Last modified: August 10, 2022
Read this document before using our website
Knowing your rights and responsibilities is important, including when you use our products and services, which grant access to sensitive information and are subject to our privacy policy.
Refund policy for applicants to rental apartments. All application fees paid through our website are used to offset the cost of background investigations and other processing and administrative costs; these fees are non-refundable for any reason. Other payments (such as holding deposits) may be refundable under the terms of agreements you make with each housing provider, whom you must contact directly to inquire. If you suspect that a fraudulent or unauthorized transaction has been processed using our website, please contact your issuing bank.
This Agreement sets forth the conditions of the use of our online service for registered members of On-Site.com (“OS”) for the purpose of advertising apartment and rental vacancies and processing rental applications. By using our websites, you (the “Member” or “Client”) agree to these terms and conditions. If you do not agree to the terms and conditions of this Agreement, immediately STOP using this website. We reserve the right, at any time, to change or update the terms and conditions of this Agreement without prior notice. Modifications shall become effective immediately upon being posted on this website. If you continue to use the Service after amendments are posted, your continued use is deemed acknowledgment and acceptance of the Agreement and its modifications.
1. User agreement
In order to protect our users, as well as our information and service providers, you are required to comply with all of the rules set forth in this Agreement. By registering as a user or by using this website (the “Service”), you hereby agree to be bound by all of the following terms and conditions (“Terms of Service Agreement” or “TOS”).
2. Termination of service & billing errors
You understand and agree that in OS’s sole discretion, and without prior notice, OS may terminate your access to this website and the service and it may also exercise any other available remedy. OS may also remove any unauthorized user content if OS believes that your use of the website, service and/or any user content you provided violates or conflicts with the Agreement, violates the rights of OS, or another user or the law. Claims for billing errors must be made in writing to OS within fifteen (15) days after date of invoice.
3. Damages & relief against user
You agree that monetary damages may not provide an adequate remedy to OS for violations of these terms and conditions. You therefore consent to injunctive or other equitable relief for such violations. OS is not required to provide any refund to you if you are terminated as a user because you have violated this Agreement.
4. Security for member account & password
You will receive a password and Member account designation once you are registered. You are responsible for maintaining the confidentiality of the password and account. You are solely responsible for all activities that occur under your password or account. You agree to immediately notify OS of any unauthorized use of your password or account or any other breach of security. You agree to make sure that you exit from your account at the end of each session. OS cannot and will not be liable for any loss or damage arising from your failure to comply with this Section.
5. Proprietary materials – restrictions on use
All materials provided on this website, including but not limited to all text, logos, designs, graphics, images, sounds, information, software, documents, products and services, and the onsite selection, arrangement and display thereof, are the copyrighted works of OS and/or its vendors or suppliers. All materials herein and all OS software are the property of OS. Said materials and software are protected by worldwide copyright and other intellectual property laws. Unless provided for in this Agreement, none of said materials may be modified, copied, reproduced, distributed, republished, downloaded, displayed, sold, compiled, posted or transmitted in any form or by any means. This ban includes, but is not limited to, electronic, mechanical, photocopying, recording or other means, without the prior express written permission of OS.
6. Copyright and trademark information
All content included or available on this site, including site design, text, graphics, interfaces, and the onsite selection and arrangements thereof is © by On-Site.com, with all rights reserved, or is the property of On-Site.com and/or third parties protected by intellectual property rights. Any use of materials on the website, including reproduction for purposes other than those noted above, modification, distribution, or replication, any form of data extraction or data mining, or other commercial exploitation of any kind, without prior written permission of an authorized officer of OS is strictly prohibited. Members agree that they will not use any automatic device (such as a “spider” or “robot” and/or any other automatic device) or any manual process to monitor or copy our web pages or the content contained therein without prior written permission of an authorized officer of OS. Rental Express, Apply Now, Point of Lease, Rental Address, Ad Blast, Connect Now, Renting It, On-Site Manager, Inc. and On-Site.com are proprietary marks of OS. OS’s trademarks may not be used in connection with any product or service that is not provided by OS, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits OS. All other trademarks displayed on OS’s website are the trademarks of their respective owners. Their display does not constitute an endorsement or a recommendation of those vendors. In addition, such use of trademarks or links to the websites of vendors is not intended to imply, directly or indirectly, that those vendors endorse or have any affiliation with OS.
7. Third-party sites
Our website may include links to other sites on the Internet that are owned and operated by online merchants and other third parties. You acknowledge and understand that OS is not responsible for third-party sites and is not responsible for the availability or content of third-party sites. If you have any questions or concerns regarding such links or the content available on such sites, you should contact the site administrator or webmaster for those third-party sites. Your use of those Third-Party Sites is subject to the terms of use and privacy policies of each third-party site. We are not responsible in any way for third-party sites. We encourage all members to review the privacy policies of third-parties’ sites.
8. Ban on resale of service
You agree not to reproduce, duplicate, copy, sell, resell or exploit for any commercial purposes, any portion of the Service, use of the Service, or access to the Service.
9. General disclaimer
Although OS has attempted to provide accurate information on the website, OS assumes no responsibility for the accuracy of the information. You understand and agree that all information provided on this website is provided “as is,” with all faults, without warranty of any kind, either express or implied. OS hereby disclaims all warranties, express or implied, including, and without limitation, those of merchantability, fitness for a particular purpose, title and non-infringement or arising from a course of dealing, and usage or trade practice. This is inapplicable where such a disclaimer has been legally held to be invalid but only to the extent of the specific invalidity.
10. No unlawful or prohibited use
As a condition of your use of this website, you agree and represent to OS that you will comply with all applicable laws, statutes, ordinances and regulations regarding your use of our service and any related activities. In addition, you agree and represent that you will not use this website in any way prohibited by these terms, conditions and notices.
11. Modification of the website
OS reserves the right, in its sole discretion, to improve, modify or remove any information or content appearing on the website. Without prior notice, and in its sole discretion, OS may discontinue or revise any or all aspects of the website.
12. Disclaimer regarding accuracy of vendor information
Product specifications and other information have either been provided by the Vendors or collected from publicly available sources. While OS makes every effort to ensure that the information on this website is accurate, we can make no representations or warranties as to the accuracy or reliability of any information provided on this website.
13. Governing jurisdiction of the courts of Texas
Our website is operated and provided in the State of Texas. As such, we are subject to the laws of the state of Texas. Texas law will govern this Agreement, without giving effect to any choice of law rules. We make no representation that our website or other services are appropriate, legal or available for use in other locations. Accordingly, if you choose to access our site you agree to do so subject to the internal laws of the state of Texas.
14. Fair Housing Act
As a Member you agree not to post, email, or otherwise make available content that violates the Fair Housing Act by stating, in any notice or ad for the sale or rental of any dwelling, a discriminatory preference based on race, color, national origin, religion, sex, familial status or handicap (or that otherwise violates any state or local law prohibiting discrimination on the basis of these or other characteristics.)
15. Limitation of liability
OS and its third party data suppliers shall not be liable for any damages whatsoever, and in particular OS and its third party data suppliers shall not be liable for any special, indirect, consequential, or incidental damages, or damages for lost profits, loss of revenue, or loss of use, arising out of or in any way related to this website or the information contained in it, whether such damages arise in contract, negligence, tort, under statute, in equity, at law, or otherwise, even if OS or its third party data suppliers has been advised of the possibility of such damages.
16. Possible exceptions to limitation of liability
Because some jurisdictions do not allow for the limitation or exclusion of liability for incidental or consequential damages, some of the limitations set forth in the previous paragraph may be inapplicable.
17. Indemnification
You agree to indemnify and hold OS, its parents, subsidiaries, affiliates, third party data suppliers, officers and employees, harmless from any claim or demand, including reasonable attorneys’ fees and costs, made by any third party due to or arising out of the Member’s use of the Service, third party service, any violation of this Agreement, or infringement by user, or other user of the Service using Member computer, of any intellectual property or any other right of any person or entity.
18. Binding on assigns, successors and divested businesses
Terms and agreements with OS will be binding upon and inure to the benefit of the parties and their assigns, successors and divested businesses. OS’s agreement with Client may not be transferred or assigned by Client without the prior written consent of OS. “Successor” means any entity connected to a merger with Client, sale of all or substantially all of the assets of Client or other form of Client’s corporate reorganization. “Divested business” means any business unit that Client sells, or of which it otherwise ceases to have an interest or render services. “Divested business” shall also include such business unit or the acquirer thereof, as applicable.
19. Other terms
If any provision of this Agreement shall be unlawful, void or unenforceable for any reason, the other provisions (and any partially-enforceable provision) shall not be affected thereby and shall remain valid and enforceable to the maximum possible extent. You agree that this Agreement and any other Agreements referenced herein may be assigned by OS, in our sole discretion, to a third party in the event of a merger or acquisition. This Agreement shall apply in addition to, and shall not be superseded by, any other written Agreement between us in relation to your participation as a Member. Member agrees that by accepting this Agreement, Member is consenting to the use and disclosure of their personally identifiable information and other practices described in our Privacy Policy Statement. Client may not assign, delegate, sub-contract or otherwise transfer this agreement (or any of its rights or obligations hereunder) without OS’s prior written consent, and any attempt to do so without OS’s approval will be void. OS may assign this agreement (or any of its rights or obligations hereunder) to a related company or to an unrelated company pursuant to a sale, merger or other consolidation of OS or any of its operating divisions upon written notice to Client. Nothing in this Agreement is intended to confer any rights or remedies under or by reason of this Agreement on any person other than the parties and their respective successors and permitted assigns. The waiver by either party of a breach or violation of any provision of this Agreement shall not operate as, nor be construed to be, a waiver of any subsequent breach hereof. This Agreement may be amended only upon the parties’ mutual written consent. This Agreement and any amendments hereto may be executed in duplicate copies on behalf of OS and Client, and facsimile or online signatures shall be deemed originals.
Each duplicate copy shall be deemed an original, but both duplicate originals together shall constitute one and the same instrument. The terms that are defined in this Agreement may be used in the singular or plural, or the masculine, feminine or neutral, as the context requires. The headings and subheadings in this Agreement are inserted for convenience of reference and shall not affect the meaning or interpretation of the Agreement.
Additional Restrictions of Use of On-Site Online Marketing Services
Client may cancel any contracted subscription upon sixty (60) days notice to OS in the event that Client ceases to own or manage the designated apartment community. At the end of the term of any contracted service agreement, the services shall automatically renew for an equal term unless canceled by either party with at least thirty (30) days notice prior to expiration. After automatic renewal, Client may cancel upon sixty (60) days notice. Such notice to OS shall be sent to enroll [at] on-site.com but shall not be deemed to have been received until Client receives a confirming response that acknowledges such notice. In the event Client cancels prior to the end of the subscription term, Client is subject to a cancellation fee equal to the remaining subscription fees due through the end of the term. After cancellation, any domain names or other assets purchased or obtained for Client by OS remain the property of OS. OS may elect to transfer ownership and control of a domain name on a case-by-case basis for a fee of $250 per domain.
1. Content
All content designed by OS, whether artistic or technical in nature, shall be deemed to be owned by OS. Client shall have a limited use of such content throughout the term of the Agreement for its intended use. Permission of OS is required for Client to use such content other than the use intended by OS. OS may use any such content and usage statistics and testimonials, for its own promotional purposes. OS reserves the right to edit or reject advertising, photographs, artwork and copy provided by Client and Client accepts all liability for all content supplied by it. Client warrants to OS that its copy is true, that it is not libelous or defamatory, that it violates no rights of privacy, that it infringes no trademark, copyright, literary or other rights, nor constitutes unfair competition with any other party, and that it complies with all federal, state and local laws and regulations, including any and all Fair Housing laws. The fact that content submitted to OS shall have been previously approved by it, either in whole or in part, shall not relieve the Client of this warranty. Client agrees to defend, indemnify, and hold harmless OS from any and all claims, demands, liability, suits, costs or expense, arising by reason of the publication of the Client’s consent, or breach of the foregoing warranty, whether such claims are well grounded or not.
2. No warranty
OS and its affiliates, agents and licensors, cannot and do not warrant the accuracy, completeness, currentness, non-infringement, merchantability or fitness for a particular purpose of the content designed by OS, whether artistic or technical, nor does OS guarantee that the content will be error-free, or continuously available, or that the website will be free of viruses or other harmful components. Under no circumstances will OS or its affiliates, agents or licensors be liable to Client or anyone else for any damages, including, without limitation, consequential, special, incidental, indirect, punitive, exemplary, or other damages of any kind (including lost revenues or profits, loss of business or loss of data), even if OS is advised beforehand of the possibility of such damages. Client agrees that the liability of OS and its affiliates, agents and licensors, if any, arising out of any kind of legal claim arising out of or otherwise related to this Agreement will not exceed the amount Client paid, if any, to OS under the terms of this Agreement.
3. Fees imposed by third parties
OS’s service rates and price schedule are independent of any fees imposed by other entities. If Client requests a service of OS that results in the charging of additional fees, Client thereby authorizes OS to contract for such services on Client’s behalf, and Client is solely responsible for their payment.
Additional Restrictions and Terms of Use for On-Site Background Check Services
Use of OS services is at Client’s sole risk. Client acknowledges and agrees that while OS and its third-party data suppliers make every reasonable effort to assure that the data and information contained therein are an accurate reflection of the information received from their governmental and other sources, neither OS nor its third-party data suppliers can or does represent or warrant that the data and information contained therein or obtained therefrom will be complete and accurate. Client understands and agrees that its use of OS services is entirely at its sole risk. Neither OS nor its third-party data suppliers shall be responsible or liable for any inaccuracy of the data and information contained therein, or for interruption in service caused by the failure of the Internet or the World Wide Web, by any Act of God, or by any other force majeure. UNDER NO CIRCUMSTANCES SHALL OS OR ITS THIRD-PARTY DATA SUPPLIERS BE LIABLE FOR CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY OR SPECIAL DAMAGES, INCLUDING LOST PROFITS, EVEN IF THEY HAVE BEEN MADE AWARE OF THE POTENTIAL FOR SUCH DAMAGES. ADDITIONALLY, OS AND ITS THIRD-PARTY DATA SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF CORRECTNESS, COMPLETENESS, ACCURACY, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OF THE DATABASES AND DATA AND INFORMATION CONTAINED THEREIN OR OBTAINED THEREFROM, OR SERVICES PROVIDED HEREUNDER.
1. Parties will protect confidential information
Both Client and OS agree that they will, to the extent and in accordance with the policies used to protect its own information of similar importance, use their best efforts to refrain from and prevent the use of or disclosure of any confidential information as defined below (“Confidential Information”) of the other party, disclosed or obtained by such party while performing its obligations under this Agreement, provided, however, that OS may disclose any information reasonably necessary to be disclosed in order for OS to provide the services and perform its obligations under this Agreement. Notwithstanding anything to the contrary, neither party shall use any Confidential Information in a manner which is detrimental to the other party. The phrase “Confidential Information” includes, without limitation, all materials and information supplied by one party to the other in the course of each party’s performance under this Agreement, including but not limited to each party’s business objectives and plans, marketing plans, customer lists, and financial information. Confidential Information includes, in addition to the information described above, reports, recommendations, scores, settings, any forms or agreements provided by OS to Client, and any information available to Client’s internal platform on www.on-site.com. Neither party will have an obligation of confidentiality with regard to any information insofar as such information: (1) was known to such party prior to obtaining it from the other party; (2) is at the time of disclosure publicly available or becomes publicly available other than as a result of a breach of this Agreement; or (3) is disclosed to such Party by a third party not under a duty not to disclose such information.
2. Transactions with third parties
In the event that Client elects to enable direct transactions by applicants, whether through OS or an integrated third-party provider, you agree that these transactions will be charged using the same pricing model as the screening initiated by Client via the OS interface. In the event Client elects to integrate third-party providers for related services, Client grants OS permission to provide appropriate information for the purpose of generating such services, including but not limited to tenant data, applicant data, consumer reports and lease data. Client agrees to notify OS in writing as soon as is practical upon termination of its relationship with any third-party to prevent unauthorized access of Client’s information.
3. Limitations on document generation
OS shall maintain an online catalog of documents for Client. Client is solely responsible for the accuracy of its documents, will review documents produced by OS and will provide OS with any changes or updates. ALL DOCUMENTS AND FORMS ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS.
4. Price Adjustments
Notwithstanding anything to the contrary in any other agreement between Client and OS, OS reserves the right to adjust the price for background check services provided hereunder by providing written notice to Client and the adjusted price will be effective on the date identified in the written notice (which may be provided, among other methods, via electronic mail to the address OS has on file for the Client). Client’s continued acceptance of the service(s) for which the price was adjusted shall constitute Client’s agreement to be bound by the adjusted price. Client may terminate the service(s) for which the price has been increased by providing written notice prior to such increase to OS, unless such price was increased due to an increase in charges to OS or its affiliate by any third party.
5. Important Notice about the Death Master File
Access to the Death Master File as issued by the Social Security Administration requires an entity to have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). The National Technical Information Service has issued the Interim Final Rule for temporary certification permitting access to the Death Master File (“DMF”). Pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, access to the DMF is restricted to only those entities that have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). As many of On-Site’s services contain information from the DMF, we would like to remind you of your continued obligation to restrict your use of deceased flags or other indicia within our services to legitimate fraud prevention or business purposes in compliance with applicable laws, rules and regulations and consistent with your applicable Fair Credit Reporting Act (15 U.S.C. §1681 et seq.) or Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) use. Your continued use of On-Site’s services affirms your commitment to comply with these terms and all applicable laws. You acknowledge you will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other indicia within On-Site’s services.
6. Client will create a comprehensive security information program
Client shall implement and maintain a comprehensive information security program written in one or more readily accessible parts and that contains administrative, technical, and physical safeguards that are appropriate to Client’s size and complexity, the nature and scope of its activities, and the sensitivity of the information provided to the Client by OS; and that such safeguards shall include the elements set forth in 16 C.F.R. § 314.4 and shall be reasonably designed to (i) insure the security and confidentiality of the information provided by OS, (ii) protect against any anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer.
FCRA Requirements
Although the federal Fair Credit Reporting Act (FCRA) and analogous state laws primarily regulate the operations of consumer credit reporting agencies, they also affect you as a user of information. You represent and warrant that you will comply with applicable laws and regulations, including, but not limited to, the FCRA, which may be found here. You agree that you and your employees will review and become familiar with the FCRA, and with the following sections of the FCRA in particular:
- § 604. Permissible Purposes of Reports
- § 607. Compliance Procedures
- § 615. Requirement on users of consumer reports
- § 616. Civil liability for willful noncompliance
- § 617. Civil liability for negligent noncompliance
- § 619. Obtaining information under false pretenses
- § 621. Administrative Enforcement
- § 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies
- § 628. Disposal of Records
Each of these sections is of direct consequence to users who obtain reports on consumers.
Further, you certify and agree that you will not request, or cause to be requested, an investigative consumer report (as defined under FCRA Section 603(e)) with respect to any consumer, unless:
(a) it is clearly and accurately disclosed to the consumer that an investigative consumer report (including information as to his or her character, general reputation, personal characteristics and mode of living, whichever are applicable) may be made, and such disclosure (i) is made in a writing mailed, or otherwise delivered, to the consumer, not later than three days after the date on which the report was first requested, and (ii) includes a statement informing the consumer of his or her right to request the additional disclosures regarding the nature and scope of the investigation (“Investigative Report Disclosure”);
(b) the Investigative Report Disclosure includes a written summary of the rights of the consumer prepared pursuant to FCRA Section 609(c); and
(c) if the consumer makes a written request within a reasonable amount of time after receipt of the Investigative Report Disclosure, you make a complete and accurate written disclosure of the nature and scope of the investigation requested. You agree to provide this information to the consumer no later than 5 days after the request for such disclosure was received from the consumer or such report was first requested, whichever is later.
In addition, a copy of the Notice to Users of Consumer Reports: Obligations of Users Under the FCRA (“Notice to Users”) is available here. You hereby acknowledge that you have received, reviewed and will comply with the obligations set forth in the Notice to Users.
By law, consumer reports may be issued only if they are to be used for certain specific purposes. You agree that you will only request a report for a purpose that is permitted under the law and this Agreement. THE FCRA PROVIDES THAT ANY PERSON WHO KNOWINGLY AND WILLFULLY OBTAINS INFORMATION ON A CONSUMER FROM A CONSUMER REPORTING AGENCY UNDER FALSE PRETENSES SHALL BE FINED UNDER TITLE 18 OF THE UNITED STATES CODE OR IMPRISONED NOT MORE THAN TWO YEARS, OR BOTH.
In addition to the FCRA, other federal and state laws addressing such topics as computer crime, unauthorized access to protected databases and use of personally identifiable information of individuals have also been enacted. You agree that you and your staff will comply with all relevant federal statutes and the statutes and regulations of the states in which you operate.
Access Security Requirements for FCRA and GLBA Data
The following information security controls are required to reduce unauthorized access to consumer information. It is your (company provided access to credit bureau systems or data, or data through On-Site.com, referred to as the “Company”) responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to get an outside service provider to assist you.
On-Site.com reserves the right to make changes to these Access Security Requirements without prior notification. The information provided herewith provides minimum baselines for information security. In accessing On-Site.com’s services, Company agrees to follow these security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store credit bureau data:
1. Implement strong access control measures
1.1 All credentials such as User names/identifiers/account numbers (user IDs) and user passwords must be kept confidential and must not be disclosed to an unauthorized party. No one from On-Site.com will ever contact you and request your credentials.
1.2 If using third party or proprietary system to access On-Site.com’s systems, ensure that the access must be preceded by authenticating users to the application and/or system (e.g. application based authentication, Active Directory, etc.) utilized for accessing On-Site.com data/systems.
1.3 If the third party or third party software or proprietary system or software, used to access On-Site.com data/systems, is replaced or no longer in use, the passwords should be changed immediately.
1.4 Create a unique user ID for each user to enable individual authentication and accountability for access to On-Site.com’s infrastructure. Each user of the system access software must also have a unique logon password.
1.5 User IDs and passwords shall only be assigned to authorized individuals based on least privilege necessary to perform job responsibilities.
1.6 User IDs and passwords must not be shared, posted, or otherwise divulged in any manner.
1.7 Develop strong passwords that are:
- Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters)
- Contain a minimum of eight (8) alpha/numeric characters for all user accounts
- For interactive sessions (i.e. non system-to-system) ensure that passwords are changed periodically (every 90 days is recommended)
1.8 Passwords (e.g. user/account password) must be changed immediately when:
- Any system access software is replaced by another system access software or is no longer used
- The hardware on which the software resides is upgraded, changed or disposed
- Any suspicion of password being disclosed to an unauthorized party (see section 4.3 for reporting requirements)
1.9 Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm also known as “one-way” encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES 256 or above).
1.10 Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.
1.11 Active logins to credit information systems must be configured with a 30 minute inactive session timeout.
1.12 Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of your membership application.
1.13 Company must not install Peer-to-Peer file sharing software on systems used to access, transmit or store credit bureau data.
1.14 Ensure that Company employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.
1.15 Implement a process to terminate access rights immediately for users who access credit bureau credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.
1.16 Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.
1.17 Implement a process to periodically review user activities and account usage, ensure the user activities are consistent with the individual job responsibility, business need, and in line with contractual obligations.
1.18 Implement physical security controls to prevent unauthorized entry to Company’s facility and access to systems used to obtain credit information. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.
2. Maintain a vulnerability management program
2.1 Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.
2.2 Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers (laptops and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, and removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
2.3 Implement and follow current best security practices for computer virus detection scanning services and procedures:
- Use, implement and maintain a current, commercially available anti-virus software on all systems, if applicable anti-virus technology exists. Anti-virus software deployed must be capable of detecting, removing, and protecting against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.
- Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
- If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
3. Protect data
3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, hard drive, paper, etc.).
3.2 All credit reporting agency data is classified as confidential and must be secured in accordance with this requirement at a minimum.
3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.
3.4 Encrypt all credit bureau data and information when stored electronically on any system including but not limited to laptops, tablets, personal computers, servers, databases using strong encryption such as AES 256 or above.
3.5 Credit bureau data must not be stored locally on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.
3.6 When using smart tablets or smart phones to access credit bureau data, ensure that such devices are protected via device pass-code.
3.7 Applications utilized to access credit bureau data via smart tablets or smart phones must protect data while in transmission such as SSL protection and/or use of VPN, etc.
3.8 Only open email attachments and links from trusted sources and after verifying legitimacy.
3.9 When no longer in use, ensure that hard-copy materials containing credit bureau data are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
3.10 When no longer in use, electronic media containing credit bureau data is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).
4. Maintain an information security policy
4.1 Develop and follow a security plan to protect the confidentiality and integrity of personal consumer information as required under the GLB Safeguard Rule.
4.2 Suitable to complexity and size of the organization, establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and regulations.
4.3 Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. If you believe credit bureau data may have been compromised, immediately notify On-Site.com within twenty-four (24) hours or per agreed contractual notification timeline (See also Section 8).
4.4 The FACTA Disposal Rules require that Company implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.
4.5 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security in the organization.
4.6 When using third party service providers (e.g. application service providers) to access, transmit, store or process credit bureau data, ensure that service provider is compliant with the Experian Independent Third Party Assessment (EI3PA) program, and registered in Experian’s list of compliant service providers. If the service provider is in the process of becoming compliant, it is Company’s responsibility to ensure the service provider is engaged with Experian and an exception is granted in writing. Approved certifications in lieu of EI3PA can be obtained from On-Site.com.
5. Build and maintain a secure network
5.1 Protect Internet connections with dedicated, industry-recognized Firewalls that are configured and managed using industry best security practices.
5.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
5.3 Administrative access to Firewalls and servers must be performed through a secure internal wired connection only.
5.4 Any stand-alone computers that directly access the Internet must have a desktop Firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.
5.5 Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults.
5.6 For wireless networks connected to or used for accessing or transmission of Experian data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.
5.7 When using service providers (e.g. software providers) to access <Reseller> systems, access to third party tools/services must require multi-factor authentication.
6. Regularly monitor and test networks
6.1 Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in 15 days, etc.).
6.2 Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit credit bureau data; establish a process for linking all access to such systems and applications. Ensure that security policies and procedures are in place to review security logs on daily or weekly basis and that follow-up to exceptions is required.
6.3 Use current best practices to protect telecommunications systems and any computer system or network device(s) used to provide Services hereunder to access On-Site.com systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:
- protecting against intrusions;
- securing the computer systems and network devices;
- and protecting against intrusions of operating systems or software.
7. Mobile and cloud technology
7.1 Storing credit bureau data on mobile devices is prohibited. Any exceptions must be obtained from the credit bureaus via On-Site.com in writing; additional security requirements will apply.
7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks.
7.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.
7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is credit bureau data to be exchanged between secured and non-secured applications on the mobile device.
7.6 In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing credit bureau data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application.
7.7 When using cloud providers to access, transmit, store, or process credit bureau data ensure that:
- Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations
- Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by the appropriate credit bureau:
  - ISO 27001
  - PCI DSS
  - EI3PA
  - SSAE 16 – SOC 2 or SOC3
  - FISMA
  - CAI / CCM assessment
8. General
8.1 On-Site.com may from time to time audit the security mechanisms Company maintains to safeguard access to credit bureau information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices.
8.2 In cases where the Company is accessing credit bureau information and systems via third party software, the Company agrees to make available to On-Site.com upon request, audit trail information and management reports generated by the vendor software, regarding Company individual authorized users.
8.3 Company shall be responsible for and ensure that third party software, which accesses On-Site.com information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use.
8.4 Company shall conduct software development (for software which accesses On-Site.com information systems; this applies to both in-house or outsourced software development) based on the following requirements:
8.4.1 Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks.
8.4.2 Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
8.4.3 Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.
8.5 Reasonable access to audit trail reports of systems utilized to access systems shall be made available to On-Site.com upon request, for example during breach investigation or while performing audits.
8.6 Data requests from Company to On-Site.com must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable.
8.7 Company shall report actual security violations or incidents that impact the credit bureaus to On-Site.com within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to On-Site.com of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred at (866) 266-7483, Email notification will be sent to IT [at] on-site.com.
8.8 Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to On-Site.com services, systems or data, and (d) will abide by the provisions of these requirements when accessing credit bureau data.
8.9 Company understands that its use of On-Site.com networking and computing resources may be monitored and audited by On-Site.com, without further notice.
8.10 Company acknowledges and agrees that it is responsible for all activities of its employees/authorized users, and for assuring that mechanisms to access On-Site.com services or data are secure and in compliance with its membership agreement.
8.11 When using third party service providers to access, transmit, or store credit bureau data, additional documentation may be required by On-Site.com.
Record Retention: The Federal Equal Opportunities Act states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, On-Site.com requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a breach or a consumer complaint that your company impermissibly accessed their credit report, the credit reporting agency will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract. “Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $2,500 per violation.”
Internet delivery security requirements
In addition to the above, the following requirements apply where Company and their employees or an authorized agent/s acting on behalf of the Company are provided access to On-Site.com provided services via Internet (“Internet Access”).
General requirements
1. The Company shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with On-Site.com on systems access related matters. The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to On-Site.com provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions.
2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each On-Site.com product based upon the legitimate business needs of each employee. On-Site.com shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.
3. Unless automated means become available, the Company shall request employee’s (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by On-Site.com. Those employees approved by the Head Security Designate or Security Designate for Internet access (“Authorized Users”) will be individually assigned unique access identification accounts (“User ID”) and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). On-Site.com’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. On-Site.com may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.
4. An officer of the Company agrees to notify On-Site.com in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.
Roles and responsibilities
1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with On-Site.com on systems access related matters. This individual shall be identified as the “Head Security Designate.” The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with On-Site.com on information and product access, in accordance with these Access Security Requirements for FCRA and GLB 5A Data. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to On-Site.com systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to On-Site.com immediately.
2. As a Client to On-Site.com’s products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company.
3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to On-Site.com product access control (e.g. request to add/change/remove access). The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with On-Site.com’s Security Administration group on information and product access matters.
4. The Head Designate shall be responsible for notifying their corresponding On-Site.com representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity.
General requirements
1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users.
2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.).
3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User’s job responsibilities.
4. Is responsible for ensuring that Company’s Authorized Users are authorized to access On-Site.com products and services.
5. Must disable Authorized User ID if it becomes compromised or if the Authorized User’s employment is terminated by Company.
6. Must immediately report any suspicious or questionable activity to On-Site.com regarding access to On-Site.com’s products and services.
7. Shall immediately report changes in their Head Security Designate’s status (e.g. transfer or termination) to On-Site.com.
8. Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized Users.
9. Shall be available to interact with On-Site.com when needed on any system or user related matters.
Important notice about the Social Security Administration Death Master File
Access to the Death Master File as issued by the Social Security Administration requires an entity to have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). The National Technical Information Service has issued the Interim Final Rule for temporary certification permitting access to the Death Master File (“DMF”). Pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, access to the DMF is restricted to only those entities that have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). As many credit bureau services contain information from the DMF, we would like to remind you of your continued obligation to restrict your use of deceased flags or other indicia provided as part of your access to credit bureau services to legitimate fraud prevention or business purposes in compliance with applicable laws, rules and regulations and consistent with your applicable Fair Credit Reporting Act (15 U.S.C. §1681 et seq.) or Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) use. Your continued use of credit bureau services affirms your commitment to comply with these terms and all applicable laws. You acknowledge you will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other indicia provided as part of your access to credit bureau services.
Additional rules for tenant brokers
If Client is engaged by a consumer to assist in the identification and procurement of housing (rental or otherwise) on consumer’s behalf, or where Client is otherwise not acting as an agent on behalf of the landlord, Client agrees to obtain the following (or substantially similar) written instructions from the consumer prior to requesting any consumer report from On-Site:
“I [consumer] hereby provide to [Client] my written instructions, pursuant to the federal Fair Credit Reporting Act, to permit RP On-Site LLC or its affiliate to provide a consumer report (including an investigative consumer report) about me to [Client] as my agent. I understand that such report may contain information concerning my character, general reputation, personal characteristics and/or mode of living, whichever are applicable, and I authorize [Client] to share my consumer report, including any investigative consumer report about me, with one or more properties, owners, landlords (and/or agents of any such parties) for the purpose of attempting to identify and procure residential real property for me and on my behalf.”
Additional rules on credit scores
Additional rules governing FICO scores from TransUnion
Based on an agreement with TransUnion and Fair Isaac Corporation (Fair Isaac), OS has access to a unique and proprietary statistical credit scoring service jointly offered by TransUnion and Fair Isaac which evaluates certain information in the credit reports of individual consumers from TransUnion’s database (Classic) and provides a score (the Classic Score). Client may desire to obtain Classic Scores from TransUnion in connection with consumer credit reports. Client will request Scores only for Client’s exclusive use and may store Scores solely for Client’s own use in furtherance of Client’s original purpose for obtaining the Scores. Client has a permissible purpose for obtaining consumer reports, as defined by Section 604 of FCRA. Client shall not use the Score for model development or model calibration and shall not reverse-engineer the Score. All Scores provided hereunder will be held in strict confidence and may never be sold, licensed, copied, reused, disclosed, reproduced, revealed or made accessible, in whole or in part to any Person except (i) to those employees of Client with a need to know and in the course of their employment; (ii) to those third party processing agents of Client who have executed an agreement that limits the use of the Scores by the third party to the use permitted to Client and contains the prohibitions set forth herein regarding model development, model calibration and reverse engineering; (iii) when accompanied by the corresponding reason codes, to the consumer who is the subject of the Score; or (iv) as required by law. Client recognizes that factors other than the Classic Score may be considered in making a credit decision. Such other factors include, but are not limited to, the credit report, the individual account history, and economic factors. TransUnion and Fair Isaac shall be deemed third party beneficiaries under this clause. 
Up to five score reason codes, or if applicable, exclusion reasons, are provided to Client with Classic Scores. These score reason codes are designed to indicate the reasons why the individual did not have a higher Classic Score, and may be disclosed to consumers as the reasons for taking adverse action, as required by the Equal Credit Opportunity Act (ECOA) and its implementing Regulation (Reg. B). However, the Classic Score itself is proprietary to Fair Isaac, may not be used as the reason for adverse action under Reg. B and, accordingly, shall not be disclosed to credit applicants or any other third party, except: (1) to credit applicants in connection with approval/disapproval decisions in the context of bona fide credit extension transactions when accompanied with its corresponding score reason codes; or (2) as clearly required by law. Client will not publicly disseminate any results of the validations or other reports derived from the Classic Scores without Fair Isaac and TransUnion’s prior written consent. In the event Client intends to provide Classic Scores to any agent, Client may do so provided, however, that Client first enters into a written agreement with such agent that is consistent with Client’s obligations under this agreement. 
Moreover, such agreement between Client and such agent shall contain the following obligations and acknowledgments of the agent: (1) Such agent shall utilize the Classic Scores for the sole benefit of Client and shall not utilize the Classic Scores for any other purpose including for such agent’s own purposes or benefit; (2) That the Classic Score is proprietary to Fair Isaac and, accordingly, shall not be disclosed to the credit applicant or any third party without TransUnion and Fair Isaac’s prior written consent except (a) to credit applicants in connection with approval/disapproval decisions in the context of bona fide credit extension transactions when accompanied with its corresponding score reason codes; or (b) as clearly required by law; (3) Such Agent shall not use the Classic Scores for model development, model validation, model benchmarking, reverse engineering, or model calibration; (4) Such agent shall not resell the Classic Scores; and (5) Such agent shall not use the Classic Scores to create or maintain a database for itself or otherwise. Client acknowledges that the Classic Scores provided under this Agreement which utilize an individual’s consumer credit information will result in an inquiry being added to the consumer’s credit file. Client shall be responsible for compliance with all applicable federal or state legislation, regulations and judicial actions, as now or as may become effective including, but not limited to, the FCRA, the ECOA, and Reg. B, to which it is subject. 
Fair Isaac, the developer of Classic, warrants that the scoring algorithms as delivered to TransUnion and used in the computation of the Classic Score (Models) are empirically derived from TransUnion’s credit data and are a demonstrably and statistically sound method of rank-ordering candidate records with respect to the relative likelihood that United States consumers will repay their existing or future credit obligations satisfactorily over the twenty four (24) month period following scoring when applied to the population for which they were developed, and that no scoring algorithm used by Classic uses a “prohibited basis” as that term is defined in the ECOA and Reg. B promulgated thereunder. Classic provides a statistical evaluation of certain information in TransUnion’s files on a particular individual, and the Classic Score indicates the relative likelihood that the consumer will repay their existing or future credit obligations satisfactorily over the twenty four (24) month period following scoring relative to other individuals in TransUnion’s database. The score may appear on a credit report for convenience only, but is not a part of the credit report nor does it add to the information in the report on which it is based. THE WARRANTIES SET FORTH ARE THE SOLE WARRANTIES MADE UNDER THIS CLAUSE CONCERNING THE CLASSIC SCORES AND ANY OTHER DOCUMENTATION OR OTHER DELIVERABLES AND SERVICES PROVIDED UNDER THIS AGREEMENT; AND NEITHER FAIR ISAAC NOR TRANSUNION MAKE ANY OTHER REPRESENTATIONS OR WARRANTIES CONCERNING THE PRODUCTS AND SERVICES TO BE PROVIDED UNDER THIS AGREEMENT OTHER THAN AS SET FORTH HERE. THE WARRANTIES AND REMEDIES SET FORTH ABOVE ARE IN LIEU OF ALL OTHERS, WHETHER WRITTEN OR ORAL, EXPRESS OR IMPLIED (INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT MIGHT BE IMPLIED FROM A COURSE OF PERFORMANCE OR DEALING OR TRADE USAGE). THERE ARE NO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL ANY PARTY BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, OR PUNITIVE DAMAGES INCURRED BY THE OTHER PARTIES AND ARISING OUT OF THE PERFORMANCE OF THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOSS OF GOOD WILL AND LOST PROFITS OR REVENUE, WHETHER OR NOT SUCH LOSS OR DAMAGE IS BASED IN CONTRACT, WARRANTY, TORT, NEGLIGENCE, STRICT LIABILITY, INDEMNITY, OR OTHERWISE, EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. THE FOREGOING NOTWITHSTANDING, WITH RESPECT TO CLIENT, IN NO EVENT SHALL THE AFORESTATED LIMITATIONS OF LIABILITY, SET FORTH ABOVE IN SECTION 16, APPLY TO DAMAGES INCURRED BY TRANSUNION AND/OR FAIR ISAAC AS A RESULT OF: (A) GOVERNMENTAL, REGULATORY OR JUDICIAL ACTION(S) PERTAINING TO VIOLATIONS OF THE FCRA AND/OR OTHER LAWS, REGULATIONS AND/OR JUDICIAL ACTIONS TO THE EXTENT SUCH DAMAGES RESULT FROM CLIENT’S BREACH, DIRECTLY OR THROUGH CLIENT’S AGENT(S), OF ITS OBLIGATIONS UNDER THIS AGREEMENT. ADDITIONALLY, NEITHER TRANSUNION NOR FAIR ISAAC SHALL BE LIABLE FOR ANY AND ALL CLAIMS ARISING OUT OF OR IN CONNECTION WITH THIS ADDENDUM BROUGHT MORE THAN ONE (1) YEAR AFTER THE CAUSE OF ACTION HAS ACCRUED. 
IN NO EVENT SHALL TRANSUNION’S AND FAIR ISAAC’S AGGREGATE TOTAL LIABILITY, IF ANY, UNDER THIS AGREEMENT, EXCEED THE AGGREGATE AMOUNT PAID, UNDER THIS ADDENDUM, BY CLIENT DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING ANY SUCH CLAIM, OR TEN THOUSAND DOLLARS ($10,000.00), WHICHEVER AMOUNT IS LESS.
This Agreement may be terminated automatically and without notice: (1) in the event of a breach of the provisions of this supplement by Client; (2) in the event the agreement(s) related to Classic between TransUnion, Fair Isaac and OS are terminated or expire; (3) in the event the requirements of any law, regulation or judicial action are not met; (4) as a result of changes in laws, regulations or regulatory or judicial action, that the requirements of any law, regulation or judicial action will not be met; and/or (5) the use of the Classic Service is the subject of litigation or threatened litigation by any governmental entity.
Additional rules governing FICO scores from Experian
Client may access scores utilizing a statistical scoring model furnished by Experian and Fair, Isaac (Experian FICO score). Client shall limit its use of Experian FICO scores and reason codes solely to use in its own business with no right to transfer, sell, license, sublicense or distribute said Scores or reason codes to third parties. Notwithstanding any contrary provision of this Agreement, Client may disclose the Experian FICO score to credit applicants, when accompanied by the corresponding reason codes, in the context of bona fide lending transactions and decisions only. Client, its employees, agents or subcontractors, are prohibited from using the trademarks, service marks, logos, names, or any other proprietary designations, whether registered or unregistered, of Experian or Fair Isaac, or the affiliates of either of them, or of any other party involved in the provision of the Experian FICO score without such entity’s prior written consent. Client may not attempt, in any manner, directly or indirectly, to discover or reverse engineer any confidential and proprietary criteria developed or used by Experian/Fair, Isaac in performing the Experian FICO score. The aggregate liability of Experian/Fair, Isaac to Client is limited to the lesser of the fees paid by OS to Experian/Fair, Isaac pursuant for the Experian FICO score resold to the pertinent Client during the six (6) month period immediately preceding the Client’s claim, or the fees paid by Client to OS under this Agreement during said six (6) month period, and excluding any liability of Experian/Fair, Isaac for incidental, indirect, special or consequential damages of any kind. Client warrants that it has a “permissible purpose” under the Fair Credit Reporting Act, as it may be amended from time to time, to obtain the information derived from the Experian/Fair, Isaac Model. 
Client agrees to maintain internal procedures to minimize the risk of unauthorized disclosure and agrees that such Scores and reason codes will be held in strict confidence and disclosed only to those of its employees that “need to know” and to no other person. Client shall comply with all applicable laws and regulations in using the Scores and reason codes purchased. Experian/Fair, Isaac warrants that the Experian/Fair, Isaac Model is empirically derived and demonstrably and statistically sound and that to the extent the population to which the Experian/Fair, Isaac Model is applied is similar to the population sample on which the Experian/Fair, Isaac Model was developed, the Experian/Fair, Isaac Model score may be relied upon by Client to rank consumers in the order of the risk of unsatisfactory payment such consumers might present to Client. Experian/Fair, Isaac further warrants that so long as it provides the Experian/Fair, Isaac Model, it will comply with the regulations promulgated from time to time pursuant to the Equal Credit Opportunity Act, 15 USC Section 1691 et seq. THE FOREGOING WARRANTIES ARE THE ONLY WARRANTIES EXPERIAN/FAIR, ISAAC HAVE GIVEN OS AND/OR CLIENT WITH RESPECT TO THE EXPERIAN/FAIR, ISAAC MODEL AND SUCH WARRANTIES ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, EXPERIAN/FAIR, ISAAC MIGHT HAVE GIVEN OS AND/OR CLIENT, FOR EXAMPLE, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. OS and each respective Client’s rights under the foregoing Warranty are expressly conditioned upon each respective Client’s periodic revalidation of the Experian/Fair, Isaac Model in compliance with the requirements of Regulation B as it may be amended from time to time (12 CFR Section 202 et seq.).
Additional rules governing VantageScores℠
Client: (i) will request VantageScores only for Client’s exclusive use; (ii) may store VantageScores solely for Client’s own use in furtherance of its original purpose for obtaining the VantageScores; and (iii) shall not use the VantageScores for model development or model calibration, except in compliance with the following conditions: (1) the VantageScores may only be used as an independent variable in custom models; (2) only the raw archived VantageScore and VantageScore segment identifier will be used in modeling (i.e. no other VantageScore information including, but not limited to, adverse action reasons, documentation, or scorecards will be used); and (3) Client’s depersonalized analytics and/or depersonalized third party modeling analytics performed on behalf of Client, using VantageScores, will be kept confidential and not disclosed to any third party other than as expressly provided for below in subsections (ii), (iii), (iv), (v) and/or (vi) of this paragraph. Client shall not reverse engineer the VantageScore.
All VantageScores provided hereunder will be held in strict confidence and may never be sold, licensed, copied, reused, disclosed, reproduced, revealed or made accessible, in whole or in part, to any person or entity, except (i) to those employees, agents, and independent contractors of Client with a need to know and in the course of their employment; (ii) to those third party processing agents and other contractors of Client who have executed an agreement that limits the use of the VantageScores by the third party only to the use permitted to Client and contains the prohibitions at least as restrictive as set forth herein regarding model development, model calibration, reverse engineering and confidentiality; (iii) when accompanied by the corresponding reason codes, to the consumer who is the subject of the VantageScore (provided that, accompanying reason codes are not required to the extent permitted by law); (iv) to government regulatory agencies; (v) to ratings agencies, dealers, investors and other third parties for the purpose of evaluating assets or investments (e.g. securities) containing or based on obligations of the consumers to which the VantageScores apply (e.g. mortgages, student loans, auto loans, credit cards), provided that, as it relates to this subsection (v), (a) Client may disclose VantageScores only in aggregated formats (e.g. averages and comparative groupings) that do not reveal individual VantageScores, (b) Client shall not provide any information that would enable a recipient to identify the individuals to whom the VantageScores apply, and (c) Client shall enter into an agreement with each recipient that limits the use of the VantageScore to evaluation of such assets or investments, or (vi) as required by law. Client agrees that the trademarks, trade names, product names, brands, logos, and service marks (“Vantage Marks”) for VantageScores and VantageScore credit scoring models will remain the sole property of VantageScore Solutions, LLC.
Additional rules on retail sellers
California Civil Code – Section 1785.14(a)
Section 1785.14(a), as amended, states that a consumer credit reporting agency does not have reasonable grounds for believing that a consumer credit report will only be used for a permissible purpose unless all of the following requirements are met:
Section 1785.14(a)(1) states: “If a prospective user is a retail seller, as defined in Section 1802.3, and intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted in person, the consumer credit reporting agency shall, with a reasonable degree of certainty, match at least three categories of identifying information within the file maintained by the consumer credit reporting agency on the consumer with the information provided to the consumer credit reporting agency by the retail seller. The categories of identifying information may include, but are not limited to, first and last name, month and date of birth, driver’s license number, place of employment, current residence address, previous residence address, or social security number. The categories of information shall not include mother’s maiden name.”
Section 1785.14(a)(2) states: “If the prospective user is a retail seller, as defined in Section 1802.3, and intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted in person, the retail seller must certify, in writing, to the consumer credit reporting agency that it instructs its employees and agents to inspect a photo identification of the consumer at the time the application was submitted in person. This paragraph does not apply to an application for credit submitted by mail.”
Section 1785.14(a)(3) states: “If the prospective user intends to extend credit by mail pursuant to a solicitation by mail, the extension of credit shall be mailed to the same address as on the solicitation unless the prospective user verifies any address change by, among other methods, contacting the person to whom the extension of credit will be mailed.”
In compliance with Section 1785.14(a) of the California Civil Code, Member hereby certifies to OS Member is NOT a retail seller, as defined in Section 1802.3 of the California Civil Code (“Retail Seller”) and issues credit to consumers who appear in person on the basis of applications for credit submitted in person (“Point of Sale”).
End User also certifies that if End User is a Retail Seller who conducts Point of Sale transactions, End User will, beginning on or before July 1, 1998, instruct its employees and agents to inspect a photo identification of the consumer at the time an application is submitted in person.
End User also certifies that it will only use the appropriate End User code number designated by Consumer Reporting Agency for accessing consumer reports for California Point of Sale transactions conducted by Retail Seller.
If End User is not a Retail Seller who issues credit in Point of Sale transactions, End User agrees that if it, at any time hereafter, becomes a Retail Seller who extends credit in Point of Sale transactions, End User shall provide written notice of such to Consumer Reporting Agency prior to using credit reports with Point of Sale transactions as a Retail Seller, and shall comply with the requirements of a Retail Seller conducting Point of Sale transactions, as provided in this certification.
Additional rules on Vermont consumers
Member acknowledges that it subscribes to receive various information services in accordance with the Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (1999), as amended (the “VFCRA”) and the Federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as amended (the “FCRA”) and its other state law counterparts. In connection with Member’s continued use of OS services in relation to Vermont consumers, Member hereby certifies as follows:
Vermont Certification. Member certifies that it will comply with applicable provisions under Vermont law. In particular, Member certifies that it will order information services relating to Vermont residents that are credit reports as defined by the Vermont Fair Credit Reporting Act (“VFCRA”), only after Member has received prior consumer consent in accordance with VFCRA Section 2480e and applicable Vermont Rules. Member further certifies that the below copy of Section 2480e of the Vermont Fair Credit Reporting Statute was received.
Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (1999)
§ 2480e. Consumer consent
(a) A person shall not obtain the credit report of a consumer unless:
1. the report is obtained in response to the order of a court having jurisdiction to issue such an order; or
2. the person has secured the consent of the consumer, and the report is used for the purpose consented to by the consumer.
(b) Credit reporting agencies shall adopt reasonable procedures to assure maximum possible compliance with subsection (a) of this section.
(c) Nothing in this section shall be construed to affect:
1. the ability of a person who has secured the consent of the consumer pursuant to subdivision (a)(2) of this section to include in his or her request to the consumer permission to also obtain credit reports, in connection with the same transaction or extension of credit, for the purpose of reviewing the account, increasing the credit line on the account, for the purpose of taking collection action on the account, or for other legitimate purposes associated with the account; and
2. the use of credit information for the purpose of prescreening, as defined and permitted from time to time by the Federal Trade Commission.
VERMONT RULES
*** CURRENT THROUGH JUNE 1999 ***
AGENCY 06. OFFICE OF THE ATTORNEY GENERAL
SUB-AGENCY 031. CONSUMER PROTECTION DIVISION
CHAPTER 012. Consumer Fraud–Fair Credit Reporting
RULE CF 112 FAIR CREDIT REPORTING
CVR 06-031-012, CF 112.03 (1999)
CF 112.03 CONSUMER CONSENT
(a) A person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing if the consumer has made a written application or written request for credit, insurance, employment, housing or governmental benefit. If the consumer has applied for or requested credit, insurance, employment, housing or governmental benefit in a manner other than in writing, then the person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing or in the same manner in which the consumer made the application or request. The terms of this rule apply whether the consumer or the person required to obtain consumer consent initiates the transaction.
(b) Consumer consent required pursuant to 9 V.S.A. §§ 2480e and 2480g shall be deemed to have been obtained in writing if, after a clear and adequate written disclosure of the circumstances under which a credit report or credit reports may be obtained and the purposes for which the credit report or credit reports may be obtained, the consumer indicates his or her consent by providing his or her signature.
(c) The fact that a clear and adequate written consent form is signed by the consumer after the consumer’s credit report has been obtained pursuant to some other form of consent shall not affect the validity of the earlier consent.