CERTIFICATION

1. Experian Death Master File

   Access to the Death Master File as issued by the Social Security Administration requires an entity to have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. §1110.102(a)(1).

   The National Technical Information Service has issued the Interim Final Rule for temporary certification permitting access to the Death Master File ("DMF"). Pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, access to the DMF is restricted to only those entities that have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). As many Experian services contain information from the DMF, your use of deceased flags or other indicia within the Experian services must be restricted to legitimate fraud prevention or business purposes in compliance with applicable laws, rules and regulations and consistent with your applicable Fair Credit Reporting Act (15 U.S.C. §1681 et seq.) or Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) use. You shall not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other indicia within the Experian services.

2. Comprehensive Information Security Program

   You shall implement and maintain a comprehensive information security program written in one or more readily accessible parts and that contains administrative, technical, and physical safeguards that are appropriate to your entity's size and complexity, the nature and scope of its activities, and the sensitivity of the information provided to you by Equifax; and that such safeguards shall include the elements set forth in 16 C.F.R. § 314.4 and shall be reasonably designed to (i) insure the security and confidentiality of the information provided by Equifax, (ii) protect against any anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer.

3. Experian Security Requirements

   The following information security controls are required to reduce unauthorized access to consumer information. EIS reserves the right to make changes to this Certification without prior notification. The information provided herewith provides minimum baselines for information security. In accessing EIS's services, you agree to follow the Experian security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store Experian data.

   "Experian Information" means Experian highly sensitive information including, by way of example and not limitation, data, databases, application software, software documentation, supporting process documents, operation process and procedures documentation, test plans, test cases, test scenarios, cyber incident reports, consumer information, financial records, employee records, and information about potential acquisitions, and such other information that is similar in nature or as mutually agreed in writing, the disclosure, alteration or destruction of which would cause serious damage to Experian's reputation, valuation, and / or provide a competitive disadvantage to Experian.

   "Resource" means all of your devices, including but not limited to laptops, PCs, routers, servers, and other computer systems that store, process, transfer, transmit, deliver, or otherwise access the Experian Information.

   1. Information Security Policies and Governance. You shall have Information Security policies and procedures in place that are consistent with the practices described in an industry standard, such as ISO 27002 and / or this Certification, which is aligned to Experian's Information Security policy.
   2. Vulnerability Management. Firewalls, routers, servers, PCs, and all other resources managed by You (including physical, on-premise or cloud hosted infrastructure) will be kept current with appropriate security specific system patches. You will perform regular penetration tests to further assess the security of systems and resources. You will use end-point computer malware detection / scanning services and procedures.
   3. Logging and Monitoring. Logging mechanisms will be in place sufficient to identify security incidents, establish individual accountability, and reconstruct events. Audit logs will be retained in a protected state (i.e., encrypted, or locked) with a process for periodic review.
   4. Network Security. You will use security measures, including anti-virus software, to protect communications systems and networks device to reduce the risk of infiltration, hacking, access penetration by, or exposure to, an unauthorized third-party.
   5. Data Security. You will use security measures, including encryption, to protect Experian provided data in storage and in transit to reduce the risk of exposure to unauthorized parties.
   6. Remote Access Connection Authorization. All remote access connections to your internal networks and / or computer systems will require authorization with access control at the point of entry using multi-factor authentication. Such access will use secure channels, such as a Virtual Private Network (VPN).
   7. Incident Response. Processes and procedures will be established for responding to security violations and unusual or suspicious events and incidents. You will report actual or suspected security violations or incidents that may affect Experian to Experian within twenty-four (24) hours of your confirmation of such violation or incident.
   8. Identification, Authentication and Authorization. Each user of any Resource will have a uniquely assigned user ID to enable individual authentication and accountability. Access to privileged accounts will be restricted to those people who administer the Resource and individual accountability will be maintained. All default passwords (such as those from hardware or software vendors) will be changed immediately upon receipt.
   9. User Passwords and Accounts. All passwords will remain confidential and use 'strong' passwords that expire after a maximum of 90 calendar days. Accounts will automatically lockout after five (5) consecutive failed login attempts.
   10. Training and Awareness. You shall require your personnel to participate in information security training and awareness sessions at least annually and establish proof of learning for all personnel.
   11. Experian's Right to Audit. You shall be subject to remote and / or onsite assessments of its information security controls and compliance with this Certification.
   12. Bulk Email Communications into Experian. You will not "bulk email" communications to multiple Experian employees without the prior written approval of Experian. You shall seek authorization via their Experian relationship owner in advance of any such campaign

This New Services Addendum (“Addendum”) amends the Master Agreement for Service (“Agreement”) by and between Equifax Information Services LLC (“Us” or “Equifax”) and Your company being provided access to various Information Services (“You” or “Client”).

THIS ADDENDUM GOVERNS YOUR ORDERING AND RECEIPT OF THE INFORMATION SERVICES DESCRIBED IN THIS ADDENDUM.

BY ACCEPTING THIS ADDENDUM, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE OR BY EXECUTING A SEPARATE AMENDMENT OR STATEMENT OR WORK OR ORDER FORM TO THE AGREEMENT (“SOW”) OR ORDER FORM THAT REFERENCES THIS ADDENDUM AND THE AGREEMENT, YOU AGREE TO THE TERMS OF THIS ADDENDUM. IF YOU ARE ENTERING INTO THIS ADDENDUM ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “YOU” OR “YOUR” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS ADDENDUM AND MAY NOT RECEIVE THE SERVICE.

This Addendum was last updated on August 1, 2022 and amends the existing Agreement between You and Equifax. It is effective between You and Equifax as of the date of Your accepting this Agreement.

1. Defined Terms All capitalized terms used but not defined herein shall have the meanings given them in the Agreement.In addition to the definitions set forth elsewhere herein, the following terms have the meanings set forth below:

   1. “Approved GSEs” means a government agency or a privately-held, quasi-governmental entity (created by acts of Congress) established to enhance the flow of credit to specific sectors of the American economy (“GSEs”); provide that GSEs do not lend money to the public directly, but instead guarantee third-party loans and purchase loans in the secondary market. A list of the Approved GSEs is attached hereto as Exhibit A, which may be updated from time to time by Equifax.

   2. “NCTUE” means the National Consumer Telecom and Utilities Exchange, Inc. database, a third-party member-owned consumer reporting agency through which its member companies exchange source-anonymous information on new connect requests, payment history, and historical account status and/or fraudulent telecommunications, pay TV, utility and central alarm service accounts. For the avoidance of doubt, NCTUE database does not include Equifax credit information, and Equifax is not a member of NCTUE, nor does Equifax own any aspect of NCTUE.

   3. “Private Issuers” means those financial institutions comprised of investment firms that are members of the Structured Finance Association (an association established with the core mission of supporting a robust and liquid securitization market, recognizing that securitization is an essential source of core funding for the real economy (https://structuredfinance.org/members/)) and that securitize mortgage loans and underwrite and issue MBS for sale to investors in accordance with applicable securities laws. A list of the Private Issuers is attached hereto as Exhibit A, which may be updated from time to time by Equifax.

   4. “Service” means the Trended Credit*Hi-Lite Plus Telco & Utilities, an Information Service pursuant to the Agreement,consisting of the Trended Credit*Hi-Lite, plus the Telco & Utilities Attributes. The Service is considered an “Equifax Information Service” for purposes of this Addendum and the Agreement and the terms and conditions therein (notwithstanding that the separate Telco & Utilities Attributes delivered with the Trended Credit*Hi-Lite as part of the Service comes from the NCTUE consumer reporting database and Equifax is solely a reseller of such information).

   5. “Telco & Utilities Attributes” means the selected attributes and items of information regarding consumers contained in the third-party consumer reporting agency database of NCTUE provided through Equifax as a reseller of the consumer reports from NCTUE (pursuant to the FCRA).

2. Request for New Information Service. Client desires to receive from Equifax and Equifax desires to provide to Client the Service, subject to the terms herein and the Agreement. Equifax will provide the Service during the term of the Agreement, as available, to Client and Client Affiliates listed in the Agreement, or otherwise provided in writing to Equifax, and which are and will be at all times entities controlled by or under common control with Client with the ability to direct the management and policies of the entity in question, whether directly or indirectly.

3. Additional Terms and Conditions. The following terms and conditions apply to the Service.

   1. FCRA Certifications. The Service consists of consumer reports, as defined by the Federal Fair Credit Reporting Act, 15 U.S.C. 1681 et. seq., as amended (the “FCRA”), and will only be ordered when Client intends to use the consumer report: (a) in accordance with the FCRA and all state law FCRA counterparts, and (b) for one of the following FCRA permissible purposes: (i) in connection with a credit transaction involving the consumer on whom the consumer report is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; or (ii) as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation. Client further certifies that it will use each consumer report ordered from Equifax for one of the foregoing purposes and for no other purpose and that it will not share with or provide to any third party such consumer reports, except as otherwise expressly permitted herein and by the Agreement.

   2. Permitted Use of NCTUE Attributes.

      1. Equifax, as a reseller of the Telco & Utilities Attributes from NCTUE, grants a non-exclusive license to Client to use the Telco & Utilities Attributes only as described herein and the Agreement. Client may reproduce or store the Telco & Utilities Attributes solely for its own uses in accordance herein and with the Agreement, and will hold all Telco & Utilities Attributes licensed herein and under the Agreement in strict confidence and will not reproduce, reveal or make it accessible in whole or in part, in any manner whatsoever, to each other or any others unless required by law, or unless Client first obtains Equifax's written consent or otherwise as expressly set forth in subsection (c)(ii) below. Client will not provide a copy of the consumer report to the consumer, unless required by law or approved in writing by Equifax, except where this contractual prohibition would be invalid.

      2. Client certifies that it is in the mortgage underwriting, mortgage lending and related industries and will only request, obtain and use the Telco & Utilities Attributes for purposes of delivering the Telco & Utilities Attributes to Approved GSEs and Private Issuers that are seeking to obtain the Telco & Utilities Attributes to be used in (i) the Approved GSEs’ and Private Issuers’ respective automated underwriting systems as one of the many secondary risk factors for mortgage loan assessment (e.g. to determine whether to purchase a mortgage loan) (the “Mortgage Loan Assessment”), and (ii) the creation and underwriting of mortgage-backed securities (“MBS” and together with Mortgage Loan Assessment, the “Permitted Use”). Client may deliver the Telco & Utilities Attributes to GSEs and Private Issuers that may not be listed on Exhibit A for the Permitted Use but that otherwise meet the qualifications of an Approved GSE or Private Issuer, as applicable; provided that Client will notify Equifax within five (5) business days of any new GSE(s) and/or Private Investor(s) so that Equifax can determine whether to allow them use or receipt of the Service, in Equifax’s and its data provider’s discretion (the “Permitted Use Update”); provided further, Client shall be permitted to provide the Service to any new Private Issuer that becomes a member of the Structured Finance Association so long as such Private Issuer is included in the Permitted Use Update, until such time as Equifax provides its formal approval or rejection of continued use or receipt of the Telco & Utilities Attributes and inclusion on Exhibit A.

   3. ADVERSE ACTION PROHIBITED. THE TELCO & UTILITIES ATTRIBUTES MAY NOT BE USED BY CLIENT OR ANY APPROVED GSE, PRIVATE ISSUER OR ANY OTHER PERSON, IN WHOLE OR IN PART, TO TAKE ANY ADVERSE ACTION (AS DEFINED IN THE FCRA). Client will not interpret the failure of Equifax to return any Telco & Utilities Attributes or other information regarding the consumer's eligibility for a credit service as a statement regarding that consumer's credit worthiness, because that failure may result from one or more factors unrelated to credit worthiness.

   4. Disclaimer, Waiver and Release. TO THE MAXIMUM EXTENT ALLOWABLE BY LAW, THE SERVICE IS PROVIDED BY EQUIFAX AND ITS DATA PROVIDERS AND SUPPLIERS (INCLUDING NCTUE AND ITS CONTRIBUTORS AND MEMBERS) (COLLECTIVELY, “DATA PROVIDERS AND SUPPLIERS”) ON AN “AS-IS,” AS-AVAILABLE BASIS, AND EQUIFAX AND ITS DATA PROVIDERS AND SUPPLIERS HEREBY DISCLAIM ANY AND ALL PROMISES, REPRESENTATIONS, GUARANTEES, AND WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITH RESPECT TO THE ACCURACY, COMPLETENESS, CURRENTNESS, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE, OF THE SERVICE. IN NO EVENT WILL EQUIFAX OR ITS DATA PROVIDERS AND SUPPLIERS BE LIABLE TO CLIENT FOR ANY LOSS OR INJURY RELATING TO, ARISING OUT OF, OR CAUSED IN WHOLE OR IN PART BY, ITS ACTS OR OMISSIONS, EVEN IF NEGLIGENT, RELATING TO THE ACCURACY, CORRECTNESS, COMPLETENESS, OR CURRENTNESS OF THE SERVICE. CLIENT RELEASES EQUIFAX AND ITS DATA PROVIDERS AND SUPPLIERS, AND THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, EMPLOYEES, INDEPENDENT CONTRACTORS, DATA FURNISHERS, SUCCESSORS AND ASSIGNS (THE “RELEASED ENTITIES”) FROM LIABILITY FOR ANY ACTS OR OMISSIONS IN CONNECTION WITH THE PREPARATION OF SERVICE AND THE INFORMATION THEREIN AND FROM ANY LOSS OR EXPENSE SUFFERED BY QUALIFIED SUBSCRIBER OR USERS (INCLUDING APPROVED GSES AND PRIVATE ISSUERS) RESULTING DIRECTLY OR INDIRECTLY FROM THE SERVICE. CLIENT COVENANTS NOT TO SUE OR MAINTAIN ANY CLAIM, CAUSE OF ACTION, DEMAND, CROSS-ACTION, COUNTERCLAIM, THIRD-PARTY ACTION OR OTHER FORM OF PLEADING AGAINST EQUIFAX, ITS DATA PROVIDERS AND SUPPLIERS, OR RELEASED ENTITIES ARISING OUT OF OR RELATING IN ANY WAY TO THE CURRENCY, ACCURACY OR INACCURACY, VALIDITY OR NONVALIDITY, OR COMPLETENESS OF ANY OF THE SERVICE. .

   5. Referrals to Consumer Reporting Agency. Client will refer the consumer to NCTUE whenever the consumer disputes information contained in the Telco & Utilities Attributes disclosed by Client.

4. Term. This Addendum will be effective as of the date described above, and thereafter will run coterminous with the Agreement. In addition, the Telco & Utilities Attributes included as part of the Service are provided through Equifax as a reseller of the information from NCTUE. As such Equifax may immediately terminate this Addendum or suspend provision the Services, without penalty or liability, if the continued provision of all or any portion of the Information Services becomes impossible, impractical, or undesirable due to a change in applicable law, an Equifax policy with respect to data security, consumer privacy, maintenance of Information Services with current industry standards, or a third party data source restriction (including NCTUE). Equifax will provide written notice of such termination or suspension as far in advance of the effective date as is reasonably practical under the circumstances.

5. Pricing. The Telco & Utilities Attributes are provided at no additional cost with the Trended Credit*Hi-Lite.

6. Effect of the Addendum. The Agreement and all of its terms and conditions, as amended by this Addendum, shall remain in full force and effect. If there is a conflict between the terms of this Addendum and the terms of the Agreement, the terms of this Addendum shall prevail.

Exhibit A
Approved GSEs and Private Issuers

Approved GSEs (including Government Agencies)

• Federal Home Loan Banks.
• Federal National Mortgage Association (FNMA or Fannie Mae)
• Federal Home Loan Mortgage Corporation (FHLMC or Freddie Mac)
• Government National Mortgage Association (Ginnie Mae)
• Veterans Administration (VA loans)
• U.S Department of Agriculture (USDA)
• HUD/FHA

Private Issuers