A. General Terms for TruValidate Services

1. End User desires to obtain certain of TransUnion’s fraud prevention products and services, which may include, but shall not be limited to, Identity Verification (“Identity Verification”), Device Risk, which may include a mobile software development kit (together “Device Risk”), Fraud Alerts (“Fraud Alerts”), Account Opening Fraud Score (“Fraud Score”), Phone Verification (“Phone Verification”), Email Verification (“Email Verification”), One-Time Passcode (“One-Time Passcode”), Document Verification, which may include a mobile software development kit (“Document Verification”), and/or Knowledge-based Verification (“KBV Service”) collectively referred to herein as the “TruValidate Services,” and all information derived from the TruValidate Services collectively referred to herein as “TruValidate Services Information”.

2. End User agrees to the following terms and conditions:

2.1. End User and its employees shall comply with all applicable federal, state and local laws, statutes, rules and regulations including, but not limited to, Section (6802) (e) of the Gramm-Leach-Bliley Act (“GLBA”), Title V, Subtitle A, Financial Privacy (15 U.S.C. § 6801-6809) and the United States Federal Trade Commission rules promulgated thereunder, all other applicable privacy laws, “do not call” laws, the Drivers Privacy Protection Act (18 U.S.C. § 2721 et seq.) (“DPPA”) and similar and/or associated state laws and regulations governing the use and disclosure of drivers’ license information, and the Telephone Consumer Protection Act (47 U.S.C. § 227) (“TCPA”), Foreign Corrupt Practices Act of 1977 (15 U.S.C. §§ 78dd-1, et seq.) (“FCPA”), the California Consumer Privacy Act, (California Civil Code §1798.100 et seq.) (“CCPA”), and similar and/or associated state laws and regulations. End User and its employee’s, agent(s), or contractor(s) shall comply with relevant Federal and State laws regulating the collection, use, and retention of biometric information.

2.2. End User shall comply with all terms and guidelines contained in documentation provided by TransUnion, which may include, but is not limited to, TransUnion user guides configuration or options documents, data flows, API specifications, business processes and business process flows, reports, records, written designs, specifications, requirements, user manuals, user guides, operations manuals, training materials, and other related documentation (together, the “Documentation”) provided by TransUnion in connection with the TruValidate Services.

2.3. TransUnion and its affiliates, and Third-Party Service Providers may use the data that End User provides pursuant to this TruValidate Addendum as necessary to deliver the TruValidate Services to End User.

2.4. With respect to each End User request for TruValidate Services, End User hereby certifies that End User is the user of the Services and that End User and its employees will request, obtain and use such Services only for the following GLB Permitted Use (“Permitted Use”):

2.4.1. To use in the normal course of business to verify the accuracy of information submitted by the consumer and if it is not correct, to obtain the correct information, but only to protect against or prevent actual fraud, unauthorized transactions, claims or other liability.

2.5. End User shall not use the TruValidate Services, in whole or in part, as a factor in establishing a consumer’s eligibility for credit, insurance, health care, employment, or for any other “permissible purpose” as defined by the FCRA. End User shall not take any “adverse action”, as defined by the FCRA, based in whole or in part on the TruValidate Services, against any consumer.

2.6. In no event shall End User use any of the TruValidate Services, in whole or in part, as a factor in establishing an individual’s creditworthiness or eligibility for (i) credit or insurance, or (ii) employment, nor for any other purpose under the FCRA.

2.7. To the extent that any TruValidate Service contains, in whole or in part, Consumer Reports as defined in the FCRA, End User certifies that it will request and use these Services solely for one of the permissible purposes certified in the Service Agreements. End User may request and use Account Verification only subject to the written authorization of the subject consumer.

3. End User shall keep all log-in identification codes (each a "User ID"), associated passwords, and other alphanumeric codes (each a “Password”) used to access and obtain the TruValidate Services or TruValidate Services Information confidential and secure and shall be responsible for controlling the use of each such User ID and Password to access the TruValidate Services or TruValidate Services Information as authorized herein. In the event of any actual or suspected unauthorized use, misappropriation or other compromise of User IDs and/or Passwords, End User shall promptly, but in no event later than forty-eight (48) hours after the discovery of any of the foregoing, notify TransUnion in writing at databreach@transunion.com or other such email address that TransUnion may communicate.

4. End User shall implement, and shall take sufficient measures to maintain reasonable and appropriate administrative, technical, and physical security safeguards (“Safeguards”) consistent with industry standards, and applicable law and regulatory guidance designed to: (i) ensure the security and confidentiality of non-public personal information as such term is defined under GLB (“NPI”); (ii) protect against anticipated threats or hazards to the security or integrity of NPI; and (iii) protect against unauthorized access, acquisition, or use of NPI.

4.1. In the event of any actual or suspected misappropriation or unauthorized use, access, acquisition, or disclosure of any NPI, TruValidate Services, and/or TruValidate Services Information, End User shall, unless required by law, promptly, but in no event later than forty-eight (48) hours after the discovery of any of the foregoing, notify TransUnion in writing at databreach@transunion.com, or other such email address that TransUnion may communicate, and fully cooperate with TransUnion in mitigating any damages arising from such event. Such cooperation shall include, but not be limited to, allowing TransUnion to reasonably participate in the investigation of the cause and extent of such misappropriation or unauthorized use, access, acquisition, or disclosure. Such cooperation shall not relieve End User of any liability it may have as a result of such a misappropriation or unauthorized use, access, acquisition, or disclosure. End User agrees, that to the extent any such misappropriation, unauthorized use, access, acquisition, or disclosure, or other event is due to End User’s (including, without limitation, its Affiliates’ employee’s, agent’s or contractor’s) negligence, intentional wrongful conduct, or breach of this Agreement, End User shall be responsible for any required notifications, consumer, public, or otherwise, and credit monitoring (with such credit monitoring provided by TransUnion or its Affiliates), and all costs associated therewith; provided, however, that other than except to the extent required to comply with applicable law, End User shall make no public notification, including but not limited to press releases or consumer notifications, of the potential or actual occurrence of such misappropriation or unauthorized use, access, acquisition, or disclosure without TransUnion’s prior written consent, and, with respect to any such notifications or credit monitoring offering required by applicable law(s), End User shall not use any TransUnion name, trade name, trademark, service mark, or logo in any such notifications without the prior written approval of TransUnion.

5. Subject to the terms and conditions herein, TransUnion hereby provides End User a limited, nonexclusive, non-transferable, non-sub licensable, revocable license to use the TruValidate Services (together with all content therein, and all applications, programs, license keys, patches, updates, or upgrades provided by TransUnion, and any improvements, modifications, enhancements, fixes and revised versions of any of the foregoing, and any derivative works of any of the foregoing, and any combination of the foregoing, collectively defined herein as the “Software”, during the term of the applicable Service Agreements, solely for the purposes described herein and in the Documentation. As between the parties, TransUnion retains all right, title, and interest in and to the Software and Service and all copies and derivative works thereof, which rights include, but are not limited to, patent, copyright, trademark, trade secret, and all other intellectual property rights. TransUnion reserves all rights not expressly granted herein and, except as expressly granted in the Service Agreement, no right or license is granted to End User hereunder, express or implied or by way of estoppel, to any technology or intellectual property rights.

6. End User shall not, directly or indirectly, authorize any person or entity to: (i) sell, rent, lease, distribute, redistribute or transfer the TruValidate Services or any software development kit, as applicable, or any rights in any of the Software, or use the TruValidate Services in a hosted or managed services environment; (ii) reverse engineer, decompile, disassemble, re-engineer or otherwise create or attempt to create or permit, allow, or assist others to create or derive the source code of the TruValidate Services, or its structural framework; (iii) modify or create derivative works of the Software; (iv) use the TruValidate Services in whole or in part for any purpose except as expressly provided under this Agreement or in the Documentation; (vi) remove any proprietary notice, labels, or marks on or in Software; or (vii) disable or circumvent any access control or related device, process or procedure established with respect to the Software. End User may not use the TruValidate Services for illegal or unlawful or malicious activities.

7. During the term of Service Agreements, TransUnion may, upon reasonable notice and during normal business hours, audit End User’s policies, procedures, and records which pertain to the Service Agreements to ensure compliance with the terms thereof.

B. Service-Specific Terms

1.TransUnion has the right to offer services obtained in part from third parties that provide data and/or services as part of the Services (“Third Party Service Providers”), and use thereof is governed by terms and conditions set forth in the Service Agreements, this Addendum and additional terms and conditions contained in this Exhibit A.

2. Fraud Alerts. End User’s use of the Fraud Alerts is subject to the Permitted Use certification above.

3. Email Verification. In addition to the General Terms set forth above, if End User would like to receive Email Verification services, the Service Agreements shall include terms substantially similar to the following:

3.1 END USER AGREES THAT EMAIL VERIFICATION SERVICES ARE PROVIDED “AS IS”, “AS AVAILABLE” AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. TRANSUNION DOES NOT WARRANT THAT END USER’S ACCESS TO THE EMAIL VERIFICATION SERVICES WILL BE UNINTERRUPTED, ERROR FREE, OR SECURE, THAT DEFECTS WILL BE CORRECTED, EMAIL DELIVERABILITY WILL IMPROVE, OR THAT THE EMAIL VERIFICATION SERVICES WILL BE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

4. Device Risk. In addition to the General Terms set forth above, if End User would like to receive Device Risk, the Service Agreements shall include terms substantially similar to the following:

4.1 The Device Risk service, which may also include a mobile software-development kit, analyzes the attributes of a device or individual input elements, some of which may be governed by the GLBA, used in a transaction, and provides a rating score and other attributes based on the data analyzed. End User acknowledges that Device Risk are obtained in part from Third Party Service Providers.

4.2 Device Risk is being provided for End User’s internal purposes and End User shall not: (i) interfere with or disrupt the integrity of performance of Device Risk or the data contained therein; or (ii) attempt to gain unauthorized access to Device Risk or related systems or networks. End User shall: (a) promptly comply with any request from TransUnion to delete Device Risk information or documentation; and (b) promptly inform TransUnion if End User becomes aware that any personal data connected with the Service Agreements is impermissibly accessed or used in violation of this Service Agreements.

4.3 End User shall not, and shall not permit any employee or third party to: (a) copy all or any portion of any Device Risk materials; (b) decompile, disassemble or otherwise reverse engineer Device Risk; (c) modify, translate, or otherwise create any derivative works based upon Device Risk; (d) distribute, disclose, market, rent, lease, assign, sublicense, pledge or otherwise transfer Device Risk, or any materials derived therefrom, in whole or in party, to any third party; or (e) remove or alter any copyright, trademark, or other proprietary notices, legends, symbols, or labels appearing on Device Risk.

4.4 THE DEVICE RISK SERVICES INCLUDING, WITHOUT LIMITATION, ANY DEVICE RISK MATERIALS, ARE PROVIDED AS IS. TRANSUNION AND ITS DEVICE RISK THIRD PARTY SERVICE PROVIDERS HEREBY DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF ANY KIND WHATSOEVER, WHETHER EXPRESS, IMPLIED (EITHER BY FACT OR BY OPERATION OF LAW), OR STATUTORY, RELATING TO DEVICE RISK AND THE SOFTWARE, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ALL WARRANTIES THAT MAY ARISE FROM A COURSE OF DEALING, COURSE OF PERFORMANCE, OR TRADE PRACTICE. TRANSUNION DOES NOT WARRANT THAT DEVICE RISK OR THE SOFTWARE WILL BE ERROR FREE, COMPLETELY SECURE, OR BE PROVIDED (OR BE AVAILABLE) WITHOUT INTERRUPTION. TRANSUNION MAKES NO WARRANTIES OR REPRESENTATIONS REGARDING ACCURACY OF INFORMATION CONTENT OR SYSTEM INTEGRATION, OR THE APPROPRIATENESS OF THE SOFTWARE FOR ANY PARTICULAR SYSTEM. THE DEVICE RISK SERVICES AND THE SOFTWARE ARE NOT FAULT TOLERANT AND ARE NOT DESIGNED NOR INTENDED FOR USE IN ANY ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. THIS SECTION SHALL BE ENFORCEABLE TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

4.5 TransUnion reserves the right to suspend or terminate End User’s access to Device Risk, without notice, if End User’s use of Device Risk would constitute a violation of applicable law, would cause TransUnion or its Device Risk Third Party Service Providers to be in violation of applicable law, or if End User violates any term of the Service Agreements.

5 Phone Verification and One-Time Passcode. In addition to the General Terms set forth above, if End User would like to receive Phone Verification and One-Time Passcode, the Service Agreements shall include terms substantially similar to the following:

5.1 End User acknowledges that Phone Verification and One-Time Passcode are obtained in part from Third Party Service Providers.

5.2 When utilizing One-Time Passcode, End User shall provide its customers any and all disclosures or explanations required under law concerning the customers’ utilization of One-Time Passcode, including, but not limited to, those disclosures regarding additional data fees and text messaging and/or phone call rates. End User shall obtain and secure any and all consents and authorizations from its customers that may be required by any law, rule or regulation in order to authorize the placement of an outbound, automated telephone call or text message. End User agrees that TransUnion will in no way be liable for End User’s failure to provide such disclosures or explanations, or for failing to obtain all required consents and authorizations.

5.3 End User shall not, and shall not permit any employee or third party to, use Phone Verification and/or One-Time Passcode to transmit Inappropriate Content. For purposes of this Addendum, Inappropriate Content means any content which is: (a) unsolicited, including without limitation, unauthorized “bulk” messages; (b) a cause of the introduction or “viruses”, “worms”, “Trojan Horses”, “e-mail bombs”, “cancelbots” or other similar computer programming routines into TransUnion’s or its service providers’ platform; (c) unlawful; (d) infringes the intellectual program rights of any person; or (e) executes, initiates or causes “phishing” or social engineering activities.

5.4 THE PHONE VERIFICATION AND ONE-TIME PASSCODE SERVICES INCLUDING, WITHOUT LIMITATION, ANY PHONE VERIFICATION AND/OR ONE-TIME PASSCODE MATERIALS, ARE PROVIDED AS IS, AS AVAILABLE. TRANSUNION AND ITS PHONE VERIFICATION AND ONE-TIME PASSCODE THIRD PARTY SERVICE PROVIDERS HEREBY DISCLAIM ALL OTHER REPRESENTATIONS, WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED (EITHER IN FACT OR BY OPERATION OF LAW), OR STATUTORY, WITH RESPECT TO PHONE VERIFICATION AND ONE-TIME PASSCODE INCLUDING, WITHOUT LIMITATION, ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ANY WARRANTY THAT THE PROVISION OF PHONE VERIFICATION AND ONE-TIME PASSCODE WILL BE UNINTERRUPTED OR ERROR-FREE, ANY WARRANTY NON-INFRINGEMENT, AND ALL WARRANTIES THAT MAY ARISE FROM A COURSE OF DEALING, COURSE OF PERFORMANCE, OR TRADE PRACTICE. TRANSUNION AND ITS PHONE VERIFICATION AND ONE-TIME PASSCODE THIRD PARTY SERVICE PROVIDERS DO NOT WARRANT THAT PHONE VERIFICATION AND ONE-TIME PASSCODE ARE ERROR-FREE. TRANSUNION AND ITS PHONE VERIFICATION AND ONE-TIME PASSCODE THIRD PARTY SERVICE PROVIDERS DISCLAIM ALL WARRANTIES NOT EXPRESSLY SET FORTH HEREIN.

5.5 TransUnion reserves the right to suspend or terminate End User’s access to Phone Verification and/or One-Time Passcode, without notice, if End User’s use of Phone Verification and/or One-Time Passcode would constitute a violation of applicable law, regulation, and/or judicial action, would cause TransUnion or its Phone Verification and One-Time Passcode Third Party Service Providers to be in violation of applicable law, regulation and/or judicial action, if End User violates any term of the Service Agreements, or if fraudulent or spam transactions are being submitted.

6 Document Verification. In addition to the General Terms set forth above, if End User would like to receive Document Verification services, the Service Agreement shall include terms substantially similar to the following:

6.1 End User hereby acknowledges that in order to utilize the Document Verification services, End User will collect from End User's customer(s) certain information, as further described in the Documentation, which may include biometric information ("Document Verification Information"). Document Verification Information is Confidential Information pursuant to the Service Agreements.

6.2 Where applicable, the Document Verification services may not be accessible or usable, in whole or in part, until End User’s relevant Document Verification accounts have been established and appropriately configured.

6.3 End User shall restrict access and use of the Document Verification services to machine-readable, executable, object-code form only.

6.4 End User is responsible for procuring and operating all computer systems, software, and telecommunications equipment and services required to meet the minimum technical specifications necessary for End User’s access and use of the Document Verification services. End User acknowledges that End User may be unable to access or utilize some or all aspects of the Document Verification services unless such minimum technical specifications are met.

6.5 The Document Verification services are being provided for End User’s internal purposes and End User shall not: (i) interfere with or disrupt the integrity of performance of the Document Verification services or the data contained therein; or (ii) attempt to gain unauthorized access to the Document Verification services or related systems or networks.

6.6 Prior to collecting any Document Verification Information from any of its customers, End User shall obtain and secure any and all required consents and authorizations from its customer(s) (“Consent Records”). As part of obtaining such records, End User must:

6.6.1.1 Notify its customer(s) as to the purpose for collecting the Document Verification Information and that such information will be shared with certain parties as needed to perform the Document Verification services; and

6.6.1.2 Obtain consent from its customer(s) allowing the collection, use, and storage of such Document Verification Information by End User, TransUnion, and other third parties who process data to perform Document Verification services.

6.7 End User agrees to maintain any and all Consent Records in an electronic format for a period of five (5) years and shall promptly make such electronic records available for inspection by TransUnion upon TransUnion’s reasonable request. For the avoidance of doubt, End User’s obligations to store End User Consent Records will survive termination of this Addendum or any Service Agreement to which Document Verification is subject.

6.8 End User agrees to destroy, delete, and dispose of any Document Verification Information received from TransUnion as part of the Document Verification services within six months of receiving such information. Such destruction, deletion, and/or disposal of such consumer information shall be performed in a manner designed to reasonably prevent continued use of or unauthorized access to such consumer information.

6.9 THE DOCUMENT VERIFICATION SERVICE IS PROVIDED ‘AS-IS’ AND TRANSUNION AND ITS DOCUMENT VERIFICATION THIRD PARTY SERVICE PROVIDERS HEREBY DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF ANY KIND WHATSOEVER, WHETHER EXPRESS, IMPLIED (EITHER BY FACT OR BY OPERATION OF LAW), OR STATUTORY, RELATING TO THE DOCUMENT VERIFICATION SERVICES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ALL WARRANTIES THAT MAY ARISE FROM A COURSE OF DEALING, COURSE OF PERFORMANCE, OR TRADE PRACTICE. TRANSUNION DOES NOT WARRANT THAT THE DOCUMENT VERIFICATION SERVICES OR THE SOFTWARE WILL BE ERROR-FREE, OR BE PROVIDED (OR BE AVAILABLE) WITHOUT INTERRUPTION. TRANSUNION MAKES NO WARRANTIES OR REPRESENTATIONS REGARDING ACCURACY OF INFORMATION CONTENT OR SYSTEM INTEGRATION, OR THE APPROPRIATENESS OF THE SOFTWARE FOR ANY PARTICULAR SYSTEM. THE DOCUMENT VERIFICATION SERVICES AND THE SOFTWARE ARE NOT FAULT TOLERANT AND ARE NOT DESIGNED NOR INTENDED FOR USE IN ANY ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. FOR THE AVOIDANCE OF DOUBT, TRANSUNION DOES NOT REPRESENT OR WARRANT TO END USER OR ANY END USER THAT THE DOCUMENT VERIFICATION SERVICES WILL IDENTIFY ALL SECURITY THREATS OR ANY PARTICULAR SECURITY THREAT, IDENTITY THEFT, OR FRAUD. THIS SECTION SHALL BE ENFORCEABLE TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

6.10 End User will defend and indemnify TransUnion and TransUnion's Third Party Service Providers against any third-party claims arising out of a breach of the obligations contained herein.

6.11 TransUnion reserves the right to suspend or terminate End User’s access to the Document Verification services, (a) if End User’s use of the Document Verification services would constitute a violation of applicable law; (b) would cause TransUnion or its Document Verification Third Party Service Providers to be in violation of applicable law; (c) if End User violates any terms or conditions contained herein; or (d) End User fails to pay all outstanding amounts due within sixty (60) days.

6.12 End User will not submit identifying documents from any member state of the European Union and/or the United Kingdom.

6.13 End User acknowledges and agrees that TransUnion may from time to time amend the requirements that must be met by End User for continued use of the Document Verification services.