Additional Terms Governing Income Verification Services and Identity Verification Services

A. Compliance Review.

Prior to Licensee receiving access to or use of the Income Verification Services or Identity Verification Services, Licensee must successfully complete a qualification process, which will include: (i) supplying RealPage with information reasonably required to identify the property that will access or use the Services and/or Licensee; and (ii) a physical site inspection, conducted by a third party, of the location where the results of the Services will be reviewed. Licensee agrees to cooperate fully with RealPage and Plaid in any periodic reviews, audits, or investigations (“Reviews”) of Licensee to verify its ongoing qualification, uses of the Information and compliance with its obligations under these terms and applicable law. Upon request from RealPage or Plaid, Licensee agrees to supply documents to verify ownership of rental units, business and professional licenses, applications and supplementary application materials, and any other documents reasonably requested by RealPage or Plaid to verify the matters in the foregoing sentence. Such Reviews will be performed during Licensee’s regular business hours and in a manner that minimizes, to the extent practicable, disruption of its business operations.

B. Income Verification Services.

The following provisions (the “Income Verification Terms”) set out terms and conditions in connection with the Income Verification Services.

1. Restrictions.

Unless Plaid specifically agrees in writing, Licensee will not, and will not enable or assist any third-party to: (i) attempt to reverse engineer (except as permitted by law), decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, or algorithms of the Plaid income verification services described at https://www.plaid.com (the “Income Verification Services” or “IV Services”); (ii) modify, translate, or create derivative works based on the IV Services; (iii) make the IV Services or information and data of Licensee’s end users (such businesses and consumers, the “End Users”) provided to Licensee via the IV Services (such information and data, the “Output”) (or any derivative work thereof) available to, or use the IV Services or Output (or any derivative work thereof) for the benefit of, anyone other than Licensee or End Users; (iv) sell, resell, license, sublicense, distribute, rent or lease any IV Services or Output to any third-party, or include any IV Services or Output (or any derivative work thereof) in a service bureau, time-sharing, or equivalent offering; (v) publicly disseminate information from any source regarding the performance of the IV Services or Output; or (vi) attempt to create a substitute or similar service through use of, or access to, the IV Services or Output. Licensee will use the IV Services and Output only in compliance with (a) the Licensee application, use case, and the terms of the Master Agreement and any product-specific exhibit, addendum, or other document governed by these Income Verification Terms, (b) the Plaid developer policies (available at https://www.plaid.com/legal), (c) Plaid’s applicable technical user documentation (available at https://www.plaid.com/docs), and (d) any agreements between Licensee and End Users (for clarity, including any privacy policy or statement). Notwithstanding anything to the contrary, the Licensee accepts and assumes all responsibility for complying with all applicable laws and regulations in connection with all of Licensee’s activities involving any IV Services, Output, or End User data. Except as set forth in any product-specific exhibit, addendum, or other document attached to these Income Verification Terms, the parties acknowledge that Plaid retrieves End User data for the IV Services (including Output) from End Users’ financial accounts on behalf, and with the authorization, of such End Users and transmits such IV Services (including Output) to RealPage and/or Licensee (via RealPage) at End Users’ request, and accordingly, Licensee will not (a) make any representation or other statement to any third party, including to End Users, that Plaid is a “consumer reporting agency,” issues or creates a “consumer report,” or is a “furnisher” of information to “consumer reporting agencies,” or that the IV Services (including Output) is a “consumer report,” in each case, as such terms are defined in the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., its implementing regulations (12 C.F.R. 1022), or analogous state laws (collectively the “FCRA”) or (b) use any IV Services or Output as, or in a manner that would cause them to be deemed, a “consumer report”; provided that, for clarity, this clause (b) does not prohibit Licensee from using solely “Assets” and “Income and Employment” Services and associated Output in connection with verification and decisioning use cases permitted by Plaid in writing such as employment verification, tenant screening, pre-screening or firm offers of credit, eligibility determination, or extension of credit by RealPage or Licensee to End Users. Notwithstanding anything to the contrary, Licensee will be bound by and will only use the IV Services or Output in compliance with the terms and conditions set forth herein.

2. Privacy and Authorizations.

Plaid and Licensee each warrant that it will provide all notices, and obtain all consents, required under applicable law for such party to process End User data in accordance with these Income Verification Terms. Neither party will knowingly (i) make representations or other statements in its privacy policy with respect to End User data that are contrary to or otherwise inconsistent with the other’s privacy policy or (ii) interfere with any independent efforts by the other party to provide End User notice or obtain End User consent. Without limiting the generality of the foregoing, Licensee will not prevent Plaid from presenting End Users with Plaid’s “Plaid Link” interface or from otherwise presenting a link to Plaid’s privacy policy (currently available at http://www.plaid.com/privacy) before End Users engage with the Licensee services in a manner that uses or otherwise implicates the Services.

3. WARRANTY; DISCLAIMER; ENFORCEMENT.

THE IV SERVICES ARE PROVIDED “AS IS.” TO THE FULLEST EXTENT PERMITTED BY LAW, NEITHER PLAID NOR ITS AFFILIATES, SUPPLIERS, LICENSORS, AND DISTRIBUTORS MAKE ANY WARRANTY OF ANY KIND, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR ANY WARRANTY THAT THE IV SERVICES ARE FREE FROM DEFECTS. PLAID DOES NOT MAKE ANY WARRANTY AS TO THE OUTPUT THAT MAY BE OBTAINED FROM USE OF THE IV SERVICES. PLAID WILL BE AN INTENDED THIRD-PARTY BENEFICIARY OF THE AGREEMENT BETWEEN REALPAGE AND LICENSEE AND MAY DIRECTLY ENFORCE SUCH AGREEMENT AGAINST LICENSEE, WITHOUT REALPAGE’S CONSENT OR PARTICIPATION, BUT SOLELY RELATING TO THE OUTPUT OR IV SERVICES PROVIDED BY PLAID TO REALPAGE OR LICENSEE.

4. FI Data.

Through the RealPage Product Centers or Plaid Services, Licensee may have access to information about or of End Users provided to Plaid by a bank, financial institution, or other financial data source (each, as designated by Plaid, “FI”, and such information, the “FI Data”).

1. Licensee Obligations.
   1. End User Consents. Licensee will provide all notices and obtain all express consents from each End User as required under applicable laws in connection with Licensee’s use, storage, and other processing of any FI Data (such notices and consents, the “Express Consents”). Express Consents will be clear and conspicuous and will generally specify the categories of FI Data that Licensee will receive and how Licensee will use, store, and otherwise process it, in addition to any other required disclosures under applicable laws. Licensee will maintain records (which may include technical logs, screenshots, versions of Express Consents obtained) to demonstrate its compliance with this Section 4(i)(a) and will promptly provide such records to Plaid upon request.
   2. Scope of Access. Licensee will only access FI Data for which it has obtained Express Consents from the End User for the use case reviewed and permitted by Plaid in writing that is consented to by the applicable End User (such use case, the “Permitted Use Case”). Key factors Plaid will consider during its review include whether the use case is appropriate and useful to provide the End User with the Licensee application that the End User has enrolled in, whether the Licensee application provides a direct benefit to the End User, and whether the use case directly supports the development of new or improved product features for the benefit of End Users, and the jurisdiction(s) in which the Licensee operates and/or stores FI Data. If Licensee possesses FI Data that exceeds the scope of the End User’s Express Consents, Licensee will use industry-standard means to permanently and securely delete (“Delete”) such FI Data. Plaid has reviewed and approved RealPage’s use case:
      • RealPage will use Plaid’s "Income" endpoint to enable Licensees to verify End Users’ income and employment in connection with Licensee’s lease or guarantor application decisions. Subject to these Income Verification Terms, RealPage will use and store data from Plaid’s income endpoint into RealPage-owned platforms accessed by Licensees to perform these verifications and validations. RealPage will provide Plaid with prior notice of, and Plaid will have the right to reject, any proposed use cases of the Plaid Services and Plaid-Provided Data that fall outside of the scope defined in the foregoing sentence.
   3. Data Use. Licensee will use, store, and otherwise process FI Data solely in accordance with the End User’s Express Consents and applicable laws.
   4. Data Disclosure. Licensee will not disclose, transfer, syndicate or distribute FI Data to any third party (including its employees, agents, contractors, and service providers accessing or using the IV Services on Licensee’s behalf) (“Data Sharing”) except in each case with the End User’s Express Consents and in accordance with applicable laws. Notwithstanding anything to the contrary, Licensee will not sell FI Data.
   5. Data Deletion. Licensee will promptly Delete any FI Data upon request by the applicable End User and acknowledges and agrees that RealPage may do the same in response to requests made to RealPage by End Users; provided that each may retain copies of the FI Data solely to the extent required by applicable laws.
   6. No Attribution. Licensee will not charge End Users any fees attributable to an FI for (a) access to its FI Data or (b) use of End User’s account with an FI in connection with the Licensee application. In addition, Licensee will not publicize its receipt of FI Data from specific FIs under the Master Agreement or this Section 4 (FI Data).
   7. No Other Access. Licensee will only access FI Data through the IV Services or another manner that uses the FI’s authorized APIs. Licensee will not “screen scrape” data from FIs or collect an End User’s log-on credentials for FI accounts and will not otherwise knowingly obtain from a third party FI Data that was originally sourced through screen scraping. Licensee will immediately Delete any such End User log-on credentials in its possession. Licensee will maintain records to demonstrate compliance with this Section 4(i)(g) and will provide them to Plaid upon request.
   8. Compliance with Laws. Licensee will comply with all applicable privacy, security, and other laws, including, as applicable, the Gramm-Leach-Bliley Act, the California Consumer Privacy Act, and all other laws relating to FI Data. Licensee will not use, store, disclose, or otherwise process any FI Data for any purpose not permitted under applicable laws.
   9. Information Security Program. Licensee will maintain a comprehensive written information security program approved by its senior management (“Infosec Program”). The Infosec Program will include administrative, technical, and physical measures designed to: (a) ensure the security of FI Data, (b) protect against unauthorized access to or use of FI Data and anticipated threats and hazards to FI Data and (c) ensure the proper disposal of FI Data. The Infosec Program will be appropriate to Licensee’s risk profile and activities, the nature of the Licensee application, and the nature of the FI Data received by Licensee. In any event, the Infosec Program will meet or exceed applicable control objectives captured in industry standards and best practices such as AICPA Trust Service Criteria for Security, NIST 800-53, or ISO 27002 and will comply with applicable laws. Licensee will use up-to-date antivirus software and anti-malware tools designed to prevent viruses, malware, and other malicious code in the Licensee application or on Licensee’s systems.
   10. Security Breach Obligations. Licensee will promptly notify Plaid (and in no event after more than 24 hours) upon becoming aware of any Security Breach via an email to security@plaid.com (with a copy to legalnotices@plaid.com), providing a description of all known facts, the types of End Users affected, and any other information that Plaid may reasonably request. Licensee will reasonably cooperate with Plaid in investigating and remediating Security Breaches. Licensee will be responsible for the costs of investigating, mitigating, and remediating the Security Breach, including costs of credit monitoring, call centers, support, and other customary or legally required remediation. “Security Breach” means any event that compromises the Licensee application or Licensee’s systems or that does or reasonably could compromise the security, integrity or confidentiality of FI Data or result in its unauthorized use, disclosure, or loss. For clarity, (i) the definition of “Security Breach” is not intended to include inconsequential incidents that occur on a daily basis such as scans, pings, or other unsuccessful attempts to penetrate computer networks or systems; and (ii) Licensee’s obligations in this section do not apply to the extent the Plaid Services fail to operate in material compliance with Plaid’s technical documentation available on Plaid’s website or if the Security Breach is directly caused by a compromise of the Plaid Services or Plaid systems or facilities owned or operated by Plaid in providing such Plaid Services.
   11. FI Confidential Information. If Plaid discloses to Licensee any confidential or proprietary materials of an FI (such materials, “FI Confidential Information”), such materials will be subject to the same obligations that apply to RealPage’s Confidential Information under the Master Agreement, which will in no event be less protective of such information than a reasonable standard of care. FI Confidential Information will also be subject to the same obligations as FI Data under this Section (i) (Licensee Obligations) of this Section 4 (FI Data).
   12. Oversight and Cooperation. Towards assessing Licensee’s material compliance with this Section 4(i), Licensee will promptly provide all reasonably necessary information and cooperation requested by Plaid, an FI, or any entity with examination, supervision, or other legal or regulatory authority over Plaid or an FI. In the event that Plaid has a good faith reason to believe that Licensee is not in material compliance with this Section 4 (FI Data), Plaid will notify Licensee and, at Plaid’s option, Licensee will promptly provide sufficient documentation to demonstrate such material compliance or submit to a third-party audit by a firm selected from a mutually-approved list of audit firms at Plaid’s expense (provided that Licensee will reimburse reasonable and actual out-of-pocket costs of such audit incurred by Plaid if the conclusion of such audit confirms Licensee’s material non-compliance) to verify such compliance. Plaid and FIs may also conduct operational assessments of Licensee, which will be subject to advance notice and will not occur more than once per year unless legally required and materially different in scope from a preceding audit.
   13. Information Sharing. Where required by an FI and to the extent relevant to an Licensee’s access or use of FI Data from that FI, Plaid may share with such FI certain information related to Licensee’s compliance with this Section 4 (FI Data), including with respect to Licensee’s Infosec Program, provided that such information Plaid shares with FI shall be treated in the same manner it treats Plaid confidential information after Plaid has entered into a written agreement with FI containing terms of confidentiality at least as stringent and protective as those in these Income Verification Terms, but in any event no less than reasonable care.
   14. Insurance. Licensee will maintain insurance coverage appropriate to Licensee’s risk profile and activities, the nature of the Licensee application, and the nature of the FI Data received by Licensee; provided that such coverage will be no less than industry standard and will include cybersecurity liability insurance.
   15. Access Frequency. The parties acknowledge that as of the Effective Date, no guidelines regarding Licensee’s frequency of “batch” pulls of End User Data (such guidelines, the “Guidelines”) apply to Plaid Licensees. Notwithstanding the foregoing, (i) Licensee will comply with any Guidelines provided in writing by Plaid; and (ii) Plaid may enforce such guidelines in accordance with its standard practices, which may include throttling, suspension, or termination of Licensee’s access.
   16. Additional FCRA Requirements. The FCRA and analogous state laws regulate the operations of consumer credit reporting agencies and apply to customers receiving Income Verification Services, such as Licensee and its third party property manager (“Manager”) (if any), as users of FI Data about consumers. The FCRA may be found at https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf. Licensee and Manager (if any) shall review and become familiar with FCRA, paying particular attention to at least the following (non-exhaustive list of) sections, which apply to Licensee and Manager (if any) as users of FI Data:
       • 604. Permissible Purposes of Reports;
       • 607. Compliance Procedures;
       • 615. Requirement on Users of Consumer Reports
       • 616. Civil Liability for Willful Noncompliance;
       • 617. Civil Liability for Negligent Noncompliance;
       • 619. Obtaining Information under False Pretenses;
       • 621. Administrative Enforcement;
       • 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies
       In addition, a copy of the Notice to Users of Consumer Reports: Obligations of Users Under the FCRA (“Notice to Users”) is available at https://realpage.force.com/screening. Licensee hereby acknowledges that it has received, reviewed, and will comply with the obligations set forth in the Notice to Users.
       By law, FI Data may be issued only if used for certain specific purposes. Under these Income Verification Terms, the only Permissible Purposes for ordering and using FI Data are stated in Section 4(i)(b) above. FCRA PROVIDES THAT ANY PERSON WHO KNOWINGLY AND WILLFULLY OBTAINS INFORMATION ON A CONSUMER FROM A CONSUMER REPORTING AGENCY UNDER FALSE PRETENSES SHALL BE FINED UNDER TITLE 18 OF THE UNITED STATES CODE OR IMPRISONED NOT MORE THAN TWO YEARS, OR BOTH.
       In addition to FCRA, other federal and state laws addressing such topics as computer crime, unauthorized access to protected databases, and use of personally identifiable information of individuals may also be applicable. Licensee agrees to comply with all relevant federal, state, and local laws, regulations, and ordinances in its use of any FI Data.
2. Suspension. Plaid may suspend or terminate Licensee’s access to the IV Services or FI Data, in whole or in part, if it reasonably believes (a) Licensee has materially breached this Section 4 (FI Data) or (b) Licensee’s use of the IV Services or FI Data could violate or give rise to liability under any Plaid agreement (including Plaid’s agreement with any FI) or pose a risk of harm, including reputational harm, to any End User, FI, the Plaid Services, or Plaid and its affiliates. Plaid will (i) provide Licensee with at least thirty (30) days’ written advance notice of any such suspension and (ii) narrowly tailor any such suspension to mitigate Plaid’s risk. Notwithstanding the foregoing, Plaid may immediately suspend Licensee’s access to any Plaid Services or FI Data without written advance notice if either of the foregoing (a)—(b) is, in Plaid’s reasonable belief, likely to result in irreparable harm to any End User, FI, the Plaid Services, or Plaid. Plaid will then provide written notice to RealPage (and RealPage will convey such notice to Licensee) as soon as practicable under the circumstances. In addition, an FI may immediately suspend Licensee’s access to FI Data with respect to such FI.
3. Indemnity. Licensee will indemnify, defend, and hold harmless each FI, Plaid, and the affiliates of each of the foregoing from any claims, actions, suits, demands, losses, liabilities, damages (including taxes), costs and expenses arising from: (a) any Security Breach resulting in unauthorized disclosure of FI Data or (b) Licensee’s unauthorized or improper use of FI Data (including any unauthorized Data Sharing, transmission, access, display, storage or loss). This Section (iii) is not subject to any limitation of liabilities set forth in the Master Agreement. Each FI is a third-party beneficiary of this Section 4(iii).
4. Modifications. Licensee acknowledges that continued access to FI Data provided by certain FIs may require modifications to this Section 4 (FI Data). In such event, Plaid will notify RealPage (and RealPage will convey such notice to Licensee) in writing in a manner consistent with notice to other Plaid partner/end clients for the same, including a description of the modifications and the effective date of such modifications. If Licensee objects to the modifications, its exclusive remedy is to cease any and all access and use of the IV Services as it relates to such FI(s). Continued access or use of such the Services after the effective date of such modifications to this Section 4 (FI Data) will constitute Licensee’s acceptance of such modifications.
5. Miscellaneous. In the event of a conflict with any other agreement (including the Master Agreement), the terms and conditions of this Section 4 (FI Data) will govern and prevail. All provisions of this Section 4 (FI Data) will remain in force in the event of this Section 4’s (FI Data) or the Master Agreement’s termination or expiration.

C. Identity Verification Services.

The following provisions (the “IDV Terms”) set out terms and conditions in connection with the Identity Verification Services.

1. DEFINITIONS

1. “End User” means an individual providing data to Licensee via the IDV Services.
2. “Licensee Data” means data in electronic form that is transmitted through the IDV Services by, on behalf of, from or to Licensee or End Users. For the avoidance of doubt: (i) Licensee Data (including Licensee Data returned to Licensee) is not Output; and (ii) Licensee Data is not the Confidential Information of either party.
3. “Identity Verification” means the IDV Services to which Licensee may submit Licensee Data provided by Licensee or End Users, as determined by Licensee via the Dashboard.
4. “Monitor” means the IDV Services that provide anti-money laundering screening.
5. “Identity Verification Services” or “IDV Services” means the Services comprised of the Identity Verification and Monitor, as applicable, and the Dashboard. For the avoidance of doubt, the IDV Services are Services.
6. “Dashboard” means the Licensee facing dashboard functionality and dashboard display services within the IDV Services.
7. “DPPA” means the Drivers Privacy Protection Act, 18 U.S.C. § 2721, et. seq.
8. “GLBA” means the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.
9. "Output” means the information and data of End Users provided to Licensee via the IDV Services (or any derivative work thereof).
10. “PII” means Licensee Data that relates to an End User and is deemed “personal data” or “personal information” (or analogous variations of such terms) under applicable privacy or data protection laws.
11. “Permitted Service Provider” means Licensee’s employees, agents, contractors, and service providers accessing or using the IDV Services on Licensee’s behalf.
12. “Process” means collect, disclose, use, store, or otherwise process.
13. "IDV Use Case” means RealPage will use Plaid's "Identity Verification" endpoint to enable Licensees to verify the identity of applicants, guarantors, and third party invitees or visitors to the property.
14. For the purposes of these IDV Terms, the terms “controller,” “processor,” and “subprocessor” have the meanings ascribed to them and are hereby deemed references to the relevant defined terms with analogous meanings, under applicable law. For example, these terms will be deemed references, as applicable, to the terms “business” and “service provider” as such terms are used in the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020.

2. IDV SERVICES

1. Access. Licensee may use the IDV Services subject to, and only in accordance with, applicable law, these IDV Terms, the Master Agreement, the IDV Use Case, and any agreements between Licensee and End Users (for clarity, including any privacy policy or terms of service) to: (i) verify, via Identity Verification’s matching of Licensee Data provided by End Users, applicable End User identities in the normal course of Licensee's business; and (ii) assess, via Monitor, the Licensee Data for certain screening purposes (e.g., to confirm that End Users do not appear on any watchlist, to provide antifraud or anti-money laundering screening services, etc.). Without limiting the generality of the foregoing, Licensee agrees that: (a) Licensee will not enable or use the “autofill” functionality of the IDV Services if Licensee is located outside of the United States; and (b) any violation of this sentence will be deemed a material breach of these IDV Terms.
2. Instructions. To enable RealPage to provide the IDV Services to Licensee, RealPage will submit Licensee’s instructions to Plaid via the Dashboard (the “Instructions”). The Instructions, based on the RealPage services ordered by Licensee, the applicable Product Specifications, and any settings selected by Licensee, will include direction regarding: (i) the applicable categories or types of Licensee Data that will be processed by the IDV Services on behalf of Licensee and its End Users; (ii) when such processing will occur; and (iii) the categories or types of End Users who will provide Licensee Data through the IDV Services.
3. Consent. Licensee represents and warrants that Licensee will provide all notices and obtain all consents and/or require that RealPage will provide all notices and obtain all consents on behalf of Licensee as required under applicable law, regulations, and third-party agreements for: (i) Licensee to Process Licensee Data; and (ii) RealPage (and its affiliates, subcontractors, subprocessors, service providers, and data sources) to provide the IDV Services by Processing such Licensee Data, and to otherwise exercise the rights described in these IDV Terms. Licensee will maintain records sufficient to demonstrate its compliance with this Section 2(iii) and will promptly provide such records to RealPage upon request.
4. Licensee Data. Licensee grants to RealPage’s IDV Services subprocessor and its affiliates and subcontractors a limited and non-exclusive license to copy, store, configure, display, back test, transmit, and otherwise Process Licensee Data as necessary to provide the IDV Services and to develop enhancements for the IDV Services in accordance with the end user privacy statement available at https://cognitohq.com/privacy-statement. Without limiting the generality of the foregoing, subprocessor may disclose Licensee Data to subcontractors subject to restrictions similar to those in these IDV Terms. Notwithstanding anything to the contrary, subprocessor may disclose Licensee Data as required by law or court order. Subject to the foregoing in this paragraph, Licensee will retain its existing rights (if any, including any ownership rights) in and to Licensee Data. For the avoidance of doubt and notwithstanding any other provisions of these IDV Terms, the parties hereto acknowledge and agree that subprocessor, subject to its compliance with applicable laws and regulations: (i) may use, reproduce, disclose, or otherwise exploit de-identified or anonymized Licensee Data (i.e., Licensee Data from which PII has been removed, de-identified, or anonymized) in any way in subprocessor’s sole discretion; and (ii) reserves the right to provide the IDV Services through use of subcontractors, affiliates, and otherwise, worldwide.

3. COMPLIANCE

1. GLBA; DPPA. Licensee certifies that all Licensee’s and Permitted Service Providers’ uses of, and purposes pertaining to, the IDV Services are and will be in accordance with and solely comprised of uses and purposes: (i) described in Section 6802(e) of GLBA and the United States Federal Trade Commission rules promulgated thereunder, as may be interpreted from time to time by a competent regulatory authority; or (ii) permitted under DPPA.
2. Processing on Licensee’s Behalf. Licensee acknowledges and agrees that, solely with regard to the Licensee Data: (i) Licensee will determine, via the Instructions, the purpose and means by which subprocessor will process Licensee Data; (ii) RealPage will require subprocessor to act on Licensee’s Instructions with respect to the details of subprocessor’s processing of Licensee Data (i.e., how, what, when, and why such Licensee Data is processed by subprocessor); and that therefore (a) Licensee will be deemed a controller with regard to such Licensee Data; (b) RealPage will be deemed a data processor with regard to Licensee Data; and (c) RealPage’s subcontractors will be deemed subprocessors with regard to Licensee Data where such subprocessors facilitate, via the IDV Services, the Licensee activities described in Section 2(i). Licensee will direct End Users to Licensee’s privacy policy for any queries or requests regarding End User rights with respect to, and the processing of, PII applicable to the IDV Services. For the avoidance of doubt, Licensee acknowledges and agrees that: (I) Licensee’s privacy policy will control and apply with respect to the processing of all PII applicable to the IDV Services; and (II) Licensee will make available and maintain all data retention policies and provisions as required under applicable law pertaining to subprocessor storage of PII on Licensees’ behalf in relation to the IDV Services provided under these IDV Terms. RealPage agrees that its IDV Services subprocessor will not, other than as expressly permitted for processors or subprocessors under applicable law: (A) process PII for any purpose (including any commercial purpose) other than as necessary to perform the IDV Services for the Licensee (which performance includes the activities described in Section 2(iv)); (B) sell or, where applicable, share (as that term is defined in the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 and any subsequent amendments) any PII; (C) process PII outside of the business relationship described in these IDV Terms; or (D) combine PII with any other personal information that subprocessor collects (directly from end users or via any third party).
3. Details of Processing. The parties acknowledge and agree that Licensee will control, via the Instructions, the types and categories of PII that may be Processed in connection with the IDV Services. For clarity, such types and categories may include names, addresses, dates of birth, phone numbers, identification documents, and images/videos (e.g., photos or selfies). RealPage agrees that such Processing will continue, as applicable, in accordance with these IDV Terms.
4. FCRA. Licensee acknowledges and agrees that: (i) neither RealPage nor its IDV Services subprocessor are a “consumer reporting agency” or a “furnisher” of information to consumer reporting agencies under the FCRA; and (ii) the Licensee Data is not a “consumer report” under the FCRA. Licensee represents and warrants that it will not, and will not permit or enable any third party to, use the IDV Services or any Licensee Data: (a) as a, or as part of a, “consumer report” as that term is defined in the FCRA; or (b) such that the IDV Services or any Licensee Data would be deemed “consumer reports” under the FCRA.
5. Licensee Responsibilities. Notwithstanding the applicability or details of Licensee’s integration involving the IDV Services, and notwithstanding anything to the contrary in these IDV Terms or any other terms of the Master Agreement, Licensee is solely responsible for its relationships with End Users, including any related billing matters, technical support, and disputes. Without limiting anything in this these IDV Terms, Licensee will publish and maintain an easily accessible and legally sufficient: (i) terms of service regarding all applicable End User use of Licensee’s services; and (ii) privacy policy. Licensee is, and will remain, solely responsible and liable for each End User’s and each Permitted Service Provider’s use of and access to the IDV Services. Licensee shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all Licensee Data, and for verifying the same.
6. Unauthorized Use. In connection with its processing of any Licensee Data, RealPage will comply with all obligations (including privacy protection obligations) applicable to it as a processor under applicable law. Licensee reserves the right to take reasonable and appropriate steps towards stopping and remediating any unauthorized use of PII. RealPage will reasonably cooperate with Licensee to facilitate such steps, including by making available to Licensee all information reasonably necessary to demonstrate RealPage’s compliance with its obligations under these IDV Terms and applicable law.

4. DISCLAIMER

Subprocessor makes no warranty with respect to, and disclaims all liability pertaining to: (i) the Instructions and any acts or omissions in accordance therewith; and (ii) the accuracy of any Licensee Data and all other data (a) uploaded or otherwise provided to or for the IDV Services by or on behalf of Licensee or End Users, and (b) Processed or provided by, or otherwise originating from, subprocessor or its data sources in relation to the IDV Services. With respect to the IDV Services, subprocessor disclaims all liability for the errors and omissions of it and its data sources.

5. EFFECT OF TERMINATION

Upon termination or expiration of an Order relating to the IDV Services: (i) Licensee will destroy or return to RealPage all IDV Services documentation provided to Licensee relating to such Order; and (ii) following RealPage’s receipt of Licensee’s request in writing, RealPage will facilitate the deletion (or return, per such request) of all Licensee Data stored on RealPage’s and its subprocessor’s servers relating to such Order, unless retention of the Licensee Data is required under applicable law. Without limiting the foregoing, RealPage and Licensee may mutually agree upon the retention periods for various types or categories of Licensee Data. Notwithstanding anything to the contrary, subprocessor disclaims all liability pertaining to: (a) deletion of Licensee Data after the termination or expiration of an Order; and (b) Licensee’s use of the IDV Services and Licensee Data after any Order termination or expiration.

6. INDEMNITY

Licensee will indemnify, defend, and hold harmless RealPage’s IDV Services subprocessor and its affiliates from any claims, actions, suits, demands, losses, liabilities, damages (including taxes), costs and expenses arising from or in connection with: (i) breaches by Licensee of these IDV Terms; (ii) acts or omissions of Licensee or its employees, affiliates, or contractors relating to the IDV Services; and (iii) the Processing of Licensee Data by Licensee or its Permitted Service Providers; and (iv) the Instructions and any acts or omissions in accordance therewith in .

7.MISCELLANEOUS

In the event of a conflict between these IDV Terms and any other terms and conditions of the Master Agreement or any agreements between Licensee and End Users (for clarity, including any privacy policy or terms of service), the terms and conditions of these IDV Terms will govern and prevail with respect to the IDV Services. RealPage may update the IDV Services and these IDV Terms from time to time.