PCI DSS v3.2.1 accredited
This TransUnion Partner (Third Party) Security Requirements Addendum (the "Addendum") is an addendum to the service agreement (“Agreement”) entered into by TransUnion and Partner for certain services to be provided to or received from TransUnion, and governs the access to Consumer Credit Data and TransUnion Confidential Information by Partner. This Addendum shall form part of and be incorporated by reference into the Agreement. In the event of a conflict between this Addendum and the Agreement, this Addendum shall prevail. Subject to the terms and conditions set out in this Addendum, all clauses of the Agreement shall remain in full force and effect and the rights and obligations of the Parties set out in the Agreement shall continue to apply.
1. Definitions. Terms not defined in this Addendum have the meanings set forth in the Agreement.
1.1 "Addendum" is defined in the introductory paragraph;
1.2 “Affiliate” means, with respect to an entity, any other entity that Controls, is Controlled by, or is under common Control with, that entity;
1.3 “Applicable Authorities” means the regulator(s) of the credit provider(s) and relevant authorities or public bodies, which: (i) regulate the handling of Personal Data and Consumer Credit Data by credit reference agencies or Credit Data Smart under the Applicable Laws; and/or (ii) the MCRA User Group (the governing body of Credit Data Smart) considers it appropriate to consult for comments or directions on governance and operation of Credit Data Smart, in each case, from time to time;
1.4 “Applicable Laws” means any applicable local, national, federal, supranational, state, regional, provincial or other statute, law, ordinance, regulation, rule, code, guidance, approach document, order, direction, circular, published practice or concession, regulatory requirement or expectation, judgment or decision of an Applicable Authority or any other governmental or regulatory authority;
1.5 “Cloud Technology” has the meaning defined in Section 12.3 of this Addendum;
1.6 “Consumer Credit Data” means any personal data concerning an individual collected by a credit provider in the course of or in connection with the provision of consumer credit, or any personal data collected by or generated in the database of a credit reference agency (including the mortgage count) in the course of or in connection with the provision of consumer credit reference services;
1.7 "Credit Data Smart”, alternatively known as the “Multiple Credit Reference Agencies Model” or “MCRA Model”, means the multiple credit reference agencies model established by The Hong Kong Association of Banks, The DTC Association (The Hong Kong Association of Restricted Licence Banks and Deposit-Taking Companies) and the Hong Kong S.A.R. Licensed Money Lenders Association Ltd. and supported by the Hong Kong Monetary Association, to enhance the resilience and sustainability of services provided by credit reference agencies to credit providers in Hong Kong;
1.8 “Critical Vulnerability” means any vulnerability with a CVSS v3.0 score of 9.0 or higher that could reasonably be expected to impact the Services performed under the Agreement;
1.9 “High Risk Vulnerability” means any vulnerability with a CVSS v3.0 score between 7.0 and 8.9 that could reasonably be expected to impact the Services performed under the Agreement;
1.10 “Partner” means the counterparty to TransUnion entering into the Agreement with TransUnion, to provide services to, or receive services from, TransUnion;
1.11 “Party” means a party to the Agreement (i.e. TransUnion or Partner);
1.12 “Prescribed Consent” has the meaning ascribed to it under Personal Data (Privacy) Ordinance (Cap. 486 of the laws of Hong Kong);
1.13 “Prohibited Activities” means, with regard to any TransUnion Confidential Information and/or Consumer Credit Data: to use it with any blockchain technology; to reverse engineer, disassemble, decompile, translate, copy, reproduce or re-engineer it; to attempt to determine the variables or data elements that affect the features; to seek to obtain or derive any source code, underlying ideas, algorithms, file formats, or non-public application programming interfaces; or otherwise to create or attempt to create, or to permit, allow or assist others to create or derive, the source code or its structural framework, including any credit scores, or to attempt to create a credit score or product to compete with, or be a substitute for, any part of the services offered under the Agreement; Unauthorized Use; or any violation of Applicable Law;
1.14 “Reportable Breach” has the meaning defined in Section 17 of this Addendum;
1.15 “TransUnion” means the TransUnion entity entering into the Agreement with Partner (e.g. TransUnion Credit Information Services Limited, or TransUnion Limited), and shall include its Affiliates;
1.16 “TransUnion Confidential Information” means information relating to Services to be provided to Partner, which is considered to be confidential or proprietary to TransUnion in the process of providing Services to Partner. Such Information may include, but shall not be limited to, information and material related to pricing, technical specifications, solution design and architecture, product development and implementation plans, as well as other operational, business, financial and technical information of TransUnion; and
1.17 “Unauthorized Use” means any misappropriation, unauthorized use, unauthorized access, unauthorized disclosure or other compromise of TransUnion Confidential Information and/or Consumer Credit Data, including but not limited to a Reportable Breach. Unauthorized Use will also include the transfer of TransUnion Confidential Information and/or Consumer Credit Data outside of Hong Kong, including with respect to Cloud Technology, or enabling access to TransUnion Confidential Information and/or Consumer Credit Data by any third party from outside Hong Kong, without prior notice and approval from TransUnion.
2. Security and Confidentiality. Partner is obligated to protect TransUnion Confidential Information and Consumer Credit Data, and with respect to the Consumer Credit Data, to comply with the purpose of data transfer for processing and all applicable data protection principles. To this end, Partner shall develop and maintain an information security program that is designed to protect information processing system(s) and media containing TransUnion Confidential Information and Consumer Credit Data from internal and external security threats, and to prevent unauthorized disclosure of Consumer Credit Data or TransUnion Confidential Information. Partner’s information security program shall align to ISO 27002:2022, NIST 800-53, any successor standard as promulgated by the International Organization for Standardization or National Institute of Standards and Technology, or another industry standard mutually agreed by the parties. If Partner stores, processes or transmits payment card primary account numbers or cardholder data then Partner shall comply with the then current PCI-DSS standard.
2.1 Furthermore, Partner agrees and undertakes that it shall, at all times whether before or after the termination of the Agreement:
(a) not use or disclose Consumer Credit Data for purposes other than the purposes as written in the Prescribed Consent, or for its own purposes;
(b) not transfer or disclose any Credit Report, Consumer Credit Data or Credit Scores to any person who is not authorised or permitted to receive such data under the Agreement or the Applicable Laws;
(c) use its reasonable endeavours to ensure that Services are only requested by its authorised personnel which will only obtain the Services in accordance with their official duties; and
(d) use its reasonable endeavours to ensure that its personnel shall comply with the applicable terms of the Agreement.
2.2 Partner further understands that Consumer Credit Data is strictly subject to the original collection purposes and matters ancillary thereto and TransUnion will not disclose or use the same save in strict compliance with such purposes and it is a condition of this Addendum that the Partner fully cooperates in ensuring that there is full compliance with the same.
3. Security Policy. Partner shall develop and maintain a documented set of rules and procedures that regulate the use of information, including its receipt, transmission, processing, storage, controls, distribution, retrieval, access, and presentation. This includes the applicable laws, rules, and practices that regulate how an organization manages, protects, and distributes confidential information.
3.1 Formal Security Policy. Partner will have an information security policy that is approved by and reviewed by Partner’s senior management at least annually and if significant changes occur to ensure its continued compliance with this Agreement. Partner communicates and socializes its Information Security Policy to its Personnel no less than annually. Partner’s Information Security Policy will include, to the extent applicable to the Services Provided to TransUnion or as part of its daily operations, documented policies that address the requirements identified in this Agreement and as otherwise necessary to comply with Hong Kong laws and Credit Data Smart requirements as necessary.
3.2 International Organization for Standardization (ISO). Partner shall maintain an Information Security program aligned with ISO 27002:2022 international or National Institute of Standards and Technology (NIST) standards, as modified from time to time (including, but not limited to any successor standard as promulgated by the ISO or NIST).
3.3 Payment Card Industry Data Security Standards (PCI DSS). If Partner stores, processes or transmits payment card primary account numbers or cardholder data then Partner shall comply with the current PCI DSS standard.
3.4 Security Policy Review. Partner will review the information security policy at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
3.5 Statement on Standards for Attestation Engagements and Compliance (SSAE). At least annually, Partner must have an SSAE 18, SOC 2 as well as an Independent Network and Application Penetration Test performed and, upon request, provide these reports to TransUnion.
3.6 Each of these reviews, reports, and tests will be of an industry standard scope. Without limitation of TransUnion’s other rights and remedies under the Agreement, Partner will (a) remediate all Critical Vulnerabilities identified in such reviews/tests and shall consider in good faith the implementation of any other reasonable recommendations made by TransUnion; (b) upon TransUnion’s request, provide TransUnion with the status of the remediation and implementation; and (c) with respect to any High Risk Vulnerabilities that are identified and not remediated within 30 days, promptly provide TransUnion with a detailed mitigation process (including a description of the relevant compensating controls) to reduce the risk to Partner’s environments and systems that include TransUnion Confidential Information and Consumer Credit Data.
4. Organizational Security. Partner has established organizational requirements ensuring proper competence and training of staff, personnel security policy and agreements and an appropriately-sized and accountable security organization.
4.1 Information Security Organization. Partner implements organizational requirements to validate the competence and training of its Personnel, and to maintain an appropriately-sized and accountable security organization. Partner has an established information security function led by a named individual who is accountable for information security initiatives and other defined job responsibilities determined by Partner. Partner requires its affiliates and subsidiaries to maintain effective information security measures designed to protect confidential information from unauthorized disclosure or misuse of confidential information (including TransUnion Confidential Information and Consumer Credit Data).
4.2 Security Requirement Persistence. Partner will require its affiliates and subsidiaries to maintain effective information security measures designed to protect confidential information from unauthorized disclosure or use of confidential information, including TransUnion Confidential Information and Consumer Credit Data.
5. Human Resources Security. Partner must have policies that address the following controls.
5.1 Background Checks. Partner shall conduct pre-employment background checks on all Personnel who will perform work under the Agreement or that will have access to TransUnion's or its customers' technology systems, facilities and/or confidential, proprietary and/or sensitive information. Partner will comply with all applicable laws, including fair employment practices and equal employment opportunity, when conducting pre-employment background screenings.
5.2 Non-Disclosure Agreement. All Personnel must be bound by Non-Disclosure/Confidentiality Agreement before they can perform any service that requires access to TransUnion Confidential Information and Consumer Credit Data.
5.3 Communication. Partner must communicate and socialize its information security policy to its Personnel no less than annually. Personnel must be trained to identify and report suspected security weaknesses and incidents. The methods used to communicate should include training programs, internal communications, and internal portals. Education, awareness, and cross-training program attendance reports must be maintained and made available to TransUnion upon TransUnion’s reasonable request.
5.4 Security Awareness Training. Prior to receiving access to TransUnion Confidential Information and Consumer Credit Data, Partner shall provide security awareness training appropriate to each Personnel's respective job function, and periodically provide updated security awareness training to ensure Personnel are made aware of organizational changes and evolving threats, trends, and technologies.
5.5 Training. Partner must monitor training and job competence using a formal performance and appraisal process.
5.6 Removal of Access Rights. Partner shall immediately remove the access rights of all Personnel with access to information processing system(s) or media containing TransUnion Confidential Information and Consumer Credit Data upon termination of their employment, or adjust such access rights upon change of job function.
6. Asset Management. Partner maintains effective controls, policies and procedures to protect Partner assets that store, process, transfer or otherwise access TransUnion Confidential Information and Consumer Credit Data. Partner maintains a current and accurate inventory of critical hardware and critical software assets that are used to store, process, transfer or otherwise access TransUnion Confidential Information and Consumer Credit Data.
6.1 Asset Management Procedures. Partner maintains asset management procedures that address the following: personally owned equipment; storage devices; re-use and disposal of Partner-managed equipment (e.g., workstations, mobile devices, hardware necessary to operate Partner's information technology systems); data integrity; and handling and storage of vital records.
6.2 Asset Inventory. Partner will maintain an inventory of critical hardware and critical software assets. There must be a critical hardware asset document that shall include the asset control tag, physical location, asset owner, operating system, environment, asset classification. There must be a critical software asset document that shall include environment (e.g., development, test, or production), software version, host name and location and software licenses. Partner will perform a periodic asset recertification on all assets. Any asset addition or removal from the facility must be documented.
6.3 Personally Owned Equipment. TransUnion Confidential Information and Consumer Credit Data must not be stored on personally owned equipment.
6.4 Acceptable Use. Partner will maintain guidance on the acceptable use of information and assets which is based on and consistent with ISO/IEC 27002:2022 or its successor, is approved by Partner’s management, and is published and communicated to all Personnel.
6.5 Equipment Use While On TransUnion Premises. While on TransUnion’s premises, Partner will not connect equipment (physically or via a wireless connection) to TransUnion systems unless necessary to perform its obligations under the Agreement. This equipment must be scanned for malware by TransUnion prior to use.
6.6 Portable Devices. TransUnion Confidential Information, with the exception of business contact information, and Consumer Credit Data may not be stored on portable devices and/or portable media including, but not limited to, laptops, Personal Digital Assistants, MP3 devices, and USB devices.
6.7 Equipment. Partner maintains procedures for the disposal and reuse of its equipment (e.g., workstations, mobile devices, hardware necessary for the operation of Partner's information technology systems).
6.8 Back-up Media Destruction. Procedures must be defined to instruct personnel on the proper methods for back-up media destruction. Back-up media destroyed by a third party must have documented procedures for destruction confirmation (e.g., certificate of destruction). Evidence of off-site media destruction must be obtained.
6.9 Data Integrity. Partner shall ensure that any data stored, received, controlled, or otherwise accessed is accurate and reliable. Inspection procedures must be in place to validate data integrity.
6.10 Media and Vital Records. Partner shall establish and ensure compliance with policies for handling and storing data. Partner shall ensure safe, secure disposal of media and secure media in transit or transmission to and from Partner.
6.11 Handling and Storage. Electronic or paper records movement procedures must be documented and shall include safe storage and the secure transportation from source to destination, including transit stops.
6.12 Paper Record Control. Paper records containing TransUnion Confidential Information and Consumer Credit Data must be stored in secure bins. Access to bins must be limited to selected staff only. Access recertification must be performed periodically. Retention procedures for all paper records must be no less than that required by industry standards. Document destruction or shredding must be performed in a secure manner in accordance with the requirements of the Agreement. If a third party is used for secure shredding/destruction, a services contract with confidentiality and security terms must be in place and must be documented as a third party relationship.
6.13 Transportation Logistics. To the extent Partner transports media containing Consumer Credit Data and/or TransUnion Confidential Information, the Partner utilized for transportation of media must be licensed and bonded. Controls must be in place to safeguard media/vital records during transportation. Emergency procedures must be documented and an incident must be reported if any media/vital record is lost or unrecoverable during transport.
7. Logical Access Procedures. Partner maintains logical access control procedures that address the following: process for requesting, approving, and provisioning access; user access (local or remote) based on job function (role/profile based, least privilege); periodic user access recertification; procedures for onboarding and offboarding users; procedures for user inactivity threshold leading to account suspension and removal; and clear definitions of who is permitted to access, process, or store data.
7.1 Logical Access. Partner shall ensure authentication and authorization controls are appropriately robust for the risk of the data, application, and platform, monitor access rights to ensure they are minimum required for the current business needs of the users, log access and security events and use software that enables rapid analysis of user activities.
7.2 User Access Management. Partner shall:
7.2.1 Perform recurring reviews of users' access and access rights to ensure that they are appropriate for each user's role.
7.2.2 Employ a formal user registration and de-registration procedure for granting and revoking access and access rights.
7.2.3 National identifiers or Social Security Numbers must not be utilized as user IDs for logon to applications.
7.3 Privilege Access. Partner maintains processes for the management of privileged user accounts that are consistent with the following requirements: creation of and access to privileged accounts are limited to a pre-authorized set of users; a review and governance process for privileged user accounts is maintained; and strong access mechanisms control and limit usage of privileged accounts. Access to firewall configuration must be limited to a small set of super users who have the appropriate approvals.
7.3.1 Partner shall have a documented process for the management of privileged user accounts that includes: (a) that the creation of and access to privileged accounts are limited to a pre-authorized set of users, (b) that a review/governance process is maintained, and (c) that usage of privileged accounts is controlled through strong access mechanisms.
7.4 Access Review. Perform recurring reviews of users’ access and access rights to ensure that they are appropriate for the users’ role.
7.5 Password Policy. Partner's password policy is consistent with industry standards, and includes: the password cannot be shared; the password is communicated separately from the User ID; the initial password generated is random; forced initial password change; a minimum password length; minimum password complexity; password history; passwords lock when the threshold for allowable attempts is reached; a secure process for password resets; passwords are saved only as one-way hash/encrypted files; access to password files is restricted to system administrators; and service account credentials are not stored in clear text in any application.
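The controls listed in Section 7.5 map directly onto a small authentication module. The following is an added illustration, not code from TransUnion or from this Addendum: it implements the random initial password, forced first change, minimum length and complexity, password history, lockout on a failed-attempt threshold, and one-way salted hashing (scrypt from the Python standard library). The numeric parameters (12-character minimum, 5-password history, 5-attempt lockout) are assumptions, since the Addendum names the controls without fixing values.

```python
from __future__ import annotations

import hashlib
import secrets
import string
from dataclasses import dataclass, field

# Assumed policy parameters; Section 7.5 names these controls but sets no numbers.
MIN_LENGTH = 12
HISTORY_DEPTH = 5        # a new password may not match the current or the 4 before it
LOCKOUT_THRESHOLD = 5    # consecutive failures before the account locks
SALT_BYTES = 16
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def check_complexity(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def generate_initial_password(length: int = 16) -> str:
    """Random initial password drawn from a CSPRNG; resampled until it meets the rules."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_complexity(candidate):
            return candidate


def hash_password(password: str, salt: bytes | None = None) -> str:
    """One-way salted scrypt hash; only this string is persisted, never the password."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex)).split("$")[2]
    return secrets.compare_digest(recomputed, digest_hex)


@dataclass
class Account:
    user_id: str
    current_hash: str
    history: list[str] = field(default_factory=list)  # previous hashes, oldest first
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = True  # forced change away from the random initial password


def create_account(user_id: str) -> tuple[Account, str]:
    """Create the account; the returned initial password is to be communicated
    to the user separately from the user ID (Section 7.5)."""
    initial = generate_initial_password()
    return Account(user_id=user_id, current_hash=hash_password(initial)), initial


def attempt_login(account: Account, password: str) -> str:
    """Return 'locked', 'invalid', 'must_change' or 'ok'."""
    if account.locked:
        return "locked"
    if not verify_password(password, account.current_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.locked = True
            return "locked"
        return "invalid"
    account.failed_attempts = 0
    return "must_change" if account.must_change else "ok"


def change_password(account: Account, new_password: str) -> list[str]:
    """Enforce complexity and history; return violations (empty list on success)."""
    problems = check_complexity(new_password)
    recent = account.history[-(HISTORY_DEPTH - 1):] + [account.current_hash]
    if any(verify_password(new_password, h) for h in recent):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    account.history.append(account.current_hash)
    account.current_hash = hash_password(new_password)
    account.must_change = False
    account.failed_attempts = 0
    return []
```

Note that the history check must compare against stored hashes, not stored passwords: because each hash carries its own salt, the candidate is re-hashed under every retained salt, which is the price of never keeping plaintext history.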
7.6 Clean Desk. The Partner shall have a defined clean desk/clear screen policy.
7.7 Data Center Location. Data Center Locations shall be located within Hong Kong. Partner shall not send TransUnion Confidential Information and/or Consumer Credit Data outside of Hong Kong without prior notice and approval from TransUnion.
7.8 Access by Personnel Outside Hong Kong. Prior to allowing access to TransUnion Confidential Information and Consumer Credit Data by parties outside Hong Kong via remote access, release to the parties, or any other means, Partner will:
7.8.1 Submit a written request for the access to TransUnion and receive consent for the access.
7.8.2 Perform a risk assessment to identify and mitigate risks to TransUnion Confidential Information from this access.
7.8.3 Impose the same requirements on its offshore Personnel and will remain fully responsible for such Personnel’s compliance.
7.9 Access Reporting. Upon request by TransUnion, Partner will provide TransUnion with a report annually identifying the location(s) (i.e. city, state, and country) where any TransUnion Confidential Information and Consumer Credit Data may be stored, accessed, or processed.
8. Encryption Policy. Partner shall have a documented data security policy that dictates encryption technical architecture and use, and the encryption method and strength used to protect TransUnion Confidential Information and Consumer Credit Data must be defined. Acceptable encryption algorithms include AES or algorithms outlined in FIPS 140-2 (or its successor standard).
8.1 Encryption. TransUnion Confidential Information (including authentication credentials) and Consumer Credit Data, shall be encrypted while in transit over any public shared network, non-wired network, and at rest. Key management procedures must be employed that assure the confidentiality, integrity, and availability of cryptographic key material. Use of encryption products must comply with local restrictions and regulations on the use of encryption in a relevant jurisdiction.
8.2 Encryption Uses. TransUnion Confidential Information and Consumer Credit Data must be encrypted while in transit over any public shared network and non-wired network. Approved and dedicated staff must be responsible for encrypting/decrypting the data (if manual), laptops and other mobile devices must be encrypted, removable storage devices must be encrypted. VPN transmissions must be over an encrypted tunnel and encryption automation details of storage and transmission between Partner and TransUnion must be documented.
8.3 Website. Partner shall establish controls to encrypt any TransUnion Confidential Information and Consumer Credit Data entered via a website application hosted, developed, or supported by Partner.
8.4 Encryption Key Management. Partner shall have a documented Cryptographic Key Management procedure that includes key rotation, and access to encryption keys must be restricted to named administrators. Encryption keys must be protected in storage. Whenever it is permitted by technology, data-encrypting keys must not be stored on the same systems that perform encryption/decryption operations.
9. Physical and Environmental Security. Partner has effective controls in place to protect against unauthorized physical penetration, damage from environmental contaminants, and electronic penetration through active or passive electronic emissions.
9.1 Physical Controls. Partner must have documented Physical Security controls that include:
9.1.1 Access control procedures that restrict physical access (e.g., badge access, turnstile entry doors, and security guards). A record of all accesses will be securely maintained for a minimum of ninety (90) days and physical access must be periodically recertified.
9.1.2 Intrusion detection alarms at egress/ingress points and monitored when triggered.
9.1.3 Monitoring external doors to Partner’s facility.
9.1.4 Monitoring cameras to cover sensitive areas in the facility.
9.1.5 Monitoring equipment (CCTV) feed either internally or externally by a qualified team.
9.1.6 Requirement that all Personnel wear some form of visible identification to identify them as employees, contractors, visitors, et cetera.
9.1.7 Visitation procedures that require that visitors to secure areas be supervised, or cleared via an appropriate background check for non-escorted access. Date and time of entry and departure will be recorded and kept for a minimum of ninety (90) days.
9.2 Environmental Controls. Partner must have documented Environmental Security Controls that include that server(s) and computer equipment must be located in an environmentally appropriate area with the following controls: (a) climate control (temperature and humidity), (b) system thermostat sensor, (c) raised floor, (d) smoke detector, (e) heat detector, (f) fluid or water sensors, (g) CCTV installation points, (h) fire suppression system, (i) Uninterruptable Power Supply (UPS), (j) power generators, and (k) fire extinguisher equipment. The controls must be tested periodically.
9.3 Staff Training.
9.3.1 Individuals with physical and environmental monitoring responsibility must be trained on their response to monitored events.
9.3.2 Training must include procedures that include notification of alerts to qualified personnel, and alert communication and/or escalation by monitoring staff.
10. Operations. Partner shall have documented Information Technology operations procedures to ensure correct and secure operations of its Information Technology assets.
10.1 Operational Procedures and Responsibilities. Partner’s operational procedures address: security patches; vulnerability management; default passwords; registry settings; file directory rights; user permissions; day-to-day operations; error handling; regular maintenance windows; maintenance and troubleshooting of systems; procedures to manage SLAs/KPIs; and the reporting structure for escalations.
10.2 Operating System. Partner shall have documented operating system versions implemented for environments associated with work performed under the Agreement. A minimum-security baseline must be established for the operating systems and versions. Multiple simultaneous logins to the environment shall be restricted to authorized administrators, for legitimate business reasons, with multifactor authentication, limited to time durations required to complete a task, and documented and validated by an audit of log reports. Procedures for authorizing and tracking administrator passwords must be documented. Administrator passwords must be configured to expire frequently commensurate with the impact of their unauthorized use. Unsupported operating systems must not be used.
10.3 Standard Builds. Partner’s information systems must be deployed with appropriate security configurations and reviewed periodically to ensure compliance with Partner’s security policies and standards.
10.4 System Patches. Partner implements and maintains a security patch process, which includes requirements for patch deployment completion time windows based upon criticality (e.g., critical, high, medium, and low).
10.5 Server Configuration Availability. Partner shall maintain standard security configuration documentation related to the work performed under the Agreement. Security hardening must be documented. Procedures must include: (a) security patches, (b) vulnerability management, (c) default passwords, (d) registry settings, (e) file directory rights and (f) permissions.
10.6 Desktop Controls. End-users must not be permitted to be local administrators of their workstations. Key desktop security settings (e.g., screen saver, anti-virus) must be unalterable by end-users. Policy must include language preventing employees and contractors from storing any information that is classified as “TransUnion Confidential” on their desktops. Partner must not allow users with access to TransUnion data the ability to write from their desktop to a device (CD, DVD, and USB). When writing is permitted, this must be done on an exception basis and the business justification documented.
10.7 Problem Management. Partner shall have a documented problem management procedure that includes: (a) identification, (b) assignment of severity to each problem, (c) communication, (d) resolution, (e) training (if required), (f) testing/validation and (g) reporting.
10.8 Change Management. Partner shall ensure that changes to the system, network, applications, and data file structures, other system components and physical/environmental changes are monitored and controlled through a formal change control process. Changes must be reviewed, approved, and monitored during post-implementation to ensure the desired result is accurate.
10.9 Change Policy and Procedure. The change policy must include (a) application changes, (b) operating system changes, (c) network infrastructure changes, (d) firewall changes, (e) clearly defined roles and responsibilities (including separation of duties), (f) impact or risk analysis of the change request, (g) testing prior to implementation, (h) security implications review, (i) authorization and approval, (j) post-installation validation, (k) back-out or recovery plans, (l) management sign-offs, (m) post-change review, and, (n) notification to TransUnion for failed key changes affecting work performed for TransUnion.
10.9.1 Firewall changes must be performed via a change management process.
10.10 Emergency Fix. Emergency change procedures must have stated roles/responsibilities for request and notification for key changes impacting services or that decrease the level of security protections. This must include post-change implementation validation and documentation updates.
10.11 System Modification. Before Partner may modify its systems containing TransUnion Confidential Information and Consumer Credit Data in a way that could adversely and materially impact the security of its systems, Partner must send a thirty (30)-day advance written notice to TransUnion containing a reasonably detailed description of the proposed modification and a representation and warranty that: (a) the proposed modifications will not pose any new or additional risks to any TransUnion Confidential Information and Consumer Credit Data; and (b) Partner’s systems will continue to comply with the terms of the Agreement and this Addendum.
10.12 Intrusion Detection Administration. Intrusion detection tools must be running on servers or inline where TransUnion Confidential Information and Consumer Credit Data is stored, processed, or accessed. Intrusion detection tools must perform real-time scanning and signatures must be updated in a timely manner. Automated alerting must be defined to appropriate individuals as part of the intrusion detection systems. Alert events must include: (a) unique identifier, (b) date, (c) time, (d) priority level identifier, (e) source IP address, (f) destination IP address, (g) event description, (h) notification sent to the security team and (i) event status.
10.13 Anti-Virus and Malicious Code. Servers, workstations, and internet gateway devices must be updated periodically with the latest anti-virus definitions. Defined procedures must highlight anti-virus updates. Anti-virus tools must be configured to run weekly scans, virus detection, real-time file write activity, and signature file updates. Laptops and remote users must be covered under virus protection. Partner shall have procedures documented and in place to detect and remove any unauthorized or unsupported application.
10.14 Back-up and Off-site Storage. Partner shall have a defined back-up policy and associated procedures for performing back-up of data in a scheduled and timely manner. Effective controls must be established for performing back-up of data in a scheduled and timely manner.
10.15 Back-up Process. Back-up and off-site storage procedures must be documented. Procedures must encompass the ability to fully restore applications and operating systems. Periodic testing of successful restoration from back-up media must be demonstrated and the on-site staging area must have documented and demonstrated environmental controls.
10.16 Off-site Storage. Physical security plan/policy for the off-site facility must be documented. Access controls must be enforced at entry points and storage rooms. Access to the off-site facility must be restricted and there must be an approval process to obtain access. Electronic transmissions of data to off-site locations must be encrypted. Back-up storage devices must be encrypted and secure transportation of media to and from off-site locations must be defined.
10.17 Security Event Monitoring. Partner records potential security events (e.g., via log files), monitors ongoing security events, and resolves such security events in a timely manner. Partner documents the resolution and outcome of resolved security events. Where applicable, Partner implements and maintains monitoring tools on network components, workstations, and applications to monitor user activity. Partner has defined roles that are responsible for responding to security events. Partner records changes to critical system configurations through configuration checking tools or other logs. Partner maintains logs in accordance with its document retention schedule, and prohibits log alteration by its Personnel.
10.18 Vulnerability Management. Partner continuously gathers and analyzes information regarding new and existing threats and vulnerabilities, attacks on similarly situated service providers, and the effectiveness of Partner's existing security controls.
10.19 Vulnerability Policy and Procedure. Vulnerability testing must be performed against internal/external networks and/or specific hosts. Vulnerability scans must be run periodically and critical vulnerabilities remediated within a defined and reasonable timeframe. Environments containing TransUnion Confidential Information must be covered as part of the scope of the tests.
10.20 Penetration Tests. At least once annually, Partner shall engage a nationally recognized, industry leading third party of Partner’s choosing to conduct or attest to an external penetration test of Partner’s external-facing and internal environments. Partner shall provide industry standard reviews and assessment performed by its professional external auditors, including the results of the penetration test, to TransUnion upon request.
10.20.1 Issues rated as critical or high risk must be remediated within the timelines consistent with industry standards for the consumer reporting industry. Partner shall immediately notify TransUnion of any critical/high vulnerabilities that will not be remediated within those timeframes.
10.21 Reporting. Partner shall report any Critical Vulnerability that could reasonably be expected to impact the work performed under the Agreement within twelve (12) hours of Partner’s discovery and/or receipt of notice of such Critical Vulnerability if Partner is not able to remediate any such Critical Vulnerability within such time period. In addition, Partner shall actively monitor industry resources (e.g., https://nvd.nist.gov/home.cfm, pertinent software vendor mailing lists and websites and information from subscriptions to automated notification services) for applicable security alerts and, within twelve (12) hours of its discovery, notify TransUnion of a “zero-day” Critical Vulnerability in Partner’s external-facing or internal environments (each, a “Critical Vulnerability”) to the extent Partner reasonably believes such zero-day Critical Vulnerability would impact the confidentiality and/or integrity of TransUnion Confidential Data. Such notice shall include the perceived impact and a written and detailed plan to appropriately and urgently remediate such Critical Vulnerability. Partner shall also provide written confirmation as soon as each such Critical Vulnerability has been remediated.
10.22 Vulnerability Remediation. Partner periodically conducts vulnerability scans of its information technology systems (including environments that store, access, or process TransUnion Confidential Information and/or Consumer Credit Data), and remediates vulnerabilities within a defined, reasonable timeframe. Partner shall report any vulnerability with a CVSS v3.0 score of 9.0 or higher that could reasonably be expected to impact the work performed under the Agreement (each, a "Critical Vulnerability") within fifteen (15) days of Partner's discovery and/or receipt of notice of such Critical Vulnerability if Partner is not able to remediate any such Critical Vulnerability within such time period. For a vulnerability with a CVSS v3.0 score between 7.0 and 8.9 (each, a "High Severity Vulnerability") Partner shall promptly document and implement a remediation plan, and, if Partner is unable to remediate within thirty (30) days, Partner shall provide TransUnion with reasonable updates on the status of such remediation. Partner will promptly provide TransUnion with a detailed mitigation process to reduce the risk to Partner's environments and systems that include TransUnion Confidential Information and Consumer Credit Data. In addition, Partner shall actively monitor industry resources (e.g., https://nvd.nist.gov/home.cfm, pertinent software vendor mailing lists and websites, and subscriptions to automated notification services) for applicable security alerts and, within twenty-four (24) hours of its discovery, notify TransUnion of a "zero-day" emergency vulnerability in Partner's external-facing or internal environments to the extent Partner reasonably believes such vulnerability would impact the confidentiality and/or integrity of TransUnion Confidential Information and Consumer Credit Data. Such notice shall include the perceived impact and a written and detailed plan to appropriately and urgently remediate such zero-day vulnerability. Partner shall also provide written confirmation as soon as each such zero-day vulnerability has been remediated.
11. Third Party Audit; Testing.
11.1 Requirements. At least annually, Partner shall engage a nationally recognized, industry leading third party of Partner's choosing to conduct an SSAE 18, SOC 2 Type II audit, as well as independent penetration tests of Partner's external-facing network, internal environment, and applications. Such audit shall specifically include the Partner’s relevant operations in relation to the handling and storage of Consumer Credit Data. Partner shall, upon request, provide these reports to TransUnion. Any audit pursuant to this Section may also be conducted by TransUnion employees, agents, or representatives, Credit Data Smart and Applicable Authorities during Partner’s normal business hours. Partner shall reasonably cooperate with TransUnion in all audits including, with regard to, but not limited to, requests to correct any deficiencies within a period of time agreed upon by the Parties. Partner’s obligation to comply with this Addendum shall in no event be deemed contingent upon or otherwise affected by, TransUnion’s audit rights, nor shall any request by TransUnion to correct any deficiencies, or any failure or election by TransUnion to not make any such request in connection with any audit, constitute a waiver of any of its rights or a course of conduct by TransUnion.
11.2 Corrective Action. Without limitation of TransUnion's other rights and remedies under the Agreement, Partner shall: remediate all Critical Vulnerabilities identified in such reviews/tests, and shall consider in good faith the implementation of any other reasonable recommendations made by TransUnion; upon TransUnion's request, provide TransUnion with the status of the remediation and implementation; and with respect to any High Risk Vulnerabilities that are identified and not remediated within thirty (30) days, promptly provide TransUnion with a detailed mitigation process (including a description of the relevant compensating controls) to reduce the risk to Partner's environments and systems that include TransUnion Confidential Information.
11.3 Additional Audits. If TransUnion has a good faith or reasonable belief of potential non-compliance by Partner with the applicable terms of this Addendum, TransUnion may conduct on-site security reviews and disaster recovery testing, with 30 days’ prior notice, on Partner’s systems containing any TransUnion Confidential Information and otherwise audit Partner’s operations directly related to the Agreement for compliance with this Addendum.
11.4 Additional Reports. In addition to any other reporting requirements set forth in this Addendum or the Agreement, Partner shall provide to TransUnion, a summary (which shall, when it becomes available, include indicators of compromise (IOCs) and/or the tools, tactics, and procedures (TTPs) employed) of any incidents and breaches that materially impact the confidentiality of TransUnion Confidential Information.
12. Communications and Connectivity. Partner must implement robust controls over its communication network to safeguard data, tightly control access to network devices through management approval and subsequent audits, disable remote communication if no business need exists, log and monitor remote access, secure remote access devices and use strong authentication and encryption to secure communications.
12.1 Data Return/Destruction. All TransUnion Confidential Information and Consumer Credit Data must be stored/maintained in a manner that allows for its return and/or secure destruction upon TransUnion’s request.
12.2 Firewalls. A firewall management process must be documented. The development, test, and production environments must be either firewalled or physically separate from one another.
12.3 Cloud Technology. Partner shall adequately safeguard TransUnion Confidential Information and Consumer Credit Data stored, processed, or transmitted using Cloud Technology. “Cloud Technology” is defined as any externally hosted technology offering for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
12.4 Cloud Minimum Control Requirements. All of the requirements in this Addendum apply to any use of cloud technology to store, process or transmit TransUnion Confidential Information and Consumer Credit Data.
12.5 Cloud Pre-Approval and Specific Requirements. Partner shall inform TransUnion of and obtain TransUnion’s written approval of Cloud Technology before it is used to store, process or transmit TransUnion Confidential Information and Consumer Credit Data. Partner shall have the following specific requirements in place for Cloud Technology: (a) physical restrictions must be in place to limit access to privileged user self-service functionality; (b) Partner’s Personnel with responsibilities for implementing or managing Partner’s use of Cloud Technology must be formally trained in the secure implementation and use of those services; (c) where technically feasible, web proxy (URL) filtering of Cloud Technology must be in place, with unapproved access to cloud technology blocked by default; (d) where material changes are planned to the approved use of an external Cloud Technology that stores, processes or transmits TransUnion Confidential Information and Consumer Credit Data, TransUnion must approve the proposed changes before they are executed; and (e) when disengagement of a Cloud Technology service provider occurs, data must be securely destroyed in accordance with the requirements of the Agreement and this Addendum.
12.6 Network/Communications Security Policy. Partner shall ensure that all firewall rules and router Access Control Lists (ACLs) are reviewed and approved by network administrators. IP addresses in the ACLs must be specific and anonymous connections must not be allowed. Ports and traffic paths not required for business purposes must be blocked. Periodic recertification and authorization of firewall rules must be performed. A current data flow diagram must exist to identify the paths/environments where TransUnion Confidential Information is collected, accessed, and/or stored.
12.7 Remote Access Administration. Partner shall ensure that unauthorized remote connections are disabled as part of the standard configuration. The remote connection setting must be set for no split tunneling and remote session settings must prevent local storage and local printing of TransUnion Confidential Information by the remote device. Data flow in the remote connection must be encrypted and multifactor authentication must be utilized.
12.8 Mobile Computing. Partner shall ensure that mobile computing (where permitted) is performed over encrypted channels and that Partner seeks TransUnion’s prior approval before processing or storing any TransUnion Confidential Information on a mobile device. Wireless access to Partner’s network must be configured to require authentication.
12.9 Web Access. Web content filtering and Data Loss Prevention applications must be in place to restrict external webmail, instant messaging, file sharing, and other data leak vectors.
12.10 Website Configuration. Partner’s website configuration must include: (a) multi-tiered security architecture that separates the web presentation, (b) business logic and data tier into distinct network security zones, (c) website design must force removal of cached data as part of the process upon session termination, (d) web server hardening: configurations relating to cookies must protect them from disclosure, (e) where risk assessments or external requirements indicate the use of single-factor authentication is inadequate, the resource must implement multifactor authentication (“MFA”). MFA requires the user to provide authentication credentials from a minimum of two different factors for authentication and must meet the criteria for strong multi-factor authentication, (f) network-level restriction (whitelisting) must be in place to secure TransUnion Confidential Information, (g) passwords/PINs must be entered in non-display fields, (h) periodic penetration testing must be performed against the website, (i) tools/solutions must be in place to monitor website uptime and (j) restrictions must be placed on web server resources to limit denial of service (DoS) attacks.
12.11 Network Identification. Partner will document and keep current a network diagram highlighting key internal network components, network boundary components, and DMZ environment.
12.12 Data Transmission Controls. Partner shall have a documented Data Transmission Control procedure that includes: (a) checksums and counts that are employed to validate that the data transmitted is the same as the data received, (b) procedures for records sent through a third party carrier, (c) return receipt controls, and (d) that digital certificates are utilized to ensure data integrity during transmission.
12.13 Data Transaction Controls. Partner shall have documented controls to prevent or identify duplicate transactions in financial messages.
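The checksum-and-count control of Section 12.12(a) and the duplicate-transaction check of Section 12.13, as an added illustration that is not TransUnion's or any Partner's code: the sender publishes a manifest (record count plus SHA-256 over a canonical serialization) with each batch, the receiver recomputes both and rejects a batch that was truncated or altered in transit, and financial messages are screened for repeated transaction identifiers before processing. The record layout and field names are assumptions, and every record is constructed sample data.

```python
"""Added example (not TransUnion's or any Partner's code): transmission
integrity controls of the kind Sections 12.12(a) and 12.13 require.

Sender side: build a manifest (record count + SHA-256 checksum) for a batch.
Receiver side: recompute both and refuse a batch whose count or checksum
differs (truncation, corruption, or alteration in transit), then flag any
duplicate transaction identifiers.  Field names below are assumptions and
all records are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Manifest:
    record_count: int
    sha256: str


def canonical_bytes(records: list[dict]) -> bytes:
    """Serialize records deterministically (sorted keys, fixed separators,
    one record per line) so sender and receiver hash identical bytes."""
    lines = (json.dumps(r, sort_keys=True, separators=(",", ":")) for r in records)
    return "\n".join(lines).encode("utf-8")


def build_manifest(records: list[dict]) -> Manifest:
    """Sender side: the count and checksum travel with the batch
    (for example in a separate manifest file)."""
    digest = hashlib.sha256(canonical_bytes(records)).hexdigest()
    return Manifest(record_count=len(records), sha256=digest)


def verify_batch(records: list[dict], manifest: Manifest) -> list[str]:
    """Receiver side: return the list of control failures.
    An empty list means the received batch matches what was sent."""
    failures: list[str] = []
    if len(records) != manifest.record_count:
        failures.append(
            f"record count mismatch: expected {manifest.record_count}, got {len(records)}"
        )
    actual = hashlib.sha256(canonical_bytes(records)).hexdigest()
    if actual != manifest.sha256:
        failures.append("checksum mismatch: content differs from what the sender transmitted")
    return failures


def find_duplicate_transactions(records: list[dict], key: str = "transaction_id") -> list[str]:
    """Section 12.13 control: report transaction identifiers that occur more
    than once in a batch, in first-seen order, so they can be held for review."""
    seen: set[str] = set()
    duplicates: list[str] = []
    for record in records:
        tid = record[key]
        if tid in seen and tid not in duplicates:
            duplicates.append(tid)
        seen.add(tid)
    return duplicates


# Constructed sample batch; no real consumer, account or credit data.
SAMPLE_BATCH = [
    {"transaction_id": "TX-0001", "account": "ACCT-A", "amount": "125.00"},
    {"transaction_id": "TX-0002", "account": "ACCT-B", "amount": "75.50"},
    {"transaction_id": "TX-0003", "account": "ACCT-C", "amount": "10.00"},
]

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BATCH)
    print("clean batch:", verify_batch(SAMPLE_BATCH, manifest) or "accepted")
    # A batch cut short in transit fails both the count and the checksum.
    print("truncated batch:", verify_batch(SAMPLE_BATCH[:2], manifest))
    # A batch with one altered amount keeps its count but fails the checksum.
    altered = [dict(r) for r in SAMPLE_BATCH]
    altered[1]["amount"] = "750.50"
    print("altered batch:", verify_batch(altered, manifest))
    # A replayed message shows up as a duplicate transaction identifier.
    print("duplicates:", find_duplicate_transactions(SAMPLE_BATCH + [SAMPLE_BATCH[0]]))
```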
12.14 E-mail and Instant Messaging. Partner shall have policies and procedures established and adhered to that ensure proper control of any electronic mail and/or instant messaging (“IM”) system that displays and/or contains TransUnion Confidential Information.
12.15 Authorized E-mail Systems. Use of non-corporate/personal e-mail solutions must be restricted based on policy. Preventive controls must be in place to prevent Consumer Credit Data or information classified as “TransUnion Confidential” from being sent externally through e-mail without encryption. Preventive and detective controls must block malicious e-mails/attachments. Policy must prohibit auto-forwarding of e-mails. E-mails with information classified as “Confidential” or containing personally identifiable information must be encrypted if leaving the Partner network. The encryption mechanism may be automated (e.g., Transport Layer Security) or manual (e.g., WinZip). If Partner is sending e-mails on behalf of TransUnion, additional controls must be implemented to restrict spam and phishing.
12.16 Authorized IM Systems. Access to external IM must be prohibited from Partner’s network based on policy. If internal IM is used, specific policies must restrict the conduct of TransUnion business over internal IM. TransUnion Confidential Information must only be shared with users on a “need to know” basis.
13. System Development. Partner shall have an established Software Development Life Cycle (“SDLC”) for the purpose of defining, acquiring, developing, enhancing, modifying, testing, or implementing information systems.
13.1 SDLC Requirements.
13.1.1 Version control and release management procedures.
13.1.2 Security activities that foster development of secure software (e.g., requirements in requirements phase, secure architecture design, static code analysis during development and dynamic scanning or penetration test of code during QA phase with High and above vulnerabilities remediated before moving to the next phase).
13.1.3 Software security testing must occur based on the Open Web Application Security Project (OWASP) Top 10 and SysAdmin, Audit, Networking, and Security Institute (SANS) Top 25 software security risks or comparable replacement and should include: (a) cross site scripting (XSS), (b) injection flaws, (c) malicious file execution, (d) insecure direct object reference, (e) cross site request forgery (CSRF), (f) information leakage and improper error handling, broken authentication and session management, (g) insecure cryptographic storage, (h) insecure communication, and (i) failure to restrict URL access.
13.1.4 SDLC methodology must include: (a) validation of security requirements (e.g., IS sign-offs, periodic IS reviews, static/dynamic scanning); (b) requirements for documentation; and (c) must be managed by appropriate access controls.
13.1.5 Where assessments are required, artifacts must be provided that evidence completion of application testing. Code certification must be performed to include security review when developed by third parties.
13.1.6 Software executables related to client/server architecture that are involved in handling TransUnion Confidential Information must be penetration tested.
13.1.7 Software vulnerability assessments must be conducted on an on-going basis internally or using external experts and any gaps identified must be remediated in a timely manner.
13.1.8 The development, test, and production environments must be either firewalled or physically separate from one another.
13.1.9 If TransUnion Confidential Information is used in a test environment, the level of controls must be consistent with production controls. Production data must be sanitized before used in non-production environments and developer access to production environments must be restricted by policy and in implementation.
13.1.10 Third Party and Open Source Code used in Partner-provided applications must be appropriately licensed, inventoried, supported, patches applied timely and evaluated for security defects on an on-going basis.
14. Third-Party Management. Unless otherwise allowed by TransUnion in writing, Partner is not allowed to share and transfer TransUnion Confidential Information or Consumer Credit Data to third parties (including without limitation Partner’s service providers, sub-contractors and customers). In the event a third party is permitted to access TransUnion Confidential Information or Consumer Credit Data under the Agreement, Partner acknowledges and agrees to impose the same obligations as required by TransUnion in the Agreement and be responsible for the acts and omissions of its subcontractors or third-parties, notwithstanding TransUnion’s right to exercise oversight as set forth herein, and regardless of whether, or to what extent, TransUnion exercises such oversight.
14.1 Partner shall implement procedures to establish appropriate contracts for third parties prior to initiation of services, and ensure appropriate data security language is incorporated into such contracts. As part of its third-party management program, Partner shall also maintain documented procedures regarding third party due diligence, risk assessment and strategic planning, and oversight of third parties.
14.2 Oversight of Third-Party Relationships. Partner shall have a risk-based process to ensure appropriate monitoring mechanisms have been established for all dependent third parties and sub-contractors.
14.3 Risk Assessment and Strategic Planning. Partner has a process to identify all dependent third-parties and perform an appropriate risk assessment associated with the services provided by or received from Partner.
14.4 Selecting a Dependent Third-Party and Due Diligence. Partner shall have a risk-based process to review all dependent third-party providers to ensure they can provide an appropriate control environment associated with the services provided by or received from Partner.
14.5 Regeneration of Data. Partner will use commercially reasonable efforts to promptly replace or regenerate from Partner’s machine-readable media any data, programs or information handled or stored by Partner that has been lost or damaged, or obtain a new copy of the lost or damaged data, programs or information.
14.6 Third Party Relationships. Partner shall adequately identify, assess, manage, and monitor all dependent third-parties to ensure an appropriate control environment. Replacement or risk mitigation strategies must be in place for operating systems, software applications, and critical infrastructure nearing the end of life.
15. Incident Response. Partner shall have a documented plan and associated procedures in case of an information security incident. The plan must clearly articulate the responsibilities of personnel and identify relevant notification parties. Incident response personnel must be trained and the plan must be tested periodically.
15.1 Equipment. Partner must have notification procedures in the event of any lost or misplaced assets, which shall include notification to TransUnion where TransUnion Confidential Information and Consumer Credit Data is on or in the lost or misplaced assets.
15.2 Incident Response Process. The Incident Response policy and procedure must be documented and include the following: (a) defined organizational structure, (b) identified response team, (c) documented availability of the response team, and (d) documented timelines for incident detection and disclosure.
15.2.1 The Incident Response process lifecycle includes the following steps: (i) identification, (ii) assignment of severity to each incident, (iii) communication, (iv) resolution, (v) training, (vi) testing, and (vii) reporting.
15.2.2 Incidents must be classified and prioritized and incident response procedures must include notification to TransUnion.
15.2.3 The incident response process must be executed as soon as Partner is aware of the incident, irrespective of time of day.
16. Destruction, Return of Consumer Credit Data or TransUnion Confidential Information.
16.1 Upon termination of the Agreement for whatever reason, Partner shall return to TransUnion or destroy, at TransUnion's option, all such Consumer Credit Data or TransUnion Confidential Information including any notes, reports or other information incorporating or derived from such Consumer Credit Data or TransUnion Confidential Information. Partner shall provide written certification to TransUnion that same has been completed within thirty (30) days, or such longer period as mutually agreed to by the parties. If applicable, Partner shall also return any TransUnion-managed equipment (e.g., laptops) in accordance with TransUnion's instructions. Any destruction of TransUnion Confidential Information and Consumer Credit Data shall use any and all means (including shredding or incineration in compliance with NIST SP 800-88, as may be updated from time to time) of deleting all data and information to ensure that the data and information deletion is permanent and cannot be retrieved, in whole or in part, by any data or information retrieval tools or similar means.
16.2 The foregoing notwithstanding:
(i) Partner shall have the right to retain a copy of Consumer Credit Data or TransUnion Confidential Information solely to the extent that such TransUnion Confidential Information and Consumer Credit Data must be retained for record retention requirements or legal, regulatory, or other governmental compliance purposes, provided that any Consumer Credit Data or TransUnion Confidential Information so retained shall continue to be subject to the terms of the Agreement; and
(ii) Partner shall not retain any Consumer Credit Data for any period longer than is reasonably necessary.
17. Security Breach, Reportable Breach. Unless prohibited by law, Partner shall notify TransUnion of (i) the theft, loss or unauthorized disclosure, acquisition, access to or misuse of TransUnion Confidential Information and Consumer Credit Data in the possession or control of Partner or any third party providing services to Partner; or (ii) a compromise of the confidentiality and/or integrity of any hardware, software, network (including any “cloud” network), or telecommunications or information technology systems used by Partner to transmit, store, process or otherwise handle TransUnion Confidential Information and Consumer Credit Data (“Reportable Breach”) as soon as Partner knows or reasonably suspects that such Reportable Breach exists or did exist, and in any event within twelve (12) hours of such knowledge or suspicion. In the event Partner is prohibited by law from providing such notice, it shall nonetheless provide as much of the foregoing information as it is permitted to provide under law at the earliest practicable time it is permitted to do so under law. Information related to the Reportable Breach shall be provided to TransUnion and shall contain the following: (a) all material facts pertaining to the Reportable Breach including the approximate start and end date of the Reportable Breach; (b) the date Partner became aware of the Reportable Breach; (c) how Partner became aware of the Reportable Breach; (d) background circumstances and investigative findings relating to the Reportable Breach; (e) the date Partner notified or estimates that it intends to notify consumers and/or government officials and /or third parties of the Reportable Breach; and (f) the actions or steps Partner has taken or will take regarding any consumer affected by the Reportable Breach. 
In addition, Partner shall update TransUnion if Partner knows or reasonably suspects that information provided by Partner to TransUnion was inaccurate or has become inaccurate, and shall provide any other information which TransUnion reasonably requests to comply with any legal or regulatory obligation, regulatory guidance or contractual obligation.
18. NOTWITHSTANDING ANY OTHER PROVISION IN THIS AGREEMENT, IT SHALL BE AN OBLIGATION OF PARTNER AT ANY TIME TO IMMEDIATELY BRING TO TRANSUNION’S ATTENTION ANY ABNORMALITY OR SECURITY BREACH OF WHATEVER NATURE.
19. Business Continuity, Disaster Recovery. Partner shall have the following formal documented recovery plans to include annual testing to identify the resources and specify actions required to help minimize losses in the event of a disruption to the business unit, support group unit, application or infrastructure component.
19.1 Business Recovery Plans. Formal business resiliency plans must be in place with comprehensive recovery strategies to address business interruptions. The plans must have an acceptable alternative work location in place to ensure service level commitments are met.
19.2 Technology Recovery. There must be a documented technology recovery plan in place with comprehensive strategies to minimize service interruptions and ensure recovery of system infrastructure, databases, and applications.
20. Indemnification. This Section shall only apply to the extent that the rights and obligations regarding indemnification have not already been stipulated under the Agreement: To the extent such claims arise from a Party’s negligence or intentional wrongful conduct, such Party (“Indemnitor”) agrees to and hereby indemnifies and saves the other Party (“Indemnitee”) harmless from and against any and all third party claims of any kind, including but not limited to liability for injury to persons or damage to property, arising out of the Indemnitor’s performance under the Agreement including this Addendum, including any and all expenses, costs, attorneys' fees, settlements, judgments or awards incurred by the Indemnitee in the defense of any such claim or lawsuit. The defense against any such claims shall be conducted and controlled by the Indemnitor, at its own expense. Without Indemnitee’s written consent, Indemnitor shall not agree to a settlement that admits anything on behalf of Indemnitee or imposes on Indemnitee any obligation other than the payment of amounts subject to indemnification by Indemnitor. The Indemnitee shall provide the Indemnitor with all reasonably necessary assistance, information, and authority to perform the above.
21. Additional Rights to Suspend or Terminate. In addition to TransUnion’s right to suspend and/or terminate as set forth elsewhere in the Agreement, TransUnion may suspend and/or terminate the Agreement without liability if: (i) there is a change in law, regulation or legal and/or regulatory action (real or threatened) or guidance provided to TransUnion related to performance of the Agreement which, in TransUnion’s good faith determination, renders a continuation of the performance of the Agreement a violation of Applicable Law or otherwise inadvisable; (ii) there is a material breach or the inability and/or failure by Partner to comply with the Agreement including this Addendum; (iii) Partner experiences any Unauthorized Use; or (iv) TransUnion reasonably believes that Partner is or has engaged in any Prohibited Activities.
22. Termination Based on Default. After providing a written notice to the defaulting Party (“Notice of Default”) and following the expiration of the cure period set forth in the following Section 22 (Cure Period), the non-defaulting Party may immediately terminate the Agreement:
22.1 where the defaulting Party is in breach of any of the terms, conditions, obligations, covenants, agreements, representations or warranties contained in the Agreement, including Unauthorized Use and violation of Applicable Laws;
22.2 where the defaulting Party has filed a petition or application under any bankruptcy act, receivership statute or like law or statute as they now exist or may be subsequently amended, or had such a petition or application filed by any third party against it, where such petition or application is not dismissed or otherwise favorably resolved within ninety (90) days; or
22.3 where the Party has dissolved and/or ceased business operations.
23. Cure Period. Upon receipt of a Notice of Default, the defaulting Party shall have thirty (30) days in which to cure the default, provided that such default is capable of being cured. If the default has not been cured during this period, then the non-defaulting Party may terminate the Agreement immediately following expiration of the cure period. In the event of a default which is not capable of being cured by Partner, such as, for example, an Unauthorized Use, TransUnion may immediately terminate the Agreement. Such rights will be without prejudice to the non-defaulting Party’s other available legal remedies. During any notice and cure period, the Parties shall continue to be bound by all of the terms and conditions of the Agreement including this Addendum.
24. Notwithstanding the foregoing, the Partner understands and accepts that TransUnion is obligated to ensure that its services and the services of the CDS model will not be disrupted by any termination and the Partner shall do all things reasonably required of it by TransUnion in order to comply with such obligation, including the required procedures set forth under the TransUnion Exit Management Plan.
Updated as of October, 2024
v.202410