Credit Authorization & Access Agreement

This Agreement is between "Customer" or "You" and Upsell LLC and its subsidiaries:

Effective date: November 10, 2019

1. The Applicant hereby petitions Upsell LLC DBA teo, LLC (“teo”) to render service in accordance with its customary practices, for which Applicant agrees to pay promptly on billing by teo. 

2. Applicant hereby agrees, represents and warrants that it will use the services of teo, in accordance with all provisions of 15 U.S.C. § 1681 et seq. (“FCRA”) and that services will be requested only for the Applicant’s exclusive use. Applicant further certifies that consumer reports will be ordered and used only in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or to review of an account of the consumer, even though otherwise permitted by law.

3. Applicant certifies that it will request consumer reports pursuant to procedures prescribed by teo and only for the permissible purpose certified above, and will use the reports obtained for no other purpose. Applicant shall use each consumer report only for a one-time use and shall hold the report in strict confidence. Applicant shall maintain written proof of permissible purpose for all inquiries for a minimum of five (5) years from the date of inquiry and provide teo copies of such upon request and to indemnify teo, Trans Union, Equifax Information Services, Experian Information Solutions, and each of the other Applicants and the officers and employees of each, jointly and severally, from any loss, damage, attorney's fees and costs arising from any claim or suit based on alleged violation of any provision of this agreement. 

4. This Agreement shall continue in force without any fixed date of termination, subject to cancellation by either party upon ten (10) days prior written notice mailed or delivered to the office of the other party. teo shall have the right to terminate this agreement at any time and without prior notice in event of any or any violation by Applicant of any provision of this Agreement; violation of State or Federal law; and/or action which adversely affects the economic operation of teo.


5. No information furnished to Applicant is guaranteed nor is teo in any way responsible for such information. teo shall not be responsible or liable for any loss caused by neglect or act of any of its servants, agents, attorneys, clerks or employees in procuring, collecting and communicating any information furnished by or to Applicant. No promise, statement, representation or agreement made by any employee or other representative of teo and not expressed in this Agreement shall bind it contractually or otherwise to Applicant. 

6. Applicant agrees to fully support and implement policies that protect the confidential nature of information furnished by and through teo and ensure respect for consumers’ rights to privacy. Applicant will take all reasonable precautions to restrict the ability to obtain credit information to key personnel; safeguard access to credit software; safeguard access to websites where credit information can be obtained; protect Applicant identification and passwords; and will properly destroy hard copies and electronic files of consumer credit information when no longer needed.

7. Applicant hereby agrees to comply with all policies and procedures instituted by teo and required by teo’s consumer reporting vendors contained in this agreement. teo will give Applicant as much notice as possible prior to the effective date of any such new policies, but does not guarantee that reasonable notice will be possible. Applicant may terminate this agreement at any time after notification of a change in policy in the event Applicant deems such compliance as not within its best interest. 

8. Applicant agrees that teo and teo’s consumer reporting vendors shall have the right to audit records of Applicant that are relevant to the provision of services set forth in this Agreement. Applicant further agrees that it will respond within 3 business days to any request for information by teo’s consumer reporting vendors. Applicant understands that such vendor may suspend or terminate access to the vendor’s information in the event Applicant does not cooperate with any such investigation.

9. During the term of this Agreement, Applicant agrees to comply with all Federal, State and Local statutes, regulations and rules applicable to it, including, without limitation the FCRA, with any changes enacted to FCRA during the term of this Agreement, the Gramm Leach Bliley Act and its implementing regulations, any state or local laws governing the disclosure of consumer credit information, and any regulations or limitations promulgated by teo’s consumer reporting vendors. Applicant further agrees to comply with teo’s “Access Security Requirements” attached hereto and made a part hereof. 

10. Without limiting the foregoing, teo may from time to time notify Applicant of new, updated or additional requirements relating to such laws, compliance with which will be a condition of teo’s continued provision of the credit information to Applicant, and Applicant shall train and educate its employees in proper security procedures consistent with industry standards. In addition, such new requirements might require price increases. Applicant agrees to comply with any such new requirements no later than thirty (30) days after it actually receives notice from teo and such requirements shall be incorporated into this Agreement by this reference. Applicant understands and agrees that teo may require evidence, including a certification that Applicant understands and will comply with applicable laws. 

11. Applicant will implement strict security procedures designed to ensure that Applicant’s employees use the services and information in accordance with this Agreement and for no purposes other than as permitted by this Agreement. Applicant will treat and hold the services and the credit information in strict confidence and will restrict access to the services and the credit information to Applicant’s employees and applicants who agree to act in accordance with the terms of this Agreement and applicable law. Applicant will inform Applicant’s employees and applicants to whom any credit information is disclosed of the provisions of this Agreement. Applicant agrees to indemnify and protect teo and its consumer reporting vendors from any claims or losses incurred by teo or its consumer reporting vendors as a result of the misuse, improper or unauthorized access (including data breach) to the services or credit information by Applicant or Applicant’s affiliates, employees, agents or subcontractors. 


12. Applicant shall notify teo of any breach or suspected breach of the security of consumer reporting data if the personal information of consumers was, or is reasonably believed to have been acquired by an unauthorized person within 24 hours following discovery thereof. 

13. If approved by teo and teo’s consumer reporting vendors, Applicant may deliver the consumer credit information to a third party, secondary Applicant with which Applicant has an ongoing business relationship (and with which teo has an Applicant relationship) for the permissible use of such information. teo’s consumer reporting vendors may charge a fee for the subsequent delivery to secondary Applicants.

14. Applicant agrees that teo may verify, through audit or otherwise, that Applicant is in fact the end-user of the credit information with no intention to resell or otherwise provide or transfer the credit information in whole or in part to any other person or entity. Applicant understands that costs associated with credit rescoring are the sole responsibility of the Applicant and Federal Law and repository restrictions prohibit the passing along of rescoring fees to the consumer either directly or indirectly. teo will utilize a third party vendor to perform an on-site inspection of Applicant’s physical location. Applicant agrees to allow access and is responsible for the associated costs. 

15. Applicant will utilize appropriate training and training materials in order for Applicant to comply with the Federal Fair Credit Reporting Act and all applicable State and Federal requirements and with the policies required by teo’s consumer reporting vendors. 

16. Applicant understands and agrees that consumer repository credit information delivered to Applicant by teo is prepared by and obtained through Trans Union, Equifax Information Services, and/or Experian Information Solutions, each of which impose different conditions on the acquisition, use and disposal of such information. In addition, 15 U.S.C. § 1681 et seq. also requires certain other responsibilities of Applicants of consumer reports from consumer reporting agencies. Those responsibilities are attached (and made a part hereof) as Exhibits. Applicant agrees to abide by the terms and conditions of the Exhibits attached hereto.

17. Applicant agrees that it will properly dispose of all consumer information in compliance with Federal law and as defined in the included exhibits. “Consumer Information”, as used herein, shall mean any record (or compilation thereof) about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Applicant understands and agrees that teo may monitor, record and store all communications for compliance and quality control purposes. 

18. Applicant agrees to pay for all services requested through teo. Applicant understands and agrees that account invoices are issued monthly and are due and payable upon receipt. Any balance unpaid after 30 days of invoice is subject to a late fee of $15.00 or 1.5%, whichever is greater. Accounts 30 days delinquent, or those exceeding established credit limits may be placed on credit hold. Accounts with monthly services less than $50.00 per month incur a $25.00 monthly account maintenance fee. 

19. Upsell LLC DBA teo may, from time to time, report client and/or guarantor account history information to credit reporting or collection agencies including but not limited to, Experian, Equifax, Trans Union and/or Dun & Bradstreet and the National Credit Reporting Association. teo may from time to time diminish or increase the charges to Applicant upon thirty days’ written notice. In such event Applicant agrees to pay the revised charges unless Applicant terminates this agreement in writing.

20. In the event of any litigation or other action involving this Agreement, teo shall be paid reasonable attorney fees and court costs for trial, appeal, and/or bankruptcy or similar proceeding including ADR fees, and witness/travel expenses incurred by teo whether or not litigation is instituted. In addition, any other recovery to which teo is entitled shall be paid. If Applicant fails to pay as agreed, Applicant provides teo permission to ACH draft payment to Applicant’s bank or charge the credit card on file.

21. Each party to this Agreement is an independent contractor, and nothing contained in this Agreement may be construed as creating a joint venture, partnership, licensor-licensee, principal-agent or mutual agency relationship between or among the parties. No party, by virtue of this Agreement, has any right or power to create any obligation, express or implied, on behalf of any other party. No party, or employee of any party, will be deemed to be an employee of another party by virtue of this Agreement.

22. Applicant and teo acknowledge and intend that this Agreement was entered into for the respective benefit of each of them and their respective successors and assigns, and, in consideration of their reporting information to teo, the third party benefit to Trans Union LLC, Equifax Information Services LLC and Experian Information Solutions Inc. Nothing in this Agreement will be construed as giving any other person, firm, corporation or other entity, other than the parties to this Agreement and their respective successors and permitted assigns and Trans Union LLC, Equifax Information Services LLC and Experian Information Solutions Inc., any right, remedy or claim under or in respect of this Agreement or any of its provisions. 

23. Due to the special and unique purposes of this Agreement, neither this Agreement nor any rights or obligations in it are assignable by Applicant without the prior written consent of teo. Consent will not be unreasonably withheld. Any dissolution, merger, consolidation or other reorganization of Applicant; the sale or other transfer of all or substantially all of the assets or properties of Applicant or the sale or other transfer of a controlling percentage of the corporate stock of Applicant constitutes an assignment of this Agreement for all purposes of this paragraph. The term "controlling percentage," for the purpose of this paragraph, means the ownership of stock possessing, and of the right to exercise, at least fifty percent (50%) of the total combined voting power of any class or all classes of stock of such a party, issued, outstanding and entitled to vote for the election of directors, whether that ownership is direct or indirect. Applicant agrees to notify teo of any change of ownership or control fifteen days prior to any such change. teo may require the new ownership to re-apply for the services provided for herein and may require a new physical inspection in the event the office location is changed. 

24. Notwithstanding any provision to the contrary, no party to this Agreement will be liable to the other party for any delay or interruption in performance of any obligation resulting from governmental emergency orders, judicial or governmental action, emergency regulations, sabotage, riots, vandalism, labor strikes, or disputes, acts of God, fires, electrical failure, major computer hardware or software failures, equipment delivery delays, acts of third parties, or any other cause, if the delay or interruption in performance is beyond its reasonable control. 

25. Applicant shall indemnify, defend, and hold harmless teo and its representatives, successors and permitted assigns from and against any and all claims or legal actions of whatever kind or nature that are made or threatened by any third party and all related losses, expenses, damages, costs and liabilities, including reasonable attorneys' fees and expenses incurred in investigation, defense or settlement, which arise out of, are alleged to arise out of, or relate to the following: (a) any negligent act or omission or willful misconduct by Applicant, its representatives or any subcontractor engaged by Applicant in the performance of Applicant’s obligations under this Agreement; or (b) any breach in a representation, covenant or obligation of Applicant contained in this Agreement. 

26. In the event any provision of this Agreement is held invalid or unenforceable by any court of competent jurisdiction, that holding will not invalidate or render unenforceable any other provision of this Agreement. 

27. Failure of any party to enforce any of its respective rights or remedies hereunder with respect to any specific act or failure to act of any party will not constitute a waiver of the rights of that party to enforce those rights and remedies with respect to any other or subsequent act or failure to act. 

28. This Agreement, including Exhibits which are expressly incorporated into it, constitutes the entire Agreement between the parties and supersedes and cancels any and all prior agreements between the parties relating to the subject matter. No changes in this Agreement may be made except in writing signed by both parties. A copy of this agreement may be accepted as an original.

29. This agreement shall be governed by and construed under the laws of the State of Michigan. You irrevocably consent to the jurisdiction and venue of the State court located in Oakland County in the state of Michigan, and hereby waive any claim or defense that such forum is not convenient or lacks jurisdiction. Any dispute resulting in legal action must be brought within two (2) years after the believed claim or cause of action arises. 


Exhibits & Addendums

Credit Scoring Agreement 

Client (“End User”) warrants that it has an Agreement for service and an account in good standing with Upsell LLC DBA teo (“teo”) for permissible purpose under the Fair Credit Reporting Act to obtain the information in a Fair Isaac Credit Repository Score(s) (Empirica, FICO, Beacon) and their reason codes. End User certifies that all scores and reason codes whether oral or written shall be maintained by the applicant in strict confidence and disclosed only to employees whose duties reasonably relate to the legitimate business purpose for which the report is requested and will not sell or otherwise distribute to third parties any information received thereunder, except as otherwise required by law.

Unless explicitly authorized in this Agreement or in a separate agreement between Broker and End User, for scores obtained from credit repository, or as explicitly otherwise authorized in advance and in writing by credit repository through teo, End User shall not disclose to consumers or any third party, any or all such scores provided under this Agreement, unless clearly required by law. Reason codes may be utilized to assist in preparing an adverse action (denial letter) to consumer. End User shall comply with all applicable laws and regulations in using the Scores and reason codes.

End User may not use the trademarks, service marks, logos, names, or any other proprietary designations, whether registered or unregistered, of the credit repositories, Fair Isaac and Company, teo, the affiliates of them or of any other party involved in the provision of the Score without such entities’ written consent. End User agrees not, in any manner either directly or indirectly, to discover or reverse engineer any confidential and proprietary criteria developed or used by Credit Repository/Fair Isaac in performing the Credit Repository Score.

Warranty: Credit Repository, Fair Isaac warrants the Credit Repository Score Model is empirically derived and demonstrably and statistically sound and that to the extent the population to which the Credit Repository Score Model was developed, Credit Repository Score Model may be relied upon by teo and/or End Users to rank consumers in order of the risk of unsatisfactory payment such consumers might present to End Users. Credit Repository/Fair Isaac further warrants that so long as it provides the Credit Repository score Model, it will comply with regulations promulgated from time to time pursuant to the Equal Credit Opportunity Act, 15 USC Section 1691 et seq. 


teo and each respective End User’s rights under the foregoing warranty are expressly conditioned upon each respective applicant’s periodic revalidation of the Credit Repository Score Model in compliance with the requirements of Regulation B as it may be amended from time to time (12 CFR section 202 et seq.).

Access Security Requirements and Secondary Use Restrictions and Requirements 

All precautions must be taken to secure any system or device used to access consumer reports, credit risk scores, and other sensitive information. To that end, Client must comply with the following requirements: 

1. Client’s account number and password must be protected in such a way that sensitive information is known only to Authorized Employees. Authorized Employees are employees of Client who have access to Information Services

Under no circumstances are unauthorized persons to have knowledge of your Client’s password or account number. Prior to providing an Authorized Employee with access to any Information Service, Client will provide the Authorized Employee with adequate training regarding these Access Security Requirements, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and other applicable laws, and will require the Authorized Employee to agree to comply with all such requirements and laws (together, “Employee Requirements”). 

2. Any system access software Client uses must have Client’s account number and password "hidden" or embedded so that the password is known only to Authorized Employees. Password files must be encrypted (128-bit encryption or stronger). Each Authorized Employee of Client’s system access software must then be assigned unique log-ons and passwords. 

3. The ability to obtain Information Services must be restricted to Authorized Employees. User IDs and passwords must be deactivated immediately upon an Authorized Employee’s termination or change of job assignment. 

4. Passwords must conform to the following best practices: minimum 8 characters in length; mix of alpha, numeric, and special characters; passwords must expire every 90 days; no re-use of a password for 6 months; no caching of passwords. Client’s passwords are not to be discussed by telephone to any caller, even if the caller claims to be an employee of Upsell LLC DBA teo.

5. Any terminal devices used to obtain Information Services must be placed in a secure location within Client’s facility. Access to the devices must be difficult for unauthorized persons. Any devices/systems used to obtain Information Services must be secured after normal business hours, or when unattended by Authorized Employees.

6. Hard copies and electronic files of Information Services are to be secured within Client’s facility and protected against release or disclosure to unauthorized persons and are to be shredded or destroyed, rendered unreadable, when no longer needed and when it is permitted to do so by applicable law. Electronic files containing Information Services addressed in this agreement must be completely erased or rendered unreadable when no longer needed and when destruction is permitted by applicable law.

7. When processing a consumer credit report, only complete and correct information will be used including the consumer’s full name including suffix (if any), social security number and minimum 24 months address. Credit Reports will not be ordered for employment purposes unless approved in writing by Upsell LLC DBA teo. Client employees are prohibited from obtaining Credit Reports on themselves or any other persons, except in the exercise of their official duties. 

8. The only acceptable electronic media for receiving and/or transmitting Information Services or any part thereof, are via private networks, via secure internet connections (if approved by Upsell LLC DBA teo in writing), or via traditional facsimile. Information Services may not be received and/or transmitted via any non-secure methods including internet e-mail or via non-private facsimile (e.g., facsimile machines located in public venues).

9. If unauthorized access to Credit Data is discovered or suspected, Client shall immediately (within 24 hours of discovery) notify Upsell LLC DBA teo and further undertake all remedial efforts within Client’s power and control to cure such unauthorized access. 

10. In the event Client intends to share with or otherwise disclose consumer reports or credit risk scores (together, “Credit Reports”) to a third party (other than an Authorized Employee, the consumer to whom the report/scores relate, or as otherwise required by law), Client must (a) notify Upsell LLC DBA teo’s Compliance Department in writing prior to such sharing or disclosure, and (b) comply with Upsell LLC DBA teo’s Secondary Use policy which may be modified by Upsell LLC DBA teo from time to time.

11. If employees of Client will be storing Information Services on any portable device such as laptop computers, these devices must utilize full disk encryption and pre-boot authentication to encryption software.


Notice to Users of Consumer Reports: Obligations of users under the FCRA 

All users subject to the Federal Trade Commission’s jurisdiction must comply with all applicable regulations, including regulations promulgated after this notice was prescribed in 2004. Information about applicable regulations currently in effect can be found at the Commission’s Web site. Persons not subject to the Commission’s jurisdiction should consult with their regulators to find any relevant regulations.

The Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Federal Trade Commission's Web site. At the end of this document is a list of United States Code citations for the FCRA. Other information about user duties is also available at the Commission’s Web site. Users must consult the relevant provisions of the FCRA for details about their obligations under the FCRA.

The first section of this summary sets forth the responsibilities imposed by the FCRA on all users of consumer reports. The subsequent sections discuss the duties of users of reports that contain specific types of information, or that are used for certain purposes, and the legal consequences of violations. If you are a furnisher of information to a consumer reporting agency (teo), you have additional obligations and will receive a separate notice from the teo describing your duties as a furnisher. 

I. OBLIGATIONS OF ALL USERS OF CONSUMER REPORTS

A. Users Must Have a Permissible Purpose

Congress has limited the use of consumer reports to protect consumers' privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:

• As ordered by a court or a federal grand jury subpoena. Section 604(a)(1) 

• As instructed by the consumer in writing. Section 604(a)(2) 

• For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer's account. Section 604(a)(3)(A) 

• For employment purposes, including hiring and promotion decisions, where the consumer has given written permission. Sections 604(a)(3)(B) and 604(b)

• For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C) 

• When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i) 

• To review a consumer's account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii) 

• To determine a consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status. Section 604(a)(3)(D) 

• For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E) 

• For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof. Sections 604(a)(4) and 604(a)(5)

In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of "prescreened" information are described in Section VII below.

B. Users Must Provide Certifications

Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (teo) unless the person has certified to the teo the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose. 

C. Users Must Notify Consumers When Adverse Actions Are Taken

The term "adverse action" is defined very broadly by Section 603. "Adverse actions" include all business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined by Section 603(k) of the FCRA, such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.

1. Adverse Actions Based on Information Obtained From a teo

If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be done in writing, orally, or by electronic means. It must include the following:

• The name, address, and telephone number of the teo (including a toll-free telephone number, if it is a nationwide teo) that provided the report. 

• A statement that the teo did not make the adverse decision and is not able to explain why the decision was made. 

• A statement setting forth the consumer's right to obtain a free disclosure of the consumer's file from the teo if the consumer makes a request within 60 days.

• A statement setting forth the consumer's right to dispute directly with the teo the accuracy or completeness of any information provided by the teo.

2. Adverse Actions Based on Information Obtained From Third Parties Who Are Not Consumer Reporting Agencies

If a person denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly upon information from a person other than a teo, and the information is the type of consumer information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification. The user must provide the disclosure within a reasonable period of time following the consumer's written request.

3. Adverse Actions Based on Information Obtained From Affiliates

If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.

D. Users Have Obligations When Fraud and Active Duty Military Alerts are in Files

When a consumer has placed a fraud alert, including one relating to identity theft, or an active duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active duty alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the identity of the applicant or contact the consumer at a telephone number specified by the consumer; in the case of extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in the consumer’s alert.

E. Users Have Obligations When Notified of an Address Discrepancy

Section 605(h) requires nationwide CTIs, as defined in Section 603(p), to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer’s file. When this occurs, users must comply with regulations specifying the procedures to be followed, which will be issued by the Federal Trade Commission and the banking and credit union regulators. The Federal Trade Commission’s regulations will be available at 

F. Users Have Obligations When Disposing of Records Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. The Federal Trade Commission, the Securities and Exchange Commission, and the banking and credit union regulators have issued regulations covering disposal. The Federal Trade Commission’s regulations may be found at 

V. SPECIAL PROCEDURES FOR EMPLOYEE INVESTIGATIONS Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation. 

VI. OBLIGATIONS OF USERS OF MEDICAL INFORMATION Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report or the information must be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except as provided in regulations issued by the banking and credit union regulators) – the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation, or order). 

VII. OBLIGATIONS OF USERS OF "PRESCREENED" LISTS The FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with unsolicited offers of credit or insurance under certain circumstances. Sections 603(l), 604(c), 604(e), and 615(d). This practice is known as "prescreening" and typically involves obtaining from a teo a list of consumers who meet certain pre-established criteria. If any person intends to use prescreened lists, that person must (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance, and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that: 

• Information contained in a consumer's teo file was used in connection with the transaction. 

• The consumer received the offer because he or she satisfied the criteria for credit worthiness or insurability used to screen for the offer. 

• Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on credit worthiness or insurability, or the consumer does not furnish required collateral. 

• The consumer may prohibit the use of information in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the teo that provided the report. The statement must include the address and toll-free telephone number of the appropriate notification system. In addition, once the Federal Trade Commission by rule has established the format, type size, and manner of the disclosure required by Section 615(d), users must be in compliance with the rule. The FTC’s regulations will be at

LIABILITY FOR VIOLATIONS OF THE FCRA Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619. The FTC’s Web site,, has more information about the FCRA, including publications for businesses and the full text of the FCRA. Citations for FCRA sections in the U.S. Code, 15 U.S.C. § 1681 et seq.: 

Section 602 15 U.S.C. 1681, Section 603 15 U.S.C. 1681a, Section 604 15 U.S.C. 1681b, Section 605 15 U.S.C. 1681c, Section 605A 15 U.S.C. 1681cA, Section 605B 15 U.S.C. 1681cB, Section 606 15 U.S.C. 1681d, Section 607 15 U.S.C. 1681e, Section 608 15 U.S.C. 1681f, Section 609 15 U.S.C. 1681g, Section 610 15 U.S.C. 1681h, Section 611 15 U.S.C. 1681i, Section 612 15 U.S.C. 1681j, Section 613 15 U.S.C. 1681k, Section 614 15 U.S.C. 1681l, Section 615 15 U.S.C. 1681m, Section 616 15 U.S.C. 1681n, Section 617 15 U.S.C. 1681o, Section 618 15 U.S.C. 1681p, Section 619 15 U.S.C. 1681q, Section 620 15 U.S.C. 1681r, Section 621 15 U.S.C. 1681s, Section 622 15 U.S.C. 1681s-1, Section 623 15 U.S.C. 1681s-2, Section 624 15 U.S.C. 1681t, Section 625 15 U.S.C. 1681u, Section 626 15 U.S.C. 1681v, Section 627 15 U.S.C. 1681w, Section 628 15 U.S.C. 1681x, Section 629 15 U.S.C. 1681y

Experian Requirements 

Customer, in order to receive consumer credit information from Experian Information Solutions, Inc, agrees to comply with the following conditions required by Experian, which may be in addition to those outlined in the Customer Service Agreement (“Agreement”), of which these conditions are made a part. Customer understands and agrees that Experian’s delivery of information to Customer via teo is specifically conditioned upon Customer’s agreement with the provisions set forth in this Agreement. Customer understands and agrees that these requirements pertain to all of its employees, managers and owners and that all persons having access to Experian credit information, whether existing or future employees, will be trained to understand and comply with these obligations. 

1. Customer hereby agrees to comply with all current and future policies and procedures instituted by teo and required by Experian. teo will give Customer as much notice as possible prior to the effective date of any such new policies required in the future, but does not guarantee that reasonable notice will be possible. Customer may terminate this agreement at any time after notification of a change in policy in the event Customer deems such compliance as not within its best interest. 

2. Customer agrees that Experian shall have the right to audit records of Customer that are relevant to the provision of services set forth in this Agreement and to verify, through audit or otherwise, that Customer is in compliance with applicable law and the provisions of this Agreement and is in fact the end user of the credit information with no intention to resell or otherwise provide or transfer the credit information in whole or in part to any other person or entity. Customer authorizes teo to provide to Experian, upon Experian’s request, all materials and information relating to its investigations of Customer. Customer further agrees that it will respond within the requested time frame indicated for information requested by Experian regarding Experian consumer credit information. Customer understands that Experian may require teo to suspend or terminate access to Experian information in the event Customer does not cooperate with any such investigation or in the event Customer is not in compliance with applicable law or this Agreement. Customer shall remain responsible for the payment for any services provided to Customer by teo prior to any such discontinuance.

3. Customer certifies that it is not a reseller of the information, a private detective agency, bail bondsman, attorney, credit counseling firm, financial counseling firm, credit repair clinic, pawn shop (except companies that do only Title pawn), check cashing company, genealogical or heir research firm, dating service, massage or tattoo service, asset location service, a company engaged in selling future services (health clubs, etc.), news agency, business that operates out of an apartment or a residence, an individual seeking information for his private use, an adult entertainment service of any kind, a company that locates missing children, a company that handles third party repossession, a company seeking information in connection with time shares or subscriptions, a company or individual involved in spiritual counseling or a person or entity that is not an end-user or decision-maker, unless approved in writing by Experian. Customer further certifies that Experian data may only be used for the permissible purpose stated in the agreement, and any/all fraud products will only be used to protect against fraud. 

4. Customer agrees that it will maintain proper access security procedures consistent with industry standards and that if a data breach occurs or is suspected to have occurred in which Experian information is compromised or is potentially compromised, Customer will take the following action: a. Customer will notify teo within 24 hours of a discovery of a breach of the security of consumer reporting data if the personal information of consumers was, or is reasonably believed to have been, acquired by an unauthorized person. Further, Customer will actively cooperate with and participate in any investigation conducted by teo or Experian that results from Customer’s breach of Experian consumer credit information. b. In the event that Experian determines that the breach was within the control of Customer, Customer will provide notification to affected consumers that their personally sensitive information has been or may have been compromised. Experian will have control over the nature and timing of the consumer correspondence related to the breach when Experian information is involved. c. In such event, Customer will provide to each affected or potentially affected consumer, credit history monitoring services for a minimum of one (1) year, in which the consumer’s credit history is monitored and the consumer receives daily notification of changes that may indicate fraud or ID theft, from at least one (1) national consumer credit reporting bureau. d. Customer understands and agrees that if the root cause of the breach is determined by Experian to be under the control of the Customer (i.e., employee fraud, misconduct or abuse; access by an unqualified or improperly qualified user; improperly secured website, etc.), Customer may be assessed an expense recovery fee. 

Experian Access Security Requirements 

The following information security controls are required to reduce unauthorized access to consumer information. It is your (company provided access to Experian systems or data, referred to as the “Company”) responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to get an outside service provider to assist you. Experian reserves the right to make changes to these Access Security Requirements without prior notification. The information provided herewith provides minimum baselines for information security. 

In accessing Experian’s services, Company agrees to follow these security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store Experian data: 

1. Implement Strong Access Control Measures

1.1 All credentials such as User names/identifiers (user IDs) and user passwords must be kept confidential and must not be disclosed to an unauthorized party. No one from Experian or Upsell LLC DBA teo will ever contact you and request your credentials.

1.2 If using a third party or proprietary system to access Experian’s systems, ensure that the access is preceded by authenticating users to the application and/or system (e.g. application based authentication, Active Directory, etc.) utilized for accessing Experian data/systems.

1.3 If the third party or third party software or proprietary system or software, used to access Experian data/systems, is replaced or no longer in use, the passwords should be changed immediately.

1.4 Create a unique user ID for each user to enable individual authentication and accountability for access to Experian’s infrastructure. Each user of the system access software must also have a unique logon password.

1.5 User IDs and passwords shall only be assigned to authorized individuals based on least privilege necessary to perform job responsibilities.

1.6 User IDs and passwords must not be shared, posted, or otherwise divulged in any manner.

1.7 Develop strong passwords that are:

• Not easily guessable (i.e. your name or company name, repeating numbers and letters or consecutive numbers and letters)

• Contain a minimum of eight (8) alphabetic and numeric characters for standard user accounts

• For interactive sessions (i.e. non system-to-system) ensure that passwords are changed periodically (every 90 days is recommended)

1.8 Passwords (e.g. subscriber code passwords, user password) must be changed immediately when:

• Any system access software is replaced by another system access software or is no longer used

• The hardware on which the software resides is upgraded, changed or disposed

• Any suspicion of password being disclosed to an unauthorized party (see section 4.3 for reporting requirements)

1.9 Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm also known as “one-way” encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES 256 or above).

1.10 Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.

1.11 Active logins to credit information systems must be configured with a 30 minute inactive session timeout.

1.12 Ensure that personnel who are authorized access to credit information have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the Permissible Purpose Information section of the membership application.

1.13 Company must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store Experian data.

1.14 Ensure that Company employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for another permissible purpose.

1.15 Implement a process to terminate access rights immediately for users who access Experian credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information.

1.16 Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.

1.17 Implement a process to periodically review user activities and account usage, ensure the user activities are consistent with the individual job responsibility, business need, and in line with contractual obligations.

1.18 Implement physical security controls to prevent unauthorized entry to Company’s facility and access to systems used to obtain credit information. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.

2. Maintain a Vulnerability Management Program 

2.1 Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops) and all other systems current with appropriate system patches and updates.

2.2 Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers (laptops and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, and removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks. 2.3 Implement and follow current best security practices for computer virus detection scanning services and procedures: 

• Use, implement and maintain a current, commercially available anti-virus software on all systems, if applicable anti-virus technology exists. Anti-virus software deployed must be capable of detecting, removing, and protecting against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.

• Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.

• If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated. 

3. Protect Data 

3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.).

3.2 Experian data is classified Confidential and must be secured in accordance with the requirements mentioned in this document at a minimum.

3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.

3.4 Encrypt all Experian data and information when stored electronically on any system including but not limited to laptops, tablets, personal computers, servers, databases using strong encryption such as AES 256 or above.

3.5 Experian data must not be stored locally on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.

3.6 When using smart tablets or smart phones to access Experian data, ensure that such devices are protected via device pass-code.

3.7 Applications utilized to access Experian data via smart tablets or smart phones must protect data while in transmission such as SSL protection and/or use of VPN, etc.

3.8 Only open email attachments and links from trusted sources and after verifying legitimacy.

3.9 When no longer in use, ensure that hard-copy materials containing Experian data are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.

3.10 When no longer in use, electronic media containing Experian data is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).

4. Maintain an Information Security Policy 

4.1 Develop and follow a security plan to protect the confidentiality and integrity of personal consumer information as required under the GLB Safeguards Rule. 4.2 Suitable to complexity and size of the organization, establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and regulations. 4.3 Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. If you believe Experian data may have been compromised, immediately notify Upsell LLC DBA teo within twenty-four (24) hours or per agreed contractual notification timeline (See also Section 8). 


4.4 The FACTA Disposal Rules require that Company implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.

4.5 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security in the organization.

4.6 When using third party service providers (e.g. application service providers) to access, transmit, store or process Experian data, ensure that the service provider is compliant with the Experian Independent Third Party Assessment (EI3PA) program, and registered in the Experian list of compliant service providers. If the service provider is in the process of becoming compliant, it is Company’s responsibility to ensure the service provider is engaged with Experian and an exception is granted in writing. Approved certifications in lieu of EI3PA can be found in the Glossary section.

5. Build and Maintain a Secure Network 

5.1 Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices. 5.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used. 5.3 Administrative access to firewalls and servers must be performed through a secure internal wired connection only. 5.4 Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic. 5.5 Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults. 5.6 For wireless networks connected to or used for accessing or transmission of Experian data, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks. 5.7 When using service providers (e.g. software providers) to access Experian systems, access to third party tools/services must require multi-factor authentication. 

6. Regularly Monitor and Test Networks 

6.1 Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in 15 days, etc.) 6.2 Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit Experian data; establish a process for linking all access to such systems and applications. Ensure that security policies and procedures are in place to review security logs on daily or weekly basis and that follow-up to exceptions is required. 6.3 Use current best practices to protect telecommunications systems and any computer system or network device(s) used to provide Services hereunder to access Experian systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by: 

• protecting against intrusions; 

• securing the computer systems and network devices; and

• protecting against intrusions of operating systems or software.

7. Mobile and Cloud Technology 

7.1 Storing Experian data on mobile devices is prohibited. Any exceptions must be obtained from Experian in writing; additional security requirements will apply. 7.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks. 

Confidential – All Rights Reserved – Upsell LLC DBA teo – 2019 1407 N Batavia St #201 Orange CA 92865 – (844) 217-5633 F (888) 313-5589 


7.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated. 7.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other. 7.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Experian data to be exchanged between secured and non-secured applications on the mobile device. 7.6 In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Experian data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application. 7.7 When using cloud providers to access, transmit, store, or process Experian data ensure that: 

• Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations 

• Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by Experian:

o ISO 27001

o PCI DSS

o EI3PA

o SSAE 16 – SOC 2 or SOC3

o FISMA

o CAI / CCM assessment

8. General 

8.1 Experian may from time to time audit the security mechanisms Company maintains to safeguard access to Experian information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices.

8.2 In cases where the Company is accessing Experian information and systems via third party software, the Company agrees to make available to Experian upon request, audit trail information and management reports generated by the vendor software, regarding Company individual Authorized Users.

8.3 Company shall be responsible for and ensure that third party software, which accesses Experian information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use.

8.4 Company shall conduct software development (for software which accesses Experian information systems; this applies to both in-house or outsourced software development) based on the following requirements:

8.4.1 Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks.

8.4.2 Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.

8.4.3 Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.

8.5 Reasonable access to audit trail reports of systems utilized to access Experian systems shall be made available to Experian upon request, for example during breach investigation or while performing audits.

8.6 Data requests from Company to Experian must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable.

8.7 Company shall report actual security violations or incidents that impact Experian to Experian within twenty-four (24) hours or per agreed contractual notification timeline. Company agrees to provide notice to Experian of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred at 800-295-4305, Email notification will be sent to [email protected] .

8.8 Company acknowledges and agrees that the Company (a) has received a copy of these requirements, (b) has read and understands Company’s obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all employees that shall have access to Experian services, systems or data, and (d) will abide by the provisions of these requirements when accessing Experian data.

8.9 Company understands that its use of Experian networking and computing resources may be monitored and audited by Experian, without further notice.

8.10 Company acknowledges and agrees that it is responsible for all activities of its employees/Authorized users, and for assuring that mechanisms to access Experian services or data are secure and in compliance with its membership agreement.

8.11 When using third party service providers to access, transmit, or store Experian data, additional documentation may be required by Experian.

Record Retention: The Federal Equal Credit Opportunity Act states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, Experian requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a consumer complaint that your company impermissibly accessed their credit report, Experian will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract. 

“Under Section 621 (a) (2) (A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $3,500 per violation.” 

Internet Delivery Security Requirements In addition to the above, following requirements apply where Company and their employees or an authorized agent/s acting on behalf of the Company are provided access to Experian provided services via Internet (“Internet Access”). 

General requirements:

1. The Company shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with Experian on systems access related matters. The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to Experian provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions.

2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each Experian product based upon the legitimate business needs of each employee. Experian shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.

3. Unless automated means become available, the Company shall request employee's (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by Experian. Those employees approved by the Head Security Designate or Security Designate for Internet access ("Authorized Users") will be individually assigned unique access identification accounts ("User ID") and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). Experian's approval of requests for (Internet) access may be granted or withheld in its sole discretion. Experian may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.

4. An officer of the Company agrees to notify Upsell LLC DBA teo in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.

Roles and Responsibilities

1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with Experian on systems access related matters. This individual shall be identified as the "Head Security Designate." The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with Experian on information and product access, in accordance with these Experian Access Security Requirements. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to Experian's systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to Upsell LLC DBA teo immediately.

2. As a Client to Experian's products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company.

3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to Experian product access control (e.g. request to add/change/remove access). The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with Experian's Security Administration group on information and product access matters.

4. The Head Designate shall be responsible for notifying their corresponding Experian representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity.

Designate

1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users.

2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.).

3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User's job responsibilities.

4. Is responsible for ensuring that Company’s Authorized Users are authorized to access Experian products and services.

5. Must disable Authorized User ID if it becomes compromised or if the Authorized User's employment is terminated by Company.

6. Must immediately report any suspicious or questionable activity to Experian regarding access to Experian's products and services.

7. Shall immediately report changes in their Head Security Designate's status (e.g. transfer or termination) to Experian.

8. Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized Users.

9. Shall be available to interact with Experian when needed on any system or user related matters.

Acknowledge that many services containing Experian information also contain information from the Death Master File as issued by the Social Security Administration (“DMF”); certify pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102 that, consistent with its applicable FCRA or GLB use of Experian information, the client’s use of deceased flags or other indicia within the Experian information is restricted to legitimate fraud prevention or business purposes in compliance with applicable laws, rules regulations, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1); and certify that the client will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other indicia within the Experian information. 

Certify that the client shall implement and maintain a comprehensive information security program written in one or more readily accessible parts and that contains administrative, technical, and physical safeguards that are appropriate to the client’s size and complexity, the nature and scope of its activities, and the sensitivity of the information provided to the client by Reseller; and that such safeguards shall include the elements set forth in 16 C.F.R. § 314.4 and shall be reasonably designed to (i) insure the security and confidentiality of the information provided by Reseller, (ii) protect against any anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer.

Certify that the client is the end user and will not further sell the information. 


Computer Virus - A Computer Virus is a self-replicating computer program that alters the way a computer operates, without the knowledge of the user. A true virus replicates and executes itself. While viruses can be destructive by destroying data, for example, some viruses are benign or merely annoying. 

Confidential - Very sensitive information. Disclosure could adversely impact your company. 

Encryption - Encryption is the process of obscuring information to make it unreadable without special knowledge. 

Firewall - In computer science, a Firewall is a piece of hardware and/or software which functions in a networked environment to prevent unauthorized external access and some communications forbidden by the security policy, analogous to the function of Firewalls in building construction. The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

Information Lifecycle - (Or Data Lifecycle) is a management program that considers the value of the information being stored over a period of time, the cost of its storage, its need for availability for use by authorized users, and the period of time for which it must be retained.

IP Address - A unique number that devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). All participating network devices - including routers, computers, time-servers, printers, Internet fax machines, and some telephones - must have their own unique IP address. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. It is important to keep your IP address secure as hackers can gain control of your devices and possibly launch an attack on other devices.

Peer-to-Peer - A type of communication found in a system that uses layered protocols. Peer-to-Peer networking is the protocol often used for reproducing and distributing music without permission. 

Router - A Router is a computer networking device that forwards data packets across a network via routing. A Router acts as a junction between two or more networks transferring data packets. 

Spyware - Spyware refers to a broad category of malicious software designed to intercept or take partial control of a computer's operation without the consent of that machine's owner or user. In simpler terms, spyware is a type of program that watches what users do with their computer and then sends that information over the internet. 

Experian Independent Third Party Assessment Program - The Experian Independent 3rd Party Assessment is an annual assessment of an Experian Reseller’s ability to protect the information they purchase from Experian. EI3PA℠ requires an evaluation of a Reseller’s information security by an independent assessor, based on requirements provided by Experian. EI3PA℠ also establishes quarterly scans of networks for vulnerabilities.

ISO 27001/27002 - ISO 27001 is the specification for an ISMS, an Information Security Management System (it replaced the old BS7799-2 standard). The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.

Vermont Statute 

Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (1999)

§ 2480e. Consumer consent

(a) A person shall not obtain the credit report of a consumer unless: (1) the report is obtained in response to the order of a court having jurisdiction to issue such an order; or (2) the person has secured the consent of the consumer, and the report is used for the purpose consented to by the consumer.

(b) Credit reporting agencies shall adopt reasonable procedures to assure maximum possible compliance with subsection (a) of this section. 

(c) Nothing in this section shall be construed to affect: (1) the ability of a person who has secured the consent of the consumer pursuant to subdivision (a)(2) of this section to include in his or her request to the consumer permission to also obtain credit reports, in connection with the same transaction or extension of credit, for the purpose of reviewing the account, increasing the credit line on the account, for the purpose of taking collection action on the account, or for other legitimate purposes associated with the account; and (2) the use of credit information for the purpose of prescreening, as defined and permitted from time to time by the Federal Trade Commission.


(a) A person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing if the consumer has made a written application or written request for credit, insurance, employment, housing or governmental benefit. If the consumer has applied for or requested credit, insurance, employment, housing or governmental benefit in a manner other than in writing, then the person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing or in the same manner in which the consumer made the application or request. The terms of this rule apply whether the consumer or the person required to obtain consumer consent initiates the transaction. 

(b) Consumer consent required pursuant to 9 V.S.A. §§ 2480e and 2480g shall be deemed to have been obtained in writing if, after a clear and adequate written disclosure of the circumstances under which a credit report or credit reports may be obtained and the purposes for which the credit report or credit reports may be obtained, the consumer indicates his or her consent by providing his or her signature.

(c) The fact that a clear and adequate written consent form is signed by the consumer after the consumer's credit report has been obtained pursuant to some other form of consent shall not affect the validity of the earlier consent.

California End User 

END USER CERTIFICATION OF COMPLIANCE California Civil Code • Section 1785.14(a)

Section 1785.14(a), as amended, states that a consumer credit reporting agency does not have reasonable grounds for believing that a consumer credit report will only be used for a permissible purpose unless all of the following requirements are met: 

Section 1785.14(a)(1) states: “If a prospective user is a retail seller, as defined in Section 1802.3, and intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted in person, the consumer credit reporting agency shall, with a reasonable degree of certainty, match at least three categories of identifying information within the file maintained by the consumer credit reporting agency on the consumer with the information provided to the consumer credit reporting agency by the retail seller. The categories of identifying information may include, but are not limited to, first and last name, month and date of birth, driver’s license number, place of employment, current residence address, previous residence address, or social security number. The categories of information shall not include mother’s maiden name.”

Section 1785.14(a)(2) states: “If the prospective user is a retail seller, as defined in Section 1802.3, and intends to issue credit to a consumer who appears in person on the basis of an application for credit submitted in person, the retail seller must certify, in writing, to the consumer credit reporting agency that it instructs its employees and agents to inspect a photo identification of the consumer at the time the application was submitted in person. This paragraph does not apply to an application for credit submitted by mail.” 

Section 1785.14(a)(3) states: “If the prospective user intends to extend credit by mail pursuant to a solicitation by mail, the extension of credit shall be mailed to the same address as on the solicitation unless the prospective user verifies any address change by, among other methods, contacting the person to whom the extension of credit will be mailed.”

In compliance with Section 1785.14(a) of the California Civil Code, End User hereby certifies to Consumer Reporting Agency as follows:

End User is not a retail seller, as defined in Section 1802.3 of the California Civil Code (“Retail Seller”) and issues credit to consumers who appear in person on the basis of applications for credit submitted in person (“Point of Sale”). End User also certifies that if End User is a Retail Seller who conducts Point of Sale transactions, End User will, beginning on or before July 1, 1998, instruct its employees and agents to inspect a photo identification of the consumer at the time an application is submitted in person.

End User also certifies that it will only use the appropriate End User code number designated by Consumer Reporting Agency for accessing consumer reports for California Point of Sale transactions conducted by Retail Seller. 

If End User is not a Retail Seller who issues credit in Point of Sale transactions, End User agrees that if it, at any time hereafter, becomes a Retail Seller who extends credit in Point of Sale transactions, End User shall provide written notice of such to Consumer Reporting Agency prior to using credit reports with Point of Sale transactions as a Retail Seller, and shall comply with the requirements of a Retail Seller conducting Point of Sale transactions, as provided in this certification. 

Disposal of Consumer Information 

As used herein, the term “Consumer Information” shall mean any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer Information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.

“Dispose,” “disposing,” or “disposal” means: (1) The discarding or abandonment of consumer information, or (2) The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. 

Proper Disposal of Consumer Information 

(a) Standard. Any person who maintains Consumer Information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. 

(b) Examples. Reasonable measures to protect against unauthorized access to or use of Consumer Information in connection with its disposal include the following examples: 

(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed. 

(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed. 

(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. 

(4) For persons who maintain consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (b)(1) and (2) of this section.

Copyright 2019 UpSell LLC DBA RevStack, Teo, HelloMya & Subsidiaries