CONSUMERCHECK.COM - USER AGREEMENT
'Additional Group Companies' means any company in which the Client has direct or indirect ownership of greater than 50% of the voting shares of the relevant company. A company shall only be an Additional Group Company for so long as the Client retains such ownership.
'The Source Data Supplier' means any of the following companies Equifax Limited registered in England Registered No. 2425920 Registered Office Capital House, 25 Chapel Street, London NW1 5DS. Equifax Limited is authorised and regulated by the Financial Conduct Authority. Equifax Touchstone Limited registered in Scotland Registered No. SC113401 Registered Office 54 Deerdykes View, Westfield Park, Cumbernauld G68 9HN. Equifax Commercial Services Limited registered in the Republic of Ireland Registered No. 215393 Registered Office IDA Business & Technology Park, Rosslare Road, Drinagh, Wexford. Callcredit Limited registered in England Registered No. 3961870 Registered Office One Park Lane, Leeds, West Yorkshire, LS3 1EP.
'The Source Data Supplier's Agent' means Credit Reports (UK) Limited of Units 4 & 5 Brightwell Barns, Waldringfield Road, Ipswich, Suffolk, IP10 0BJ.
'The Source Data Supplier's Web Sites' means all and any Internet web sites operated by The Source Data Supplier from time to time.
'Client' means the person or organisation that is applying to take The Source Data Supplier's Services by agreeing to these terms and conditions.
'Client Materials' means all Client data and materials made available to The Source Data Supplier pursuant to this agreement including (without limitation) data input onto The Source Data Supplier's databases by (or on behalf of) the Client as part of the Services.
'Confidential Information' means all trade secret and confidential or proprietary information of each party.
'Data' means all data, scores and other output and information provided by The Source Data Supplier as part of the Services.
'Documentation' means all user guides and other documentation provided by The Source Data Supplier to the Client in respect of the Services.
'DPA' means the Data Protection Act 1998.
'Permitted Purpose' means the Client's internal business purposes in accordance with the search type purposes as set up on The Source Data Supplier Services for use in accordance with the Regulations as described in Clause 6.2.
'Services' means The Source Data Supplier's XML feed credit reference service.
'Service Start Date' means the date upon which the Services are first made available to the Client.
'Software' means all software utilised by or made available by The Source Data Supplier in connection with the Services.
'Year' means each period of twelve consecutive months commencing on the Commencement Date or any anniversary thereof.
This agreement shall be deemed to have commenced on the date that the Client clicks acceptance of these terms and conditions (the 'Commencement Date') and (subject to earlier termination in accordance with the provisions of clause 9) shall continue in effect for a period agreed between the Client and The Source Data Supplier's Agent.
3 SUPPLY OF THE SERVICES
3.1 The Source Data Supplier shall use all reasonable care and skill in the provision of the Services.
3.2 The Source Data Supplier may from time to time change the form and content of the Services and/or upgrade or modify any of the methods used to access the Services.
4 USE OF THE SERVICES
4.1 The Source Data Supplier licences the Client to use the Services with effect from the Commencement Date and for the duration of this agreement for the Permitted Purpose. The Client shall not use the Services for any other purposes whatsoever.
4.2 The Client shall not sell, transfer, distribute or otherwise make the Services available to, or use the Services on behalf of, any third party other than to Additional Group Companies in accordance with Clause 4.3
4.3 The Services may be utilised by Additional Group Companies for their own internal Permitted Purposes provided that:
4.3.1 the Client shall procure that each of the Additional Group Companies shall grant the rights and comply with the obligations placed upon the Client pursuant to this agreement to the same extent as if each Additional Group Company had executed this agreement in its own right; and
4.3.2 the Client shall indemnify The Source Data Supplier against all costs, claims, demands and expenses arising out of or in connection with any claims made against The Source Data Supplier by any Additional Group Companies arising as a result of this agreement, however (subject to the provisions of Clause 8) the Client shall be entitled to bring a claim against The Source Data Supplier in respect of such costs, claims, demands and expenses incurred by any Additional Group Companies which, for the purposes of this Clause 4.3.2 shall be deemed to be costs, claims, demands or expenses of the Client.
5.1 Title, copyright and all other intellectual property rights in the Services including without limitation the Data (other than the Client's own data as provided to The Source Data Supplier) shall at all times remain vested in The Source Data Supplier (or its third party licensors) and the Client shall acquire no rights whatsoever therein save as expressly provided in this agreement.
5.2 Title, copyright and all other intellectual property rights in the Client Materials shall at all times remain vested in the Client and The Source Data Supplier shall acquire no rights whatsoever therein save as expressly provided in this agreement.
5.3 The Client grants to The Source Data Supplier:
5.3.1 A non-transferable, non-exclusive license to use and copy the Client Materials to enable The Source Data Supplier to carry out its obligations under this agreement; and
5.3.2 A non transferable, non-exclusive, perpetual license to incorporate the Client Materials into The Source Data Supplier's databases for the provision of The Source Data Supplier's services.
6 COMPLIANCE WITH LAWS
6.1 The Source Data Supplier and the Client shall at all times in respect of the subject matter of this agreement comply with all applicable laws, regulations and rules having equivalent effect including without limitation the Regulations (as hereinafter defined).
6.2 The Client acknowledges that the supply of the Services by The Source Data Supplier and use thereof is governed by various statutes regulatory requirements, codes of practice and guidelines relating to the use, provision and sharing of personal data, including without limitation, the DPA, the Principles of Reciprocity (being the rules (as amended from time to time) established by the Steering Committee on Reciprocity which govern the use of shared data in the credit industry) and the Representation of the People (England and Wales) (Amendment) Regulations 2002 (collectively 'the Regulations') and that the Regulations may change from time to time. The Client agrees that The Source Data Supplier may cease providing the whole or part of the Services (without liability) if necessary in order to enable The Source Data Supplier to comply with the Regulations.
6.3 The Client is responsible for ensuring that it retains sufficient records and audits in respect of data utilised and searches made in respect of the Services as may be required by any regulator from time to time. The Source Data Supplier is not responsible for retaining such information.
Each party shall in respect of the other party's Confidential Information keep the Confidential Information in strictest confidence and not to make the same available to any third party and only use the Confidential Information for the purposes of this agreement and ensure that only those of its employees who need to know have access to the Confidential Information.
8.1 The Client acknowledges (i) that the Data is supplied to The Source Data Supplier by third parties over whom The Source Data Supplier has no control and (ii) that where Data or information is transferred over the Internet it may be subject to interference by third parties. Therefore subject always to The Source Data Supplier's obligations under clause 3.1 The Source Data Supplier can make no warranties as to the accuracy of the Data nor the suitability of the Data for any specific purposes. The Client must satisfy itself that the Services are suitable for its own purposes.
8.2 The Source Data Supplier shall not be liable for any indirect or consequential loss or damage arising out of or in connection with this agreement or its subject matter even if The Source Data Supplier had notice of the possibility of such loss.
8.3 The Source Data Supplier shall not be liable for any loss of business, loss of profits, loss of use, loss of anticipated savings, loss of reputation, loss of goodwill or business interruption or increase in bad debt arising out of or in connection with this agreement or its subject matter even if The Source Data Supplier had notice of the possibility of such loss.
8.4 The Source Data Supplier's entire liability in respect of all claims arising out of or in connection with this agreement or its subject matter in any Year shall not exceed an amount equal to the sums paid or payable to The Source Data Supplier's Agent by the Client in respect only of the Services as defined in this agreement during that Year.
8.5 Notwithstanding any other term of this agreement, The Source Data Supplier does not limit or exclude liability for death or personal injury arising from its negligence.
8.6 Except as expressly provided in this agreement, all conditions and warranties or terms of equivalent effect whether express or implied (by statute or otherwise) are excluded to the fullest extent permitted by law.
9 SUSPENSION & TERMINATION
9.1 The Source Data Supplier may suspend the Services in response to or in compliance with any law, statute, legislation, order, regulation or guidance issued by government, a court of law, an emergency service or any other competent regulatory authority or if the security processes set up to protect the Services are breached in any way.
9.2 Either The Source Data Supplier or the Client may terminate this agreement immediately on notice if:
9.2.1 the other commits any material breach of this agreement and such breach (where capable of remedy) is not remedied to the non defaulting party's reasonable satisfaction within 14 days of notice specifying the breach and requiring its remedy; or
9.2.2 in respect of the other a resolution is passed or an order is made for winding up (save for the purpose of a bona fide reconstruction or amalgamation);or
9.2.3 in respect of the other an administration order is made, or a receiver or administrative receiver is appointed over any of its property or assets; or
9.2.4 the other is dissolved or is insolvent or would be taken to be insolvent under section 123 of the Insolvency Act 1986.
9.3 The Source Data Supplier may terminate this agreement without notice at any time if The Source Data Supplier's agreement with The Source Data Supplier's Agent in respect of the subject matter of this agreement terminates for any reason or if the Client's agreement with The Source Data Supplier's Agent in respect of the subject matter of this agreement terminates for any reason.
9.4 On termination of this agreement for whatever reason, the Client shall:
9.4.1 as soon as reasonably practicable delete all electronic copies and destroy all physical copies of any Data in its possession or control except for the Data which it is required to keep by law; and
9.4.2 return to The Source Data Supplier all assets which The Source Data Supplier has provided for the purposes of this agreement including without limitation the Software and the Documentation and any other materials provided by The Source Data Supplier relating to the Services (and all copies thereof); and
9.4.3 provide The Source Data Supplier with a certificate of compliance with the provisions of this clause signed by a duly authorised officer.
9.5 Termination is without prejudice to any antecedent breach or to any continuing obligation
10 FORCE MAJEURE
Neither party shall be liable to the other for any delay or non-performance of its obligations under this agreement arising from any cause beyond its reasonable control including (without limitation) any of the following: act of God, governmental act, war, fire, flood, explosion or civil commotion, industrial action, or failure in telecommunications service.
Any amendment, modification, variation or supplement to this agreement must be made in writing and signed by an authorised signatory of each party.
12 ASSIGNMENT AND SUB-CONTRACTING
12.1 Either party is entitled to sub-contract the performance of any of its obligations under this agreement provided that such party shall be liable for its obligations under this agreement to the same extent as if it had carried out the work itself.
12.2 Neither party may assign, transfer or otherwise make over any part of this agreement without the prior written consent of the other (such consent not to be unreasonably withheld or delayed).
If any provision of this agreement is found to be illegal or unenforceable by any court of competent jurisdiction then that provision shall be deemed to be deleted, but without affecting the remaining provisions.
Nothing in this agreement constitutes a partnership between the parties, and neither party is deemed to be the agent of the other for any purpose whatsoever. Neither party has the power or authority to bind the other or to contract in the name of the other party.
15 ENTIRE AGREEMENT
This agreement sets out the entire agreement between the parties and supersedes all oral or written agreements, representations, understandings or arrangements, relating to its subject matter. Neither party seeks to exclude liability for any fraudulent pre-contractual misrepresentation upon which the other party can be shown to have relied.
Failure by either party to exercise or enforce any rights available to that party or the giving of any forbearance, delay or indulgence is not to be construed as a waiver of that party's rights under this agreement.
17.1 Any reference to a statutory provision includes a reference to any modification or re-enactment of it from time to time.
All notices made pursuant to this agreement must be in writing an must be sent to the registered office or main trading address of the recipient.
19 GOVERNING LAW
This agreement shall be construed in accordance with English Law. The Source Data Supplier and the Client agree to submit to the non-exclusive jurisdiction of the English Courts.
20 THIRD PARTY RIGHTS
The parties confirm their intent not to confer any rights on any third parties by virtue of this agreement.
21.1 The Client shall pay The Source Data Supplier's fees and charges in place from time to time to The Source Data Supplier's Agent which fees will be specified by The Source Data Supplier's Agent under an agreement between The Source Data Supplier's Agent and the Client. Payments made to The Source Data Supplier's Agent pursuant to this agreement shall be deemed to have been made to The Source Data Supplier.
21.2 VAT is payable by the Client at the prevailing rate on all sums due under this agreement.
ConsumerCheck and ConsumerCheck.com are trading styles of Credit Reports (UK) Ltd ('Credit Rerports (UK) Ltd' - which definition shall also include any person, firm or organisation providing financial or credit data or information to Credit Reports (UK) Ltd) provides its information services ('Services' - which definition shall also include this Web site and all the information and data provided to you via this Web site) to you subject to the following notices, terms and conditions ('Terms')
BY USING THE SERVICES YOU ARE DEEMED TO HAVE ACCEPTED ALL OF THE NOTICES, TERMS AND CONDITIONS THAT APPEAR BELOW AND AGREED TO BE BOUND BY THEM. YOU MAY NOT USE THE SERVICES IF YOU DO NOT ACCEPT THESE TERMS.
Credit Reports (UK) Ltd reserves the right to modify all or any part of these Terms or make changes to the Services or to withdraw the Services or any part of them at any time at its own discretion and without notice to you.
It is therefore recommended that you revisit these Terms regularly so that you are aware of the Terms in force at any particular time. You will be deemed to be bound by those Terms prevailing at each time that you use the Services and each such use shall be a separate, discrete transaction based on the then prevailing Terms.
Any service messages which may occasionally be published (other than price and product revisions) and any statements or timings provided by any staff or help menu are intended for informal guidance only and do not form part of your contract with Credit Reports (UK) Ltd
Warranties, Liability and Disclaimers
Credit Reports (UK) Ltd provides the Services to you on an 'as is' basis. Credit Reports (UK) Ltd has made efforts to ensure that the information contained in the Services is accurate but does not give any warranty, guarantee or other term or representation of any kind, either express or implied, as to the completeness or accuracy of any such information or the credit worthiness or otherwise of any person, firm, company or other organisation referred to in the Services. Credit Reports (UK) Ltd can make no warranties as to the suitability of the Services for any specific purposes.
All material provided through the Services is for informational purposes only and must not be interpreted as an endorsement or otherwise of any specific person, firm, company or other organisation by Credit Reports (UK) Ltd. The Services are intended to provide one source of information; you should not rely exclusively on the Services but should make your own independent enquiry. In entering into any contract or other arrangement with any person, firm, company or other organisation referred to in the Services, you warrant that the you have taken all such steps as you shall consider necessary or appropriate to verify the credit worthiness or otherwise of such person, firm, company or other organisation. You are advised to exercise the standard of care in selecting or contacting any person, firm, company or other organisation from the Services as would be appropriate in selecting or contacting any other person, firm, company or other organisation with whom you have not previously dealt. The Services neither offer nor purport to offer any advice on any subject, and nothing contained in the Services is intended to be given or taken as advice on any subject.
The Services shall be provided in such manner at such times and in such places as Credit Reports (UK) Ltd shall from time to time in its absolute discretion determine. Credit Reports (UK) Ltd reserves the right to modify, alter the nature of or discontinue the Services or any part of the Services without notice.
Credit Reports (UK) shall not be liable for any typographical or other errors or omissions in the Services.
Except as may be specifically stated herein, to the fullest extent permitted by applicable law, in no event shall Credit Reports (UK) Ltd, nor any of its directors, employees or other representatives be liable for any damages, loss or claim of any kind howsoever arising out of or in connection with the use of the Services including (without limitation) compensatory, direct or indirect, special, punitive, consequential or exemplary damages, lost profits, lost sales or business, lost data or inability to use data, loss of or damage to property and claims of third parties irrespective of whether Credit Reports (UK) Ltd or any of its directors, employees or other representatives has been informed of, knew of, or should have known of the likelihood of such damages. This limitation applies to all causes of action including (without limitation) breach of contract, breach of warranty, negligence, strict liability, misrepresentation and other torts, although Credit Reports (UK) Ltd does not seek to limit its liability for death or personal injury caused by their negligence.
If Credit Reports (UK) Ltd's limitation of liability set out in this agreement shall for any reason whatever be held unenforceable or inapplicable in whole or in part, or in the event that a judgment is awarded against Credit Reports (UK) Ltd arising out of your use of the Services (other than in the case of death or personal injury) you hereby agree that Credit Reports (UK) Ltd's entire liability to you or anyone claiming through you, whether in tort or contract, arising out of any one incident or series of connected incidents shall in any event not exceed 1,000 GBP in aggregate or the cost of all reports you have purchased from Credit Reports (UK) Ltd in the 12 months preceding the date of any claim, whichever is the higher.
By their very nature, some of the facts or opinions you receive from the Services may be open to dispute, particularly by the subject company or its directors, or considered damaging or defamatory. If you breach any of the terms set out in these Terms and Conditions relating to the use of or dissemination of information from the Services, you agree to indemnify in full Credit Reports (UK) Ltd against all liabilities, claims, costs and expenses which they may incur as a result.
Restrictions on Use of the Services
THIS SERVICE IS NOT TO BE USED BY ANY ORGANISATION OR PERSON WHICH IS NOT A LIMITED COMPANY OR PUBLIC LIMITED COMPANY INCORPORATED AT COMPANIES HOUSE IN THE UNITED KINGDOM. FOR THE AVOIDANCE OF DOUBT YOU MAY NOT USE OUR SERVICE IF YOU ARE AN INDIVIDUAL, AN UNINCORPORATED BUSINESS OR ANY OTHER UNINCORPORATED ORGANISATION, OR A LIMITED PARTNERSHIP. THIS SERVICE IS NOT TO BE USED BY ANY ORGANISATION OR PERSON FOR THE PURPOSE OF SEARCHING THEIR OWN CREDIT FILE OR TO OBTAIN A CREDIT REPORT ON THEMSELVES OR ON BEHALF OF ANOTHER PERSON. USE OF THIS SERVICE FOR THIS PURPOSE IS EXPRESSLY PROHIBITED. CONSUMERS WHO WISH TO SEE THEIR OWN CREDIT FILE MUST MAKE THE APPROPRIATE APPLICATION AS SPECIFIED BY THE DATA PROTECTION ACT DIRECTLY TO THE DATA PROVIDER 'THE SOURCE DATA SUPPLIER'. THIS SERVICE CAN ONLY BE ACCESSED BY USERS WITH THE APPROPRIATE CONSUMER CREDIT LICENCE. IF YOU OPEN AN ACCOUNT AND DO NOT HAVE THE NECESSARY DATA PROTECTION REGISTRATION YOUR ACCOUNT WILL BE CLOSED AND YOU AGREE THAT ANY CREDIT PURCHASED IS NOT REFUNDABLE. YOU FURTHER AGREE THAT YOU WILL BE LIABLE FOR ALL ADMINISTRATIVE COSTS FOR CLOSING YOUR ACCOUNT IF IT HAS BEEN IMPROPERLY OPENED FOR THE PURPOSE OF ATTEMPTING TO ACCESS OUR SYSTEM WITHOUT HAVING THE APPROPRIATE AUTHORITY REQUIRED.
You confirm that you are registered under the Data Protection Act 1998 for the purposes of accessing and holding information about individuals for the purposes of assessing credit worthiness. You confirm that in accordance with the requirements of the Data Protection Act 1998, if the subject of your search is not a Limited company, it is your standard practice to notify the subject as to the purpose of the search and to obtain the subject's consent to a search being carried out with a credit reference agency which will keep a record of that search and will share information with other businesses. This includes any occasions when you may be making enquiries about the principal directors of a Limited company with a credit reference agency. You understand and agree that if at any time your Data Protection registration is allowed to lapse or is discontinued that you shall not access or attempt to access personal data from this or any other Credit Reports (UK) Ltd Limited service.
General Data Protection Regulation (GDPR)
The Client acknowledges that their use of the Service gives them access to personal data on individuals. The Client shall at all times abide by any and all requirements that apply to their organisation under the GDPR. The Client acknowledges that the GDPR includes specific requirements in respect of data breach prevention and data breach management. The Client will cooperate and assist Credit Reports (UK) Ltd in fulfilling its obligations under the GDPR in respect to the Client's use of the Services. The Client shall indemnify in full Credit Reports (UK) Ltd against all costs, claims, demands, losses and expenses which they may incur as a result of or in connection with the Client not complying with any or all of the requirements that apply to their organisation under the GDPR.
Other Conditions of Service
We may make a search with a credit reference agency, which will keep a record of that search and will share the information with other businesses. We may also make enquiries about the principal directors with a credit reference agency.
When using the service to conduct a search, you agree to use the service only for the purpose which you have stated as your reason for conducting the search and you may not conduct a search for any other purpose.
You are entitled to use the information on the Services for your own private personal use only. You may electronically copy and print in hard copy portions of the Services solely for your own private personal use. You may not use the Services or any part or copy of the Services for any commercial purposes. Any use or reproduction of the Services or any part of the Services (other than private personal use), or any modification, distribution, communication or republication of the Services or any part of the Services without the prior written permission of Credit Reports (UK) Ltd is strictly prohibited.
Credit Reports (UK) Ltd reserves the right to amend or withdraw any product or service at any time. Credit Reports (UK) Ltd reserves the right to withdraw or terminate your use of the service at any time. It is also understood that the purchase of Credits or licences does not guarantee continued availability of any product or service or customer support services and Credit Reports (UK) Ltd reserves the right to amend or withdraw any product or service at any time. The purchase of Credits or licences does not obligate Credit Reports (UK) Ltd to provide you with customer support services.
If Credits are added to your account in advance of payment you agree to settle invoices within our standard credit terms which are 14 days from date of invoice. If you have any dispute or query in respect of any invoices you agree to notify us in writing within 7 days of the date of the invoice.
Due to the nature of our service whereby we cannot reverse the provision of data when Credits are purchased or a prepayment is made for our services it is understood that Credits or prepayments are not refundable. Credits can be used to obtain our services for a maximum of 3 months from the date of purchase. Credits not used within 3 months of purchase will expire.
The data, information and material contained in the Services, all Web site design, text and graphics and the selection and arrangement thereof and all software used to operate the Services and the trademarks, logos and other intellectual property used in connection with the Services are the property of First Report Ltd. No licence of any such intellectual property rights is granted to you as a result of your use of the Services. Other product and company names mentioned in the information provided in the Services may be the trademarks of their respective owners.
This agreement constitutes the entire agreement and understanding between Credit Reports (UK) Ltd and you. It supersedes any previous agreement or understanding and may not be varied except in writing between us. All other terms and conditions, express or implied by statute or otherwise, are excluded to the fullest extent permitted by law.
Any notice required or permitted to be given by either party to the other under these Terms shall be in writing addressed to the other party at its registered office or principal place of business or such other address as may at the relevant time have been notified pursuant to this provision to the party giving the notice.
No failure or delay by either party in exercising any of its rights under this agreement shall be deemed to be a waiver of that right, and no waiver by either party of any breach of this agreement by the other shall be considered as a waiver of any subsequent breach of the same or any other provision.
If any provision of this agreement is held by any competent authority to be invalid or unenforceable in whole or in part, the validity of the other provisions of this agreement and the remainder of the provision in question shall not be affected.
Any dispute arising under or in connection with this agreement or the Services shall be referred to arbitration by a single arbitrator appointed by agreement or (in default) nominated on the application of either party by the President for the time being of The British Computer Society in accordance with the rules of The British Computer Society.
Equifax Security Requirements
These security requirements (the “Security Requirements”) apply to all External Parties accessing or using Information Services (as such terms are defined below).
Equifax reserves the right to update these Security Requirements from time to time, and such updates shall apply to all External Parties provided that reasonable prior notice is given.
These Security Requirements are not intended to replace the External Party’s own security policies, but rather set out the minimum security measures Equifax requires the External Party to implement in order to access or make use of Information Services.
For the purposes of these Security Requirements, the following terms shall mean as follows:
“Agreement” means the agreement under which the External Party receives or assists in the provision of Information Services;
“Authorised User” means an individual that the External Party has authorised to use or access Information Services, in accordance with the terms of the Agreement;
“External Party” means the third party either in receipt of Information Services (in the case of resellers, customers and clients) or assisting in the provision of Information Services (in the case of suppliers) under the relevant Agreement;
“External Party Resources” means systems, software and resources used by or on behalf of the External Party to access or use the Information Services;
“Equifax Data” means any information provided by or on behalf of Equifax, excluding information provided to Equifax by the External Party;
“Equifax Systems” means any systems and software owned or operated by or on behalf of Equifax;
“Information Services” means access to or use of any Equifax Systems or Equifax Data;
“Permitted Assets” means a laptop controlled by the External Party and used by an Authorised User as their primary computer for the purposes of using or accessing the Information Services;
“Security Incident” means any security incident across the External Party’s enterprise related to use of Information Services or resulting in the unlawful or unauthorised disclosure of or access to, Equifax Data or Equifax Systems.
3. ‘KNOW-YOUR-CLIENT’ (KYC)
Equifax may perform KYC checks on new External Parties using internal and external resources. These checks will include verifying the identities of key individuals (for example, company directors) to prevent and detect crime. Equifax may also make periodic searches at credit reference agencies and fraud prevention agencies as part of Equifax’s initial and ongoing security credentialing process. Any personal data used for these checks shall be processed in accordance with the ‘Credit Reference Agency Information Notice’ (CRAIN) and the ‘Equifax Information Notice’ (EIN). Copies of which can be found here:
CRAIN - www.equifax.co.uk/crain
EIN - www.equifax.co.uk/ein
4. AUTHORISED USERS
4.1 The External Party will:
4.1.1 ensure that only Authorised Users access or make use of the Information Services;
4.1.2 ensure that Authorised Users do not access or utilise Information Services including, as applicable, ordering credit reports) for personal reasons or provide them to any third party unless expressly permitted by any agreement between the External Party and Equifax;
4.1.3 ensure that all devices used by the External Party to order or access the Information Services are placed in a secure location and accessible only by Authorised Users, and that such devices are secured when not in use through such means as screen locks, shutting power controls off, or other reasonable security procedures, including those procedures described in more detail below;
4.1.4 take all necessary measures to prevent unauthorised ordering of or access to the Information Services by any person other than an Authorised User for permissible purposes, including, without limitation: limiting the knowledge of the External Party security codes, any telephone access number(s) Equifax provides, and any passwords the External Party may use, to those individuals with a need to know; changing the External Party’s user passwords at least every ninety (90) days, or sooner if an Authorised User is no longer responsible for accessing the Information Services, or if the External Party suspects an unauthorised person has learned the password; and using all security features in the software and hardware the External Party uses to order or access the Information Services;
4.1.5 not use (or permit the use of) personal computers, hard drives, portable or removable data storage equipment or media (including but not limited to laptops, zip drives, tapes, disks, CDs, DVDs, software, and code) to store and/or access the Information Services;
4.1.6 monitor compliance with the obligations of these Security Requirements, and immediately notify Equifax if the External Party suspects or knows of any unauthorised access or attempt to access the Information Services, including a review of each Equifax invoice for the purpose of detecting any unauthorised activity;
4.1.7 implement security best practices to ensure data integrity so that the repudiation of significant facts is negated by functionality involving a secure digital signature or another form of adequate proof that an Authorised User (and no other person) performed a particular task; and
4.1.8 to the extent that the External Party is permitted to use a third party vendor to access Information Services, be responsible for the third party vendor's use of the External Party's member numbers, security access codes, or passwords, and the External Party will ensure the third party vendor safeguards the External Party’s security access code(s) and passwords through the use of security requirements that are no less stringent than those applicable to the External Party under these Security Requirements.
5. SECURITY INCIDENTS AND INVESTIGATIONS
5.1 In addition to any notifications required under the Agreement, the External Party must notify Equifax as soon as possible, but within twenty-four (24) hours, following its awareness of a Security Incident. All such notifications shall be made to the Equifax Security Incident Response Team (E-SIRT) at 1-888-257-8799 (+1-678-795-7106 from outside the US) or via email at firstname.lastname@example.org.
5.2 In relation to each Security Incident, the External Party shall:
5.2.1 take all reasonable action to resolve or mitigate the impact of the Security Incident and include a description of the steps taken, together with a summary of the issue giving rise to the Security Incident (if known), to Equifax as soon as possible;
5.2.2 maintain, for a mutually agreed-upon length of time, all system records and access logs related to the Information Services impacted by the Security Incident, which Equifax may review and inspect with reasonable notice (for the avoidance of doubt, the External Party shall not be required to disclose to Equifax confidential information not related to the Information Services); and
5.2.3 provide any other information that Equifax reasonably requests pertaining to the Security Incident and cooperate fully with Equifax to thoroughly investigate any such Security Incident.
5.3 The External Party shall monitor External Party Resources for Security Incidents and other suspicious activities; including suspicious external activity (including, but not limited to, unusual increase in network traffic, unauthorized probes, scans or break-in attempts) as well as suspicious internal activity (including, but not limited to, unusual increase in utilization/load, unauthorized system administrator access, unauthorized changes to External Party Resources or network, system or network misuse or Information Assets theft or mishandling).
5.4 The External Party shall document and implement a Security Incident response plan which all External Party Employees are required to follow in the event that a Security Incident is suspected or confirmed; this Security Incident response plan shall include notifications, points of contact, backup procedures and all relevant actions that are required to recover from a Security Incident.
6. INFORMATION SECURITY REQUIREMENTS
6.1 The External Party shall implement and maintain an information security program that includes appropriate organisational, technical and physical safeguards reasonably designed to accomplish the following:
6.1.1 ensure the security and confidentiality of Equifax Data;
6.1.2 protect Equifax Data and Equifax Systems from a Security Incident; and
6.1.3 dispose of Equifax Data (as permitted by the Agreement) in a secure manner.
6.2 Operational Security
Without prejudice to the generality of section 6.1 (above), the External Party shall:
6.2.1 designate an employee or employees to coordinate its information security program;
6.2.2 monitor and identify internal and external risks to the security, confidentiality and integrity of the Information Services and assess the sufficiency of any safeguards in place to control such risks (“Risk Assessments”);
6.2.3 design and implement safeguards to control the risks identified through Risk Assessments, and regularly test or otherwise monitor the effectiveness of such safeguards;
6.2.4 restrict access to Information Services only to Authorised Users with an approved business need to have such access, and perform regular entitlement reviews to ensure such access is authorised and appropriate;
6.2.5 encrypt all Equifax Data during transmission or when at rest (including when stored on backup media), and such encryption methods must meet one of the following minimum encryption requirements:
184.108.40.206 Advanced Encryption Standard (AES), minimum 128-bit key; or
220.127.116.11 Triple Data Encryption Standard (3DES), minimum 168-bit key, encrypted algorithms;
6.2.6 use one-way hashing methods to store any passwords intended for use in relation to the Information Services;
6.2.7 establish a key management process for protection of cryptographic keys;
6.2.8 at least annually complete a security scan of the External Party Resources (a “Security Scan”), and correct all significant vulnerabilities within a reasonable amount of time, based on the potential impact of the vulnerability;
6.2.9 upon request, provide summary results of the Security Scan to Equifax, together with a summary of any subsequent remediation;
6.2.10 implement security changes and patches to External Party Resources in a timely manner, as directed by the system manufacturer and subject to appropriate testing, ensuring that in any event, changes and patches are be implemented either:
18.104.22.168 within ninety (90) days of their release; or
22.214.171.124 no later than twenty four (24) hours after their release unless a longer period is recommended by the manufacturer, in relation to security changes and patches correcting critical or immediate security risks, subject to appropriate testing as circumstances may allow;
6.2.11 maintain individual access and accountability controls for each Authorised User;
6.2.12 provide and maintain secure authentication mechanisms for External Party Resources that cannot be bypassed (for example, best practice would include the use of one time passwords, smart cards or biometric devices), and to the extent that passwords are used, they shall follow security best practices regarding the following:
126.96.36.199 length of password
188.8.131.52 complexities to include, but not be limited to, both alphabetic and numeric
184.108.40.206 password aging
220.127.116.11 password history
18.104.22.168 repeating characters
22.214.171.124 maximum invalid account login attempts
126.96.36.199 account lockout time limit; and
188.8.131.52 inactive session timeouts;
6.2.13 ensure that all tokens given to Authorised Users as part of two-factor authentication are unique to single users, and the External Party shall inform Authorised Users that they are responsible for all activities performed with their token and that sharing of tokens is strictly forbidden;
6.2.14 only grant remote access to Information Services to an Authorised User via approved two-factor authentication;
6.2.15 prohibit the use of personal or third party devices to access or use Information Services including, but not limited to, home personal computers (PCs)/laptops, personal mobile devices, personal email accounts, public PCs or PC kiosks;
6.2.16 configure devices that use or access Information Services, to disable split tunnelling (the avoidance of doubt, ‘split tunneling’ refers to the ability to remotely connect to an internal corporate network (e.g. VPN) and connect to an external untrusted network simultaneously);
6.2.17 actively review of audit logs on devices allowing remote-access connectivity and/or mobile usage in relation to the Information Services, and such reviews shall be conducted at least once a month and logs shall be retained for a minimum of ninety (90) days online and one (1) year offline;
6.2.18 prohibit persistent connections to any External Party Resources that contain, or have access to, Information Services without permission by Equifax, and Equifax has the right to refuse, disconnect or otherwise limit any persistent connection to Information Services at any time, for any reason and without warning; and
6.2.19 protect External Party Resources which hold or access Information Services, with multiple layers of network security including, but not limited to firewalls, routers and intrusion detection/prevention devices (IDS/IPS).
6.3 Physical Security
Without prejudice to the generality of section 6.1 (above), the External Party shall:
6.3.1 secure the perimeters of all facilities in which Information Services will be accessed and/or stored (“Facilities”), ensuring that the external walls of such Facilities are of solid construction and all external doors are suitably protected against unauthorized access (for example, by using control mechanisms, bars, alarms and locks);
6.3.2 use of video surveillance to record access to Facilities to deter intruders, protect employees and be used as evidence in any civil or criminal proceedings, ensuring that recordings are retained for a minimum of thirty (30) days;
6.3.3 secure all doors with automatic closing devices such that all doors shall be secured at all times, and ensure that all fire doors on a security perimeter of a Facility are alarmed;
6.3.4 restrict access to Facilities to authorized personnel only; visitors must be logged and escorted at all times;
6.3.5 Facility doors and windows are locked when unattended, and additional external protection is provided for windows, particularly at ground level so as to not allow access or viewing of the interior of a Facility where access to or use of Information Services is undertaken;
6.3.6 install suitable, monitored intruder detection systems at Facilities, which shall be regularly tested;
6.3.7 ensure comprehensive surveillance of all external doors and windows and ensure that unoccupied areas are alarmed at all times;
6.3.8 ensure that systems and cabinets containing Information Services are secured when not in use for direct console access.
7. Information Handling and Destruction
7.1 Except as set forth herein or otherwise specified in the Agreement, the External Party shall, in accordance with the requirements set forth below or in accordance with any timeframe specified by Equifax, destroy all Equifax Data once it is no longer needed for the purposes for which it was provided and permitted to be used under the Agreement.
7.2 In relation to the destruction of Equifax Data:
7.2.1 paper, compact disks (CDs) and any other media that can be shredded or otherwise destroyed (“Shreddable Media”) must be completely destroyed such that the results are not readable or useable for any purpose; and
7.2.2 Shreddable Media may be destroyed at a location other than the External Party’s Facilities, but it must be transferred in a secured, locked container with chain of custody documentation, and the External Party shall remain liable and responsible for the destruction regardless of where the activity occurs and by whom the destruction is performed.
7.3 The External Party must not ship hardware or software between the External Party’s locations or to third parties without deleting number(s), security codes, telephone access number(s) and passwords relevant to the Information Services.
8. Access Verification
8.1 The External Party shall implement a documented process to enable and record Authorised User access to Information Services.
8.2 Once an Authorised User has been authenticated as described above, the External Party shall employ a verification scheme that identifies the Authorised User and provides an acceptable measure of security for access to Information Services.
8.3 The External Party must have procedures in place that create appropriate audit trails for access to Information Services and retain those audit trails for not less than ninety (90) days online and one (1) year offline.
8.4 The External Party must take steps to protect access to Information Services by timing out the Authorised User session after a period of inactivity not to exceed fifteen (15) minutes.
9. External Party Personnel Security
The External Party must have a documented procedure in place to validate its personnel before granting them access to or use of Information Services (i.e. permitting them to be Authorised Users), which include the following:
9.1 Personnel Screening
The External Party must have a documented pre-employment screening process that includes, but is not limited to a criminal history check (as permitted by applicable), which includes a review of any criminal offenses included on the individual’s law enforcement records for the past five (5) years (excluding of any time served).
The External Party shall require that all personnel sign an acknowledgement of compliance with the External Party’s security policy and be provided a copy (or otherwise be made aware of) these Security Requirements, prior to providing the individual with access to or use of Information Services.
9.3 Record Keeping
The External Party shall:
9.3.1 maintain a written procedure for how the External Party complies with the personnel screening and on-boarding requirements;
9.3.2 retain a copy of documentation which validates that the appropriate level of personnel screening requirements has been completed by the External Party; and
9.3.3 allow Equifax to review such documentation upon request.
9.4 Change in circumstances
If the External Party becomes aware of any information that wold result in an Authorised User failing any of the requirements in this section 9, the External Party shall promptly remove the Authorised User’s access to and use of any Information Services, and if any device used by such Authorised User (such as key card or remote access token) cannot be recovered and returned to the External Party, Equifax shall be immediately notified to the extent that such device could enable a third party to access or use Information Services.
9.5 Security Awareness Program
The External Party shall implement and maintain an ongoing security awareness program to educate its Authorised Users regarding security issues and the requirements of this document, and shall ensure that Authorised Users are recertified at least annually and shall maintain documentation evidencing such training. The program must include, but should not be limited to, education regarding the following:
9.5.1 Email usage
9.5.2 Password management
9.5.3 Social Engineering, including phishing
9.5.4 Mobile device usage
9.5.5 Use of social media during job hours
9.5.6 How to contact management to report a security concern
10. External Party Resources
10.1 Anti-Virus and Protections against Malware and Malicious Code
10.1.1 The External Party must not permit removable devices or media such as, but not limited to mobile devices (excluding Permitted Assets), Universal Serial Bus (USB) drives, magnetic tapes, digital video disks (DVDs) and CDs to connect to any Information Services or other External Party Resource where Information Services is held or processed. All methods of removable storage shall be blocked.
10.1.2 The External Party shall keep its External Party Resources free of known viruses and other exploitive or destructive computer code, and otherwise ensure that:
10.1.3 it employs a regularly updated and current virus scanning software product in an active monitoring mode when using Information Services;
10.1.4 critical operating system and application software security patches, as determined by the software vendor, are applied to the device in a timely manner, here such devices are used to access Information Services; and
10.1.5 any applications developed by the External Party, used for access to any Information Services, are subject to a documented Software Development Life Cycle (SDLC) and include application security testing.
11. Business Continuity and Disaster Recovery
Business Continuity Plan (BCP)
11.1 The External Party shall implement and maintain a documented BCP and shall make a copy of the BCP available to Equifax on request.
11.2 The BCP shall include, at a minimum, the following information:
11.2.1 critical functions identified;
11.2.2 critical resources identified including, but not limited to, personnel, hardware, software and documentation;
11.2.3 strategy for critical functions and steps for restoration for all functions impacting (or likely to impact) Equifax;
11.2.4 call lists for personnel, suppliers and customers;
11.2.5 service levels as they pertain to business functions
11.2.6 workarounds where necessary
11.2.7 dependency on any critical Information Technology (IT) functions, as referenced by a specific Disaster Recovery Plan (please see the Disaster Recovery subsection below).
11.3 The External Party shall ensure that there is a person charged with the responsibility of developing and maintaining the BCP, and the BCP shall be updated and tested at least annually, with test results retained until at least completion of the next testing occurrence.
11.4 The External Party shall implement and maintain a documented disaster recovery plan and tested disaster recovery capabilities, which can recover within an appropriate amount of time those critical business functions/services for which Equifax has contracted (as applicable), and restore connectivity from the External Party to Equifax.
11.5 In keeping with industry standards and best practices, the External Party’s plans shall be reviewed and successfully tested at a minimum annually.
11.6 The External Party shall make available, upon written request, the most current test report for systems or critical business processes utilized in support of Equifax (as applicable) with summary of corrective actions accomplished for any identified substantive plan or provisioning shortfalls discovered in the testing process.
11.7 Unless otherwise agreed in writing, the External Party shall back-up Equifax Data in a periodic and timely manner, ensuring backup copies are labelled, logged and an up-to-date inventory kept.
12. PCI Data Security
12.1 Payment Card Industry (PCI) Data is comprised of cardholder account numbers, security codes and personal identification (PIN) numbers and any other categories of data subsequently identified by PCI Security Standards Council (SSC) as being subject to its Data Security Standards, which are currently published at the following URL: https://www.pcisecuritystandards.org. If the External Party receives PCI Data from Equifax, the External Party represents and warrants that it has in place, and shall maintain in place for as long as it has possession of and/or access to PCI Data, a compliant system for transmission, reception, storage and use of such PCI Data. In addition, the External Party represents and warrants that it can now and shall continue to be able to evidence that it has been deemed PCI Compliant by PCI and shall maintain such designation during the time period the External Party has possession of and/or access to PCI Data. The External Party will provide annual attestation that it is compliant with current Payment Card Industry Data Standard.
12.2 In the event of an actual or suspected Security Incident regarding PCI Data, the External Party shall immediately notify Equifax and cooperate with the investigative actions of VISA, MasterCard, American Express, Discover Financial Services, JCB International, its representatives, other card providers, Equifax and/or its affiliates, or any appropriate law enforcement entity.