC’s Security Administration group on information and product access
- The Head Designate shall be responsible for notifying their corresponding CCRC representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account
Designate
- Must be an employee and duly appointed representative of Client, identified as an approval point for Client’s Authorized
- Is responsible for the initial and on-going authentication and validation of Client’s Authorized Users and must maintain current information about each (phone number, valid email address, ).
- Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User’s job responsibilities.
- Is responsible for ensuring that Client’s Authorized Users are authorized to access CCRC products and services.
- Must disable Authorized User Name if it becomes compromised or if the Authorized User’s employment is terminated by
- Must immediately report any suspicious or questionable activity to CCRC regarding access to CCRC’s products and services.
- Shall immediately report changes in their Head Security Designate’s status (e.g. transfer or termination) to
- Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized
- Shall be available to interact with CCRC when needed on any system or user related
Death Master File
- Client certifies that it meets the qualifications of a Certified Person under 15 CFR Part 1110.2 and that its access to the Death Master File is appropriate under the law. Client certifies that it has a legitimate fraud prevention interest, or has a legitimate business purpose pursuant to law, governmental rule, regulation or fiduciary duty, and shall specify the basis for so certifying.
- Client acknowledges that many Services containing credit bureau information also contain information from the Death Master File as issued by the Social Security Administration (“DMF”); certifies pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102 that, consistent with its applicable FCRA or GLB use of credit bureau information, the Client’s use of deceased flags or other indicia within the credit bureau information is restricted to legitimate fraud prevention or business purposes in compliance with applicable laws, rules, regulations, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1); and certifies that the Client will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other indicia within the credit bureau information.
- Client certifies that the Client shall implement and maintain a comprehensive information security program written in one or more readily accessible parts and that contains administrative, technical, and physical safeguards that are appropriate to the client’s size and complexity, the nature and scope of its activities, and the sensitivity of the information provided to the Client by MRI and/or the credit bureau; and that such safeguards shall include the elements set forth in 16 C.F.R. § 314.4 and 15 C.F.R. § 1110.102 Section 6103(p), as applicable to Client, and shall be reasonably designed to (i) insure the security and confidentiality of the information provided by MRI and/or the credit bureau, (ii) protect against any anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Client shall not disclose information derived from the Death Master File to the consumer or any third party, unless clearly required by law.
- Client acknowledges that failure to comply with the provisions above may subject Client, in addition to damages resulting from breach of this Agreement, to penalties under 15 CFR 1110.200 of $1,000 for each disclosure or use, up to a maximum of $250,000 in penalties per calendar year. Client shall indemnify and hold harmless MRI, the credit bureau, and the United States Government/NTIS from all claims, demands, damages, expenses, and losses, whether sounding in tort, contract or otherwise, arising from or in connection with Client’s, or Client’s employees, contractors or subcontractors, use of the Death Master File. This provision shall survive termination of the Agreement and will include any and all claims or liabilities arising from intellectual property rights.
- The Death Master File does have inaccuracies and NTIS and the Social Security Administration (SSA), which provides the Death Master File to NTIS, do not guarantee the accuracy of the Death Master File. SSA does not have a death record for all deceased persons. Therefore, the absence of a particular person on the Death Master File is not proof that the individual is alive. Further, in rare instances, it is possible for the records of a person who is not deceased to be included erroneously in the Death Master File. If an individual claims that SSA has incorrectly listed someone as deceased (or has incorrect dates/data on the Death Master File), the individual should be told to contact their local Social Security office (with proof) to have the error corrected. The local Social Security office will (a) make the correction to the main NUMIDENT file at SSA and give the individual a verification document of SSA’s current records to use to show any company, recipient/purchaser of the DMF that has the error; OR, (b) find that SSA already has the correct information on the main NUMIDENT file and Death Master File (probably corrected sometime prior), and give the individual a verification document of SSA’s records to use to show to any company, subscriber/purchaser of the Death Master File that had the error. Neither MRI nor the credit bureau can be responsible for or assist in the correction of the Death Master File.
Exhibit C
Additional Fair Credit Reporting Requirements
MRI strongly endorses the letter and spirit of the Federal Fair Credit Reporting Act. Although the FCRA primarily regulates the operations of consumer credit reporting agencies, it also affects the Client as a user of information. Client can access the FCRA in its entirety at http://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0111-fair-credit-reporting-act.pdf. MRI suggests that the Client and its employees become familiar with the following sections in particular:
- 604. Permissible Purposes of Reports
- 607. Compliance Procedures
- 615. Requirement on users of consumer reports
- 616. Civil liability for willful noncompliance
- 617. Civil liability for negligent noncompliance
- 619. Obtaining information under false pretenses
- 621. Administrative Enforcement
- 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies
- 628. Disposal of Records
In addition to the Federal Fair Credit Reporting Act, other federal and state laws addressing such topics as usage of reports for employment purposes, computer crime and unauthorized access to protected databases have also been enacted. Client is required to comply with all laws applicable to the request and use of the Screening Services.
As directed by the law, credit reports may be issued only if they are to be used for extending credit, review or collection of an account, employment purposes, underwriting insurance or in connection with some other legitimate business transaction such as in investment, partnership, etc. It is imperative that you identify each request for a report to be used for employment purposes when such report is ordered. Additional state laws may also impact your usage of reports for employment purposes.
PROFESSIONAL SERVICES SCHEDULE
This Professional Services Schedule is entered into between ResidentCheck LLC, Trusted Employees, or Rental History Reports as applicable and as outlined in the Order Document (“MRI”) and the Client named in the Order Document, and the authorized representatives of the Parties hereby execute this Professional Services Schedule to be effective as of the Effective Date, as defined in the Order Document.
1. SERVICES
1.1 Work Authorizations/Statements of Work. MRI will perform the mutually agreed upon Professional Services for Client described in one or more work orders, work authorizations, statements of work or Order Documents (individually and collectively an “SOW”) as the parties may agree to in writing from time to time. Each SOW, once executed by the authorized representatives of the parties, shall become a part of the Agreement. Except as expressly stated elsewhere in this Schedule, in the event of a conflict between the terms of this Schedule and the terms of a SOW, the terms of this Schedule shall prevail.
1.2 Change Orders. Either party may propose a change order to add to, reduce or change the Professional Services ordered in the SOW. Each change order shall specify the change(s) to the Professional Services or deliverables, and the effect on the time of performance and on the fees owed to MRI, due to the change. Once executed by both parties, a change order shall become a part of the SOW.
1.3 Costs. Professional Services shall be provided on a time and materials (“T&M”) basis at MRI’s T&M rates in effect at the time the Professional Services are performed, unless otherwise specified in the applicable Statement of Work. On a T&M engagement, if an estimated total amount is stated in the applicable SOW, that amount is solely a good faith estimate for Client’s budgeting and MRI’s resource scheduling purposes and not a guarantee that the work will be completed for that amount. If Client wishes the MRI personnel to perform Professional Services at Client’s site, Client agrees it shall give MRI at least two (2) weeks’ prior notice so MRI can make appropriate travel arrangements. Professional Services performed at Client’s site shall be billed to Client in minimum increments of eight (8) hours per day per MRI employee. Fees are based on services, including training services, provided during normal MRI business hours, Monday through Friday, 8:00 a.m. – 7:00 p.m. local time (MRI holidays excluded). Professional Services provided by MRI outside of normal MRI business hours will be subject to a premium service charge of one and one-half of the standard MRI list price for such services. Except as otherwise provided in Section 4.1 herein with respect to training services, if Client cancels a Professional Services engagement specified in an approved SOW less than ten (10) business days before the scheduled start date for such Professional Services, Client shall pay twenty-five percent (25%) of the total estimated costs for Professional Services scheduled for performance between five (5) and ten (10) business days of MRI’s receipt of Client’s cancellation and fifty percent (50%) of any Professional Services scheduled for performance within five (5) business days of such receipt.
1.4 Delays/Costs Overruns. In the event of any delay in Client’s performance of any of the obligations set forth herein or any other delays caused by Client, the milestones, fees and date(s) set forth in the SOW shall be adjusted on a T&M basis as reasonably necessary to account for such delays, and the adjustment shall be made by change order in accordance with the provisions of Section 1.2 above.
2. PROJECT MANAGEMENT
2.1 Responsibility. MRI shall be responsible for securing, managing, scheduling, coordinating and supervising MRI personnel, including its subcontractors, in performing the Professional Services.
2.2 Cooperation. Client shall provide MRI with good faith cooperation and access to such information, facilities, personnel and equipment as may be reasonably required by MRI in order to provide the Professional Services, including, but not limited to, providing security access, information, and software interfaces to Client’s applications, and Client personnel, as may be reasonably requested by MRI from time to time. Client acknowledges and agrees that MRI’s performance is dependent upon the timely and effective satisfaction of Client’s responsibilities hereunder and timely decisions and approvals of Client in connection with the Professional Services. MRI shall be entitled to rely on all decisions and approvals of Client.
2.3 Subcontractors. MRI may subcontract or delegate any work under any SOW to any third party without Client’s prior written consent; provided, however, that MRI shall remain responsible for the performance, acts and omissions of any such subcontractors.
2.4 Client Data. Client Data must be provided to MRI in a format approved by MRI or additional charges will apply. Client is responsible for the accuracy and completeness of its information and Client Data. MRI’s performance is dependent on Client’s timely provision of accurate and complete resources and information, including but not limited to detailed, precise and clear specifications for any deliverables.
2.5 Access. For installation of the System and for any Support of the System, Client shall ensure that MRI’s assigned technical personnel are able to access the System remotely. Client shall be responsible for providing MRI access through any Client security measures. MRI alone shall decide whether access to the System is sufficient for installation purposes. Certain functionality of the System may require connections to or interaction with MRI after such System is running on Client’s infrastructure, and Client agrees to permit and facilitate such connections and interaction.
If the Parties agree to Services on-site, then Client shall provide MRI and/or its authorized representatives with reasonable, legal, and safe access to the Client’s premises and furnish such information as MRI may reasonably request from time to time as necessary for MRI’s performance of the Services. MRI and its authorized representatives shall access the Client’s physical premises under this Agreement only if agreed between the Parties and solely for the purposes of providing the Services. While providing Services on Client’s premises, MRI personnel and its authorized representative shall comply with applicable laws and reasonable security requirements which Client has given MRI notice of and which relate to the Professional Services being delivered on site.
3. LICENSE AND OWNERSHIP
3.1 Ownership. Without prejudice to the provisions of Section 6 (Limited Rights and Ownership) of the Master Agreement, all Intellectual Property including all copies thereof in any Software, other products furnished by MRI and the results of the Professional Services performed by MRI including (without limitation) all deliverables, documentation, training materials, Configurations and all Intellectual Property embodied therein shall, subject to Section 3.2 below, vest solely and absolutely in MRI or its licensors. MRI may access the System remotely in order to copy Configurations to the Software or to otherwise ensure Client’s compliance with the terms of this Section 3.1 and the Agreement.
3.2 Limited License. MRI grants Client, upon full payment of the applicable fees and charges, during the Term and subject to the restrictions set forth in Section 6.2 of the Master Agreement, a personal, nontransferable, nonexclusive, nonsublicensable, limited license to use the deliverables solely for Client’s own internal business needs.
4. SUPPLEMENTAL TERMS FOR TRAINING SERVICES
4.1 General. “Training Courses” are defined as: classroom-based, live virtual, and/or self-paced e-learning courses provided by MRI’s training division called MRI Learning Solutions. Training Courses and their respective prices, policies and schedules are subject to change without notice. Training Courses shall be provided by MRI to Client pursuant to the terms of an SOW. “Named Users” as used herein are defined as Client Users listed in the SOW that shall be eligible to receive Training Courses.
4.2 Cancellation and Transfer Policies
4.2.1 Client Training Course Cancellation Policy. “Client Training Courses” means non-publicly offered Training Courses delivered specifically for Client and held at a mutually agreed upon time and location. Client Training Courses may be delivered in a physical classroom at a location determined by mutual agreement or through a live virtual classroom. Details regarding delivering Client Training Courses shall be set forth in an approved SOW. For Client Training Courses to be provided at an onsite classroom that are canceled by Client: (i) ten (10) or more business days prior to the course start date, MRI will provide a full refund or credit; or (ii) within the ten (10) business day period before the course start date, fifty percent (50%) of the course fee will be forfeited and MRI will provide the remainder as a refund or credit.
4.2.2 Physical Classroom Public Training Course Cancellation Policy. “Public Training Courses” means publicly offered Training Courses that are not delivered specifically for Client. Public Training Courses may be delivered in a physical classroom or through a live virtual classroom. Registered attendees for a physical classroom Public Training Course who cancel less than ten (10) business days prior to the course start date will forfeit all applicable Training Course fees; however, transfers to another person are permitted up to one (1) business day prior to the course start date. In order to transfer a physical classroom Public Training Course attendance spot, contact MRI Learning Solutions at 1.800.321.8770 ext. 1 or email learning@mrisoftware.com. MRI reserves the right to cancel any physical classroom Public Training Course class up to ten (10) business days prior to the course start date for any reason. If MRI cancels a physical classroom Public Training Course class and is unable to reschedule the attendee, MRI will refund to such attendee all applicable Training Course fees. MRI assumes no responsibility for non-refundable airline tickets or other expenses that may be incurred due to cancellation of a physical classroom Public Training Course.
4.2.3 Live Virtual Classroom Public Training Course Cancellation Policy. Registered attendees for a live virtual classroom Public Training Course program will receive a web-conferencing invitation on the day prior to the start of the program. Registered attendees who cancel less than twenty-four (24) hours before the scheduled start date and time will not be refunded any applicable Training Course fees. However, transfers to another person are permitted up to the starting time of the program. In order to transfer a live virtual classroom Public Training Course attendance spot, contact MRI Learning Solutions at 1.800.321.8770 ext. 1 or email learning@mrisoftware.com. MRI reserves the right to cancel any live virtual classroom Public Training Course class for any reason. If MRI cancels a live virtual classroom Public Training Course class and is unable to reschedule the attendee, MRI will refund to such attendee all applicable Training Course fees.
4.2.4 Self-Paced e-Learning Training Course Cancellation Policy. “Self-Paced e-Learning Training Courses” means publicly offered Training Courses that have no set time or location, and can be taken by any person at any time at the MRI Learning Solutions website. Self-Paced e-Learning Training Courses are non-cancelable and applicable fees are non-refundable. All sales of Self-Paced e-Learning Training Courses are final and non-transferable.
4.3 Use Limitations; Monitoring. Unless otherwise explicitly agreed in writing by MRI, Client is only allowed user access rights to any Training Course up to the number of Named Users purchased as shown in an executed SOW. Client and Named Users may not share access rights, or any Training Course content, with others and may only access the Training Course for personal training use as specifically permitted. To the extent permitted by law, MRI may monitor, suspend or terminate Client’s or any Named User’s use of any Training Course and/or training account, or terminate this Schedule or the applicable SOW, or remove or disclose Client’s or any Named User’s information in order to ensure Client’s and all Named Users’ compliance with the Agreement or to otherwise protect MRI rights or rights of others. If Client or any Named User does not comply with the restrictions set forth in this Section 4.3, Client may be charged additional fees equivalent to the resulting usage fees for the related services incurred.
5. TERMINATION
This Schedule may be terminated in accordance with Section 9 of the Master Agreement.
Where the non-breaching Party has a right to terminate this Schedule, the non-breaching Party may at its discretion either terminate this Schedule, or the applicable SOW.
Upon termination for any reason, all work products, including all drafts and works in progress of deliverables, shall be delivered to Client. Upon MRI’s receipt of a notice of termination, MRI shall cease and shall cause any agent or subcontractor to cease all work under the applicable SOW and minimize any additional costs or reimbursable expenses unless otherwise agreed in writing by the Parties. Except as may be expressly set forth in the applicable SOW, Client shall pay MRI fees for services performed to the date of termination on a T&M basis together with any expenses reasonably incurred in connection therewith. The Parties’ obligations under this Section 5 and Section 3 of this Schedule and the surviving provisions of the Master Agreement shall survive any termination of this Schedule.
***************************************************************************************************************************************
END OF PROFESSIONAL SERVICES SCHEDULE
The Work Number® Terms and Conditions
The Work Number® and/or Information (as defined below) will be received by Client through MRI subject to the following conditions (the “Work Number Terms and Conditions”). For clarity, if Client is not purchasing The Work Number® or The Work Number® Express Social Service, then the below Work Number® Terms and Conditions and Exhibits A-1 through B-1 shall not apply:
- Any information services and data originating from TALX Corporation’s (a provider of Equifax Verification Services)(“EVS”) The Work Number® service (“The Work Number®”) will be requested only for Subscriber’s exclusive use in connection with a determination of the consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status, and held in strict confidence except to the extent that disclosure to others is required or permitted by Only designated representatives of Client will request The Work Number®, and employees will be forbidden to obtain data from The Work Number® on themselves, associates or any other persons except in the exercise of their official duties. Client will not disclose The Work Number® to the subject of The Work Number® except as permitted or required by law, but will refer the subject to EVS.
- Client will hold EVS and all its agents harmless on account of any expense or damage arising or resulting from the publishing or other disclosure of data from The Work Number® by Client, its employees or agents in direct violation of the conditions of Section 1 above or applicable
- Client recognizes that EVS does not guarantee the accuracy or completeness of data from The Work Number®, as outside entities independently contribute or furnish the information contained Accordingly, Client releases EVS and its directors, officers, employees, and agents, independent contractors, affiliates, and successors and assigns (the “EVS Entities”) from liability for any acts or omissions in connection with the provision of The Work Number® and from any loss or expense suffered by Client or users resulting directly or indirectly therefrom. Client covenants not to sue or maintain any claim, cause of action, demand, cross-action, counterclaim, third-party action or other form of pleading against EVS or EVS Entities arising out of or relating in any way to the accuracy or inaccuracy, validity or nonvalidity or completeness of any data from The Work Number® as the EVS Entities are under different accuracy and completeness obligations from data furnishers under the FCRA and other applicable law.
- Client will be charged for The Work Number® by MRI, which is responsible for paying EVS for The Work Number®; provided, however, should the underlying relationship between Client and MRI terminate at any time during the term of this Agreement, charges for The Work Number® will be invoiced to Client, and Client will be solely responsible to pay EVS directly.
- Fair Credit Reporting Act Certification. Client certifies that it will order data from The Work Number® Service only when Client intends to use the data (i) in accordance with the Fair Credit Reporting Act (“FCRA”) and all applicable state law FCRA counterparts as though the data is a consumer report, and (ii) for the following FCRA permissible purpose: in connection with a determination of the consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status, and for no other Client agrees to only use the data consistent with the obligations of users of consumer reports as provided for in the Consumer Financial Protection Bureau’s (the “CFPB’s”) Notice Form attached as Exhibit 1. Client certifies that before ordering data to be used in connection with employment purposes, it will clearly and conspicuously disclose to the subject Consumer, in a written document consisting solely of the disclosure, that Client may obtain data for employment purposes and will also obtain the Consumer’s written authorization to obtain or procure data relating to that Consumer. Client further certifies that it will not take adverse action against the consumer based in whole or in part upon the data without first providing to the Consumer to whom the data relates a copy of the data and a written description of the Consumer’s rights as prescribed by the CFPB, and also will not use any data in violation of any applicable federal or state equal opportunity law or regulation. Client acknowledges that it has received from EVS a copy of the consumer rights summary as prescribed by the CFPB as referenced on Exhibit A-1.
It is recognized and understood that the FCRA provides that anyone “who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under Title 18, United States Code, imprisoned for not more than two (2) years, or both.” EVS may periodically conduct audits of Client regarding its compliance with the FCRA and other certifications in this Agreement. Audits will be conducted by mail whenever possible and will require Clients to provide documentation as to permissible use of particular data from The Work Number®. Client gives its consent to EVS to conduct such audits and agrees that any failure to cooperate fully and promptly in the conduct of any audit, or Client’s material breach of this Agreement, constitute grounds for immediate suspension of the Service or termination of this Agreement. If EVS terminates this Agreement due to the conditions in the preceding sentence, Client (i) unconditionally releases and agrees to hold EVS harmless and indemnify it from and against any and all liabilities of whatever kind or nature that may arise from or relate to such termination, and (ii) covenants it will not assert any claim or cause of action of any kind or nature against EVS in connection with such termination.
Vermont Certification. Client certifies that it will comply with applicable provisions under Vermont law. In particular, Client certifies that it will order The Work Number® relating to Vermont residents that are consumer reports as defined by the Vermont Fair Credit Reporting Act (“VFCRA”), only after Client has received prior Consumer consent in accordance with VFCRA Section 2480e and applicable Vermont Rules. Client further certifies that a copy of Section 2480e of the Vermont Fair Credit Reporting Statute, attached hereto as Exhibit A-2, was received from MRI.
Client will comply with the applicable provisions of the FCRA, Federal Equal Credit Opportunity Act and any amendments to it, all state law counterparts of them, and all applicable regulations promulgated under any of them including, without limitation, any provisions requiring adverse action notification to the Consumer.
Section 1785.14(a) of the California Civil Code imposes special requirements with respect to transactions in which a “retail seller” (as defined in Section 1802.3 of the California Civil Code) intends to issue credit to a California resident who appears in person on the basis of an application for credit submitted in person (“point of sale transactions”). Client certifies that these requirements do not apply to it because (a) Client is NOT a “retail seller” (as defined in Section 1802.3 of the California Civil Code), and/or (b) Client does NOT issue credit to California residents who appear in person on the basis of applications for credit submitted in person. Client further certifies that it will notify EVS in writing 30 days PRIOR to becoming a retail seller or engaging in point of sale transactions with respect to California residents.
- Data Security. This Section 6 applies to any means through which Client orders or accesses The Work Number®, without limitation, system-to-system, personal computer or the The term “Authorized User” means a Client employee that Client has authorized to order The Work Number® and who is trained on Client’s obligations under this Agreement with respect to the ordering and use of The Work Number®, including Client’s FCRA and other obligations with respect to the access and use of consumer reports.
- With respect to handling The Work Number®, Client agrees to:
- ensure that only Authorized Users can order or have access to The Work Number®,
- ensure that Authorized Users do not order The Work Number® for personal reasons or provide them to any third party except as permitted by this Agreement,
- inform Authorized Users that unauthorized access to consumer reports may subject them to civil and criminal liability under the FCRA punishable by fines and imprisonment,
- ensure that all devices used by Client to order or access The Work Number® are placed in a secure location and accessible only by Authorized Users and that such devices are secured when not in use through such means as screen locks, shutting power controls off, or other commercially reasonable security procedures,
- take all necessary measures to prevent unauthorized ordering of The Work Number® by any persons other than Authorized Users for permissible purposes, including, without limitation, (a) limiting the knowledge of the Client security codes, member numbers, User IDs, and any passwords Client may use (collectively, “Security Information”), to those individuals with a need to know, (b) changing Client’s user passwords at least every ninety (90) days, or sooner if an Authorized User is no longer responsible for accessing The Work Number®, or if Client suspects an unauthorized person has learned the password, and (c) using all security features in the software and hardware Client uses to order The Work Number®,
- in no event access The Work Number® via any hand-held wireless communication device, including but not limited to, web enabled cell phones, interactive wireless pagers, personal digital assistants (PDAs), mobile data terminals, and portable data terminals,
- not use non-company owned assets such as personal computer hard drives or portable and/or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs, and DVDs) to store data from The Work Number®.
- encrypt data from The Work Number® when it is not in use and with respect to all printed data from The Work Number® store in a secure, locked container when not in use and completely destroyed when no longer needed by cross-cut shredding machines (or other equally effective destruction method).
- if Client sends, transfers or ships any data from The Work Number®, encrypt the data from The Work Number® using the following minimum standards, which standards may be modified from time to time by EVS, provided that they do not materially, negatively change as of the Effective Date: FIPS 140-2 compliant ciphers and algorithms,
- monitor compliance with the obligations of this Section 6, and promptly notify EVS if Client suspects or knows of any unauthorized access or attempt to access The Work Number®, including, without limitation, a review of EVS invoices for the purpose of detecting any unauthorized activity,
- not ship hardware or software between Client’s locations or to third parties without deleting all Security Information and any data from The Work Number®,
- if Client uses a Service Provider to establish access to The Work Number®, be responsible for the Service Provider’s use of Security Information, and ensure the Service Provider safeguards Security Information through the use of security requirements that are no less stringent than those applicable to Client under this Section 6,
- use commercially reasonable efforts to assure data security when disposing of any consumer information or record obtained from The Work Number®. Such efforts must include the use of those procedures issued by the federal regulatory agency charged with oversight of Client’s activities (e.g. the Consumer Financial Protection Bureau, the applicable banking or credit union regulator) applicable to the disposal of consumer report information or records.
- use commercially reasonable efforts to secure data from The Work Number® when stored on servers, subject to the following requirements: (i) servers storing data from The Work Number® must be separated from the internet or other public networks by firewalls which are managed and configured to meet industry accepted best practices, (ii) protect data from The Work Number® through multiple layers of network security, including but not limited to, industry-recognized firewalls, routers, and intrusion detection/prevention devices (IDS/IPS), (iii) secure access (both physical and network) to systems storing data from The Work Number®, which must include authentication and passwords that are changed at least every ninety (90) days; and (iv) all servers must be kept current and patched on a timely basis with appropriate security specific system patches, as they are available.
- not allow data from The Work Number® to be displayed via the internet unless utilizing, at a minimum, a three-tier architecture configured in accordance with industry best practices, and
- use commercially reasonable efforts to establish procedures and logging mechanisms for systems and networks that will allow tracking and analysis in the event there is a compromise, and maintain an audit trail history for at least three (3) months for review by EVS.
- EVS may, no more than once each calendar year and upon reasonable prior written notice, conduct, or have a third party conduct on its behalf, at EVS’s sole expense, an audit reasonably designed to monitor compliance with the obligations set forth in this Agreement; provided, however, if EVS has a reasonable belief that Client is not in compliance with one or more of the obligations of this Agreement, these restrictions shall not apply. If EVS reasonably believes a compliance issue exists, EVS or its designated representative may enter Client’s facilities, upon at least five (5) business days prior written notice and at a mutually agreed upon time, during normal business hours, without undue disruption of Client’s business, and subject to Client’s reasonable security requirements and information security practices, to conduct an on-site assessment of Client’s practices and procedures relating to Client’s request for, and use of, the Services and Client’s security practices with respect Provided however that neither EVS nor the auditor shall be permitted to inspect or audit of the Client’s SaaS environment itself, the servers contained therein, any information that contains Personal Data not related to this Agreement, or confidential information of Client’s customers. Client agrees that any failure to cooperate fully and promptly in the conduct of any audit requested pursuant to this Section 10 will constitute grounds for immediate suspension of service(s) under, or termination of, this Agreement.
- TERRITORY. Client may access, use and store The Work Number® only at or from locations within the territorial boundaries of the United States (the “Permitted Territory”). Client may not access, use or store The Work Number® at or from, or send it to any location outside of the Permitted Territory without first obtaining EVS’s written
- SERVICE PROVIDERS. Client may not allow a third party service provider (hereafter “Service Provider”) to access, use, or store The Work Number® on Client’s behalf, without: (i) first performing due diligence into the financial and operational stability of the proposed Service Provider, (ii) entering into contracts with such Service Providers that contain provisions substantially similar to those contained in this Agreement, (iii) Client shall be responsible for the acts and omissions of such Service Provider, and (iv) receiving prior written approval and credentialing by EVS and the conveyance of EVS written agreements or documents in accordance with applicable federal and state
- Client certifies that it has read the attached Exhibit A-3 “Notice to Users of Consumer Reports, Obligations of Users” which explains Client’s obligations under the FCRA as a user of consumer information.
Exhibit A-1 to The Work Number® Terms and Conditions
For information in Spanish, visit www.consumerfinance.gov/learnmore or write to the Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
A Summary of Your Rights Under the Fair Credit Reporting Act
The federal Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. There are many types of consumer reporting agencies, including credit bureaus and specialty agencies (such as agencies that sell information about check writing histories, medical records, and rental history records). Here is a summary of your major rights under FCRA. For more information, including information about additional rights, go to www.consumerfinance.gov/learnmore or write to: Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
- You must be told if information in your file has been used against Anyone who uses a credit report or another type of consumer report to deny your application for credit, insurance, or employment – or to take another adverse action against you – must tell you, and must give you the name, address, and phone number of the agency that provided the information.
- You have the right to know what is in your file. You may request and obtain all the information about you in the files of a consumer reporting agency (your “file disclosure”). You will be required to provide proper identification, which may include your Social Security In many cases, the disclosure will be free. You are entitled to a free file disclosure if:
- a person has taken adverse action against you because of information in your credit report;
- you are the victim of identity theft and place a fraud alert in your file;
- your file contains inaccurate information as a result of fraud;
- you are on public assistance;
- you are unemployed but expect to apply for employment within sixty (60)
In addition, all consumers are entitled to one free disclosure every twelve (12) months upon request from each nationwide credit bureau and from nationwide specialty consumer reporting agencies. See www.consumerfinance.gov/learnmore for additional information.
- You have the right to ask for a credit Credit scores are numerical summaries of your credit-worthiness based on information from credit bureaus. You may request a credit score from consumer reporting agencies that create scores or distribute scores used in residential real property loans, but you will have to pay for it. In some mortgage transactions, you will receive credit score information for free from the mortgage lender.
- You have the right to dispute incomplete or inaccurate information. If you identify information in your file that is incomplete or inaccurate, and report it to the consumer reporting agency, the agency must investigate unless your dispute is See www.consumerfinance.gov/learnmore for an explanation of dispute procedures.
- Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information. Inaccurate, incomplete, or unverifiable information must be removed or corrected, usually within thirty (30) However, a consumer reporting agency may continue to report information it has verified as accurate.
- Consumer reporting agencies may not report outdated negative information. In most cases, a consumer reporting agency may not report negative information that is more than seven years old, or bankruptcies that are more than ten (10) years
- Access to your file is A consumer reporting agency may provide information about you only to people with a valid need – usually to consider an application with a creditor, insurer, employer, landlord, or other business. The FCRA specifies those with a valid need for access.
- You must give your consent for reports to be provided to A consumer reporting agency may not give out information about you to your employer, or a potential employer, without your written consent given to the employer. Written consent generally is not required in the trucking industry. For more information, go to www.consumerfinance.gov/learnmore.
- You may limit “prescreened” offers of credit and insurance you get based on information in your credit report. Unsolicited “prescreened” offers for credit and insurance must include a toll-free phone number you can call if you choose to remove your name and address from the lists these offers are based You may opt out with the nationwide credit bureaus at 1-888-5-OPTOUT (1-888-567-8688).
- The following FCRA right applies with respect to nationwide consumer reporting agencies: CONSUMERS HAVE THE RIGHT TO OBTAIN A SECURITY FREEZE
- You have a right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.
However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.
As an alternative to a security freeze, you have the right to place an initial or extended fraud alert on your credit file at no cost. An initial fraud alert is a one (1)-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven (7) years.
A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.
- You may seek damages from violators. If a consumer reporting agency, or, in some cases, a user of consumer reports or a furnisher of information to a consumer reporting agency violates the FCRA, you may be able to sue in state or federal court.
- Identity theft victims and active duty military personnel have additional rights. For more information, visit consumerfinance.gov/learnmore.
States may enforce the FCRA, and many states have their own consumer reporting laws. In some cases, you may have more rights under state law. For more information, contact your state or local consumer protection agency or your state Attorney General. For information about your federal rights, contact:
Exhibit A-2 to The Work Number® Terms and Conditions
State Compliance Matters
Vermont Fair Credit Reporting Contract Certification
The undersigned, (“Client”), acknowledges that it subscribes to receive various information services from TALX Corporation (“EVS”) in accordance with the Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (1999), as amended (the “VFCRA”) and the Federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as amended (the “FCRA”) and its other state law counterparts. In connection with Subscriber’s continued use of EVS information services in relation to Vermont consumers, Subscriber hereby certifies as follows:
Vermont Certification. Client certifies that it will comply with applicable provisions under Vermont law. In particular, Client certifies that it will order EVS Employment Information relating to Vermont residents, that are credit reports as defined by the VFCRA, only after Client has received prior consumer consent in accordance with VFCRA § 2480e and applicable Vermont Rules. Subscriber further certifies that the attached copy of § 2480e of the Vermont Fair Credit Reporting Statute was received from EVS.
Client: (please print)
Signed By: ________________________________________________________
Printed Name: ____________________________________________________ (please print)
Title: ____________________________________________________________
Account Number: __________________________________________________
Date: ___________________________________________________________
Please also include the following information:
Compliance Officer or Person Responsible for Credit Reporting Compliance
Printed Name: (please print)
Title: __________________________________________________________________
Mailing Address: _________________________________________________________
City: State: Zip: ____________________
E-Mail Address: _________________________________________________________
Phone: ______ Fax: _______________________
Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (1999)
§ 2480e. Consumer consent
- A person shall not obtain the credit report of a consumer unless:
- the report is obtained in response to the order of a court having jurisdiction to issue such an order; or
- the person has secured the consent of the consumer, and the report is used for the purpose consented to by the consumer.
- Credit reporting agencies shall adopt reasonable procedures to assure maximum possible compliance with subsection (a) of this
- Nothing in this section shall be construed to affect:
- the ability of a person who has secured the consent of the consumer pursuant to subdivision (a)(2) of this section to include in his or her request to the consumer permission to also obtain credit reports, in connection with the same transaction or extension of credit, for the purpose of reviewing the account, increasing the credit line on the account, for the purpose of taking collection action on the account, or for other legitimate purposes associated with the account; and
- the use of credit information for the purpose of prescreening, as defined and permitted from time to time by the Consumer Financial Protection
VERMONT RULES *** CURRENT THROUGH JUNE 1999 *** AGENCY 06. OFFICE OF THE ATTORNEY GENERAL
SUB-AGENCY 031. CONSUMER PROTECTION DIVISION
CHAPTER 012. Consumer Fraud–Fair Credit Reporting RULE CF 112 FAIR CREDIT REPORTING
CVR 06-031-012, CF 112.03 (1999)
CF 112.03 CONSUMER CONSENT
- A person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing if the consumer has made a written application or written request for credit, insurance, employment, housing or governmental benefit. If the consumer has applied for or requested credit, insurance, employment, housing or governmental benefit in a manner other than in writing, then the person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing or in the same manner in which the consumer made the application or request. The terms of this rule apply whether the consumer or the person required to obtain consumer consent initiates the transaction.
- Consumer consent required pursuant to 9 V.S.A. §§ 2480e and 2480g shall be deemed to have been obtained in writing if, after a clear and adequate written disclosure of the circumstances under which a credit report or credit reports may be obtained and the purposes for which the credit report or credit reports may be obtained, the consumer indicates his or her consent by providing his or her signature.
- The fact that a clear and adequate written consent form is signed by the consumer after the consumer’s credit report has been obtained pursuant to some other form of consent shall not affect the validity of the earlier
Exhibit A-3 to The Work Number® Terms and Conditions
All users of consumer reports must comply with all applicable regulations, including regulations promulgated after this notice was first prescribed in 2004. Information about applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau’s website, www.consumerfinance.gov/learnmore.
NOTICE TO USERS OF CONSUMER REPORTS: OBLIGATIONS OF USERS UNDER THE FCRA
The Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Bureau of Consumer Financial Protection’s website at www.consumerfinance.gov/learnmore. At the end of this document is a list of United States Code citations for the FCRA. Other information about user duties is also available at the Bureau’s website. Users must consult the relevant provisions of the FCRA for details about their obligations under the FCRA.
The first section of this summary sets forth the responsibilities imposed by the FCRA on all users of consumer reports. The subsequent sections discuss the duties of users of reports that contain specific types of information, or that are used for certain purposes, and the legal consequences of violations. If you are a furnisher of information to a consumer reporting agency (CRA), you have additional obligations and will receive a separate notice from the CRA describing your duties as a furnisher.
- OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS
- Users Must Have a Permissible Purpose
Congress has limited the use of consumer reports to protect consumers’ privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:
- As ordered by a court or a federal grand jury Section 604(a)(1)
- As instructed by the consumer in Section 604(a)(2)
- For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s Section 604(a)(3)(A)
- For employment purposes, including hiring and promotion decisions, where the consumer has given written Sections 604(a)(3)(B) and 604(b)
- For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C)
- When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i)
- To review a consumer’s account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)
- To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or Section 604(a)(3)(D)
- For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit Section 604(a)(3)(E)
- For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement Sections 604(a)(4) and 604(a)(5)
In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of “prescreened” information are described in Section VII below.
- Users Must Provide Certifications
Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.
- Users Must Notify Consumers When Adverse Actions Are Taken
The term “adverse action” is defined very broadly by Section 603. “Adverse actions” include all business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined by Section 603(k) of the FCRA – such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.
- Adverse Actions Based on Information Obtained From a CRA
- If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the The notification may be done in writing, orally, or by electronic means. It must include the following:
- The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the
- A statement that the CRA did not make the adverse decision and is not able to explain why the decision was
- A statement setting forth the consumer’s right to obtain a free disclosure of the consumer’s file from the CRA if the consumer makes a request within sixty (60)
- A statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.
- Adverse Actions Based on Information Obtained From Third Parties Who Are Not Consumer Reporting Agencies
If a person denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type of consumer information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a written request within sixty (60) days of notification. The user must provide the disclosure within a reasonable period of time following the consumer’s written request.
- Adverse Actions Based on Information Obtained From Affiliates
If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within sixty (60) days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than thirty (30) days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.
- Users Have Obligations When Fraud and Active Duty Military Alerts are in Files
When a consumer has placed a fraud alert, including one relating to identity theft, or an active duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active duty alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the identity of the applicant or contact the consumer at a telephone number specified by the consumer; in the case of extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in the consumer’s alert.
- Users Have Obligations When Notified of an Address Discrepancy
Section 605(h) requires nationwide CRAs, as defined in Section 603(p), to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer’s file. When this occurs, users must comply with regulations specifying the procedures to be followed, which will be issued by the Consumer Financial Protection Bureau and the banking and credit union regulators. The Consumer Financial Protection Bureau regulations will be available at www.consumerfinance.gov/learnmore.
- Users Have Obligations When Disposing of Records
Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. The Consumer Financial Protection Bureau, the Securities and Exchange Commission, and the banking and credit union regulators have issued regulations covering disposal. The Consumer Financial Protection Bureau regulations may be found at www.consumerfinance.gov/learnmore.
- CREDITORS MUST MAKE ADDITIONAL DISCLOSURES
If a person uses a consumer report in connection with an application for, or a grant, extension, or provision of, credit to a consumer on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person, based in whole or in part on a consumer report, the person must provide a risk-based pricing notice to the consumer in accordance with regulations prescribed by the Consumer Financial Protection Bureau.
Section 609(g) requires a disclosure by all persons that make or arrange loans secured by residential real property (one (1) to four (4) units) and that use credit scores. These persons must provide credit scores and other information about credit scores to applicants, including the disclosure set forth in Section 609(g)(1)(D) (“Notice to the Home Loan Applicant”).
- OBLIGATIONS OF USERS WHEN CONSUMER REPORTS ARE OBTAINED FOR EMPLOYMENT PURPOSES
- Employment Other Than in the Trucking Industry
If information from a CRA is used for employment purposes, the user has specific duties, which are set forth in Section 604(b) of the FCRA. The user must:
Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained.
Obtain from the consumer prior written authorization. Authorization to access reports during the term of employment may be obtained at the time of employment.
Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer.
Before taking an adverse action, the user must provide a copy of the report to the consumer as well as the summary of consumer’s rights. (The user should receive this summary from the CRA.) A Section 615(a) adverse action notice should be sent after the adverse action is taken.
An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2)
The procedures for investigative consumer reports and employee misconduct investigations are set forth below.
- Employment in the Trucking Industry
Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report relied upon by the trucking company by contacting the company.
- OBLIGATIONS WHEN INVESTIGATIVE CONSUMER REPORTS ARE USED
Investigative consumer reports are a special type of consumer report in which information about a consumer’s character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by an entity or person that is a consumer reporting agency. Consumers who are the subjects of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the following:
- The user must disclose to the consumer that an investigative consumer report may be This must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time before or not later than three days after the date on which the report was first requested. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation as described below, and the summary of consumer rights required by Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the investigation.)
- The user must certify to the CRA that the disclosures set forth above have been made and that the user will make the disclosure described
- Upon the written request of a consumer made within a reasonable period of time after the disclosures required above, the user must make a complete disclosure of the nature and scope of the This must be made in a written statement that is mailed, or otherwise delivered, to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later in time.
- SPECIAL PROCEDURES FOR EMPLOYEE INVESTIGATIONS
Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.
- OBLIGATIONS OF USERS OF MEDICAL INFORMATION
Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report or the information must be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except as provided in regulations issued by the banking and credit union regulators) – the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation, or order).
- OBLIGATIONS OF USERS OF “PRESCREENED” LISTS
The FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with unsolicited offers of credit or insurance under certain circumstances. Sections 603(l), 604(c), 604(e), and 615(d). This practice is known as “prescreening” and typically involves obtaining from a CRA a list of consumers who meet certain preestablished criteria. If any person intends to use prescreened lists, that person must (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance, and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that:
- Information contained in a consumer’s CRA file was used in connection with the
- The consumer received the offer because he or she satisfied the criteria for credit worthiness or insurability used to screen for the offer.
- Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on credit worthiness or insurability, or the consumer does not furnish required
- The consumer may prohibit the use of information in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the The statement must include the address and toll-free telephone number of the appropriate notification system.
In addition, the Consumer Financial Protection Bureau has established the format, type size, and manner of the disclosure required by Section 615(d), with which users must comply. The relevant regulation is 12 CFR 1022.54.
- OBLIGATIONS OF RESELLERS
- Disclosure and Certification Requirements
Section 607(e) requires any person who obtains a consumer report for resale to take the following steps:
- Disclose the identity of the end-user to the source CRA.
- Identify to the source CRA each permissible purpose for which the report will be furnished to the end-user.
- Establish and follow reasonable procedures to ensure that reports are resold only for permissible purposes, including procedures to obtain:
- the identity of all end-users;
- certifications from all users of each purpose for which reports will be used; and
- certifications that reports will not be used for any purpose other than the purpose(s) specified to the reseller. Resellers must make reasonable efforts to verify this information before selling the report.
- Reinvestigations by Resellers
Under Section 611(f), if a consumer disputes the accuracy or completeness of information in a report prepared by a reseller, the reseller must determine whether this is a result of an action or omission on its part and, if so, correct or delete the information. If not, the reseller must send the dispute to the source CRA for reinvestigation. When any CRA notifies the reseller of the results of an investigation, the reseller must immediately convey the information to the consumer.
- Fraud Alerts and Resellers
Section 605A(f) requires resellers who receive fraud alerts or active duty alerts from another consumer reporting agency to include these in their reports.
- LIABILITY FOR VIOLATIONS OF THE FCRA
Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619.
The Consumer Financial Protection Bureau website, www.consumerfinance.gov/learnmore, has more information about the FCRA.
Citations for FCRA sections in the U.S. Code, 15 U.S.C. § 1681 et seq.:
Section 602 15 U.S.C. 1681
Section 603 15 U.S.C. 1681a
Section 604 15 U.S.C. 1681b
Section 605 15 U.S.C. 1681c
Section 605A 15 U.S.C. 1681cA
Section 605B 15 U.S.C. 1681cB
Section 606 15 U.S.C. 1681d
Section 607 15 U.S.C. 1681e
Section 608 15 U.S.C. 1681f
Section 609 15 U.S.C. 1681g
Section 610 15 U.S.C. 1681h
Section 611 15 U.S.C. 1681i
Section 612 15 U.S.C. 1681j
Section 613 15 U.S.C. 1681k
Section 614 15 U.S.C. 1681l
Section 615 15 U.S.C. 1681m
Section 616 15 U.S.C. 1681n
Section 617 15 U.S.C. 1681o
Section 618 15 U.S.C. 1681p
Section 619 15 U.S.C. 1681q
Section 620 15 U.S.C. 1681r
Section 621 15 U.S.C. 1681s
Section 622 15 U.S.C. 1681s-1
Section 623 15 U.S.C. 1681s-2
Section 624 15 U.S.C. 1681t
Section 625 15 U.S.C. 1681u
Section 626 15 U.S.C. 1681v
Section 627 15 U.S.C. 1681w
Section 628 15 U.S.C. 1681x
Section 629 15 U.S.C. 1681y
EXHIBIT B-1
THE WORK NUMBER® SERVICE DESCRIPTION
- CLIENT USE OF SERVICE:
The Work Number® is an employment verification service provided by TALX Corporation, a Missouri corporation, (“TALX” or “EVS”) to its employer clients. Data on the Service may be used to verify Consumer’s employment status (“Employment Verification”) or income (“Income Verification”) to determine a Consumer’s eligibility for a license or other benefit granted by a governmental instrumentality.
- The Work Number® Express Social Service (the “Service”) is an employment and income verification service provided by EVS.
- Description: A verification report provided via the Service (“Verification Report”) will include, without limitation and as available, the Consumer’s (i) employer name, (ii) employment status, (iii) employer address, (iv) employment dates, (v) position title, (vi) medical and dental insurance information, (vii) employer wage garnishment address, (viii) pay rate, (ix) up to three (3) years of year-to-date gross income details, and (x) up to three (3) years of pay period detail.
- ADDITIONAL TERMS AND CONDITIONS
- Client agrees to provide proof (supporting documentation), which must include the name of Client, of Client’s need for ordering The Work Number® Express Social Service, as mentioned below in the addendum.
- Client represents it (i) is administering a government funded benefit or program, and (ii) has been given the legal authority to view the Data by the Consumer or by operation of law.
- Client represents it has written authorization from the Consumer to verify income. Client need not use any particular form of authorization or obtain a separate signature for verifying income provided that the form constitutes Consumer authorization. Notwithstanding the foregoing, in the event Client is using the Service to collect on defaulted child support obligations, Client is not required to obtain such authorization.
- AUDIT:
- EVS may, no more than once each calendar year and upon reasonable prior written notice to Client, conduct, or have a third-party conduct on its behalf, at EVS’s sole expense, an audit reasonably designed to monitor Client’s compliance with the obligations set forth in this Agreement; provided, however, if EVS has a reasonable belief that Client is not in compliance with one or more of the obligations of this Agreement, these restrictions shall not apply. If EVS reasonably believes a compliance issue exists, EVS or its designated representative may enter Client’s facilities, upon at least five (5) business days’ prior written notice and at a mutually agreed upon time, during normal business hours, without undue disruption of Client’s business, and subject to Client’s reasonable security and information security practices, to conduct an on-site assessment of Client’s practices and procedures relating to Client’s request for, and use of, the Services and Client’s security practices with respect thereto. Provided, however, that neither EVS nor the auditor shall be permitted to inspect or audit the Client’s SaaS environment itself, the servers contained therein, any information that contains Personal Data not related to this Agreement, or confidential information of Client’s customers. Client agrees that any failure to cooperate fully and promptly in the conduct of any audit requested pursuant to this Section III(a) will constitute grounds for immediate suspension of service(s) under, or termination of, this Agreement.
- MODIFICATION OF SERVICE DESCRIPTION: TALX reserves the right to reasonably modify the Service from time to time, provided that the changes made will only enhance and not reduce the quality of the Service or compromise in any way the security of Confidential Information maintained by TALX in connection with the Service. If the modification shall be a substantial change from this Service Description Overview or a change that adversely affects the Client, TALX shall provide written notice of the change to Client. Client may terminate the Service by notice given to TALX within thirty (30) days after notice of an amendment to the Service Description Overview, or sooner if the change(s) takes effect earlier than thirty (30) days. Termination shall be effective thirty (30) days after notice is provided unless Client provides for an earlier or later effective date of termination in the notice of termination. Or, if the non-agreeable change in terms is to take effect sooner than thirty (30) days, then termination shall be effective sooner. Absence of such termination shall constitute Client’s agreement to the modified Service Description Overview.
COMPLIANCE WITH LAWS: Client will comply with all applicable laws, statutes and regulations regarding the Services. Where applicable, Client will comply with Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq. (“GLB”) and the implementing regulations issued thereunder and any other applicable statutes or federal laws. Client will not use or disclose any Information other than in accordance with Section 6802(c) or with one of the General Exceptions of Section 6802(e) of the GLB and applicable regulations and all other Privacy Laws.
Addendum to Exhibit B-1
Client Type:
- Federal/State/County/City/Local/Government
- Social Security Administration
- Non-Profit Organization
- Housing Authority
- For-Profit Organization
- Third Party Vendor for Government Agency
- Apartment Complex/Property Management
- Other: Please specify ______________
Each program requires documented proof. Specific Program(s) that will use this service:
Food Stamps TANF MEDICAID
Child Support Enforcement Daycare Assistance
Low-Income Energy Assistance Pre-Employment Work-related Assistance
Low-Income Housing Mortgage Loans Collections
Other (please indicate other programs that will use this service):
If Client is an Apartment Complex or Property Management Agency, please answer the following questions:
How many units do you have? How many of those are subsidized units?
Note: Subsidized units are those in which the owner receives funds from Federal, State, County or Local Government.
Are you affiliated with City/State Housing Authority? Yes No
If yes, please include the name:
Qualifications: Client is required to provide proof (supporting documentation) of Client’s need for employment and income verifications. Please provide the following:
| Federal/State/County/City/Local/Government | Social Security Administration |
| 1. Copy of program’s application 2. Income guidelines to determine eligibility | 1. Copy of program’s application 2. Income guidelines to determine eligibility |
| Non-Profit / For-Profit Organizations | Third Party Vendor for Government Agency |
| 1. Copy of program’s application 2. Income guidelines to determine eligibility 3. Affiliation (contract) with a Federal/State/County/City/Local/Government 4. Funding source | 1. Copy of program’s application 2. Income guidelines to determine eligibility 3. Affiliation (contract) with a Federal/State/County/City/Local/Government 4. Funding source. |
| Housing Authority | Apartment Complex/Property Management |
| 1. Copy of tenant’s application 2. Income guidelines for low-income housing 3. Complete HUD Schedule or Rural Development Rent Schedule or L.U.R.A. (Land Use Restriction Agreement) | 1. Copy of tenant’s application 2. Income guidelines for low-income housing 3. Complete HUD Schedule or Rural Development Rent Schedule or L.U.R.A. (Land Use Restriction Agreement) |
DATA PROTECTION AND SECURITY SCHEDULE
This Data Protection and Security Schedule is entered into between MRI Software company outlined on the applicable Order Document (“MRI”) and the Client named in the Order Document, and the authorized representatives of the Parties hereby execute this Data Protection and Security Schedule to be effective as of the Effective Date, as defined in the Order Document. Capitalized terms not defined herein shall have the meaning set forth in the Agreement.
“Controller” means the natural or legal person which determines (individually or jointly or in common with others) the purposes for which and the manner in which any Client Personal Data are or will be Processed. For the purposes of this Agreement, the Client shall be deemed the Controller. Controller shall include a Business under the CCPA.
“Data Breach” shall mean a breach of security resulting from an act or omission by MRI, its employees or its subcontractors, leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. For the purposes of this Agreement.
“Data Protection Legislation” means any applicable laws relating to the Processing, privacy, and use of Personal Data applicable to the Parties, which might include the California Consumer Privacy Act (“CCPA”).
“Personal Data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person which is provided by the Client to MRI. The business information of the Client is not by itself deemed to be Personal Data, unless otherwise determined to be under applicable laws. Personal Data is deemed to be Confidential Information of Client.
“Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and “Process” and “Processed” will be interpreted accordingly.
“Processing Instructions” means the written instructions for Processing Client Personal Data, as set out in this Schedule and in the Agreement, and otherwise as provided in writing by or on behalf of Client to MRI or a MRI Affiliate from time to time.
“Processor” means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. For the purposes of this Agreement, MRI shall be deemed the Processor. Processor shall include a Service Provider under the CCPA.
“Sub-contractor” or “Third Party” means any third party engaged by MRI in provision of the Services or otherwise delivering any part of the Services.
- Security
- MRI shall ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to the Personal Data, which are appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. During the Term of the Agreement, MRI shall maintain a documented information security plan (“Information Security Program”). MRI agrees to comply with all of its own requirements contained in such Information Security Program. MRI’s Information Security Program shall include, at a minimum, appropriate controls and measures in relation to: (1) physical security at all MRI locations involved in the provision of the Services; (2) technical security with respect to the Client Data in MRI’s possession; (3) organizational security arrangements regarding the employees and other representatives of MRI, its Affiliates, and its subcontractors, including training and awareness, staff vetting procedures and other security measures (e.g. use of passwords and security credentials); (4) securing Client Data contained within the SaaS Services; (5) Disaster Recovery and Business Continuity; (6) Vulnerability Testing and Security Audit; and (7) Data Breach Procedures. Additionally, MRI’s Information Security Program shall comply with all laws applicable to MRI related to its security programs. MRI may update its Information Security Program from time to time in its sole discretion. 
Upon the occurrence of a disaster, MRI must evaluate the cause of the disaster as soon as possible, attempt to remediate the cause, and, if the outage will be sustained or cannot be remediated promptly, take appropriate actions to minimize the impact of the Disaster to the Client, such as implementing the Disaster Recovery/Business Continuity Plan. Client shall not be charged an additional fee for any disaster recovery services, including backups and database restorations, performed by MRI due to a Disaster (whether at the MRI hosting location, within the SaaS Services or otherwise). MRI shall evaluate the effectiveness of its Information Security Program on a commercially reasonable periodic basis, but no less frequently than annually and (if it, acting reasonably, considers it necessary to do so) update the same.
- Disaster Recovery and Business Continuity. MRI shall implement and maintain a disaster recovery plan with contingency measures as are reasonable within its industry in light of the sensitivity of the Services which MRI provides (the “Disaster Recovery/Business Continuity Plan”). Upon the occurrence of a Disaster, MRI must promptly evaluate the cause of the Disaster, attempt to remediate the cause and, if the outage will be sustained or cannot be remediated promptly, then it will promptly implement the Disaster Recovery/Business Continuity Plan. Client shall not be charged an additional fee for any disaster recovery services, including backups and database restorations, performed by MRI due to a Disaster (whether at the MRI hosting location, within the SaaS Services or otherwise). MRI shall evaluate the effectiveness of its Disaster Recovery/Business Continuity Plan on a commercially reasonable periodic basis, but not less frequently than annually. MRI may modify the Disaster Recovery/Business Continuity Plan from time to time, in its sole discretion, provided that such modifications do not materially and negatively modify the services provided in the Disaster Recovery/Business Continuity Plan as of the execution of this Agreement.
- Vulnerability Testing and Security Audit. MRI shall conduct regular penetration and vulnerability testing of its information technology infrastructure and networks, at a commercially reasonable frequency. Upon Client’s request, MRI shall provide a letter of attestation to Client that the testing occurred. MRI may modify the scope of such penetration and vulnerability testing provided however, that the scope shall not materially and negatively change from the execution of this Agreement. During the Term of the Agreement, MRI shall comply with industry standard practices for audit and security procedures.
- Data Breach. MRI will take commercially reasonable, but not less than industry standard, measures to protect the security of such Personal Data transferred by Client to MRI. In the event that MRI becomes aware or reasonably suspects that a Data Breach involving Client’s Personal Data has occurred, MRI will without undue delay: (i) investigate the cause of the Data Breach; (ii) notify Client of the Data Breach and provide sufficient information to allow the Client to report the Data Breach and/or notify the data subject, if required; (iii) contain and remedy any Data Breach; (iv) take reasonable steps to mitigate the effects of and to minimize any damage resulting from the Data Breach; (v) reasonably assist Client in remediating or mitigating any potential damage from a Data Breach to the extent that such remediation or mitigation is within MRI’s control; (vi) take reasonable steps to restore the security and integrity of any Systems used by MRI and/or its subcontractors to provide the Services; (vii) if the Data Breach resulted from Client’s own actions the Client shall immediately, on demand, reimburse MRI for any costs incurred in relation to undertaking any of the foregoing and all costs, losses, damages, expenses or otherwise incurred by MRI to the extent that the same arise from such actions of the Client.
- Provision of Personal Data. In addition to the terms and conditions set forth in the Agreement, Client agrees to only input into, transfer into the MRI Software and SaaS Services or provide access to MRI such Personal Data: (i) if and to the extent that Client is authorized to do so under applicable law, including obtaining any relevant consents from the Data Subject for such disclosure; (ii) if and to the extent that such Personal Data is necessary to enable MRI to provide the Services under this Agreement; and (iii) to do so only in fields specifically designed to house such Personal Data. MRI shall have no liability to Client, and Client shall indemnify MRI for all claims by third parties resulting from Client’s storing Personal Data in non-designated fields. Client shall remove any Personal Data from its database(s) once it is no longer necessary for that purpose and may engage MRI (at MRI’s then-current rates) to assist in such deletion.
- Data Processing. As Processor, MRI will only act upon and Process the Client’s Personal Data for the purposes of performing its obligations under the Agreement or as outlined in MRI’s Privacy Policy, subject to the Processing Instructions. MRI’s Privacy Policy may be found at https://www.mrisoftware.com/privacy-policy/ , and may be updated from time to time by MRI. Where Client is purchasing any of MRI’s marketing products then MRI’s Web Marketing Privacy Policy shall apply which may be found at https://www.mrisoftware.com/webmarketingprivacypolicy and which may be updated from time to time. Client’s instruction to cease Processing Client Personal Data shall not alleviate Client’s obligations under the Agreement, including without limitation, its payment obligations.
Additionally, MRI shall be permitted to Process Client Personal Data, without regard for the Processing Instructions, if required to do so by Data Protection Legislation; in such case, MRI shall promptly notify the Client of that legal requirement before Processing, unless that law prohibits such notification. If MRI is ever unsure as to the parameters or lawfulness of the Processing Instructions issued by Client, MRI will, as soon as reasonably practicable, revert to Client. MRI shall comply with its obligations as a Processor under the applicable Data Protection Legislation in relation to the Processing of Client Personal Data by it under this Agreement.
- Data Subject Requests. MRI shall, at its option and subject to the requirements of the Data Protection Legislation, (i) respond directly to the request from the Data Subject, or (ii) forward to the Client any requests from Data Subjects in respect of Personal Data pursuant to Data Protection Legislation (including the ability to correct, delete, block or port Client Personal Data and rights of access) and reasonably cooperate with the Client in complying with any such Data Subject’s exercise of his/her rights in relation to such Personal Data as is Processed by MRI. Client may be required to make such requested modifications itself within the MRI system to fulfill the data subject request. For the purposes of responding to data subject requests, MRI shall be permitted to disclose information related to the Client as it relates to the data subject request.
- Duration of Processing. Processing of the Client’s Personal Data by MRI shall be for the Term of this Agreement, subject to restrictions outlined by Data Protection Legislation. Any Client Data remaining within the accessible SaaS Services beyond the expiration of the Term of this Agreement shall be permanently deleted, without notice to Client. The Parties agree that the Personal Data may be held in backup for up to one (1) year following the expiration of the Term. Client may engage MRI to return the Client Data, at MRI’s then standard rates.
- Scope of Personal Data. Client may provide and MRI may process the following types/categories of Personal Data for the following categories of Data Subject, or as otherwise provided to MRI by the Client:
| Type of Data | Data Subjects Impacted |
| Personal Data; Contact Details; Financial Details; Files, Images, or Videos; Real estate investment data; Ownership data; Related party details | Syndicators, developers and borrowers of the Client; Client’s employees and staff; Client’s consultants or other professional experts; Client’s residents, tenants, and customers; Owners and property managers of the Client |
- MRI personnel. MRI shall ensure that its personnel and any Subcontractors will not Process the Client’s Personal Data except in accordance with the provisions of this Schedule; and MRI will procure that the same are contractually obligated to maintain the security and confidentiality of any Client Personal Data. MRI shall take reasonable steps to ensure that the personnel Processing the Client’s Personal Data receive adequate training on compliance with this Agreement and the Data Protection Legislation applicable to the Processing.
- The Client consents to MRI utilizing any of the sub-contractors listed on MRI’s Service Providers/Subprocessor list, which may be found at www.mrisoftware.com/subprocessors . MRI’s Service Providers/Subprocessor list may be updated by MRI from time to time without the Client’s prior approval, provided that MRI shall: (a) carry out adequate due diligence to ensure that the Sub-contractor is capable of providing the level of protection for Client Personal Data required by this Agreement; and (b) ensure that any additional or replacement Sub-contractors shall be contractually bound to obligations with respect to the Processing of Client Personal Data substantially similar to those to which MRI is bound by this Schedule.
- Compliance. MRI shall maintain such records and information as are necessary to demonstrate its compliance with Data Protection Legislation in relation to the Processing of Personal Data on behalf of Client under this Agreement, containing as a minimum the information required under Data Protection Legislation, which shall be made available to Client upon request. MRI shall reasonably cooperate with the Client in good faith to ensure compliance with its obligations under the Data Protection Legislation in respect of Personal Data taking into account the nature of Processing and the information available to MRI.
- Audit. As required by applicable Data Protection Legislation, MRI shall, at the Client’s cost, make available to the Client on reasonable request such information that is in its possession or control as is necessary to demonstrate MRI’s compliance with the obligations placed on it under this Schedule, provided that under no circumstances shall a Client be granted access to MRI’s offices, facilities, storage devices or infrastructure. MRI shall be entitled to withhold information and limit access to information on grounds of commercial sensitivity and/or confidentiality and shall not be obligated to provide such information that the Client can obtain for itself via the Services.
- California Terms. Notwithstanding anything to the contrary in this Agreement, the following clause shall apply for Clients processing Personal Data of data subjects located in California:
- MRI shall not: (1) “Sell” or “Share” Personal Data as those terms are defined under Data Protection Legislation; (2) retain, use, disclose, or otherwise Process Personal Data except as necessary for the business purposes specified in the Agreement or this Schedule; (3) retain, use, disclose, or otherwise Process Personal Data in any manner outside of the direct business relationship between Client and MRI except as necessary for the business purposes specified in the Agreement or this Schedule; or (4) combine any Personal Data with Personal Data that MRI receives from or on behalf of any other third party or collects from MRI’s own interactions with Data Subjects, provided that MRI may so combine Personal Data for a purpose permitted under Data Protection Legislation if directed to do so by Client or as otherwise expressly permitted by the Data Protection Legislation.
- MRI shall: (1) notify Client if MRI becomes aware that it is no longer able to meet its obligations under applicable Data Protection Legislation; and (2) take reasonable and appropriate steps to help ensure that Personal Data use is consistent with Client’s obligations under applicable Data Privacy Legislation.
- Order of Precedence. In case of any conflict or inconsistency between the provisions of this Schedule and the terms of the Master Agreement, the provisions contained in this Schedule shall prevail to the extent of the inconsistency, provided always that nothing in this Schedule shall permit MRI (or any sub-Processor) to handle Personal Data in a manner which is prohibited by this Agreement or by applicable law.
END OF DATA PROTECTION AND SECURITY SCHEDULE
SELF-CERTIFICATION DOCUMENT
I hereby certify that, _________________________________________ (“Client”), with a registered office located at ______________________________________
___________________________________________________________________________________________________________________________________
continues to utilize its License Software and/or SaaS Services in full conformity with the use rights and restrictions under its Agreement with MRI Software. Client agrees that submission of this Self-Certification does not waive any other audit rights granted to MRI under the Agreement.
Signature: __________________________________________
Print Name: ________________________________________
Title: ______________________________________________
Date: ______________________________________________
MRI Client ID: _______________________________________
Send Self-Certification Document to:
Fax: 216-803-4339
Email: legal@mrisoftware.com
Mail: MRI Software, LLC
Attn: Legal Department
28925 Fountain Parkway
Solon, Ohio 44139
All documents must be received prior to its certification date.