The URL can be used to link to this page

Home My WebLink AboutP-21-501 ClearStar Inc. Amendment 1.pdf P-21-501 1 AMENDMENT NO. 1 TO SERVICE AGREEMENT 2 This Amendment No. 1 to Service Agreement ("Amendment No. 1") is dated November 3 14, 2023, and is between ClearStar, Inc. dba Employment Screening Resources, a Georgia 4 corporation ("Contractor"), and the County of Fresno, a political subdivision of the State of 5 California ("County"). 6 Recitals 7 A. On January 27, 2022, the County and the Contractor entered into an agreement for 8 employment screening services, which is County agreement number P-21-501 ("Agreement"). 9 B. The Agreement had an initial term of one (1) year, which may be extended for two (2) 10 additional one (1) year periods, upon the written approval of both parties. On January 26, 2023, 11 the Agreement expired. However, employment screening services are still needed and the 12 County will benefit from continuing the Agreement through this Amendment No. 1 allowing the 13 Agreement to remain in effect for an additional year. By way of this Amendment No. 1, the 14 County and Contractor now wish to and agree to extend the Agreement for the first additional 15 one (1) year period, to expire on January 26, 2024. 16 C. NOW, THEREFORE, for good and valuable consideration, the receipt and adequacy of 17 which is hereby acknowledged, County and Contractor agree as follows: 18 1. This Amendment No. 1 shall serve as a one-year extension of the Agreement through 19 January 26, 2024, in accordance with the Agreement. 20 2. County and Contractor agree to remove the existing Exhibit B —Terms of Service, and 21 replace it with a new Exhibit B — Terms of Service, attached to this Amendment No. 1 and 22 incorporated by this reference. 23 3. County and Contractor agree to the addition of Exhibit E —TU Access Security 24 Requirements, attached to this Amendment No. 1 and incorporated by this reference. 25 4. County and Contractor agree to replace the existing Exhibit D — EVS Terms and 26 Conditions, with Exhibit D attached to this Amendment No. 1 and is incorporated by this 27 reference. 28 1 P-21-501 1 5. County and Contractor agree to replace the existing Exhibit C — Pricing, with Exhibit C 2 attached to this Amendment No. 1 and is incorporated by this reference. 3 6. Section 16— ENTIRE AGREEMENT located on page 15, lines 8 through 11, is deleted 4 in their entirety and replaced with the following: 5 "This Agreement constitutes the entire Agreement between the Contractor and County with 6 respect to the subject matter hereof and supersedes all previous Agreement negotiations, 7 proposals, commitments, writings, advertisements, publications, and understandings of any 8 nature whatsoever unless expressly included in this Agreement. In the event of any 9 inconsistency in interpreting the documents which constitute this Agreement, the 10 inconsistency shall be resolved by giving precedence in the following order of priority: (1) the 11 text of this Amendment No. 1 (2) the Agreement (3) the Agreement including all exhibits (4) 12 all exhibits." 13 7. When both parties have signed this Amendment No. 1, the Agreement, and this 14 Amendment No. 1 together constitute the Agreement. 15 8. The Contractor represents and warrants to the County that: 16 a. The Contractor is duly authorized and empowered to sign and perform its obligations 17 under this Amendment No. 1. 18 b. The individual signing this Amendment No.1 on behalf of the Contractor is duly 19 authorized to do so and his or her signature on this Amendment No.1 legally binds 20 the Contractor to the terms of this Amendment No. 1. 21 9. The parties agree that this Amendment No. 1 may be executed by electronic signature 22 as provided in this section. 23 a. An "electronic signature" means any symbol or process intended by an individual 24 signing this Amendment No. 1 to represent their signature, including but not limited 25 to (1) a digital signature; (2) a faxed version of an original handwritten signature; or 26 (3) an electronically scanned and transmitted (for example by PDF document) 27 version of an original handwritten signature. 28 2 P-21-501 1 b. Each electronic signature affixed or attached to this Amendment No. 1 (1) is deemed 2 equivalent to a valid original handwritten signature of the person signing this 3 Amendment No. 1 for all purposes, including but not limited to evidentiary proof in 4 any administrative or judicial proceeding, and (2) has the same force and effect as 5 the valid original handwritten signature of that person. 6 c. The provisions of this section satisfy the requirements of Civil Code section 1633.5, 7 subdivision (b), in the Uniform Electronic Transaction Act (Civil Code, Division 3, Part 8 2, Title 2.5, beginning with section 1633.1). 9 d. Each party using a digital signature represents that it has undertaken and satisfied 10 the requirements of Government Code section 16.5, subdivision (a), paragraphs (1) 11 through (5), and agrees that each other party may rely upon that representation. 12 e. This Amendment No. 1 is not conditioned upon the parties conducting the 13 transactions under it by electronic means and either party may sign this Amendment 14 No.1 with an original handwritten signature. 15 10. This Amendment No. 1 may be signed in counterparts, each of which is an original, and 16 all of which together constitute this Amendment No. 1. 17 11. The Agreement as amended by this Amendment No. 1 is ratified and continued. All 18 provisions of the Agreement and not amended by this Amendment No. 1 remain in full force and 19 effect. 20 [SIGNATURE PAGE FOLLOWS] 21 22 23 24 25 26 27 28 3 P-21-501 1 The parties are signing this Amendment No. 1 on the date stated in the introductory 2 clause. 3 ClearStar, Inc COUNTY OF FRESNO 4 5 6 Nicolas Dufour, EV General Counsel Manuel Vilanova, Deputy Director 7 6250 Shiloh Rd, Suite 300 Alpharetta, GA 30005 8 For accounting use only: 9 Org No.: 10100400 10 Account No.: 7295 Fund No.: 0001 11 Subclass No.: 1000 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4 P-21-501 Exhibit B Terms of Service This Terms of Service ("TOS"),which is effective upon mutual execution by the Parties, is by and between ClearStar, Inc., D/B/A Employment Screening Resources ("CONTRACTOR") a Georgia Corporation and, Name of Entity: County of Fresno Type of Entity: Government Agency Organized under the laws of: California hereinafter("COUNTY"). CONTRACTOR and COUNTY may also be referred to individually as a ("Party") or collectively as the ("Parties"). 1.Contractor Description of Services. A. Where a permissible purpose exists under applicable law,upon request,CONTRACTOR will provide COUNTY with Consumer Reports, Investigative Consumer Reports, and/or Consumer Credit Reports (individually "Report", and collectively"Reports"), as those terms are defined in the Fair Credit Reporting Act ("FCRA"), and as may be further defined in applicable state statutes. B. For Services that are ordered Fully Utilizing (as that term is defined below) CONTRACTOR's automated applicant facing screening processes, CONTRACTOR will provide COUNTY with the service of administrative fulfillment of COUNTY's obligations to provide the subject of a Report(the "Consumer") required notices and disclosures and to obtain the Consumer's prior written authorization. Where instructed to do so by COUNTY, CONTRACTOR will also process adverse action notices and related documents in the administrative fulfillment of COUNTY'S obligations to provide such documents to the consumer.The fulfillment of the above will be undertaken so as to meet the certifications COUNTY makes in the following sections of the TOS: 1. COUNTY's FCRA procurement and use obligations found in Section 4.13. numbers 3,4,and 5;and 2. COUNTY's California Investigative Consumer Report procurement and use obligations found in Section 4.C.1. letters b, c, d and e, and Sections 4.C.2. and 4.C.3. C. Where COUNTY places orders not Fully Utilizing CONTRACTOR's automated applicant facing screening processes,the obligations referred to in Sections 1.13.1 and 1.13.2 are solely borne by COUNTY without any administrative involvement by CONTRACTOR. D. "Fully Utilizing" shall mean COUNTY's use of CONTRACTOR's applicant invite system that brings applicants online to receive disclosures, provide consent, enter demographic data, and where it is applicable, use of CONTRACTOR's automated online adverse action system. 2. Performance CONTRACTOR will use its best efforts to provide timely reporting of available information in a manner consistent with generally accepted standards of business practices in its industry—typically within one (1)to three (3) business days. However, COUNTY hereby acknowledges that from time to time, Reports may be delayed due to circumstances beyond the control of CONTRACTOR. CONTRACTOR is not responsible for delays or failures in performance resulting from acts beyond its control. Such acts shall include, but shall not be limited to, Acts of God, strikes, lock-outs, riots, governmental regulations including those superimposed after the fact, fire, system failures, disruption In communications, earthquakes, and/or other disasters. P-21-501 3.Termination If COUNTY receives a notice of termination from CONTRACTOR due to the nonpayment for Services rendered, COUNTY will have fifteen (15) days to cure the nonpayment and return the account to normal status. If COUNTY fails to uphold its legal obligations under Section 4 of the TOS, CONTRACTOR may, at its sole discretion, discontinue providing Services until COUNTY corrects any failure(s) brought to its attention or cancel the TOS immediately upon written notice to COUNTY. 4. Pricing and Billing A.Current Prices and/or Contract Pricing do not include third-party access or processing fees that may be incurred by CONTRACTOR in connection with the Services rendered.These fees include but are not limited to; state criminal record access fees; motor vehicle record access fees; county criminal record court fees; access fees charged by licensing authorities to verify licenses or credentials; third-party employment history services; third-party education history services; drug screening and occupational health collection and testing fees; and international in-country acquisition fees ("Third-Party Fees").Such fees are set by third parties and are subject to modification by the source without prior notice to CONTRACTOR. Third Party Fees are passed through to County without markup or handling charges of any kind. B. If County cancels an order before its completion, County is responsible for and will be charged for any services performed or fees that have been incurred by CONTRACTOR to the point of cancelation. 5.Certifications and Acknowledgments The following certifications and service-related acknowledgments are required before Services can be rendered. A. CONTRACTOR hereby certifies that: 1. It is a consumer reporting agency ("CRA") as defined in the FCRA, 15 U.S.C. §1681 et. seq., as amended, that Reports are prepared in accordance with applicable sections of the FCRA, the Consumer Reporting Employment Clarification Act of 1998 and the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act") (Public Law 108-159), Section 506 of the Gramm-Leach- Bliley Act (Public Law 106-102), Drivers Privacy Protection Act. 18 USC § 2721 et. seq, ("DPPA"), as well as all other applicable laws; 2. It complies with all applicable provisions of the FCRA, and all applicable state and local laws; and 3. It takes appropriate measures to protect the privacy and confidentiality of all personally identifiable and other confidential Consumer information, including appropriate security measures to protect information in all CONTRACTOR systems. 4. It retains authorizations, disclosures, Consumer Reports, and re-investigation files on U.S. residents for a period of five (5) years from the time of the report. B. Each time a Report is requested, COUNTY hereby certifies, acknowledges and agrees as follows: 1. Reports will be ordered and utilized only for the following permissible purpose under the FCRA: "Employment Purposes" as that term is defined in the FCRA. See 15 U.S.0 § 1681b(a)(3)(B), including evaluating a Consumer for employment, promotion, reassignment, or retention as an employee; and/or work to be performed under contract; and/or working in volunteer positions, P-21-501 where in each case the Consumer has given prior written permission. COUNTY will not order a Report for any other purpose. 2. COUNTY will not use information from any Report in violation of any applicable federal or state equal employment opportunity law, or regulation. COUNTY further agrees to comply with applicable state and federal laws and regulations currently in place, as well as any updates, additions to or replacements of those laws and regulations, specifically including the requirements of the FCRA. 3. Before making any request for a Report from CONTRACTOR, COUNTY will obtain written permission from the Consumer authorizing procurement of the Report, and will maintain such permission on file for a minimum of six(6)years. 4. Where COUNTY orders "Consumer Reports," COUNTY certifies that before making any request for a Consumer Report from CONTRACTOR, a clear and conspicuous disclosure, in a document consisting solely of the disclosure, has been made in writing to the Consumer explaining that a Consumer Report may be obtained for employment purposes, as outlined in 15 U.S.C. § 1681b. 5. Where COUNTY orders "Investigative Consumer Reports" from CONTRACTOR, COUNTY certifies that it shall comply with additional requirements pertaining to Investigative Consumer Reports, as outlined in 15 U.S.C. § 1681d. Among other things, COUNTY shall clearly and accurately disclose to the Consumer that an Investigative Consumer Report, including information as to his/her character,general reputation, personal characteristics,and mode of living,whichever are applicable, may be obtained. The disclosure shall be made in writing and mailed or otherwise delivered to the Consumer not later than three (3)days after the date on which the Investigative Consumer Report was first requested and will include a summary of the Consumer's rights provided for under 15 U.S.C. §1681g(c). The disclosure shall also include a statement informing the Consumer of his/her right to submit a written request for additional information, under 15 U.S.C. § 1681d(b), within a reasonable period of time after the receipt by him/her of the foregoing disclosure. Upon receipt of such request, COUNTY shall disclose in writing to the Consumer the nature and scope of the investigation,which shall be complete and accurate.The disclosure must be mailed or otherwise delivered to the Consumer not later than five (5) days after the date on which the request for additional disclosure was received from the Consumer or the date the COUNTY first requested the report, whichever is later. 6. COUNTY will comply with its legal responsibilities under the FCRA, requiring an end-user to provide the Consumer with adverse action notices where information in a Consumer Report, in whole or in part, results in a determination by the end-user that they intend to take an adverse action, such as not hiring, retaining, reassigning or promoting the Consumer. The currently required notices that must be provided before adverse action is taken must include: a. providing preliminary adverse action notice to the Consumer, along with a copy of the Report and A Summary of Your Rights under the Fair Credit Reporting Act prepared by the Consumer Financial Protection Bureau ("CFPB") and made part of every CONTRACTOR Report, b. allowing the Consumer a reasonable period of time to consider the information in the Report and to contact COUNTY or CONTRACTOR if the Consumer wishes to provide any other information the Consumer would like to have considered, C. providing CONTRACTOR's contact details which are contained in the Report, and P-21-501 d. after waiting the appropriate waiting period, providing a final adverse action notice to the Consumer if a final adverse decision is made pursuant to FCRA section 615, 15 U.S.C. 1681m. 7. COUNTY agrees that if it functions as a recruiter or staffing company placing temporary or permanent workers, or a company that places individuals to work under contract, COUNTY is responsible for complying with FCRA adverse action notices, whether or not the COUNTY's customer provides COUNTY with background check standards, and whether or not COUNTY's customer sees the Report. 8. COUNTY will review and maintain on file copies of two (2) documents prepared by the CFPB and provided by CONTRACTOR on its website at www.CONTRACTORcheck.com. These are: 'Notices to Users of Consumer Reports: Obligations of Users under the FCRA' located at http://www.Contractorcheck.com/file/CONTRACTOR_N EW-CFPB_Notice-to-Users-of- ConsumerReports-Obligations-of-Users-Under-the-FCRA.pdf and 'A Summary of Your Rights Under the FCRA' (intended for the subject of the Report) at http://www.Contractorcheck.com/file/cfpb_consumer-rights-summary_2018-09.pdf 9. COUNTY acknowledges any person who knowingly and willfully obtains information on a Consumer from a CRA under false pretenses shall be fined under Title 18 or imprisoned not more than two (2)years, or both. 10. Criminal and Public Records: COUNTY acknowledges that court record searches are undertaken only in jurisdictions where the subject has had a physical presence over the last seven (7)years, or other agreed upon timeframe: (1) as provided by the COUNTY, (2) as provided by the Consumer, (3) and/or as developed in a Social Security number trace ("Identified Jurisdiction(s)"). Apart from the identified jurisdictions, CONTRACTOR does not independently investigate whether other jurisdictions may be appropriate to search and CONTRACTOR does not conduct court record searches in any jurisdiction outside of those described above. CONTRACTOR uses the provided name and demographics to search central courthouse records in each Identified Jurisdiction for felony and available misdemeanor records in accordance with applicable court rules, federal and/or state laws. CONTRACTOR does not conduct searches at municipal, justice or city courts. Non-criminal court records may also be found in Reports. Reportability, in all cases, is determined by CONTRACTOR in its sole discretion. 11. Credit Reports a. Prior to Access: COUNTY acknowledges that it is a credit bureau contractual prerequisite that an on-site inspection is made to confirm that COUNTY is an established business with a legitimate need for access to Employment Purpose Consumer Credit Reports and that an inspection fee may apply. b. State and Local Laws: COUNTY understands that multiple states and localities restrict the use of credit reports for public and/or private sector employers unless they have a specific permissible purpose allowed for under applicable law. COUNTY understands that such restrictions exist and agrees to comply with and monitor all such credit check laws, as appropriate. COUNTY shall only order credit reports from CONTRACTOR if it has a permissible purpose under not just federal law but state and local law as well. C. Trans Union Credit Reporting Requirements P-21-501 If credit reports are ordered, COUNTY agrees to accept Trans Union credit reporting requirements as outlined in Exhibit E — TU Access Security Requirements, which is attached to Amendment No. 1 to the Agreement and is incorporated by this reference. 12. When placing an order for a Report from Employment Screening Resources through an integration with a third-party online platform, COUNTY leverages CONTRACTOR's integration technology to submit the certification shown below simultaneously with each individual order and directs CONTRACTOR not to begin processing until a copy of the certification is attached to the order record: By placing an order for a Consumer Report and/or an Investigative Consumer Report from Employment Screening Resources, you certify that you have complied with the FCRA and all applicable law, including as follows: 1. You are requesting the report for an employment purpose as defined in the Fair Credit Reporting Act. The Consumer has received a clear and conspicuous disclosure in a document that consists solely of the disclosure stating that a Consumer Report may be obtained for employment purposes. The Consumer has authorized in writing the procurement of the Consumer Report that is being ordered. 2. The consumer has received a written disclosure that an Investigative Consumer Report about him or her may be obtained. The disclosure further stated that an Investigative Consumer Report will have information bearing on the consumer's character, general reputation, personal characteristics, and mode of living, whichever are applicable. The disclosure also stated that the consumer has a right to request additional disclosures as to the nature and scope of the investigation and that the consumer can exercise this right by making a written request to End-User within a reasonable period of time after the receipt of the disclosure. End-User has provided the consumer an up-to-date copy of the federal notice entitled "A Summary of Your Rights under the Fair Credit Reporting Act." If a consumer requests information as to the nature and scope of Employment Screening Resources'investigation,End-User will comply with the requirements set forth in Section 1681 d of the Fair Credit Reporting Act. 3. In using a Consumer Report or an Investigative Consumer Report for employment purposes, End-User certifies that information from the report(s)to be provided by Employment Screening Resources will not be used in violation of any applicable Federal or State equal employment opportunity law or regulation, or any other applicable law. 4. Where the consumer will be employed in a jurisdiction that requires a conditional offer of employment, a conditional offer was made prior to initiating this background check request. 5. Before taking any adverse action based in whole or in part on the Consumer Report, EndUser will provide to the consumer to whom the Consumer Report relates or authorize Employment Screening Resources on End-User's behalf to provide to the consumer to whom the Consumer Report relates:(a)a copy of the Consumer Report;(b)a copy of the "Summary of Rights Under the Fair Credit Reporting Act" and any applicable state or local summary of rights; (c) a reasonable opportunity of time to correct any erroneous information contained in the Consumer Report (and provide Employment Screening Resources' name and contact information); and if the consumer is ultimately P-21-501 disqualified, (d) provide an adverse action letter, including the statutorily required notices identified in 15 U.S.C. ,§ 1681m and applicable state and local law. 13. Verifications: a. COUNTY acknowledges that domestic verifications including but not limited to education, employment, licensure and certification are undertaken at the primary source or designated third-party record keeper(s) and that unless otherwise provided for, four (4) confirmation attempts will be made during the normal business hours of the verifying party over four (4) business days. Any verification not completed within that timeframe will be closed and reported as not performable. b. COUNTY acknowledges that international verifications are subject to time, process, and language differences that may result in widely varying turn-around times. Where a delay is encountered due to additional information being required from the subject, CONTRACTOR will make those information requests through the CONTRACTOR Applicant Portal. CONTRACTOR and COUNTY will agree upon COUNTY specific process and time period for closing international verifications. Any verification not completed within the agreed-upon time frame will be closed and reported as not performable. C. TALX Corporation ("TALX"): TALX is the provider of Equifax Verification Solutions employment information ("EVS") for employers who outsource their employment verifications function to TALX.Where TALX EVS is received is used in the preparation of County's Reports its use by County is subject to the following conditions. If products and services provided to Client include The Work Number reports from TALX Corporation,a provider of EVS,COUNTY will comply with EVS requirements as identified in a new Exhibit D—EVS Terms and Conditions, which is attached to Amendment No. 1 to the Agreement and is incorporated by this reference. d. County will hold TALX and all its agents harmless on account of any expense or damage arising or resulting from the publishing or other disclosure of EVS information by County, its employees or agents. e. County will hold TALX and all its agents harmless on account of any expense or damage arising or resulting from the publishing or other disclosure of EVS information by County, its employees or agents outside of Employment Purposes as defined in 5.13.1 of this Agreement. f. County recognizes that TALX does not guarantee the accuracy or completeness of EVS information and County releases TALX and TALX's agents, employees, affiliated credit reporting agencies and independent contractors from any liability,including negligence, in connection with the provision of EVS information and from any loss or expense suffered by County resulting directly or indirectly from use of EVS information. County covenants not to sue or maintain any claim, cause of action, demand, cross-action, counterclaim,third-party action or other form of pleading against TALX,TALX's agents, employees, affiliated credit reporting agencies, or independent contractors arising out of or relating in any way to the accuracy, validity, or completeness of any EVS information. g. TALX may periodically conduct audits of County regarding its compliance with the FCRA and other certifications in this Agreement.Audits will be conducted by email whenever P-21-501 possible and will require County to provide documentation as to permissible use of particular EVS information. 14. COUNTY Accounts The CONTRACTOR system supports both Primary Accounts and subsidiary accounts ("Sub- Account(s)") (collectively "Account(s)"). By entering into this TOS, COUNTY will be issued a single Primary Account for its use to obtain Services, and where COUNTY has entered into the appropriate addendum to the TOS, one or more Sub-Accounts as follows: a. Sub-Accounts can be created under the following circumstances. i. Organizational Requirements: COUNTY has organizational requirements that are best accommodated by CONTRACTOR creating one or more SubAccounts under COUNTY's Primary Account. ii. Internal Use: Where COUNTY wants to separate orders and results by region,division,district, location, billing code,and/or other similar groupings, CONTRACTOR will, upon request, provide COUNTY with Sub-Account(s) that support those requirements. 1. Those having access to either the COUNTY's Primary or internal SubAccounts must be employees of the COUNTY and/or individuals or entities under written contract with COUNTY to provide outsourced human resources management service(s) ("Authorized Agent(s)"). Authorized Agents must be disclosed to CONTRACTOR by COUNTY and must be vetted by CONTRACTOR before they are provided access to COUNTY's Accounts. iii. Related Entities: COUNTY may have one or more related entities that (a) may be wholly owned by COUNTY, (b) where COUNTY holds majority control or (c) where COUNTY has executive authority over the related entity ("Controlled Entity)"). Upon COUNTY's request, a Controlled Entity may be provided with Services through a dedicated Sub-Account created for this purpose. 1. Each Controlled Entity must be disclosed to CONTRACTOR by COUNTY documenting the means of control and must be vetted by CONTRACTOR before a Sub-Account is created for their use. 2. COUNTY is responsible for providing written notice to the Controlled Entity Sub-Account users of the end-user legal obligations found in Section 5.13 of the TOS,along with copies of the documents referenced therein. iv. Unrelated Entitles: Where COUNTY has a written contract with one or more entities that COUNTY does not own or control ("Unrelated Entity") SubAccounts can be created as follows: 1. Where COUNTY is engaged in recruiting, staffing or contracted services ("Staffing Firm") and either (a) places Consumers to perform contracted services, or(b)where COUNTY is pursuing the Consumer's permanent or temporary placement with an Unrelated Entity ("Provided Worker(s)") a Sub-Account may be created for that purpose.The Unrelated Entity will not have access to the Sub-Account P-21-501 but may receive a copy of a Provided Worker's Report as is provided for in the Authorization and Consent to Background Investigation signed by the Consumer. 2. Where COUNTY provides business management services under contract with an Unrelated Entity, a Sub-Account may be created for that purpose where both COUNTY and the Unrelated Entity may procure and view completed Reports. Prior to access being granted, each COUNTYmanaged Unrelated Entity must enter into an End-User Services Agreement with CONTRACTOR. b. Compliance Where a Staffing Firm procures Consumer Reports from CONTRACTOR and places Provided Workers, the Staffing Firm will be responsible for the End-User obligations found in Section 5.13.5 of this Agreement. In all other cases, the employer of record that procures Reports will be responsible for those obligations. c. Billing Where COUNTY wants CONTRACTOR to directly bill a Controlled or Unrelated Entity with direct Account access for Services rendered under those Accounts, COUNTY will become responsible for and will make payment to CONTRACTOR for all amounts due, once such account becomes sixty (60) days in arrears. 15. SSN Trace COUNTY acknowledges that SSN Trace results are not part of the Consumer Reports procured under this TOS, and certifies it will not use trace results as the basis for any employment decisions or for taking any adverse action.The SSN Trace service associates a given name and SSN number against databases assembled from private-sector sources,and serves primarily as a locator tool to establish likely jurisdictions to search for public records. The inclusion of information from the SSN Trace is only provided to confirm that the service was performed. C. Special Requirements for Employers Who Perform Background Checks in California: As COUNTY is located in the State of California, if COUNTY's request for and/or use of Reports pertains to a California resident or worker, COUNTY certifies as follows: 1. Before procuring or causing an Investigative Consumer Report to be made,that all of the following apply: a. That COUNTY's permissible purpose for obtaining such an Investigative Consumer Report is an Employment Purpose, as defined in Section 5.13.1 of this TOS. If there is a change in purpose, COUNTY must notify CONTRACTOR prior to obtaining any Investigative Consumer Report based on those changed permissible purposes. b. That COUNTY has provided the Consumer with a clear and conspicuous disclosure in writing at any time before the report is procured or caused to be procured in a document that consists solely of the disclosure that: i. An Investigative Consumer Report may be obtained, ii. The permissible purpose is identified, iii. The Investigative Consumer Report may include information on the Consumer's character, general reputation, personal characteristics and mode of living, P-21-501 iv. Identifies the name, address and telephone number and website of the agency conducting the investigation, and v. Notifies the Consumer of the nature and scope of the investigation requested, including a summary of the provisions of Civil Code section 1786.22, relating to a Consumer's rights to review their files. c. That the Consumer has authorized the procurement of the report in writing. d. COUNTY has provided a check-off box on appropriate paperwork so that the Consumer may request a copy of any report that is ordered. e. Upon request of the Consumer, COUNTY will provide them with a copy of their Investigative Consumer Report, either directly,or through a contract with another party. If such a request has been made by a Consumer, COUNTY will send a copy of the Investigative Consumer Report to the Consumer within three (3) business days of the date that the Investigative Consumer Report is provided to COUNTY. 2. COUNTY will provide a check-off box on the disclosure or a separate consent form so that the Consumer may request a copy of the Investigative Consumer Report,and will provide a copy of such report if so requested (directly or through a contract with another party). COUNTY will send a copy of the Investigative Consumer Report to the Consumer within three (3) business days of the date that the Investigative Consumer Report is provided to COUNTY. 3. In the event COUNTY takes an adverse action under circumstances in which a Report regarding the Consumer was obtained, COUNTY shall so advise the Consumer, supply the name and address of the CRA, and provide the Consumer a written notice of rights under California law. D. Special Circumstances and Limitations for Employers Who Perform International Background Checks Where Report subjects reside outside of the United States, CONTRACTOR warrants that information obtained and used in the preparation of Reports is obtained legally from authorized sources in accordance with prevailing data protection and data transfer laws, and that CONTRACTOR will provide the subject and/or any authorized information source with all notice,disclosure,or consent documents that are legally required in the subject's country of residence, in connection with obtaining the information not employment law in general. Where County orders Reports on subjects that are not United States residents that will be employed in a facility outside of the United States, CONTRACTOR is not responsible for any international County obligations related to obtaining and using Reports for employment purposes including but not limited to where County sought or obtained a Report related to a person who was not a legally permissible subject of the Report; or where a decision by County not to hire, or other employment decision based on a Report, was unlawful or failed to follow legally required processes including any required notice, disclosure, or consent related to the employment decision. E. Additional Requirements for Motor Vehicle Records (MVRs) and Driving Records COUNTY hereby certifies that Motor Vehicle Records and/or Driving Records(MVRs)shall only be ordered in compliance with the Driver Privacy Protection Act ("DPPA" at 18 U.S.C. § 2721 et seq.) and any applicable laws. COUNTY further certifies that no MVRs shall be ordered without first obtaining the written consent of the Consumer to obtain "driving records," evidence of which shall be transmitted to CONTRACTOR in the form of the Consumer's signed release authorization form. COUNTY also certifies that it will use this information only in the normal course of business to obtain lawful information relating to the holder of a commercial driver's license or to verify information provided by an applicant or employee. P-21-501 COUNTY shall not transmit any data contained in the resulting MVR via the public internet, electronic mail, or any other unsecured means. F. COUNTY acknowledges and agrees to the following provisions regarding the preparation and use of Reports: 1. CONTRACTOR does not render any opinions as to whether a person should be employed.COUNTY is the sole decision-maker concerning fitness and eligibility for employment. 2. CONTRACTOR retrieves records based on identifying information provided by COUNTY and/or the Consumer, and does not independently verify the identifying information submitted to CONTRACTOR is actually true and correct. In other words, CONTRACTOR is not in the business of "verifying the Consumer's true identity." 3. Although CONTRACTOR takes steps to ensure all of its procedures are in compliance with federal state laws, rules and regulations, and although CONTRACTOR will from time to time consult with COUNTY on industry best practices, CONTRACTOR does not offer or provide legal advice to its clients and does not function as legal counsel. COUNTY understands that it is fully responsible for all aspects of its own legal compliance and that it has not ultimately relied on CONTRACTOR for any legal or compliance advice. 4. COUNTY acknowledges that information divulged by the Consumer to CONTRACTOR may not result in specific inquiries being undertaken absent COUNTY's preexisting instructions on how to proceed in these cases. In addition, even where CONTRACTOR acts upon such instructions and specific inquiries are made,the results may not be reportable due to legal restrictions on reporting adverse information. 5. Reports provided by CONTRACTOR to COUNTY are considered confidential by law. Upon receipt, COUNTY shall treat all Reports, and any other documentation received from CONTRACTOR, in strict confidence, and shall not reveal or make such information accessible in any manner, whatsoever, to any third-party except as otherwise permitted by law or with the Consumer's written consent. Such information shall be maintained in a confidential manner to which access is restricted. Only those employees of COUNTY with a legitimate need to view and evaluate the Report shall have access to it.COUNTY shall supply to CONTRACTOR the name and phone number of a contact person or persons with whom CONTRACTOR may discuss the contents of Reports furnished to COUNTY. COUNTY shall dispose of Reports and any other documents containing personally identifiable information received from CONTRACTOR in accordance with the FTC Rule on disposal. https://www.ftc.gov/tipsadvice/business-center/guidance/disposing-consumer- report-information-rule-tells-how 6. COUNTY acknowledges that CONTRACTOR is legally required to identify and vet its End-Users before Reports are procured and that any of the status changes found in this paragraph will require CONTRACTOR to re-identify and re-vet the changed entity. Therefore, COUNTY shall immediately notify CONTRACTOR in any of the following events: change in ownership of COUNTY of over fifty percent (50%), a merger, or a change in name or change in the nature of COUNTY's business that in any way affects COUNTY's rights to request Reports. G. CONTRACTOR Access Security Requirements. CONTRACTOR recognizes its obligation to support and implement policies that protect the confidential nature of the information in our database and assure respect for Consumers' rights to privacy. Only companies who are approved members of our service and have a permissible purpose for obtaining Reports are permitted access to the CONTRACTOR system and its underlying information. P-21-501 It is a requirement that all CONTRACTOR clients take precautions to secure any system or device used to access CONTRACTOR's Reports from unauthorized access.To that end, the following requirements have been established for the protection of everyone, including COUNTY and Consumers: 1. CONTRACTOR usernames and passwords must be protected in such a way that this sensitive information is known only to key personnel. Under no circumstances shall unauthorized persons have knowledge of CONTRACTOR usernames and passwords.The information shall not be posted in any manner within COUNTY's facility. 2. It is COUNTY's responsibility to protect usernames and passwords to the CONTRACTOR website or online system, and COUNTY shall take reasonable measures to prevent the unauthorized use or breach of data,sharing or display of any CONTRACTOR passwords,and will notify CONTRACTOR immediately if unauthorized use is discovered, or if an employee is no longer authorized to utilize a CONTRACTOR supplied password. 3. CONTRACTOR usernames and passwords shall not be released bytelephone to an unknown caller, even if the caller claims to be a CONTRACTOR employee. CONTRACTOR will never call COUNTY and ask for its password. 4. If applicable, any system access software COUNTY may use, whether developed by COUNTY or purchased from a third-party vendor, must have CONTRACTOR usernames and passwords hidden or embedded so that the password is known only to the person to whom it was issued and authorized supervisory personnel. Each user of COUNTY's system access software must then be assigned unique login passwords. 5. COUNTY will maintain a commercially adequate firewall and anti-virus protection at all times. 6. Any terminal devices or computers used to obtain Reports from CONTRACTOR shall be placed in a secure location within COUNTY's facility where they cannot be viewed by unauthorized persons. access to the devices shall be restricted from unauthorized persons using customary information security standards. 7. Each person requesting Reports must log in only under their own username and password, so CONTRACTOR knows who requested each report. 8. Any devices/systems used to obtain Reports should be turned off and locked after regular business hours, when unattended by COUNTY's key personnel. 9. Hardcopy Reports shall be secured within COUNTY's facility and protected against release or disclosure to unauthorized persons. 10. COUNTY will dispose of Reports in hardcopy or electronic form in a manner rendering information inaccessible, unreadable, and unrecoverable per current regulations of the FTC. The following methods of destruction are permitted: 1) burning, pulverizing, or shredding, 2) destroying or erasing or overwriting electronic files so they cannot be read or restored, and/or 3) after conducting due diligence, hiring a document destruction company. Further information about the requirements for proper disposal of Reports and related information is available online at www.ftc.gov. 11. COUNTY certifies that it shall implement and maintain a comprehensive information security program written in one or more readily accessible parts, and that contains administrative, technical, and physical safeguards that are appropriate to COUNTY's size and complexity, the nature and scope of its activities, and the sensitivity of the information provided to the COUNTY P-21-501 by CONTRACTOR,and that such safeguards shall be reasonably designed to(i) ensure the security and confidentiality of the information and Services provided by CONTRACTOR, (ii) protect against any anticipated threats or hazards to the security or integrity of such information,and (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. H. COUNTY certifies that each time it orders a Report, it is reaffirming the above Certifications and Acknowledgements. 7.Assignment. County may not assign any of its rights or delegate any of its obligations under this Agreement without the prior written consent of CONTRACTOR; provided, however, that County may assign its rights or delegate its duties without the prior written consent of CONTRACTOR if such assignment or delegation is to: (i) an affiliate of County; (ii) a successor of County by consolidation, merger or operation of law; or (iii) a purchaser of all or substantially all of the assigning or delegating County's assets. Any purported assignment or delegation in violation of this Section 8 is void. P-21-501 Exhibit CLEARST R Package Price Schedule: Employment Verification $8.81 Education Verification $8.81 Employment Credit Report $9.91 Professional Reference $11.02 Trace for Streamline $0.00 National Federal Court Criminal Record $23.96 WebCCF - 7 Panel Urinalysis $38.56 Personal Reference $11.02 National Federal District Court Civil Record $16.52 Streamline National Criminal - All Names $5.51 CBSV - Consent Based Social Security $8.81 Bankruptcy, Liens & Judgements Search $7.71 County Court Criminal Record Check $5.51 County Civil Court Record Search - WC $13.22 Driving Record Check $3.30 Statewide Criminal Record Checks $11.02 Validation - Statewide Repository $0.00 Validation - County Court Criminal $0.00 Package Services Pkg Service No Service Description Charge SLRT 12958 ESR BNDL 1283 $31 90 Pkg Components: Service No Service Description Charge Limit Exceeded Chg SLRT_00010 County Court Criminal Record Check $0.00 0 $0.00 SLRT_00016 Employment Verification $0.00 1 $8.81 SLRT 00017 Education Verification $8.81 1 $8 81 SLRT 00075 National Federal Court Criminal Record Che $0.00 0 $0.00 SLRT 11467 Streamline National Criminal All Names $5-51 1 $5 51 Pkg Service No Service Description Charge SLRT_13455 ESR BNDL 2462 $31.90 Pkg Components: Service No Service Description Charge Limit Exceeded Chg SLRT_00010 County Court Criminal Record Check $0.00 0 $0.00 SLRT_00015 Driving Record Check $3.30 1 $3.30 SLRT_00016 Employment Verification $0.00 1 $8.81 SLRT 00017 Education Verification $8.81 1 $8.81 - SLRT_00021 Employment Credit Report $9.91 $9.91 SLRT 00075 National Federal Court Criminal Record Che $0.00 0 $0.00 - SLRT_11467 Streamline National Criminal All Names is $5.51 MEL. $5.51 Page 1 Copyright 2023 C1earStar,Inc. Unless otherwise noted,prices quoted do not include any applicable access fees charged by courts,law enforcement agencies,state departments of motor vehicles, schools,employers,third-parry collection sites,or other information sources. Client is responsible for any and all applicable access fees. All pricing,access fees, service offerings,service availability and service descriptions are subject to change without prior notice. Prior notice will be provided whenever feasible. Federal, state and local laws may restrict your use of the information provided. Federal,state and local laws may also restrict our reporting of certain information,including limitations on the type of information and age of information reported. P-21-501 Exhibit CLEARST R Pkg Service No Service Description Charge SLRT 14091 ESR BNDL 1571 $31.90 Pkg Components: Service No Service Description Charge Limit Exceeded Chg SLRT_00010 County Court Criminal Record Check $0.00 0 $0.00 SLRT_00015 Driving Record Check $3.30 1 $3.30 SLRT_00016 Employment Verification $0.00 1 $8.81 SLRT 00017 Education Verification $8.81 1 $8.81 SLRT_00021 Employment Credit Report $9.91 1 $9.91 SLRT 00037 Professional Reference $11.02 1 $11.02 SLRT 00075 National Federal Court Criminal Record Che $0.00 0 $0.00 SLRT_10023 Personal Reference $11.02 1 $11.02 SLRT 11467 Streamline National Criminal All Names $5.51 1 $5.51 Pkg Service No Service Description Charge SLRT 14092 ESR BNDL 1180 $0.00 Pkg Components: Service No Service Description Charge Limit Exceeded Chg SLRT_00010 County Court Criminal Record Check $0.00 0 $0.00 SLRT_00011 County Civil Court Record Search-1N1C $13.22 1 $'13.22 SLRT_00015 Driving Record Check $3.30 1 $3.30 SLRT 00017 Education Verification $8.81 1 $8.81 SLRT_00021 Employment Credit Report $9.91 1 $9.91 SLRT 00037 Professional Reference $11.02 1 $11.02 SLRT 00056 Trace for Streamline $0.00 1 $0.00 SLRT_10023 Personal Reference $11.02 1 $11.02 SLRT_11723 CBSV-Consent Based Social Security Num $8.81 1 $8.81 SLRT_12417 Bankruptcy,Liens&Judgments Search $7.71 1 $7.71 Pkg Service No Service Description Charge SLRT 14093 ESR BNDL 0626 $31.90 SLRT_00010 County Court Criminal Record Check $0.00 0 $0.00 SLRT_00011 County Civil Court Record Search-1 N IC $13.22 1 $13.22 SLRT_00021 Employment Credit Report $9.91 1 $9.91 SLRT 00056 Trace for Streamline $0.00 1 $0.00 SLRT 00075 National Federal Court Criminal Record Che $0.00 0 $0.00 Pkg Service No Service Description Pre-Selected 1 Visible Charge SLRT_14094 ESR BNDL 2884 WY y $31.90 Pkg Components: Service No Service Description Charge Limit Exceeded Chg SLRT_00010 County Court Criminal Record Check $0.00 0 $0.00 SLRT_00011 County Civil Court Record Search-1N1C $13.22 1 $13.22 SLRT_00021 Employment Credit Report $9.91 1 $9.91 SLRT 00056 Trace for Streamline $0.00 1 $0.00 SLRT_00075 National Federal Court Criminal Record Che $0.00 0 $0.00 - SLRT_12417 Bankruptcy,Liens&Judgments Search $7.71 1 $7.71 Page 2 Copyright 2023 C1earStar,Inc. Unless otherwise noted,prices quoted do not include any applicable access fees charged by courts,law enforcement agencies,state departments of motor vehicles, schools,employers,third-parry collection sites,or other information sources. Client is responsible for any and all applicable access fees. All pricing,access fees, service offerings,service availability and service descriptions are subject to change without prior notice. Prior notice will be provided whenever feasible. Federal, state and local laws may restrict your use of the information provided. Federal,state and local laws may also restrict our reporting of certain information,including limitations on the type of information and age of information reported. P-21-501 Exhibit C CLEAR Surcharges incurred by ClearStar in data collection are passed onto client at cost and are not included in the pricing schedule above. This pricing offer is valid for 30 days from the date of this proposal. ASSUMPTIONS: • When the results of the National Criminal Database Check reflect a record or flag,the result must be verified at the source. ClearStar estimates this could occur in approximately 14%of National Criminal Database searches. The demographic profile of your company's applicants/employees might be different than the national average and result in a different record rate. Your company should be prepared to have a County Criminal search added to a background screen when the National Criminal search returns a record and when, if a County Criminal, State Criminal and/or National Federal Criminal was already in the package,the record returned from the National Criminal search is in a different county than covered by the County Criminal, State Criminal and/or National Federal search was selected for. The charge for this verification is additional and not included in any package pricing. • Assume 7-year history on criminal records unless source provides more or less as a standard. • Compliance Best Practices for requesting All Names All Statewide Level searches or All Names All County Level searches—ClearStar will order the statewide search where available and will only order the counties in jurisdictions where there is no statewide available. For example, for a GA resident, they want the GCIC and all the GA counties. Since this could result in the reporting of duplicate records (which would take us out of compliance per recent FTC and CFPB enforcement actions), ClearStar will not be offering a duplication of products (which should help reduce your screening fees per applicant). If a customer requests all names all statewide searches and all names all counties, we would order the statewide where available, and we would only order the counties in jurisdictions where there is no statewide available. Page 3 Copyright 2023 ClearStar,Inc. Unless otherwise noted,prices quoted do not include any applicable access fees charged by courts,law enforcement agencies,state departments of motor vehicles, schools,employers,third-parry collection sites,or other information sources. Client is responsible for any and all applicable access fees. All pricing,access fees, service offerings,service availability and service descriptions are subject to change without prior notice. Prior notice will be provided whenever feasible. Federal, state and local laws may restrict your use of the information provided. Federal,state and local laws may also restrict our reporting of certain information,including limitations on the type of information and age of information reported. P-21-501 Exhibit D EVS Terms and Conditions EVS Employment Information (as defined below) will be received by COUNTY through Clearstar subject to the following conditions (the "Terms and Conditions"): 1. Any information services and data originating from EVS (the "EVS Employment Information") will be requested only for Client's exclusive use and held in strict confidence except to the extent that disclosure to others is required or permitted by law. Only designated representatives of Client will request EVS Employment Information on Client's employees, and employees will be forbidden to obtain EVS Employment Information on themselves, associates or any other persons except in the exercise of their official duties. Client will not disclose EVS Employment Information to the subject of the EVS Employment Information except as permitted or required by law, but will refer the subject to EVS. 2. Client will be charged for the EVS Employment Information by CRA, which is responsible for paying EVS for the EVS Employment Information; provided, however, should the underlying relationship between Client and CRA terminate at any time during the term of this Agreement, charges for the EVS Employment Information will be invoiced to Client, and Client will be solely responsible to pay EVS directly. 3. Fair Credit Reporting Act Certification. Client certifies that it will order EVS Employment Information, which is a consumer report as defined by the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. ("FCRA"), only when Client intends to use the EVS Employment Information: (a) in accordance with the FCRA and all state law counterparts; and for the following permissible purpose:for employment purposes; provided, however, that Client certifies that, before ordering EVS Employment Information to be used in connection with employment purposes, it will clearly and conspicuously disclose to the Consumer, in a written document consisting solely of the disclosure, that Client may obtain EVS Employment Information for employment purposes, and will also obtain the Consumer's written authorization to obtain or procure EVS Employment Information relating to that Consumer. Client further certifies that it will not take adverse action against the Consumer based in whole or in part upon the EVS Employment Information without first providing to the Consumer to whom the EVS Employment Information relates a copy of the EVS Employment Information and a written description of the Consumer's rights as prescribed by the Consumer Financial Protection Bureau ("CFPB") under Section 609(c)(3) of the FCRA, and also will not use any EVS Employment Information in violation of any applicable federal or state equal employment opportunity law or regulation. Client will use EVS Employment Information ordered under this Agreement for the foregoing purpose and for no other purpose. Client acknowledges that it has received from ClearStar a copy of the consumer rights summary as prescribed by the CFPB. P-21-501 It is recognized and understood that the FCRA provides that anyone "who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be fined under Title 18, United States Code, imprisoned for not more than two (2)years, or both." EVS may periodically conduct audits of Client regarding its compliance with the FCRA and other certifications in this Agreement. Audits will be conducted by email whenever possible and will require Client to provide documentation as to permissible use of particular EVS Employment Information. In addition, ClearStar will be required to provide documentation indicating CRA validated the legitimacy of Client prior to contract execution and will also provide a copy of agreement between ClearStar and Client. Client gives its consent to EVS to conduct such audits and agrees that any failure to cooperate fully and promptly in the conduct of any audit, or Client's material breach of this Agreement, constitute grounds for immediate suspension of the Service or termination of this Agreement. If EVS terminates this Agreement due to the conditions in the preceding sentence, Client (i) unconditionally releases and agrees to hold EVS harmless and indemnify it from and against any and all liabilities of whatever kind or nature that may arise from or relate to such termination, and (ii) covenants it will not assert any claim or cause of action of any kind or nature against EVS in connection with such termination. Client will comply with the applicable provisions of the FCRA, Federal Equal Credit Opportunity Act and any amendments to it, all state law counterparts of them, and all applicable regulations promulgated under any of them including, without limitation, any provisions requiring adverse action notification to the Consumer. 4. Data Security. This Section 6 applies to any means through which Client orders or accesses EVS Employment Information including, without limitation, system-to- system, personal computer or the Internet. The term "Authorized User" means an employee of Client that Client has authorized to order the EVS Employment Information and who is trained on Client's obligations under this Agreement with respect to the ordering and use of the EVS Employment Information, including Client's FCRA and other obligations with respect to the access and use of consumer reports. a. With respect to handling the EVS Employment Information, Client agrees to: • ensure that only Authorized Users can order or have access to EVS Employment Information, • ensure that Authorized Users do not order EVS Employment Information for personal reasons or provide them to any third party except as permitted by this Agreement, • inform Authorized Users that unauthorized access to consumer reports may subject them to civil and criminal liability under the FCRA punishable by fines and imprisonment, • ensure that all devices used by Client to order or access the EVS Employment Information are placed in a secure location and accessible only by Authorized Users and that such devices are secured when not in use through such means as screen locks, shutting power controls off, or other commercially reasonable security procedures, P-21-501 • take all necessary measures to prevent unauthorized ordering of EVS Employment Information by any persons other than Authorized Users for permissible purposes, including, without limitation, • limiting the knowledge of the Client security codes, member numbers, User IDs, and any passwords Client may use (collectively, "Security Information"), to those individuals with a need to know, (b) changing Client's user passwords at least every ninety (90) days, or sooner if an Authorized User is no longer responsible for accessing the EVS Employment Information, or if Client suspects an unauthorized person has learned the password, and (c) using all security features in the software and hardware Client uses to order EVS Employment Information, • in no event access the EVS Employment Information via any hand-held wireless communication device, including but not limited to, web enabled cell phones, interactive wireless pagers, personal digital assistants(PDAs), mobile data terminals, and portable data terminals, • not use non-company owned assets such as personal computer hard drives or portable and/or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs, and DVDs) to store EVS Employment Information. • encrypt EVS Employment Information when it is not in use and with respect to all printed EVS Employment Information store in a secure, locked container when not in use and completely destroyed when no longer needed by cross-cut shredding machines (or other equally effective destruction method) such that the results are not readable or useable for any purpose, (i) if Client sends,transfers or ships any EVS Employment Information, encrypt the EVS Employment Information using the following minimum standards, which standards may be modified from time to time by EVS: Advanced Encryption Standard (AES), minimum 128- bit key or Triple Data Encryption Standard (31DES), minimum 168- bit key encrypted algorithms, (ii) monitor compliance with the obligations of this Section 6, and immediately notify EVS if Client suspects or knows of any unauthorized access or attempt to access the EVS Employment Information, including, without limitation, a review of EVS invoices for the purpose of detecting any unauthorized activity, • not ship hardware or software between Client's locations or to third parties without deleting all Security Information and any EVS Employment Information, • if Client uses a Service Provider to establish access to EVS Employment Information, be responsible for the Service Provider's use of Security Information, and ensure the Service Provider safeguards Security Information through the use of security requirements that are no less stringent than those applicable to Client under this Section 6, P-21-501 • use commercially reasonable efforts to assure data security when disposing of any consumer information or record obtained from the EVS Employment Information. Such efforts must include the use of those procedures issued by the federal regulatory agency charged with oversight of Client's activities (e.g. the Consumer Financial Protection Bureau, the applicable banking or credit union regulator) applicable to the disposal of consumer report information or records. • use commercially reasonable efforts to secure EVS Employment Information when stored on servers, subject to the following requirements: (i) servers storing EVS Employment Information must be separated from the internet or other public networks by firewalls which are managed and configured to meet industry accepted best practices, (ii) protect EVS Employment Information through multiple layers of network security, including but not limited to, industry-recognized firewalls, routers, and intrusion detection/prevention devices (IDS/IPS), (iii) secure access (both physical and network) to systems storing EVS Employment Information, which must include authentication and passwords that are changed at least every ninety (90) days; and (iv) all servers must be kept current and patched on a timely basis with appropriate security specific system patches, as they are available, • not allow EVS Employment Information to be displayed via the internet unless utilizing, at a minimum, a three-tier architecture configured in accordance with industry best practices, and • use commercially reasonable efforts to establish procedures and logging mechanisms for systems and networks that will allow tracking and analysis in the event there is a compromise, and maintain an audit trail history for at least three (3) months for review by EVS. (b) If EVS reasonably believes that has violated this Section 6, EVS may, in addition to any other remedy authorized by this Agreement, with reasonable advance written notice to Client and at EVS's sole expense, conduct, or have a third party conduct on its behalf, an audit of Client's network security systems, facilities, practices and procedures to the extent EVS reasonably deems necessary, including an on-site inspection, to evaluate Client's compliance with the data security requirements of this Section 6. 5. Client certifies that it has received and read the"Notice to Users of Consumer Reports, Obligations of Users" which explains Client's obligations under the FCRA as a user of consumer information. P-21-501 Exhibit E TU Access Security Requirements Access Security Requirements It is a requirement that all Clients and End-Users take precautions to secure any system or device used to access consumer credit information. To that end, the following requirements have been established: 1. Implement Strong Access Control Measures 1.1 Client account numbers and passwords must be protected in such a way that this sensitive information is known only to key personnel. Under no circumstances should unauthorized persons have knowledge of passwords. The information should not be posted in any manner within Client's facility. Do not provide account numbers, Subscriber Codes or passwords to anyone. 1.2 Any system access software used, whether developed by Client's company or purchased from a third party vendor, must have account numbers and passwords "hidden" or embedded so that the password is known only to supervisory personnel. 1.3 Each user of Client's system access software must then be assigned unique log- on passwords. Develop strong passwords that are: • Not easily guessable (i.e. user name or company name, repeating numbers and letters or consecutive numbers and letters) • obtain a minimum of eight (8) alpha/numeric characters for standard user accounts • Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. • Active logins to credit information systems must be configured with a 30 minute inactive session, timeout. 1.4 Client must request that account number, Subscriber Code and/or password be changed immediately when: • Any system access software is replaced by another system access software or • is no longer used; • The hardware on which the software resides is upgraded, changed or disposed of. 1.5 Account numbers and passwords are not to be discussed by telephone to any unknown caller, even if the caller claims to be an employee. 1.6 Create a separate, unique user ID's for each user to enable individual authentication and accountability for access to the credit reporting agency's P-21-501 infrastructure. Each user of the system access software must also have a unique logon password. 1.7 Ensure that user IDs are not shared and that no Peer-to-Peer file sharing is enabled on those users' profiles. 1.8 The ability to obtain credit information must be restricted to a few key personnel. 1.9 Ensure that Client and Client's employees do not access personal credit reports or those reports of any family member(s) or friend(s) unless it is in connection with a Permissible Purpose under your agreement with ClearStar. 1.10 Implement a process to terminate access rights immediately for users who access credit reporting agency credit information when those users are terminated or when they have a change in their job tasks and no longer require access to that credit information. 1.11 Any terminal devices used to obtain credit information should be placed in a secure location within Client's facility. Access to the devices should be difficult for unauthorized persons. 1.12 Any devices/systems used to obtain consumer reports should be turned off after normal business hours, when unattended by key personnel. 1.13 Hard copies and electronic files of consumer reports are to be secured within Client's facility and protected against release or disclosure to unauthorized persons. 1.14 Hard copy consumer reports are to be shredded or destroyed, rendered unreadable, when no longer needed and when it is permitted to do so by applicable regulations(s). 1.15 Electronic files containing consumer report data and/or information will be completely erased or rendered unreadable when no longer needed and when destruction is permitted by applicable regulation(s) 2. Maintain a Vulnerability Management Program 2.1 Keep operating system(s), Firewalls, Routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates. 2.2 Configure infrastructure such as Firewalls, Routers, personal computers, and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks. 2.3 Implement and follow current best security practices for Computer Virus detection scanning services and procedures: • Use, implement and maintain a current, commercially available Computer Virus detection/scanning product on all computers, systems and networks. P-21-501 • If Client suspects an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated. • Keep anti-virus software up-to-date by vigilantly checking or configuring auto updates and installing new virus definition files. 2.4 Implement and follow current best security practices for computer anti-Spyware scanning services and procedures: • Use, implement and maintain a current, commercially available computer anti-Spyware scanning product on all computers, systems and networks. • If Client suspects actual or potential Spyware, immediately cease accessing the system and do not resume the inquiry process until the problem has been resolved and eliminated. • Keep anti-Spyware software up-to-date by vigilantly checking or configuring auto updates and installing new anti-Spyware definition files. If Client's computers have unfiltered or unblocked access to the Internet (which prevents access to some known problematic sites), then it is recommended that anti-Spyware scans be completed more frequently than weekly. 3. Protect Data 3.1 Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (i.e., tape, disk, paper, etc.) 3.2 All credit reporting agency data is classified as confidential and must be secured to this requirement at a minimum. 3.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the Iifecycle of the information. 3.4 Only open email attachments and links from trusted sources and after verifying legitimacy. 3.5 The FACTA Disposal Rules requires implementation of appropriate measures to dispose of any sensitive information related to consumer credit reports and records that will protect against unauthorized access or use of that information.