Propertyware and On-Site Screening Services Agreement

Screening Terms and Conditions

Please carefully read these Screening Terms and Conditions (“Screening Terms”). By executing an order form (“Order Form”) that incorporates by reference these Screening Terms (or otherwise indicating acceptance of these Screening Terms via, for example, a click-through electronic acceptance), Subscriber agrees, as a Property Owner (defined below) or as agent for such Property Owner, to these Screening Terms whereby RealPage, Inc. or its subsidiary, RP On-Site LLC, licenses its applicant screening software and services (the “Services”). The “Subscriber” is the party identified on the Order Form or on whose behalf the click-through acceptance process is completed, provided, however, that all references herein to Subscriber shall include the Property Owner if Subscriber is acting on behalf of Property Owner in agreeing to these Screening Terms. The Order Form identifies the Services that Subscriber wishes to license and the commercial terms for such license(s).

The party licensing and providing the Services to Subscriber will be referred to herein as “RealPage.” RealPage may amend these Screening Terms from time to time, in its sole discretion, by providing Subscriber written notice by electronic mail, or by regular mail, or by posting the updated terms and conditions on this website. Subscriber should access and review these Screening Terms regularly. If Subscriber determines that these Screening Terms are unacceptable at any time, then Subscriber must immediately discontinue its access to or use of the Services. Subscriber’s access to or use of the Services after RealPage has made such changes available, will constitute Subscriber’s agreement to such changes.

Subscriber manages residential properties (each a “Property”), either on its own behalf as the owner of the Property (“Property Owner”), or as an agent of the Property Owner. Through use of the Services, Subscriber accesses information from the databases of the national credit bureaus (“Credit Bureaus”), third party databases and from databases owned by RealPage or its affiliates. Such information may include, without limitation, credit history, credit and other scores, criminal history, judgment and eviction filing history and individual resident rental history (all of the information available through use of the Services is hereinafter referred to as the “Information“). Subscriber desires to license access to and use the Services in connection with leasing one or more Properties or, in the case of employment screening Services, in connection with its internal business operations. Once the parties have executed an Order Form and Subscriber has indicated its acceptance of these terms and conditions, the parties shall have created a binding, legally enforceable obligation for RealPage to provide and Subscriber to accept and pay for each of the Services implemented by RealPage for each Property at Subscriber’s request, subject to the terms and conditions of the Order Form and these Screening Terms (collectively referred to herein as the “Agreement”).

Subscriber represents and warrants to RealPage that it is the Property Owner or the duly appointed agent of the Property Owner of each Property for which the Services will be implemented and has the authority either on its own behalf or pursuant to such agency agreement to: (i) execute the Order Form; (ii) agree to these Screening Terms and enter into the Agreement on behalf of each such Property Owner; and (iii) pay all invoices for all fees and charges associated with implementation (including Fees), access and use of the Services.

1. License Grant to Access and Use. RealPage hereby grants to Subscriber, with regard to each Property for which the Services are implemented by RealPage, a limited, revocable, terminable, non-transferable, non-exclusive, use-restricted license to access the Services and use the Services solely for management and operation of each such Property or, in the case of employment screening Services, management of the Subscriber’s internal business operations (“License”). Any use of the Services by or for any Property shall be subject to the terms of the applicable Agreement. All rights not specifically identified in the foregoing License are reserved to RealPage. Except to the extent set forth in this Section 1, RealPage grants no additional rights or licenses in or with regard to the Services, and reserves for itself all such additional rights and licenses.

2. Charges and Payments. Subscriber shall pay RealPage for the Services provided hereunder in accordance with the terms of the applicable Order Form. Subscriber shall pay any tax (and related interest and penalties) imposed for its access to or use of the Services, or as a result of the existence or operation of the Agreement, including any tax that Subscriber is required to withhold or deduct from payments to RealPage, other than tax imposed on RealPage’s net income or corporate existence. Notwithstanding any other provision in these Screening Terms, and unless otherwise provided on the applicable Order Form, RealPage may adjust prices for the Services at any time with at least 15 days prior notice to Subscriber (“Notice”), which Notice may be provided by email or via the Propertyware or screening Services website or application.

3. Term and Termination of Agreement and License. The term of the Agreement (“Term”) shall commence on the date of Activation of any Service hereunder (“Activation” is defined as whenever Subscriber is enabled to order Information through the Service, regardless of whether the Service is in production) and continue until the expiration of the last expiring License Term granted hereunder. The license for each Service granted herein for each Property (“License Term”) will commence on the date of Activation of the Service as to the Property and will continue until the last day of the twelfth calendar month next following the calendar month in which Activation occurs (unless earlier terminated pursuant to the terms of the Agreement). Thereafter, the License Term shall automatically renew for additional one year License Term(s) unless either RealPage or Subscriber shall have given the other written notice of termination no less than 30 days prior to such expiration of the initial License Term or any renewal License Term. The expiration or termination of the License for a particular Service will not cause the termination of any other Service. Notwithstanding the foregoing, if the screening Services were purchased in a bundle with the Propertyware Service, the License Term for such screening Services shall, unless otherwise provided on the applicable Order Form, continue until the expiration or termination of the agreement and license(s) for the Propertyware Service with which the screening Services was bundled and purchased. Notwithstanding anything to the contrary in the Agreement, RealPage may immediately suspend or terminate all or part of the Services provided under the Agreement, without prior notice, if in its reasonable judgment: (i) Subscriber breaches any material provision of any Agreement (including an Agreement for the provision of Services for another Property), including without limitation, violation of the Fair Credit Reporting Act, 15 U.S.C. Section 1681 et seq., as amended (the “FCRA”) or any other applicable law, ordinance or regulation; or (ii) RealPage cannot perform its duties under the Agreement for whatever reason, including, but not limited to, a change in any law. If RealPage determines that it is not feasible to provide to Subscriber such suspended or terminated Service, RealPage is not obligated to provide a replacement Service. Notwithstanding the foregoing and where not otherwise prohibited by the law or the rules, RealPage will use reasonable efforts to provide prior notice of any suspension or termination to Subscriber.

4. Service Warranty; Remedies; Intellectual Property Indemnity

(a) Service Warranty. RealPage warrants that each Service will perform the functions set forth in the then-current version of the Product Specifications applicable to the Service, if used in the manner and environment described in such Specifications. The most current version of Product Specifications can be found at http://www.specifications.controls.realpage.com/.

RealPage may change the Product Specifications at any time; provided however, RealPage shall not do so in a manner that would materially modify or remove material functionality of the Services without prior written notice to Subscriber, unless prior notice is not reasonably practicable in order to permit RealPage to comply with any laws or third-party licensing requirements. RealPage shall have no responsibility for failures of any Service arising from any misuse of a Service, equipment or communications malfunction or other software products not licensed by RealPage.

(b) Remedy for Breach & For Claims Relating to the Information Subject to the limitations set forth herein, a Subscriber’s or Property Owner’s sole remedy for all claims (whether in contract, tort, negligence, strict liability, or otherwise) relating to the Information provided (or not provided) hereunder or for any breach of the above Service warranty, shall be (i) RealPage’s re-run of the Information request if such can be accomplished through the exercise of commercially reasonable efforts or (ii) if RealPage is unable to provide such remedy, and the Information supplied (or not supplied) causes the Subscriber to incur direct and verified expenses, RealPage shall grant Subscriber a credit of an amount equal to the Fee for the applicable Information. The foregoing states Subscriber’s sole and exclusive remedy and RealPage’s sole and exclusive liability with regard to the Information provided (or not provided) or for any breach of warranty hereunder.

(c) Intellectual Property Indemnity. If a third party makes a claim against Subscriber that the access to the Service or use of the Service licensed by Subscriber in accordance with the terms of the Agreement, excluding any of the Subscriber Data (as defined in Section 5 below), directly infringes any United States patent issued as of the date of the Agreement or any copyright or trademark, (“IP Claim”), RealPage will indemnify and defend Subscriber against the IP Claim and pay all costs and expenses (including reasonable legal fees, including on appeal) incurred and all damages finally awarded against Subscriber by a court of competent jurisdiction or agreed to in a written settlement agreement signed by RealPage arising out of such IP Claim, provided that: (i) Subscriber promptly notifies RealPage in writing of Subscriber’s receipt of notification of an actual or potential IP Claim; (ii) RealPage may assume sole control of the defense of such claim with counsel of its choice and all related settlement negotiations; and (iii) Subscriber provides RealPage, at RealPage’s request, with reasonable assistance, information and authority necessary to perform RealPage’s obligations under this Section. If RealPage believes that any Service is likely to be determined to be an infringement or misappropriation of a patent, copyright, trade secret, trademark, or other proprietary right, RealPage may (i) modify or replace such Service to make it non-infringing; provided, however, no such replacement or modification shall substantially impair the functionality or performance of such Service (ii) acquire for Subscriber a license to continue to use the Service; or (iii) terminate the license with respect to the infringing Service and refund to Subscriber any fees pre-paid by Subscriber with respect to the infringing Service. RealPage shall have no obligation to Subscriber with respect to any IP Claim if such IP Claim is based upon: (i) Subscriber Data; (ii) Subscriber’s use of a Service in a manner not expressly authorized by the Agreement; (iii) the combination, operation or use of a Service with third-party material that was not provided by RealPage, if Subscriber’s liability would have been avoided in the absence of such combination, operation or use; or (iv) modification of a Service other than as authorized in writing by RealPage. THE FOREGOING STATES REALPAGE’S SOLE OBLIGATION AND SUBSCRIBER’S SOLE REMEDY FOR ANY CLAIMS RELATED TO INFRINGEMENT OF INTELLECTUAL PROPERTY.

5. Order and Supply of Information; Use of Subscriber Data. When initially establishing an account with RealPage, Subscriber’s administrative personnel (“Administrative Personnel”) will undergo (and must pass) a qualification process, which will include: (i) supplying RealPage with information reasonably required to identify the Property, Subscriber, and, if applicable, any Property manager; and (ii) a physical site inspection, conducted by a third party, of the location where the screening reports will be reviewed. Subscriber certifies on behalf of itself and all its users of the Services that they shall order Information and shall use Information: (i) solely for the following permissible purposes: (1) to determine the eligibility (a) for tenancy of persons or businesses from whom Subscriber has accepted a signed lease application relating to tenancy at the Property, or (b) of a person who has applied in writing to serve as a guarantor of such a lease transaction; and (2) solely relating to the On-Site Screening Service, to evaluate a consumer for employment, promotion, reassignment, or retention as an employee (“Employment Purposes”) (collectively, the “Permissible Purposes” and each, individually, a “Permissible Purpose“); and (ii) solely for Subscriber’s one-time use (e.g., Subscriber may use a consumer report requested through an On-Site Screening Service to determine eligibility for employment, but Subscriber may not later use that same consumer report to determine eligibility for promotion). When Subscriber desires to receive Information concerning individuals for the Permissible Purpose, Administrative Personnel will supply RealPage with Subscriber Data reasonably required to identify the prospective resident or employee. Upon receipt of this Subscriber Data, RealPage shall use commercially reasonable efforts to furnish the requested Information to Subscriber. RealPage shall be under no obligation to provide any Information in any instance in which doing so would result in any violation of RealPage’s obligations under the FCRA and any other applicable law or regulation or of RealPage’s agreements with the Credit Bureaus or any other data provider. If no Information or only partial Information is available from any data provider or from RealPage’s own resources, RealPage shall be relieved of the obligation hereunder to supply such Information or component thereof.

Subscriber agrees that with respect to any credit or other scores (the “Scores”) provided as part of the Information, Subscriber may store Scores solely for the Subscriber’s own one-time use in furtherance of the Permissible Purpose. Subscriber shall not use the Scores for model development or model calibration, and shall not reverse engineer the Scores. All Scores provided hereunder will be held in the strictest confidence, and may never be sold, licensed, copied, reused, disclosed, reproduced, revealed or made accessible, in whole or in part, to any person except (i) to Administrative Personnel with a need to know in the course of their employment; (ii) when accompanied by the corresponding reason codes (when provided by RealPage) and a narrative description of the factors adversely impacting the Score, to the consumer who is the subject of the Score; or (iii) as required by law.

Subscriber hereby grants to RealPage, with regard to the data (in any form, including, for example, images or text) entered into the screening platform or software by Subscriber, its agent or applicant (or by RealPage at Subscriber’s direction), or otherwise provided to RealPage by Subscriber, its agent or applicant, in connection with Subscriber’s use of the Services (“Subscriber Data”), a perpetual, irrevocable, royalty-free, world-wide, non-exclusive right and license to access, use, extract, aggregate, compile, reproduce, modify, adapt, create derivative works from, display, store, transmit to its affiliates, or incorporate in other works in any form, media, or technology now known or later developed, the Subscriber Data for the following “Permitted Purposes”: (i) support and provision of a product or service purchased by or provided to Subscriber from RealPage or its affiliates under any agreement between Subscriber and RealPage or its affiliate, (ii) maintenance, operation, and enhancement of a product or service, including any database in which Subscriber Data resides (iii) internal statistical analysis regarding Subscriber Data or (iv) distribution or publication, solely in an Aggregated Form, of Subscriber Data in summary and benchmark reports. “Aggregated Form” means that Subscriber Data shall be combined with data from a minimum of four (4) additional properties.

6. Subscriber’s Representations, Warranties & Covenants. Subscriber represents, warrants and covenants to RealPage that: (i) it will not request or use any Information for any purpose prohibited by the terms of the Agreement, the FCRA or by other applicable law or regulation; (ii) it will request and use Information only for the Permissible Purposes; (iii) it will not request or use Information from a Screening Service hereunder other than the On-Site Screening Service for Employment Purposes; (iv) it has received and reviewed the “Additional Screening Terms and Conditions” appended to these Screening Terms and agrees to comply with the provisions therein, as may be modified from time to time by RealPage; (v) it will request and use Information solely as an end user; (vi) it will not resell, attempt to resell nor disclose any portion of the Information to any third party; (vii) it understands that Credit Bureau fraud alerts are merely an indication that it should take additional steps to verify an applicant’s identity and thus it agrees to do so and that it will not make any leasing, employment or other eligibility decisions with respect to a consumer based solely on the appearance of one or more Credit Bureau fraud alerts in a consumer report provided hereunder; (viii) it will use the Information entirely at its own risk; (ix) it will bring no action or claim, and hereby irrevocably and completely waives and releases all future actions and claims, against RealPage or any Credit Bureau or other data provider for any injury or damage arising from or attributable to the provision, non-provision or use of any Information; (x) RealPage shall have no obligation or liability for delays or nonperformance by the Credit Bureaus or any other data provider; (xi) it understands and acknowledges that RealPage only reports the Information from public records such as criminal and eviction data made available by the public record source at the time the record was collected and so it may be incomplete; (xii) it understands and acknowledges that due to the organization of criminal records and/or the nature of the query there will be instances where no criminal information is reported with regard to persons who, in fact, have criminal records; (xiii) it understands and acknowledges that there is a wide diversity in the types of criminal records made available by various jurisdictions and in the content of such records; (xiv) it understands and acknowledges certain laws restrict the use of certain criminal records for purposes related to housing or accommodations; (xv) it will use reasonable judgment with regard to undertaking independent verification of all negative criminal and eviction Information; (xvi) only Administrative Personnel having a direct need to know and whose duties reasonably relate to processing applications for leases will be permitted to employ the RealPage Service to order, receive or use Information; (xvii) all Administrative Personnel have read these Screening Terms, including, without limitation, the Section entitled “FCRA Requirements” and the “Additional Screening Terms and Conditions” and have agreed to comply with all obligations stated in those Sections which are applicable to them; (xviii) all Administrative Personnel will maintain all Information in strictest confidence and disclose it only as permitted by the Agreement, the FCRA or by other applicable law; and (xix) Subscriber Data is correct and accurate and that Subscriber owns all right, title and interest in and to Subscriber Data (including, without limitation, all intellectual property rights), or possesses sufficient rights to grant to RealPage the license set forth in Section 5 above.

7. Indemnification by Subscriber. Subscriber, at its own expense, shall indemnify, defend and hold harmless RealPage, and its affiliates, and their directors, officers, employees, agents and vendors (each an “Indemnified Party”) from and against losses, costs, and expenses (including legal fees and expenses) actually and reasonably incurred by an Indemnified Party in connection with any liability (including, without limitation, third party claims by applicants or residents) arising from Subscriber’s (or any user using Subscriber’s username or password) (i) access to or use of the Services hereunder (including, without limitation, any claim asserted with regard to Subscriber Data or RealPage’s use or possession thereof), (ii) request for, access to, unauthorized access to, use or misuse of, possession of, disclosure of or reliance upon Information, (iii) use of any Information in connection with any “scoring” model or procedure, (iv) violation of the Agreement, the FCRA or other applicable laws; or (v) failure to comply with the terms of use for any third‐party application or service used by Subscriber in conjunction with the Services. RealPage shall promptly notify Subscriber of any claim or action of a third party as to which RealPage may seek indemnification hereunder. RealPage’s failure to notify Subscriber shall not relieve Subscriber of the obligation to indemnify RealPage unless such failure to notify shall have materially impaired Subscriber’s ability to defend such claim or action.

8. Document Retention Period. Subscriber agrees to maintain all signed rental (or guarantor) applications and any written consents to screening from rental applicants, employment applicants or employees pursuant to which Subscriber requests Information hereunder, as well as all other documentation serving to demonstrate permissible purpose under the FCRA, for a period of at least five years from the date of the Information request. Subscriber further agrees to promptly make such documentation available to RealPage upon RealPage’s request.

9. FCRA Requirements. The FCRA and analogous state laws regulate the operations of consumer credit reporting agencies and apply to Screening Services customers, such as Subscriber, as users of Information about consumers. The FCRA may be found at >www.ftc.gov/os/statutes/fcrajump.htm<. Subscriber shall review and become familiar with the FCRA, paying particular attention to at least the following (non-exhaustive list of) sections, which apply to Subscriber as a user of consumer reports and provider of Subscriber Data:

604. Permissible Purposes of Reports 607. Compliance Procedures 615. Requirement on users of consumer reports 616. Civil liability for willful noncompliance 617 Civil liability for negligent noncompliance 619 Obtaining information under false pretenses 621 Administrative Enforcement 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies

In addition, a copy of the “Notice to Users of Consumer Reports: Obligations of Users Under the FCRA” (“Notice to Users”) is appended to these Screening Terms. Subscriber hereby acknowledges that it has received, reviewed and will comply with the obligations set forth in the Notice to Users.

By law, consumer reports may be issued only if used for certain specific purposes. The only Permissible Purposes for ordering and using a consumer report are stated in Section 5 above. THE FCRA PROVIDES THAT ANY PERSON WHO KNOWLINGLY AND WILLFULLY OBTAINS INFORMATION ON A CONSUMER FROM A CONSUMER REPORTING AGENCY UNDER FALSE PRETENSES SHALL BE FINED UNDER TITLE 18 OF THE UNITED STATES CODE OR IMPRISONED NOT MORE THAN TWO YEARS, OR BOTH.

In addition, a copy of the “Notice to Users of Consumer Reports: Obligations of Users Under the FCRA” (“Notice to Users”) is appended to these Screening Terms. Subscriber hereby acknowledges that it has received, reviewed and will comply with the obligations set forth in the Notice to Users.

In addition to the FCRA, other federal and state laws addressing such topics as computer crime, unauthorized access to protected databases, and use of personally identifiable information of individuals may also be applicable. Subscriber agrees to comply with all relevant federal, state and local laws, regulations and ordinances in its use of any Information or the Services.

10. Additional Employment Purposes Terms and Conditions. Subscriber agrees that it will not request, or cause to be requested, a consumer report for Employment Purposes with respect to any consumer, unless (i) a clear and conspicuous disclosure has previously been made in writing to the consumer, in a document consisting solely of the disclosure, that a consumer report may be obtained for employment purposes; and (ii) the consumer has authorized in writing the procurement of the consumer report by Subscriber. Subscriber further agrees that before taking any adverse action with respect to any consumer, based in whole or in part on a consumer report for Employment Purposes relating to that consumer, Subscriber shall provide to the consumer: (i) a copy of the report; and (ii) a written description of the consumer’s rights under the FCRA in a format approved by the Federal Trade Commission. Subscriber agrees and certifies that information from the consumer report will not be used in violation of any applicable federal, state or local equal opportunity law, regulation or ordinance.

11. Investigative Consumer Report. Subscriber certifies and agrees that it will not request, or cause to be requested, an investigative consumer report (as defined under Section 603(e) of the FCRA) with respect to any consumer, unless: (a) it is clearly and accurately disclosed to the consumer that an investigative consumer report (including information as to his or her character, general reputation, personal characteristics and mode of living, whichever are applicable) may be made, and such disclosure (i) is made in a writing mailed, or otherwise delivered, to the consumer, not later than three days after the date on which the report was first requested, and (ii) includes a statement informing the consumer of his or her right to request the additional disclosures regarding the nature and scope of the investigation (“Investigative Report Disclosure”); (b) the Investigative Report Disclosure includes a written summary of the rights of the consumer prepared pursuant to Section 609(c) of the FCRA; and (c) if the consumer makes a written request within a reasonable amount of time after receipt of the Investigative Report Disclosure, Subscriber makes a complete and accurate written disclosure of the nature and scope of the investigation requested. Subscriber agrees to provide this information to the consumer no later than 5 days after the request for such disclosure was received from the consumer or such report was first requested, whichever is later.

12. WARRANTY DISCLAIMER. OTHER THAN AS EXPRESSLY AND SPECIFICALLY SET FORTH IN THESE SCREENING TERMS, NEITHER REALPAGE NOR ITS VENDORS MAKE ANY WARRANTY, GUARANTY, REPRESENTATION OR COVENANT OF ANY TYPE, EXPRESS OR IMPLIED, WITH REGARD TO ANY ASPECT OF THE SERVICES. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING AND OTHER THAN AS EXPRESSLY AND SPECIFICALLY SET FORTH IN THESE SCREENING TERMS, REALPAGE AND ITS VENDORS HEREBY DISCLAIM ANY WARRANTY OR LIABILITY CONCERNING (I) THE ACCURACY, CORRECTNESS, CURRENCY, AVAILABILITY, RELIABILITY, LOSS OF SUBSCRIBER DATA, PERFORMANCE, SUITABILITY, COMPATIBILITY, NON-INFRINGEMENT, MERCHANTABILITY, TIME OF PERFORMANCE OR FITNESS FOR A PARTICULAR PURPOSE OF; (II) CONTINUOUS, UNINTERRUPTED OR ERROR-FREE ACCESS TO OR USE OF; OR (III) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE INFORMATION OR ANY SERVICE.

13. LIMITATION ON TYPES OF DAMAGES. NEITHER REALPAGE NOR ITS VENDORS SHALL BE LIABLE TO SUBSCRIBER FOR INDIRECT, INCIDENTAL, PUNITIVE, EXEMPLARY, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUES OR REPUTATIONAL HARM, FOR ANY MATTER RELATED TO OR ARISING IN CONNECTION WITH THE AGREEMENT, WHETHER BASED ON ONE OR MORE ACTIONS OR CLAIMS IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHER LEGAL OR EQUITABLE THEORY, AND EVEN IF NOTIFIED OF THE POSSIBILITY OF SUCH DAMAGES (FOR CLARITY, DAMAGES RECOVERABLE UNDER AN INDEMNITY CLAIM ARE DEEMED TO BE DIRECT DAMAGES PAYABLE TO THE INDEMNIFIED PARTY).

14. LIMITATION ON AMOUNT OF DAMAGES. NEITHER REALPAGE NOR ITS VENDORS SHALL BE LIABLE TO SUBSCRIBER FOR ANY DAMAGES, WHETHER ARISING IN CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE IN AN AMOUNT EXCEEDING THE AGGREGATE OF THE FEE PAID BY SUBSCRIBER FOR ALL SERVICES LICENSED FOR THE PROPERTY TO WHICH THE CLAIM RELATES DURING THE 12 MONTH PERIOD PRECEDING THE OCCURRENCE OF THE EVENT THAT GAVE RISE TO THE DAMAGES.

15. Force Majeure. RealPage will not be liable to Subscriber for any damages or injury, direct or indirect, caused by any delay or failure in its performance of any of the acts and obligations required by the Agreement if and to the extent that such delay or failure arises for reasons beyond the reasonable control of RealPage, including, without limitation, Third Party System Failures. For the purposes of the Agreement, “Third Party System Failures” means, as it relates to third party software, hardware or systems, computer downtime; utility or telecommunication interruption; failure, fluctuation or delay; computer virus; electrical surge; or line-noise interference.

16. Essential Nature. The indemnification in Section 7, the limitations set forth in Sections 12, 13, and 14 constitute (i) essential inducements to RealPage to accept the Agreement, (ii) major predicates of the price charged by RealPage for access to and use of the Services, and the use of the Information; and (iii) conditions precedent to RealPage’s agreement to be bound by the provisions of the Agreement. No access to or use of the Services or use of the Information is authorized except subject to these indemnifications, limitations and disclaimers.

17. Survival of Terms. The provisions of the Agreement applicable to (i) any License for a Service; (ii) outstanding obligations of Subscriber at the date of termination; (iii) warranty disclaimer; (iv) indemnification; (v) limitation of liability, types of recoverable damages and amount of recoverable damages; (vi) integration; (vii) survival of terms; (viii) confidentiality and non-disclosure; and (ix) limitation of actions will survive termination or expiration of the Agreement.

18. Amendment. The Agreement may be amended, altered or modified only by an instrument in writing, specifying such amendment, alteration or modification, executed by both parties.

19. RealPage’s Ownership. Subscriber acknowledges that RealPage is the owner of all Services, the RealPage content (except for third party content), the RealPage databases and the RealPage data and that all Services are protected by copyright, trade secret and other intellectual property laws and legal precedent of the United States and other jurisdictions. No title to or ownership of any Service is transferred to Subscriber by operation of the Agreement.

20. Sale of the Property. Where Subscriber sells or otherwise transfers a Property, the Agreement relating to such Property, together with any applicable addenda, shall terminate at the end of the month in which the sale or transfer occurs. Where a Property is sold or transferred, unless RealPage has received written instructions from the parties to the contrary, (i) RealPage will consider Subscriber Data for the Property stored in any Service to have vested in the new owner of the Property; and (ii) Manager shall no longer be permitted access to the Subscriber Data.

21. Miscellaneous. For purposes of the disclaimer of warranties and consequential damages, limitation of liability and Subscriber indemnities, the term “RealPage” shall be deemed to include all RealPage licensors of software and providers of services and information made a part of the Services. If any part of the Agreement is held to be invalid, illegal, or unenforceable, such part will be treated as severable, and the remaining portions of the Agreement shall continue to be valid and enforceable as to the parties hereto. Nothing in the Agreement, express or implied, is intended to confer upon any person or entity other than the parties and their respective successors and assigns, any rights, remedies, obligations or liabilities. The failure of either party hereto at any time to enforce any of the provisions of the Agreement shall not be deemed or construed to be a waiver of any such provision, nor, in any manner, affect the validity of the Agreement, any provision hereof or the right to thereafter enforce each and every provision of the Agreement. No waiver of any breach of any of the provisions of the Agreement shall be effective unless set forth in a written instrument executed by a duly authorized officer of the party against whom enforcement of such waiver is sought, nor shall it be deemed or construed to be a waiver of any succeeding or other breach of the Agreement. Unless otherwise provided in these Screening Terms, all notices required to be given hereunder shall be given in writing and shall be delivered either by hand, by certified mail with proper postage affixed thereto, or by commercial overnight carrier addressed to the Subscriber at the address set forth in the Order Form or to RealPage at 2201 Lakeside Blvd., Richardson, TX 75082, Attn: Chief Legal Officer, or such other person and address as may be designated from time to time in writing. All such communications shall be deemed received by the other party upon the earlier of actual receipt or actual delivery. Subscriber may not assign the Agreement or any rights granted therein prior to RealPage’s qualification of all of the assignee’s end users of Information. These Screening Terms — together with any applicable addenda, schedules, Order Forms and Product Specifications — sets forth the entire understanding of the parties hereto with respect to the subject matter hereof and supersedes, replaces and terminates all prior and contemporaneous letters of intent, agreements, covenants, negotiations, arrangements, communications, representations, advertisements, selling brochures, sales presentations, understandings or warranties, whether oral or written, by any officer, employee or representative of either party with respect to the subject matter hereof. Neither party is relying upon any warranties, representations, assurances or inducements not expressly set forth herein. THE AGREEMENT SHALL BE GOVERNED BY AND CONSTRUED AND ENFORCED UNDER THE LAWS OF THE STATE OF TEXAS (WITHOUT REGARD TO ANY CONFLICTS OF LAW RULES THAT WOULD REQUIRE THE APPLICATION OF THE SUBSTANTIVE LAWS OF ANOTHER JURISDICTION). THE PARTIES CONSENT TO (AND WAIVE ANY OBJECTION TO THE PERSONAL AND EXCLUSIVE JURISDICTION OF THE FEDERAL AND STATE COURTS IN DALLAS COUNTY, TEXAS.

All users of consumer reports must comply with all applicable regulations. Information about applicable regulations currently in effect can be found at the Consumer Financial Protection Bureau’s website, www.consumerfinance.gov/learnmore.

NOTICE TO USERS OF CONSUMER REPORTS:
OBLIGATIONS OF USERS UNDER THE FCRA

The Fair Credit Reporting Act (FCRA), 15 U.S.C. §1681-1681y, requires that this notice be provided to inform users of consumer reports of their legal obligations. State law may impose additional requirements. The text of the FCRA is set forth in full at the Consumer Financial Protection Bureau’s (CFPB) website at www.consumerfinance.gov/learnmore. At the end of this document is a list of United States Code citations for the FCRA. Other information about user duties is also available at the Bureau’s website. Users must consult the relevant provisions of the FCRA for details about their obligations under the FCRA.

The first section of this summary sets forth the responsibilities imposed by the FCRA on all users of consumer reports. The subsequent sections discuss the duties of users of reports that contain specific types of information, or that are used for certain purposes, and the legal consequences of violations. If you are a furnisher of information to a consumer reporting agency (CRA), you have additional obligations and will receive a separate notice from the CRA describing your duties as a furnisher.

  1. Obligations of All Users of Consumer Reports
    1. Users Must Have a Permissible Purpose

      Congress has limited the use of consumer reports to protect consumers’ privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:

      • As ordered by a court or federal grand jury subpoena. Section 604(a)(1)
      • As instructed by the consumer in writing. Section 604(a)(2)
      • For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s account. Section 604(a)(3)(A)
      • For employment purposes, including hiring and promotion decisions, where the consumer has given written permission. Section 604(a)(3)(B) and 604(b)
      • For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C)
      • When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i)
      • To review a consumer’s account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)
      • To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status. Section 604(a)(3)(D)
      • For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E)
      • For use by state or local officials in connection with the determination of child support payments, or modifications and enforcement thereof. Sections 604(a)(4) and 604(a)(5).

      In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of “prescreened” information are described in Section VII below.

    2. Users Must Provide Certifications

      Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.

    3. Users Must Notify Consumers When Adverse Actions Are Taken

      The term “adverse action” is defined very broadly by Section 603. “Adverse actions” include all business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined by Section 603(k) of the FCRA – such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.

      1. Adverse Actions Based on Information Obtained From a CRA

        If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be done in writing, orally, or by electronic means. It must include the following:

        • The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report.
        • A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made.
        • A statement setting forth the consumer’s right to obtain a free disclosure of the consumer’s file from the CRA if the consumer makes a request within 60 days.
        • A statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.
      2. Adverse Actions Based on Information Obtained from Third Parties Who Are Not Consumer Reporting Agencies

        If a person denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type of consumer information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification. The user must provide the disclosure within a reasonable period of time following the consumer’s written request.

      3. Adverse Actions Based on Information Obtained From Affiliates

        If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure set forth in I.C.1 above.

    4. Users Have Obligations When Fraud and Active Duty Military Alerts are in Files

      When a consumer has placed a fraud alert, including one relating to identity theft, or an active duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active duty alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the identity of the applicant or contact the consumer at a telephone number specified by the consumer; in the case of extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in the consumer’s alert.

    5. Users Have Obligations When Notified of an Address Discrepancy

      Section 605(h) requires nationwide CRAs, as defined in Section 603(p), to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer’s file. When this occurs, users must comply with regulations specifying the procedures to be followed. Federal regulations are available at www.consumerfinance.gov/learnmore.

    6. Users Have Obligations When Disposing of Records

      Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. Federal regulations have been issued that cover disposal.

  2. Creditors Must Make Additional Disclosures

    If a person uses a consumer report in connection with an application for, or a grant, extension, or provision of, credit to a consumer on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person, based in whole or in part on a consumer report, the person must provide a risk-based pricing notice to the consumer in accordance with regulations prescribed by the Consumer Financial Protection Bureau.

    Section 609(g) requires a disclosure by all persons that make or arrange loans secured by residential real property (one to four units) and that use credit scores. These persons must provide credit scores and other information about credit scores to applicants, including the disclosure set forth in Section 609(g)(1)(D) (“Notice to the Home Loan Applicant”).

  3. Obligations Of Users When Consumer Reports Are Obtained For Employment Purposes
    1. Employment Other Than in the Trucking Industry

      If information from a CRA is used for employment purposes, the user has specific duties, which are set forth in Section 604(b) of the FCRA. The user must:

      • Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained.
      • Obtain from the consumer prior written authorization. Authorization to access reports during the term of employment may be obtained at the time of employment.
      • Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer.
      • Before taking an adverse action, the user must provide a copy of the report to the consumer as well as the summary of the consumer’s rights. (The user should receive this summary from the CRA.). A Section 615(a) adverse action notice should be sent after the adverse action is taken.

      An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2).

      The procedures for investigative consumer reports and employee misconduct investigations are set forth below.

    2. Employment in the Trucking Industry

      Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report relied upon by the trucking company by contacting the company.

  4. Obligations When Investigative Consumer Reports Are Used

    Investigative consumer reports are a special type of consumer report in which information about a consumer’s character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by an entity or person that is a consumer reporting agency. Consumers who are the subject of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the following:

    • The user must disclose to the consumer that an investigative consumer report may be obtained. This must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time before or not later than three days after the date on which the report was first requested. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation as described below, and the summary of consumer rights required by Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the investigation.)
    • The user must certify to the CRA that the disclosures set forth above have been made and that the user will make the disclosure below.
    • Upon written request of a consumer made within a reasonable period of time after the disclosures required above, the user must make a complete disclosure of the nature and scope of the investigation. This must be made in a written statement that is mailed, or otherwise delivered, to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later in time.

  5. Special Procedures for Employee Investigations

    Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self- regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.

  6. Obligations Of Users Of Medical Information

    Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report or the information must be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except as provided in federal regulations) – the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation, or order).

  7. Obligations Of Users Of “Prescreened” Lists

    The FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with unsolicited offers of credit or insurance under certain circumstances. Section 603(l), 604(c), 604(e), and 615(d). This practice is known as “prescreening” and typically involves obtaining from a CRA a list of consumers who meet certain pre-established criteria. If any person intends to use prescreened lists, that person must (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance, and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that:

    • Information contained in a consumer’s CRA file was used in connection with the transaction.
    • The consumer received the offer because he or she satisfied the criteria for credit worthiness or insurability used to screen for the offer.
    • Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on credit worthiness or insurability, or the consumer does not furnish required collateral.
    • The consumer may prohibit the use of information in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report. This statement must include the address and the toll-free telephone number of the appropriate notification system.

    In addition, once the CFPB has established the format, type size, and manner of the disclosure required by Section 615(d), with which users must comply. The relevant regulation is 12 CFR 1022.54.

  8. Obligations of Resellers
    1. Disclosure and Certification Requirements

      Section 607(e) requires any person who obtains a consumer report for resale to take the following steps:

      • Disclose the identity of the end-user to the source CRA.
      • Identify to the source CRA each permissible purpose for which the report will be furnished to the end-user.
      • Establish and follow reasonable procedures to ensure that reports are resold only for permissible purposes, including procedures to obtain:
        1. the identity of all end-users;
        2. certifications from all users of each purposes for which reports will be used; and
        3. certifications that reports will not be used for any purpose other than the purpose(s) specified to the reseller. Resellers must make reasonable efforts to verify this information before selling the report.
    2. Reinvestigations by Resellers

      Under Section 611(f), if a consumer disputes the accuracy or completeness of information in a report prepared by a reseller, the reseller must determine whether this is a result of an action or omission on its part and, if so, correct or delete the information. If not, the reseller must send the dispute to the source CRA for reinvestigation. When any CRA notifies the reseller of the results of an investigation, the reseller must immediately convey the information to the consumer.

    3. Fraud Alerts and Resellers

      Section 605A(f) requires resellers who receive fraud alerts or active duty alerts from another consumer reporting agency to include these in their reports.

  9. Liability For Violations Of The FCRA

    Failure to comply with the FCRA can result in state government or federal government enforcement actions, as well as private lawsuits. Sections 616, 617, and 621. In addition, any person who knowingly and willfully obtains a consumer report under false pretenses may face criminal prosecution. Section 619.

    The CFPB’s website, www.consumerfinance.gov/learnmore , has more information about the FCRA, including publications for businesses and the full text of the FCRA.

    Citations for the FCRA sections in the U.S. Code, 15 U.S.C.§ 1681 et seq.:

    Section 602 – 15 U.S.C. 1681
    Section 603 – 15 U.S.C. 1681a
    Section 604 – 15 U.S.C. 1681b
    Section 605 – 15 U.S.C. 1681c
    Section 605A – 15 U.S.C. 1681cA
    Section 605B – 15 U.S.C. 1681cB
    Section 606 – 15 U.S.C. 1681d
    Section 607 – 15 U.S.C. 1681e
    Section 608 – 15 U.S.C. 1681f
    Section 609 – 15 U.S.C. 1681g
    Section 610 – 15 U.S.C. 1681h
    Section 611 – 15 U.S.C. 1681i
    Section 612 – 15 U.S.C. 1681j
    Section 613 – 15 U.S.C. 1681k
    Section 614 – 15 U.S.C. 1681l
    Section 615 – 15 U.S.C. 1681m
    Section 616 – 15 U.S.C. 1681n
    Section 617 – 15 U.S.C. 1681o
    Section 618 – 15 U.S.C. 1681p
    Section 619 – 15 U.S.C. 1681q
    Section 620 – 15 U.S.C. 1681r
    Section 621 – 15 U.S.C. 1681s
    Section 622 – 15 U.S.C. 1681s-1
    Section 623 – 15 U.S.C. 1681s-2
    Section 624 – 15 U.S.C. 1681t
    Section 625 – 15 U.S.C. 1681u
    Section 626 – 15 U.S.C. 1681v
    Section 627 – 15 U.S.C. 1681w
    Section 628 – 15 U.S.C. 1681x
    Section 629 – 15 U.S.C. 1681y

Additional Screening Terms and Conditions

These Additional Screening Terms and Conditions are subject to and by this reference made a part of the agreement between the RealPage entity providing a screening product or service (the “RealPage Party”) and Manager or Subscriber, and apply to any applicant screening product or service (“Screening Product Center”) purchased by Subscriber or Manager. Capitalized terms used in these Additional Screening Terms and Conditions that are defined in any underlying master agreement between the parties or any addendum thereto and not otherwise defined herein shall have the meanings assigned in such master agreement or addendum. The term “Site Owner” as used herein shall be deemed to refer to Property Owner, where the term “Property Owner” is defined and used in the underlying screening agreement between the parties and to Subscriber on its own behalf and in its capacity as the agent of Property Owner.

1. Information from the Death Master File

Information included in screening reports available from the Screening Product Centers (“Screening Reports”) may include information from the national credit bureaus and the Death Master File (“DMF”), as issued by the United States Social Security Administration (“SSA”). For example, a Screening Report might contain an alert that the social security number entered by the applicant belongs to someone who is deceased.

Pursuant to Section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, access to the DMF is restricted to only those entities that have: (i) a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1); and (ii) systems, facilities and procedures in place to safeguard the accessed information, and experience in maintaining the confidentiality, security and appropriate use of such information, pursuant to requirements reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986, and agrees to satisfy such similar requirements. Site Owner’s continued use of a Screening Product Center affirms its commitment to comply with these terms and all applicable laws. Site Owner acknowledges that it will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or other indicia within a Screening Report.

2. Additional Rules Regarding Vermont Consumers

Site Owner certifies that it will comply with applicable provisions under Vermont law. In particular, Site Owner certifies that it will order information services relating to Vermont residents that are credit reports as defined by the Vermont Fair Credit Reporting Act (“VFCRA”), only after Site Owner has received prior consumer consent in accordance with VFCRA Section 2480e and applicable Vermont Rules. Site Owner further certifies that the below copy of Section 2480e of the Vermont Fair Credit Reporting Statute was received.

Vermont Fair Credit Reporting Statute, 9 V.S.A. § 2480e (1999) § 2480e. Consumer consent (a) A person shall not obtain the credit report of a consumer unless: 1. the report is obtained in response to the order of a court having jurisdiction to issue such an order; or 2. the person has secured the consent of the consumer, and the report is used for the purpose consented to by the consumer.(b) Credit reporting agencies shall adopt reasonable procedures to assure maximum possible compliance with subsection (a) of this section.(c) Nothing in this section shall be construed to affect:1. the ability of a person who has secured the consent of the consumer pursuant to subdivision (a)(2) of this section to include in his or her request to the consumer permission to also obtain credit reports, in connection with the same transaction or extension of credit, for the purpose of reviewing the account, increasing the credit line on the account, for the purpose of taking collection action on the account, or for other legitimate purposes associated with the account; and 2. the use of credit information for the purpose of prescreening, as defined and permitted from time to time by the Federal Trade Commission.

VERMONT RULES *** CURRENT THROUGH JUNE 1999
AGENCY 06. OFFICE OF THE ATTORNEY GENERAL
SUB-AGENCY 031. CONSUMER PROTECTION DIVISION
CHAPTER 012. Consumer Fraud–Fair Credit Reporting
RULE CF 112 FAIR CREDIT REPORTING
CVR 06-031-012, CF 112.03 (1999)
CF 112.03 CONSUMER CONSENT

(a) A person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing if the consumer has made a written application or written request for credit, insurance, employment, housing or governmental benefit. If the consumer has applied for or requested credit, insurance, employment, housing or governmental benefit in a manner other than in writing, then the person required to obtain consumer consent pursuant to 9 V.S.A. §§ 2480e and 2480g shall obtain said consent in writing or in the same manner in which the consumer made the application or request. The terms of this rule apply whether the consumer or the person required to obtain consumer consent initiates the transaction.

(b) Consumer consent required pursuant to 9 V.S.A. §§ 2480e and 2480g shall be deemed to have been obtained in writing if, after a clear and adequate written disclosure of the circumstances under which a credit report or credit reports may be obtained and the purposes for which the credit report or credit reports may be obtained, the consumer indicates his or her consent by providing his or her signature.

(c) The fact that a clear and adequate written consent form is signed by the consumer after the consumer’s credit report has been obtained pursuant to some other form of consent shall not affect the validity of the earlier consent.

3. Additional Rules for California Retail Sellers.

Provisions of the California Consumer Credit Reporting Agencies Act, as amended effective July 1, 1998, will impact the provision of consumer reports to Site Owner under the following circumstances: (a) if Site Owner is a “retail seller” (defined in part by California law as “a person engaged in the business of selling goods or services to retail buyers”) and is selling to a “retail buyer” (defined as “a person who buys goods or obtains services from a retail seller in a retail installment sale and not principally for the purpose of resale”) and a consumer about whom Site Owner is inquiring is applying, (b) in person, and (c) for credit. Under the foregoing circumstances, a consumer reporting agency, before delivering a consumer report to Site Owner, must match at least three (3) items of a consumer’s identification within the file maintained by the consumer reporting agency with the information provided it in connection with the in-person credit transaction. Compliance with this law further includes Site Owner’s inspection of the photo identification of each consumer who applies for in-person credit, mailing extensions of credit to consumers responding to a mail solicitation at specified addresses, taking special actions regarding a consumer’s presentment of a police report regarding fraud, and acknowledging consumer demands for reinvestigations within certain time frames.

In compliance with Section 1785.14(a) of the California Civil Code, Site Owner hereby certifies to the RealPage Party that Site Owner is NOT a retail seller, as defined in Section 1802.3 of the California Civil Code (“Retail Seller”) and does not issue credit to consumers who appear in person on the basis of applications for credit submitted in person (“Point of Sale”).

If Site Owner subsequently becomes a Retail Seller, Site Owner agrees: (i) to provide written notice to the RealPage Party and obtain the RealPage Party’s written consent prior to ordering consumer reports in connection with an in-person credit transaction, which consent may be withheld or limited if the RealPage Party is unable to provide such reports or certain Information requested by Site Owner in compliance with applicable law (e.g., the RealPage Party’s or its data provider’s data does not contain at least three items of information required to be matched against the consumer’s identifying information); (ii) to acquire a new subscriber number for use in processing consumer report inquiries that result from in-person credit applications covered by California law, with the understanding that all inquiries using this new subscriber number will require that Site Owner supply at least three items of identifying information from the applicant; and (iii) to comply with all applicable requirements under California law for a Retail Seller conducting Point of Sale transactions.

4. Access Security Requirements

The following information security controls are required to reduce unauthorized access to consumer information. It is your responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to get an outside service provider to assist you. The RealPage Parties reserve the right to make changes to these Access Security Requirements without prior notification. The information provided herewith provides minimum baselines for information security. As used herein, the term “RealPage Party data” includes, without limitation, information from a third party data provider (e.g., Credit Bureau) that is supplied by a RealPage Party to the Site Owner under this Agreement.

In accessing a Screening Product Center, you agree to follow these security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store Information or the RealPage Parties’ data:

A. Implement Strong Access Control Measures

1) All credentials such as user names/identifiers (user IDs) and user passwords must be kept confidential and must not be disclosed to an unauthorized party. No one from a RealPage Party will ever contact you and request your credentials.

2) If using third party or proprietary system to access a RealPage Party’s systems, ensure that the access must be preceded by authenticating users to the application and/or system (e.g. application based authentication, Active Directory, etc.) utilized for accessing a RealPage Party’s data/systems.

3) Create a unique user ID for each user to enable individual authentication and accountability for access to a RealPage Party’s services. Each user of the system access software must also have a unique logon password.

4) User IDs and passwords shall only be assigned to authorized individuals based on least privilege necessary to perform job responsibilities.

5) User IDs and passwords must not be shared, posted, or otherwise divulged in any manner.

6) Develop strong passwords that are:

  • Not easily guessable (i.e., your name or company name, repeating numbers and letters or consecutive numbers and letters)
  • Contain a minimum of eight (8) alphabetic and numeric characters for standard user accounts
  • For interactive sessions (i.e., non system-to-system) ensure that passwords/passwords are changed periodically (every 90 days is recommended)

7) Passwords must be changed immediately when any system access software is replaced by another system access software or is no longer used; the hardware on which the software resides is upgraded, changed or disposed; or there is any suspicion of password being disclosed to an unauthorized party.

8) Ensure that passwords are not transmitted, displayed or stored in clear text; protect all end user (e.g. internal and external) passwords using, for example, encryption or a cryptographic hashing algorithm also known as “one-way” encryption. When using encryption, ensure that strong encryption algorithms are utilized (e.g. AES 256 or above).

9) Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.

10) Active logins to credit information systems must be configured with a 30 minute inactive session timeout.

11) Ensure that personnel who are authorized access to Information and Screening Reports have a business need to access such information and understand these requirements to access such information only for the Permissible Purpose for which the information was requested, and solely and exclusively for Site Owner’s one-time use.

12) Ensure that Peer-to-Peer file sharing software is not installed on systems used to access, transmit or store Information, including Credit Bureau data.

13) Ensure that its employees do not access their own credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a credit transaction or for the Permissible Purpose.

14) Implement a process to terminate access rights immediately for users who access Information and Screening Reports when those users are terminated or when they have a change in their job tasks and no longer require access to Information and Screening Reports.

15) Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.

16) Implement a process to periodically review user activities and account usage, ensure the user activities are consistent with the individual job responsibility, business need, and in line with contractual obligations.

17) Implement physical security controls to prevent unauthorized entry to company’s facility and access to systems used to obtain Information and Screening Reports. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.

B. Maintain a Vulnerability Management Program

1) Keep operating system(s), firewalls, routers, servers, personal computers (laptops and desktops) and all other systems current with appropriate system patches and updates.

2) Configure infrastructure such as firewalls, routers, servers, tablets, smart phones, personal computers (laptops and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, and removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.

3) Implement and follow current best security practices for computer virus detection scanning services and procedures

  • Use, implement and maintain a current, commercially available anti-virus software on all systems, if applicable anti-virus technology exists. Anti-virus software deployed must be capable to detect, remove, and protect against all known types malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.
  • Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
  • If you suspect an actual or potential virus infecting a system, immediately cease accessing the system and do not resume using the system until the virus has been eliminated.

C. Protect Data

1) Develop and follow procedures to ensure that data (including Information) is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.).

2) RealPage Party data and Information are classified Confidential and must be secured in accordance with the requirements mentioned in this document at a minimum.

3) Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the information.

4) Encrypt all Experian data and information when stored electronically on any system including but not limited to laptops, tablets, personal computers, servers, databases using strong encryption such AES 256 or above.

5) RealPage Party data and Information must not be stored locally on smart tablets and smart phones such as iPads, iPhones, Android based devices, etc.

6) When using smart tablets or smart phones to access RealPage Party data or Information, ensure that such devices are protected via device pass-code.

7) Applications utilized to access Experian data via smart tablets or smart phones must protect data while in transmission such as SSL protection and/or use of VPN, etc.

8) Only open email attachments and links from trusted sources and after verifying legitimacy.

9) When no longer in use, ensure that hard-copy materials containing RealPage Party data and Information are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.

10) When no longer in use, electronic media containing RealPage Party data or Information is rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media (for example, degaussing).

D. Maintain an Information Security Policy

1) Develop and follow a security plan to protect the confidentiality and integrity of personal consumer information as required under the GLB Safeguards Rule (16 CFR Part 314).

2) Suitable to complexity and size of the organization, establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and regulations.

3) Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. If you believe RealPage Party data or Information may have been compromised, immediately notify the RealPage Party within twenty-four (24) hours or per agreed contractual notification timeline (See also Section H).

4) The Fair and Accurate Transactions Act (FACTA) Disposal Rules require that Site Owner implement appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.

5) Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security in the organization and at the Site level.

6) When using third party service providers (e.g. application service providers) to access, transmit, store or process Information from Experian, ensure that service provider is compliant with the Experian Independent Third Party Assessment (EI3PA) program, and registered in Experian’s list of compliant service providers. If the service provider is in the process of becoming compliant, it is Site Owner’s responsibility to ensure the service provider is engaged with Experian and an exception is granted in writing.

E. Build and Maintain a Secure Network

1) Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices.

2) Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.

3) Administrative access to firewalls and servers must be performed through a secure internal wired connection only.

4) Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services, and network traffic.

5) Change vendor defaults including but not limited to passwords, encryption keys, SNMP strings, and any other vendor defaults.

6) For wireless networks connected to or used for accessing or transmission of RealPage Party data or Information, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.

7) When using service providers (e.g., software providers) to access RealPage Party systems, access to third party tools/services must require multi-factor authentication.

F. Regularly Monitor and Test Networks

1) Perform regular tests on information systems (port scanning, virus scanning, internal/external vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in 15 days, etc.)

2) Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit RealPage Party data or Information and maintain an audit trail history for at least three months for review; establish a process for linking all access to such systems and applications. Ensure that security policies and procedures are in place to review security logs on daily or weekly basis and that follow-up to exceptions is required.

3) Use current best practices to protect telecommunications systems and any computer system or network device(s) used to access RealPage Party services, systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by:

  • protecting against intrusions;
  • securing the computer systems and network devices;
  • and protecting against intrusions of operating systems or software.

G. Mobile and Cloud Technology

1) Storing Credit Bureau data on mobile devices is prohibited. Any exceptions must be obtained from the Credit Bureau via the RealPage Party in writing; additional security requirements will apply.

2) Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks.

3) Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.

4) Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.

5) Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is Credit Bureau data to be exchanged between secured and non-secured applications on the mobile device.

6) In case of non-consumer access, that is, commercial/business-to-business (B2B) users accessing Credit Bureau data via mobile applications (internally developed or using a third party application), ensure that multi-factor authentication and/or adaptive/risk-based authentication mechanisms are utilized to authenticate users to application.

7) When using cloud providers to access, transmit, store, or process Credit Bureau data ensure that:

  • Appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations
  • Cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent as approved/recognized by the applicable Credit Bureau:
    • ISO 27001 PCI DSS o EI3PA
    • SSAE 16 – SOC 2 or SOC3
    • FISMA
    • CAI / CCM assessment

H. General

1) The RealPage Party (along with any of its third party vendors whose information may be included in any Screening Report) may from time to time audit the security mechanisms Site Owner maintains to safeguard access to Credit Bureau or other data provider information, systems and electronic communications. Audits may include examination of systems security and associated administrative practices.

2) Site Owner shall be responsible for and ensure that third party software, which accesses the RealPage Party information systems, is secure, and protects this vendor software against unauthorized modification, copy and placement on systems which have not been authorized for its use.

3) Site Owner shall conduct software development (for software which accesses the RealPage Party information systems; this applies to both in-house or outsourced software development) based on the following requirements:

  • Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks.
  • Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
  • Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.

4) Reasonable access to audit trail reports of systems or software utilized to access Credit Bureau or other data provider systems shall be made available upon request, for example during breach investigation or while performing audits.

5) In the event Site Owner experiences a security incident involving RealPage Party data or Information, Site Owner will fully cooperate with the RealPage Party and its data provider in a security assessment process and promptly remediate any finding.

6) Data requests from Site Owner to a RealPage Party must include the IP address of the device from which the request originated (i.e., the requesting client’s IP address), where applicable.

7) Site Owner shall report actual security violations or incidents that impact a RealPage Party or its data provider to the RealPage Party within twenty-four (24) hours. Site Owner agrees to provide notice to the RealPage Party of any confirmed security breach that may involve data related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred at 972-820-4914, Email notification should be sent to infosec@realpage.com.

8) Site Owner understands that its use of RealPage Party networking and computing resources may be monitored and audited by RealPage, without further notice.

9) When using third party service providers to access, transmit, or store Information or RealPage Party data, additional documentation may be required by the RealPage Party.

5. Internet Delivery Security Requirements

In addition to the above, the following requirements apply where Site Owner and its employees or authorized agents are provided access to a Screening Product Center via Internet.

General requirements:

  1. Site Owner (“Company”) shall designate in writing, an employee to be its Head Security Designate, to act as the primary interface with the RealPage Party on systems access related matters. The Company’s Head Security Designate will be responsible for establishing, administering and monitoring all Company employees’ access to RealPage Party provided services which are delivered over the Internet (“Internet access”), or approving and establishing Security Designates to perform such functions.

  2. The Company’s Head Security Designate or Security Designate shall in turn review all employee requests for Internet access approval. The Head Security Designate or its Security Designate shall determine the appropriate access to each RealPage Party product based upon the legitimate business needs of each employee. The RealPage Party shall reserve the right to terminate any accounts it deems a security threat to its systems and/or consumer data.

  3. Unless automated means become available, the Company shall request employee’s (Internet) user access via the Head Security Designate/Security Designate in writing, in the format approved by the RealPage Party. Those employees approved by the Head Security Designate or Security Designate for Internet access (“Authorized Users”) will be individually assigned unique access identification accounts (“User ID”) and passwords/passphrases (this also applies to the unique Server-to-Server access IDs and passwords/passphrases). The RealPage Party’s approval of requests for (Internet) access may be granted or withheld in its sole discretion. The RealPage Party may add to or change its requirements for granting (Internet) access to the services at any time (including, without limitation, the imposition of fees relating to (Internet) access upon reasonable notice to Company), and reserves the right to change passwords/passphrases and to revoke any authorizations previously granted. Note: Partially completed forms and verbal requests will not be accepted.

  4. An officer of the Company agrees to notify the ReaPage Party in writing immediately if it wishes to change or delete any employee as a Head Security Designate, Security Designate, or Authorized User; or if the identified Head Security Designate, Security Designate or Authorized User is terminated or otherwise loses his or her status as an Authorized User.

Roles and Responsibilities

  1. Company agrees to identify an employee it has designated to act on its behalf as a primary interface with the ReaPage Party on systems access related matters. This individual shall be identified as the “Head Security Designate.” The Head Security Designate can further identify a Security Designate(s) to provide the day to day administration of the Authorized Users. Security Designate(s) must be an employee and a duly appointed representative of the Company and shall be available to interact with the ReaPage Party on information and product access, in accordance with the above Access Security Requirements. The Head Security Designate Authorization Form must be signed by a duly authorized representative of the Company. Company’s duly authorized representative (e.g. contracting officer, security manager, etc.) must authorize changes to Company’s Head Security Designate. The Head Security Designate will submit all requests to create, change or lock Security Designate and/or Authorized User access accounts and permissions to the ReaPage Party’s systems and information (via the Internet). Changes in Head Security Designate status (e.g. transfer or termination) are to be reported to the ReaPage Party immediately.

  2. As a client to the ReaPage Party products and services via the Internet, the Head Security Designate is acting as the duly authorized representative of Company.

  3. The Security Designate may be appointed by the Head Security Designate as the individual that the Company authorizes to act on behalf of the business in regards to the ReaPage Party product access control (e.g. request to add/change/remove access). The Company can opt to appoint more than one Security Designate (e.g. for backup purposes). The Company understands that the Security Designate(s) it appoints shall be someone who will generally be available during normal business hours and can liaise with the ReaPage Party’s Security Administration group on information and product access matters.

  4. The Head Designate shall be responsible for notifying their corresponding ReaPage Party representative in a timely fashion of any Authorized User accounts (with their corresponding privileges and access to application and data) that are required to be terminated due to suspicion (or actual) threat of system compromise, unauthorized access to data and/or applications, or account inactivity.

Designate

  1. Must be an employee and duly appointed representative of Company, identified as an approval point for Company’s Authorized Users.

  2. Is responsible for the initial and on-going authentication and validation of Company’s Authorized Users and must maintain current information about each (phone number, valid email address, etc.).

  3. Is responsible for ensuring that proper privileges and permissions have been granted in alignment with Authorized User’s job responsibilities.

  4. Is responsible for ensuring that Company’s Authorized Users are authorized to access the ReaPage Party’s products and services.

  5. Must disable Authorized User ID if it becomes compromised or if the Authorized User’s employment is terminated by Company.

  6. Must immediately report any suspicious or questionable activity to the ReaPage Party regarding access to the ReaPage Party’s products and services.

  7. Shall immediately report changes in their Head Security Designate’s status (e.g. transfer or termination) to the ReaPage Party.

  8. Will provide first level support for inquiries about passwords/passphrases or IDs requested by your Authorized Users.

  9. Shall be available to interact with the ReaPage Party when needed on any system or user related matters.