The purpose of this addendum is to include the requirements of the credit bureau to allow Client to receive credit reports. These are the terms required by the credit bureau, and AOA is not authorized to alter these terms.
This addendum applies only to credit reports; for all other matters, the Service Agreement terms shall apply.
1. Member is an “end user” of credit data and uses such data for the permissible purposes stated in this agreement. Member will certify the purpose for which each credit report is requested at the time of the inquiry. Each request for employment purposes will be so designated at the time of the request and a separate service agreement must be completed for certifications of compliance with the Fair Credit Reporting Act (FCRA). Member will neither resell nor distribute credit data obtained from AOA, TransUnion (TU), Experian (XPN), and/or any of its Affiliates to any third party. Member is aware that to do so would violate AOA’s, TU’s, and XPN’s company policy and certain provisions of state and federal law. Member understands that information provided will be maintained in a secure file, be held strictly confidential and not sold or supplied to any third parties or affiliates. Member shall receive and maintain all credit data in strict confidence and will not reveal its contents to the consumer unless compelled by law. Member further agrees to only use Consumer Report for a one-time use.
2. Member’s rental and/or employment application contains the consumer’s signature clearly and conspicuously authorizing member to obtain a credit report and states the address of the rental property. Member is also aware that pursuant to the Fair Credit Reporting Act (FCRA) a fine under Title 18 of $5,000 and/or imprisonment of not more than two years, or both, may result from requesting a consumer credit report under false pretenses, and/or a $3,500 fine pursuant to state law for each violation (www.ftc.gov). Member agrees to comply with all applicable federal, state and local laws, including the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. § 1681 et seq.
3. Member and member’s employees will not access consumer credit data on themselves, friends and/or family members. Member shall run reports on his/her/its employees for employment purposes only, and only through an authorized and designated representative, not by the subject employee.
4. Member will maintain adequate security with reference to access and use of membership numbers, subscriber codes, security passwords, consumer data and remote computer access capabilities to prevent unauthorized use and ensure confidentiality.
5. Member agrees to defend and hold AOA, TU, XPN, and/or any of its Affiliates, their employees and agents, harmless on account of any expense or damages arising out of Member’s or Member’s employee’s or agent’s breach of any of the terms herein or violation of any law applicable hereto.
6. Member agrees that an onsite inspection must be made of member’s place of operation along with three photos to help verify compliance with this agreement.
7. Member recognizes that information is secured by and through fallible human sources and that for the fee charged AOA, TU, XPN, and/or any of its Affiliates cannot be an insurer of the accuracy of the information. Member understands that the accuracy of the information furnished by said providers is not guaranteed and Member releases said providers and their employees, agents and independent contractors from liability for any loss or expense suffered as a result of any inaccuracies, errors or omissions in said information.
8. Member agrees that upon request from AOA, member will supply to AOA qualifying documents to verify ownership and/or management of rental units, etc., as required by TU, XPN, and/or any of its Affiliates to be renewed every three years or when member changes location. Member will preserve all applications and other consumer documents for five (5) years from the date of the inquiry whether the application is accepted or rejected. Member will make all said documents available to AOA.
9. Member agrees to pay all charges with the authorized credit card on file. Pursuant to Section 1785.26 of the California Civil Code, as required by law, you are hereby notified that a negative credit report reflecting on your credit record may be submitted in the future to a credit reporting agency if you fail to fulfill the terms of, or default in any way on, your credit obligations to AOA. Member expressly authorizes AOA (including a collection agency) to obtain a consumer credit report, which AOA may use for the processing of the membership application and/or for debt collection. With just cause, such as payment delinquency or violation of the terms of this contract or a legal requirement, AOA may, upon its election, discontinue all membership services to Member and cancel this Agreement immediately by oral or written notice. Member agrees to all terms of this agreement.
Federal Fair Credit Reporting Act (FCRA-Public Law 91-508)
Although the FCRA primarily regulates the operations of consumer credit reporting agencies, it also affects you as a user of information. We suggest that you and your employees become familiar with the following sections in particular:
• § 604. Permissible Purposes of Reports
• § 607. Compliance Procedures
• § 615. Requirement of users of consumer reports
• § 616. Civil liability for willful noncompliance
• § 617. Civil liability for negligent noncompliance
• § 619. Obtaining information under false pretenses
• § 621. Administrative Enforcement
• § 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies
As directed by the law, credit reports may be issued only if they are to be used for extending credit, review or collection of an account, employment purposes, underwriting insurance, or in connection with some other legitimate business transaction such as investment, partnership, etc. It is imperative that you identify each request for a report to be used for employment purposes when such report is ordered. Additional state laws may also impact your usage of reports for employment purposes. In addition to the Federal Fair Credit Reporting Act, other federal and state laws addressing such topics as computer crime and unauthorized access to protected databases have also been enacted. As a prospective user of consumer reports, we require that you and your staff comply with all relevant federal statutes and the statutes and regulations of the states in which you operate. AOA strongly endorses the letter and spirit of the Federal Fair Credit Reporting Act. We believe that this law and similar state laws recognize and preserve the delicate balance between the rights of the consumer and the legitimate needs of commerce. We support consumer reporting legislation that will assure fair and equitable treatment for all consumers and users of credit information. We encourage you to view these laws on the Federal Trade Commission’s web site at: www.ftc.gov.
The following information is required to reduce unauthorized access to consumer information. It is the responsibility of your company (the company provided access to TU/XPN systems or data through AOA, referred to as the “Company”) to implement these requirements. If you do not understand these requirements or need assistance, it is your responsibility to engage an outside service provider to assist you.
AOA reserves the right to make changes to these Access Security Requirements without prior notification. The information provided herewith provides minimum baselines for information security.
In accessing AOA’s services, Company agrees to follow these security requirements. These requirements are applicable to all systems and devices used to access, transmit, process or store TU/XPN data:
Experian Security Requirements:
The security requirements included in this document represent the minimum security requirements acceptable to Experian and are intended to ensure that a Third Party (i.e., Supplier, Reseller, Service Provider or any other organization engaging with Experian) has appropriate controls in place to protect information and systems, including any information that it receives, processes, transfers, transmits, stores, delivers, and / or otherwise accesses on behalf of Experian.
“Experian Information” means Experian highly sensitive information including, by way of example and not limitation, data, databases, application software, software documentation, supporting process documents, operation process and procedures documentation, test plans, test cases, test scenarios, cyber incident reports, consumer information, financial records, employee records, and information about potential acquisitions, and such other information that is similar in nature or as mutually agreed in writing, the disclosure, alteration or destruction of which would cause serious damage to Experian’s reputation, valuation, and / or provide a competitive disadvantage to Experian.
“Resource” means all Third-Party devices, including but not limited to laptops, PCs, routers, servers, and other computer systems that store, process, transfer, transmit, deliver, or otherwise access the Experian Information.
1. Information Security Policies and Governance
Third Party shall have Information Security policies and procedures in place that are consistent with the practices described in an industry standard, such as ISO 27002 and / or this Security Requirements document, which is aligned to Experian’s Information Security policy.
2. Vulnerability Management
Firewalls, routers, servers, PCs, and all other resources managed by Third Party (including physical, on-premise or cloud hosted infrastructure) will be kept current with appropriate security specific system patches. Third Party will perform regular penetration tests to further assess the security of systems and resources. Third Party will use end-point computer malware detection / scanning services and procedures.
3. Logging and Monitoring
Logging mechanisms will be in place sufficient to identify security incidents, establish individual accountability, and reconstruct events. Audit logs will be retained in a protected state (i.e., encrypted, or locked) with a process for periodic review.
4. Network Security
Third Party will use security measures, including anti-virus software, to protect communications systems and network devices to reduce the risk of infiltration, hacking, access penetration by, or exposure to, an unauthorized third party.
5. Data Security
Third Party will use security measures, including encryption, to protect Experian provided data in storage and in transit to reduce the risk of exposure to unauthorized parties.
6. Remote Access Connection Authorization
All remote access connections to Third Party internal networks and / or computer systems will require authorization with access control at the point of entry using multi-factor authentication. Such access will use secure channels, such as a Virtual Private Network (VPN).
7. Incident Response
Processes and procedures will be established for responding to security violations and unusual or suspicious events and incidents. Third Party will report actual or suspected security violations or incidents that may affect Experian to Experian within twenty-four (24) hours of Third Party’s confirmation of such violation or incident.
8. Identification, Authentication and Authorization
Each user of any Resource will have a uniquely assigned user ID to enable individual authentication and accountability. Access to privileged accounts will be restricted to those people who administer the Resource and individual accountability will be maintained. All default passwords (such as those from hardware or software vendors) will be changed immediately upon receipt.
9. User Passwords and Accounts
All passwords will remain confidential. Users will use ‘strong’ passwords that expire after a maximum of 90 calendar days. Accounts will automatically lock out after five (5) consecutive failed login attempts.
10. Training and Awareness
Third Party shall require all Third Party personnel to participate in information security training and awareness sessions at least annually and establish proof of learning for all personnel.
11. Experian’s Right to Audit
Third Party shall be subject to remote and / or onsite assessments of its information security controls and compliance with these Security Requirements.
12. Bulk Email Communications into Experian
Third Party will not “bulk email” communications to multiple Experian employees without the prior written approval of Experian. Third Party shall seek authorization via their Experian Relationship Owner in advance of any such campaign.
Internet Delivery Security Requirements
In addition to the above, the following requirements apply where Company and its employees, or an authorized agent or agents acting on behalf of the Company, are provided access to AOA provided services via the Internet (“Internet Access”).
1. The Company shall designate in writing an employee to be its Head Security Designate, to act as the primary interface with AOA on systems access related matters. The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to AOA provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions.
2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each AOA product based upon the legitimate business needs of each employee. AOA shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.
3. Unless automated means become available, the Company shall request employee’s (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by AOA. Those employees approved by the Head Security Designate or Security Designate for Internet access (“Authorized Users”) will be individually assigned unique access identification accounts (“User ID”) and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). AOA’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. AOA may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company) and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not
4. An officer of the Company agrees to notify AOA in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.
Roles and Responsibilities
1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with AOA on systems access related matters. This individual shall be identified as the “Head Security Designate.” The Head Security Designate can further identify a Security Designate(s) to provide the day-to-day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with AOA on information and product access, in accordance with these TU/XPN Access Security Requirements. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to AOA’s systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to AOA immediately.
2. As a Client to AOA’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company.
3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to AOA product access control (e.g. request to add/change/remove access). The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with AOA’s Security Administration group on information and product access matters.
4. The Head Security Designate shall be responsible for notifying their corresponding AOA representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to applications and data) that are required to be terminated due to a suspected (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity.
1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users.
2. Is responsible for the initial and ongoing authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.).
3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User’s job responsibilities.
4. Is responsible for ensuring that Company’s Authorized Users are authorized to access AOA products and services.
5. Must disable Authorized User ID if it becomes compromised or if the Authorized User’s employment is terminated by Company.
6. Must immediately report any suspicious or questionable activity to AOA regarding access to AOA’s products and services.
7. Shall immediately report changes in their Head Security Designate’s status (e.g. transfer or termination) to AOA.
8. Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized Users.
9. Shall be available to interact with AOA when needed on any system or user related matters.
Important Notice – Death Master File
Access to the Death Master File as issued by the Social Security Administration requires an entity to have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1).
The National Technical Information Service has issued the Interim Final Rule for temporary certification permitting access to the Death Master File (“DMF”). Pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, access to the DMF is restricted to only those entities that have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). As many TU/XPN services contain information from the DMF, TU/XPN would like to remind you of your continued obligation to restrict your use of deceased flags or other indicia within the TU/XPN services to legitimate fraud prevention or business purposes in compliance with applicable laws, rules and regulations and consistent with your applicable Fair Credit Reporting Act (15 U.S.C. §1681 et seq.) or Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) use. Your continued use of TU/XPN services affirms your commitment to comply with these terms and all applicable laws.
You acknowledge you will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other indicia within the TU/XPN services.
End User shall implement and maintain a comprehensive information security program, written in one or more readily accessible parts, that contains administrative, technical, and physical safeguards that are appropriate to the client’s size and complexity, the nature and scope of its activities, and the sensitivity of the information provided to the client by AOA; such safeguards shall include the elements set forth in 16 C.F.R. § 314.4 and shall be reasonably designed to (i) ensure the security and confidentiality of the information provided by AOA, (ii) protect against any anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer.
Credit Scoring Services Agreement
The End User hereby agrees to the following:
(i) The End User warrants that it has a “permissible purpose” under the Fair Credit Reporting Act, as it may be amended from time to time, to obtain the information derived from the TU/XPN/Fair, Isaac Model.
(ii) The End User agrees to limit its use of the Scores and reason codes solely to use in its own business with no right to transfer or otherwise sell, license, sublicense or distribute said Scores or reason codes to third parties;
(iii) A requirement that each End User maintain internal procedures to minimize the risk of unauthorized disclosure and agree that such Scores and reason codes will be held in strict confidence and disclosed only to those of its employees with a “need to know” and to no other person;
(iv) Notwithstanding any contrary provision of this End User Agreement, End User may disclose the Scores provided to End User under this End User Agreement to credit applicants, when accompanied by the corresponding reason codes, in the context of bona fide lending transactions and decisions only;
(v) A requirement that each End User comply with all applicable laws and regulations in using the Scores and reason codes purchased from Reseller;
(vi) A prohibition on the use by End User, its employees, agents or subcontractors, of the trademarks, service marks, logos, names or any other proprietary designations, whether registered or unregistered, of TU/XPN Information Solutions, Inc. or Fair, Isaac and Company, or the affiliates of either of them, or of any other party involved in the provision of the TU/XPN/Fair, Isaac Model without such entity’s prior written consent;
(vii) A prohibition on any attempts by End User, in any manner, directly or indirectly, to discover or reverse engineer any confidential and proprietary criteria developed or used by TU/XPN/Fair, Isaac in performing the TU/XPN/Fair, Isaac Model;
(viii) Warranty. TU warrants that the TU Model and XPN/Fair, Isaac warrants that the XPN/Fair, Isaac Model is empirically derived and demonstrably and statistically sound and that to the extent the population to which the TU/XPN/Fair, Isaac Model was developed, the TU/XPN/Fair, Isaac Model score may be relied upon by Reseller and/or End Users to rank consumers in the order of the risk of unsatisfactory payment such consumers might present to End Users. TU/XPN/Fair, Isaac further warrants that so long as it provides the TU/XPN/Fair, Isaac Model, it will comply with the regulations promulgated from time to time pursuant to the Equal Credit Opportunity Act, 15 USC Section 1691 et seq. THE FOREGOING WARRANTIES ARE THE ONLY WARRANTIES TU/XPN/FAIR, ISAAC HAVE GIVEN RESELLER AND/OR END USERS WITH RESPECT TO THE TU/XPN/FAIR, ISAAC MODEL AND SUCH WARRANTIES ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, TU/XPN/FAIR, ISAAC MIGHT HAVE GIVEN RESELLER AND/OR END USERS WITH RESPECT THERETO, INCLUDING, FOR EXAMPLE, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Reseller and each respective End User’s Rights under the foregoing Warranty are expressly conditioned upon each respective End User’s periodic revalidation of the TU/XPN/Fair, Isaac Model in compliance with the requirements of Regulation B as it may be amended from time to time (12 CFR Section 202 et seq.);
(ix) A provision limiting the aggregate liability of Reseller, TU/XPN/Fair, Isaac to each End User to the lesser of the Fees paid by Reseller to TU/XPN/Fair, Isaac for the TU/XPN/Fair, Isaac Model resold to the pertinent End User during the six (6) month period immediately preceding the End User’s claim, or the fees paid by the pertinent End User to Reseller under the Resale Contract during said six (6) month period, and excluding any liability of Reseller, TU/XPN/Fair, Isaac for incidental, indirect, special or consequential damages of any kind.