Follow Us

Certifications

Contents

Introduction

This is a listing of common certifications in relation to services that General Information Solutions LLC ("Vendor") provides to its customers. The certifications are made by the customer or other recipient of Vendor's services ("Customer") The agreement between Customer and Vendor or some other document signed or acknowledged on Customer's behalf (in either case, the "Agreement") will identify the specific certifications applicable to the use of Vendor's services. The agreement or other documents may explicitly modify or qualify these certifications. Vendor also acknowledges for each certification that Customer's purchase of compliance-related services may fulfill specific certifications. To the extent that both a certification requires something to occur before Customer orders a service and Vendor provides Customer another service that fulfills that requirement, Customer orders the first service only upon the other service fulfilling the requirement. Each certification has a date of its last update associated with it (n for the form of yyyymmdd).

As used in each certification:

  • "Report" means the information that Vendor provides to Customer through its services; and
  • "Subject" means the individual that a Report is about.

Standard Certifications

revision 20170602

If the Agreement says that the Customer makes, certifies to, or agrees to the "standard" certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following certifications by ordering or receiving a Report:

  1. the limited-use certifications;
  2. the consumer-reporting certifications;
  3. the employment-related-screening certifications, unless Customer orders the service in question through an account that Customer and Vendor have specifically identified for orders for services used to investigate misconduct by Customer's current employees;
  4. the misconduct-investigation certifications, if Customer orders the service in question through an account that Customer and Vendor have specifically identified for orders for services used to investigate misconduct by Customer's current employees;
  5. the social-security-number-validation certifications if Customer orders any service identified in them;
  6. the name-and-address-history certifications if Customer orders any service identified in them;
  7. the driving-record certifications, if Customer orders any service identified in them;
  8. the international-information certifications, if Customer orders any service identified in them;
  9. the security certifications;
  10. the compliance-audit certifications;
  11. the compliance-information certifications related to the services identified in them; and
  12. the information-usage certifications.

Limited-use Certifications

revision 20170602

If the Agreement says that the Customer makes, certifies to, or agrees to limited-use certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following by ordering or receiving a Report:

  1. Customer will be the end-user of the Report.
  2. Customer will not resell the Report.
  3. Customer will not disclose, distribute, or publish the Report to anyone other than to (1) the Subject or the Subject's agent, (2) Customer's agents, lawyers, and auditors, (3) governmental agencies conducting investigations or exercising their supervisory authority, (4) Customer's business client to allow the client to retrospectively audit Customer's conformity to any agreement governing the business relationship between Customer and its client, and (5) anyone else to the extent required by law, court order, or subpoena. The foregoing sentence does not prohibit Customer from informing third parties of its decision that was based on a Report.
  4. Customer will not use the Report other than internally in a single use (but subsequent explanation, defense, or justification of that use is not a separate use) and as required by law.
  5. Customer will not maintain a database that includes information from the Report and that Customer (or anyone else) uses to produce new reports (including new "consumer reports" as defined in the FCRA).
  6. Customer will not process, use, or disclose information from the Report for any purpose other than a legitimate business purpose or other than in the ordinary course of business.
  7. Unless the Agreement explicitly states otherwise, Customer will not transfer or process the information in the Report outside of the United States.
  8. Customer will reproduce, and not remove, any notice, disclaimer, or other statement in a Report.
  9. Customer will inform Vendor in writing of any change in the purpose for which it uses Reports.
  10. Customer will not use any information from the Report for any unsolicited communication (including phone call, text message, mail, email, or fax) other than communications required by law.
  11. Customer will not to use any information in the Report to blackmail, harass, or humiliate anyone else.
  12. Unless expressly stated in the Agreement, Customer is not in (and will not use any Report in the conduct of) any of the following types of businesses: adult entertainment, bail bonding, check cashing (except as a bank), credit counseling, credit repair, dating or match-making, financial counseling (except housing counseling), genealogical or heir research, insurance claims management or review (except as an insurer), legal representation, locating missing children, massages, running a pawn shop, spiritual counseling, subscriptions (magazines, book clubs, record clubs, etc.), tattoos, and third-party repossession.
  13. If Vendor or its information supplier has reason to believe that Customer is violating any of these certifications, that Customer is violating any law, or that Customer's use of the Reports would cause Vendor or its information supplier to violate any law, then Vendor may temporarily suspend Customer's access to Reports, but only if Vendor informs Customer of the suspension by the most expeditious means available, identifies the basis of that suspension, uses reasonable efforts to limit the suspension to Reports affected by that basis, works with Customer to remediate any violation, and immediately restores access when Customer remediates the violation or shows that there was no violation.

Consumer-reporting Certifications

revision 20170801

If the Agreement says that the Customer makes, certifies to, or agrees to consumer-reporting certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following by ordering or receiving a Report:

  1. The Fair Credit Reporting Act, regulations issued under it, and similar state laws (collectively, the "FCRA") regulate most of the information that Vendor provides to Customer through its Reports and that bears on an individual's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living (that information being "Consumer Reporting Information"). The FCRA more intensively regulates Vendor's Reports in which Vendor obtains Consumer Reporting Information by interviewing someone, which are called "investigative consumer reports." The federal FCRA statute begins at 15 U.S.C. § 1681 [see http://www.ftc.gov/os/statutes/fcradoc.pdf]; most federal regulations begin at 12 C.F.R. part 1022 [see http://www.gpo.gov/fdsys/browse/collectionCfr.action?collectionCode=CFR]. Customer will comply with the FCRA.
  2. Customer has received the Consumer Financial Protection Bureau's "Notice to Users of Consumer Reports: Obligation of Users under the FCRA" [see http://www.geninfo.com/docs/Obligations-of-Users.pdf], which appears at 12 C.F.R. part 1022 appendix N and which explains many of Customer's duties under the FCRA.
  3. Customer has received the Consumer Financial Protection Bureau's "A Summary of Your Rights under the Fair Credit Reporting Act" [see http://www.geninfo.com/docs/Summary-of-Rights.pdf] (the "Summary of Rights"), which appears at 12 C.F.R. part 1022 appendix K and which explains to the Subject many of the Subject's rights under the FCRA.
  4. Customer will not use the Consumer Reporting Information in a Report for any purpose other than the FCRA-permitted purpose that Customer certified to Vendor.
  5. If Vermont's law applies to the Report, Customer acknowledges receipt of section 2480e of the Vermont FairCreditReporting Act [available at http://legislature.vermont.gov/statutes/section/09/063/02480e].
  6. Customer acknowledges that obtaining information about a Subject from Vendor under false pretenses is a federal crime.

Employment-related-screening Certifications

revision 20170801

If the Agreement says that the Customer makes, certifies to, or agrees to the "employment," "employment-purposes," or "employment-related" certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following certifications by ordering or receiving a Report:

  1. Consumer Reporting Information in the Report will be used only as a "consumer report" under the FCRA and only for "employment purposes" under the FCRA (which, according to the Federal Trade Commission, includes relationships other than normal employment, such as individual independent contractors and individual insurance agents).
  2. Information in the Report will not be used in violation of any applicable federal or state equal employment opportunity law or regulation.
  3. Some certifications depend on whether Customer is both (1) considering the Subject as an applicant for a position regulated by either or both of (i) the federal department of transportation under a specific statute that allows the department to establish qualifications and maximum service hours for the trucking industry or (ii) a state transportation agency and (2) has interacted with the Subject only by mail, phone, computer, or similar means. If both of these conditions are fulfilled, then the Report is for "Trucking.

Disclosure or Notice

  1. Unless the Report is for Trucking, Customer has given the Subject clear, conspicuous, written disclosure (in a document consisting solely of the disclosure) that a consumer report may be obtained for employment purposes.
  2. If the Report is for Trucking, Customer has given the Subject an oral, written, or electronic notice that (1) a consumer report may be obtained for employment purposes; (2) the Subject has the right to obtain a free copy of any report on which the Customer based adverse action by requesting it from Vendor within 60 days; and (3) the Subject has the right to dispute the accuracy or completeness of any information in any report.
  3. If the Report is governed by the California Investigative Consumer Reporting Agencies Act, Customer has given the Subject clear, conspicuous, written disclosure (in a document consisting solely of the disclosure) (1) that an investigative consumer report may be obtained for employment purposes; (2) that the report may include information on the consumer's character, general reputation, personal characteristics, and mode of living; (3) that identifies the name, mailing address, telephone number, and website address of the consumer reporting agency providing the report, and (4) that summarizes the Subject's rights under California Civil Code § 1786.22 (including that, if the Subject provides proper identification, the Subject may inspect our files about the Subject by mail, by telephone, or in person, that we will provide the Subject with trained personnel and explanation of any codes to help understand those files, and that another person who provides identification may accompany the Subject, all for free).
  4. If the Report is an investigative consumer report under the FCRA, Customer has given the Subject (1) a clear and accurate disclosure that an investigative consumer report including information on the Subject's character, general reputation, personal characteristics, and mode of living, whichever are applicable, may be made, (2) a statement that that the Subject has the right to obtain a complete and accurate disclosure of the scope and nature of the investigation performed; and (3) the Summary of Rights. If the Subject requests, Customer will make a complete and accurate disclosure of the nature and scope of the investigation and deliver that disclosure to the Subject within five days.

Authorization or Consent

  1. Unless the Report is for Trucking, Customer has obtained the Subject's written authorization (which may be on the disclosure document) for Customer to procure the Report.
  2. If the Report is for Trucking, Customer has obtained the Subject's consent (orally, in writing, or electronically) to Customer obtaining the Report.
  3. If the Report is governed by the California Investigative Consumer Reporting Agencies Act, Customer has obtained the Subject's written authorization to obtain the report.
  4. If the Report is governed by the Colorado Consumer Credit Reporting Act, Customer has (1) informed the Subject that it may request a report and (2) the Subject consented in writing to that request.
  5. If the Report is governed by the New Jersey Fair Credit Reporting Act, Customer has given the Subject clear, conspicuous, written disclosure (in a document consisting solely of the disclosure) that a consumer report or investigative consumer report may be obtained for employment purposes and the Subject has authorized Customer to obtain the report.
  6. If the Report is governed by the Vermont Fair Credit Reporting Act, Customer has secured the Subject's written consent to obtain the Report and will use the Report only for the purpose to which the Subject consented.

Additional Disclosures

  1. If California's Consumer Credit Reporting Agencies Act governs the Report, Customer has given the Subject a notice (1) that a credit report will be used, (2) that identifies the basis for requesting the credit report under California Labor Code § 1024.5, (3) that identifies the consumer reporting agency providing the credit report, and (4) that has a box that the Subject may check to request a copy of the credit report. If the Subject checked the box, Customer will provide a copy of the credit report to the Subject.
  2. If California's Investigative Consumer Reporting Agencies Act governs the Report, Customer has given the Subject a form with a box that the Subject could check to request a copy of the Report. If the Subject checked that box, Customer will send a copy of the Report to the Subject within three business days after receiving the Report.
  3. If Minnesota Statutes chapter 13C governs the Report, Customer has given the Subject a written disclosure that (1) accompanies any application for employment that Customer provided to the Subject, (2) states that Customer may obtain a consumer report, (3) states that the Subject may obtain a complete and accurate disclosure of the nature and scope of the Report, and (4) includes a box that the Subject may check to request a copy of the Report. If the Subject checked that box, Customer will provide the Subject a copy of the Report.
  4. If New York's Fair Credit Reporting Act governs the Report, Customer has given the Subject written disclosure that Customer will, upon the Subject's request, inform the Subject whether it requested a consumer report and, if so, of the name and address of the consumer reporting agency that issued it. If the Subject requests this information, Customer will provide it in writing.
  5. If Oklahoma Statute § 24-148 governs the Report, Customer has given the Subject a form with a box that the Subject may check to request a copy of the Report. If the Subject checked that box, Customer will provide the Subject a copy of the Report.
  6. If the Report is an investigative consumer report governed by Minnesota Statutes chapter 13C, Customer has given the Subject a written statement that the Report may include information obtained through personal interviews.
  7. If the Report is an investigative consumer report governed by the New York Fair Credit Reporting Act, Customer gave the Subject (1) a copy of Article 23-A of the New York Corrections Law and (2) a written statement that, upon written request, Customer will inform the Subject whether it ordered an investigative consumer report and, if so, of the name and address of the consumer reporting agency that provided the investigative consumer report. If the Subject requests this information, Customer will provide it in writing and will inform the Subject in writing that the Subject may inspect and receive a copy of the investigative consumer report by contacting the consumer reporting agency.
  8. If the Report is an investigative consumer report governed by the New York Fair Credit Reporting Act, Customer obtained the Subject's written authorization to obtain an investigative consumer report.
  9. If the Report is governed by New York's Fair Credit Reporting Act and includes criminal conviction information, Customer will provide the Subject with a written copy of Article 23-A of the New York Corrections Law.
  10. Customer has (or will have timely) made any additional disclosures, offered any additional information, and obtained any additional authorizations required by state or local law.

Adverse Action

  1. Customer will not take any adverse action based on information in the Report unless: (1) Customer has considered any explanation (including any evidence of rehabilitation) to the extent required by law; and (2) the information has a relationship to the Subject's duties that is sufficient to satisfy applicable law.
  2. Unless the Report is for Trucking:
    1. Customer will provide the Subject, before taking any adverse action based on information in the Report, with the Summary of Rights and a copy of the report it received.
    2. Customer will not take any adverse action based on information in the Report unless (i) Customer has given the Subject a reasonable period after providing the notice described above (of at least 5 business days if the notice was mailed) in which to dispute or explain the information, and (ii) the Subject has not disputed any information or that dispute has been resolved.
    3. When Customer takes adverse action based on information in the Report, Customer will give the Subject oral, electronic, or written notice: (1) of the adverse action being taken; (2) of Vendor's name, mailing address, toll-free telephone number, and website address; (3) that Vendor did not make the decision to take the adverse action and is unable to provide the reasons why the adverse action was taken; (4) that the Subject can obtain a free copy of a report on the Subject by requesting one from Vendor within 60 days; and (5) that the Subject may dispute the accuracy or completeness of any information provided by Vendor.
  3. If the Report is for Trucking:
    1. Within three business days after taking adverse action based on information in the Report, Customer will give the Subject oral, written, or electronic notice: (1) that adverse action was taken in whole or in part based on a consumer report received from a consumer reporting agency; (2) of Vendor's name, address, and phone number; (3) that Vendor did not make the decision to take the adverse action and is unable to provide the Subject the specific reasons why the adverse action was taken; (4) that the Subject may obtain a copy of the report on providing proper identification; and (5) that the Subject may dispute the accuracy or completeness of any information provided by the consumer reporting agency.
    2. If the Subject requests, the Customer will (within three days of the receiving the Subject's request and proper identification) send or provide the Subject a copy of a report and a copy of the Summary of Rights.
  4. To the extent required by law, Customer will inform the Subject of the reason for any adverse action taken based on information in the Report when applicable law requires.
  5. If the report is governed by the New Jersey Fair Credit Reporting Act, Customer will provide the Subject, before taking any adverse action based on information in the Report, with the Summary of Rights and a copy of the report it received.
  6. If the report is governed by the New Jersey Fair Credit Reporting Act, Customer will not take any adverse action based on information in the Report unless: (1) Customer has given the Subject a reasonable period after providing the notice described above (of at least 5 business days if the notice was mailed) in which to dispute or explain the information; and (2) the Subject has not disputed any information or that dispute has been resolved.

Employee-misconduct-investigation Certification

revision 20170602

If the Agreement says that the Customer makes, certifies to, or agrees to the "misconduct," "investigation," "misconduct-investigation," or "employee-misconduct" certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following certifications by ordering or receiving a Report:

  1. Customer is currently investigating either suspected misconduct relating to employment or compliance with law, the rules of a "self-regulatory organization" as defined in the FCRA, or its pre-existing, written policies as an employer.
  2. If California's Investigative Consumer Reporting Agencies Act governs the Report, the Subject is the subject of the investigation.
  3. If Minnesota States chapter 13C governs the Report, the investigation is into either (1) a current violation of a criminal or civil statute by a current employee or (2) employee conduct for which the employer may be liable.
  4. The Report is not governed by New Jersey's Fair Credit Reporting Act or New York's Fair Credit Reporting Act.
  5. Customer will not request a credit report as part of a Report if the Report will be governed by California or Vermont law.
  6. Customer is not investigating the Subject's credit worthiness, credit standing, or credit capacity, even if that is relevant to its investigation.
  7. Customer will not give the Report to anyone except (1) its employees and other agents, (2) an officer, agency, or department of any federal, state, or local government, (3) a "self-regulatory organization" as defined in the FCRA with regulatory authority over it or its employee who is being investigated; or (4) as required by law.
  8. If Customer takes adverse action based on the Report, Customer will promptly disclose to the Subject a summary of the nature and substance of the Report, except that Customer need not disclose the sources of information for any part of the Report that is an investigative consumer report.
  9. Customer has (or will have timely) made any additional disclosures, offered any additional information, and obtained any additional authorizations required by state law.

Social-security-number-validation Certifications

revision 20170602

""Social Security Number Validation" means the service of comparing a Subject's social security number against the Social Security Administration format and death master index file. The format comparison usually (but not always) determines whether the social security number is a possible social security number, the year range and state of issuance, and whether the social security number may have been issued before the Subject's year of birth. The format comparison will not be able to determine this information for social security numbers issued after the Social Security Administration began randomizing newly issued numbers. Comparison to the death master index file may determine whether the social security number belongs to a person listed as deceased.

If the Agreement says that the Customer makes, certifies to, or agrees to social-security number-validation or social-security-number-verification certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following certifications by ordering or receiving a Social Security Number Validation:

  1. Customer acknowledges that the Social Security Number Validation's failure to confirm the identity of the Subject is not positive disconfirmation of the identity of the Subject. The Social Security Number Validation does not disconfirm the identity of any Subject. Customer will not treat the Social Security Number Validation as disconfirming the identity of any Subject.
  2. Customer may use the Social Security Number Validation to decide whether or not to request additional information or documents in order to confirm the Subject's identity. Customer will not use the Social Security Number Validation for any other purpose. Without limiting the generality of this prohibition, Without limiting the generality of this prohibition, Customer will Customer will not make any FCRA-regulated eligibility decision or make any FCRA-regulated adverse action where the decision or action is based on the Social Security Number Validation.
  3. For the death master file information that Vendor provide to Customer, Customer:
    1. has a legitimate fraud prevention interest in obtaining that information or has a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, which (in either case) is confirming that the Subject is not committing identity fraud by providing a deceased individual's a social security number;
    2. have systems, facilities, and procedures in place to safeguard that information and have experience in maintaining the confidentiality, security, and appropriate use of that information, both under requirements reasonably similar to those in section 6103(p)(4) of the Internal Revenue Code of 1986;
    3. will satisfy those requirements;
    4. will not, during the three years after the death of a deceased person, disclose death master file information about that deceased person to any person who:
      1. does not meet the requirements of these certifications related to death master file information;
      2. uses the information for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty; or
      3. further discloses the information to any person other than a person who meets the requirements of these certifications related to death master file information; and
    5. will not, during the three years after the death of a deceased person, use death master information about that deceased person for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty.

Name-and-address-history Certifications

revision 20170602

"Name & Address History" means those services that (a) retrieve names and addresses associated with a social security number in a non-governmental database, (b) compare retrieved names and addresses with those supplied by any other source, or (c) both, but does not include a credit report.

If the Agreement says that the Customer makes, certifies to, or agrees to social-security number-validation or social-security-number-verification certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following certifications by ordering or receiving a Name & Address History:

  1. Customer acknowledges that the Name & Address History's failure to confirm the identity of the Subject is not positive disconfirmation of the identity of the Subject. The Name & Address History does not disconfirm the identity of any Subject. Customer will not treat the Name & Address History as disconfirming the identity of any Subject.
  2. Customer acknowledges that the Name & Address History's provision of other names associated with a Subject's social security number does not mean that the Subject actually used those names or has ever misrepresented his or her identity. Customer will not treat the Name & Address History as doing so.
  3. Customer will not use the Name & Address History for any purpose other than in conjunction with protecting against or preventing actual or potential fraud, unauthorized transactions, claims, or other liability. This permitted use may include (a) deciding whether to obtain additional information or documents to confirm the Subject's identity, (b) selecting names, jurisdictions, or both names and jurisdictions for which to obtain information such as criminal history information, (c) determining whether Vendor performed its obligations for a Report about the Subject, and (d) demonstrating that a Name & Address History was obtained before obtaining other information about a Subject.
  4. Customer acknowledges that the Name & Address History information is not part of any "consumer report" governed by the FCRA. Customer will not to use any Name & Address History information in any manner that would make it a consumer report. In particular, Customer will not make any FCRA-regulated eligibility decision or make any FCRA-regulated adverse action where the decision or action is based on the Name & Address History information itself (as opposed to other information that Vendor discovers based on use of the Name & Address History information).
  5. Customer will treat Name & Address History information as confidential, including by limiting access to those personnel who need to know the information for legitimate reasons; requiring those personnel to keep the information confidential; safeguarding the information using reasonable and appropriate administrative, technical, and physical security safeguards; protecting against reasonably anticipated threats to the information; and protecting against unauthorized access, use, control, and disclosure of the information.
  6. Customer will comply with the portions of the Gramm-Leach-Bliley Act [which is 15 U.S.C. §§ 6801-09], under which the Name & Address History information is "non-public personal information" and which limits further disclosure.

Driving-record Certifications

revision 20170602

If the Agreement says that the Customer makes, certifies to, or agrees to social-security number-validation or social-security-number-verification certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following certifications by ordering or receiving a driving record (commonly known as a "motor vehicle report"):

  1. Except with respect to any Subject that holds or claims to hold a commercial driver's license, Customer will not use any driving record information in a Report for any purpose other than verifying the accuracy of personal information submitted by the Subject to Customer (such as the existence of a valid driver's license or qualifying driving record) and, if that information is not correct, obtaining the correct information, but only for the purpose of preventing fraud by the Subject. For any Subject that holds or claims to hold a commercial driver's license, Customer may also use the driving record information in a Report to obtain or verify information required in chapter 313 of title 49 of the United States Code (which regulates to commercial motor vehicle operators).
  2. Customer has obtained the written permission of the Subjectto obtain the Subject's driving record.
  3. Customer will maintain a copy of that written permission (including the name of the Subject) for a period of at least five years following the date Vendor provides a Report including the Subject's driving record.
  4. Customer will comply with the Driver's Privacy Protection Act, any state law adopted under or to implement it, and any related regulations.
  5. Customer acknowledges that, for some states, Vendor cannot obtain driving records unless (a) Customer completes and signs additional agreements and other forms that law or information suppliers require and (b) any agency or supplier that mandates that it approve these agreements or forms provides the required approval. Customer does not certify or promise that it will sign those agreements or forms, but will comply with them if it does sign them.

International-information Certifications

revision 20170602

If the Agreement says that the Customer makes, certifies to, or agrees to international certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following certifications by ordering or receiving a Report based on information from outside the United States:

  1. As a condition to Vendor providing the Report, Customer must provide the following documents (in the form that Vendor provides to Customer) for each international Report that Customer requests: (a) an international consent that includes explicit, opt-in consent to transfer information to the United States, (b) proof of identification, and (c) any additional forms required to obtain information from specific countries.
  2. If Customer has self-certified the Privacy Shield Principles and Supplemental Principles (the "Principles") to the United States Department of Commerce and has indicated to that Department that it chooses to extend Privacy Shield benefits to human resources personnel information transferred to the United States, then Customer will (a) adhere to the Principles for all information from the European Union or Switzerland in Reports that Vendor provides to Customer and (b) assure that the documents by which it fulfills the Principles concerning notice and choice for those Reports also fulfill Vendor's duties under those Principles for those Reports.
  3. For information from the European Union or Switzerland, Customer will (a) process the information only for the limited purposes specified in the consent that the Subject provided; (b) provide the same level of protection as the Principles, (c) will notify Vendor if it makes a determination that it can no longer provide that level of protection; (d) if it makes that determination, cease processing the information or take other reasonable and appropriate steps to remediate the inability to provide that level of protection; (e) permit Vendor to provide the Subject with access to information about the Subject that either Customer provided to Vendor or that Vendor obtained for Customer; and (f) permit Vendor to correct, amend, or delete that information if it is inaccurate of processed in violation of the Principles.
  4. If Vendor requests, Customer will complete and sign the standard contractual clauses annexed to European Commission Decision 2004/915/EC [see http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/cct-responsable%20vers%20responsable%202004-en.pdf].
  5. Customer will abide by all non-US laws applying to information that Vendor obtains from non-US jurisdictions and provides to Customer.
  6. Customer acknowledges that Vendor has no control over or ability to predict the availability of information from jurisdictions outside the United States. Currently available information for a country might become unavailable with or without notice. In those cases, Vendor will be unable to provide the international Report. Vendor cannot provide any assurance that Vendor will retrieve information outside of the United States within any set period of time. Therefore, no other statement concerning the timeliness of Vendor's services applies to information from outside the United States.

Security certifications

revision 20170602

If the Agreement says that the Customer makes, certifies to, or agrees to security certifications (or includes any substantively equivalent statement), then Customer (by ordering a Report) certifies and agrees that it will use the following security procedures in order to protect the data in the Report and rights of privacy that the Subject has in some of it:

  1. Customer will use reasonable and appropriate administrative, technical, and physical security procedures to protect against (1) reasonably foreseeable threats and hazards to the confidentiality of that information in the Report and (2) unauthorized access to, use of, control over, or disclosure of that information.
  2. Customer will maintain and follow a written security policy that is designed to comply with all laws related to the protection of information that Vendor provides to Customer.
  3. Customer will restrict the ability to access the Report to those personnel who have a need to know the information contained in it.
  4. Customer will ensure that any of its computers from which a person could access Reports are secure and are locked or turned off when unattended by Customer's personnel who have a need to know information in the Report.
  5. Customer will secure all stored copies (whether printed or electronic) of any Report.
  6. Customer shall not store any information in any Report except as required to use the Report as the Agreement permits.
  7. Customer will protect its account names and passwords so that only its authorized personnel know them. Customer will not post these credentials anywhere. Customer will ensure that any software that it uses to access Vendor's website or system hides Customer's credentials so only specially authorized personnel can know them. Customer will assign a unique username and password to each user of any such software. Customer acknowledges that Vendor never asks for credentials by telephone; Customer will not disclose its credentials by telephone.
  8. Customer will inform Vendor immediately if Customer believes that anyone has gotten unauthorized access to, use of, control over, or disclosure of any information that Vendor provided to Customer (unless that information was encrypted and Customer has no reason to believe that the decryption key was compromised). Customer will reasonably cooperate with Vendor (and Vendor's information suppliers) in mitigating any resulting damage.

Compliance-audit Certifications

revision 20170602

If the Agreement says that the Customer makes, certifies to, or agrees to the audit or assessment certifications (or includes any substantively equivalent statement), then Customer will cooperate with Vendor's audits into Customer's use of the Reports and promptly correct any deficiencies found, each on the following conditions:

  1. Vendor must limit the purpose of the audit to assuring Customer's compliance with applicable law, the Agreement, other certifications that Customer provided, and any requirements imposed by information suppliers.
  2. Vendor must give Customer written notice of the commencement of the audit.
  3. Vendor must give Customer at least 14 days in which to respond to information requests, unless applicable law or an information supplier imposes a shorter time period or unless Vendor commences the audit in response to an audit, complaint, or investigation by any information supplier suppliers, any government agency, any Better Business Bureau of similar organization, or any Subject.
  4. If Vendor requires an in-person meeting for the audit, Vendor must conduct the meeting at Customer's facility, during Customer's normal business hours, with at least 14 days' notice.

Compliance-information Certifications

revision 20170602

Vendor publishes a periodic electronic newsletter to its customers. One section of this newsletter summarizes new statutes (and some federal regulations) that relate to consumer reports and other information in Vendor's services. Additionally, from time to time, Vendor send to its customers an email alert on important changes in the legal environment. Finally, Vendor makes certain compliance-related resources available to its customers electronically accessible through its website.

If the Agreement says that the Customer makes, certifies to, or agrees to the compliance-information or compliance-consulting certifications (or includes any substantively equivalent statement), then Customer acknowledges that:

  1. Vendor is not a law firm, does not provide legal advice, and does not function as Customer's legal counsel.
  2. Vendor advises Customer to assure its compliance with law through its own legal counsel. Customer has independently educated itself about how the law regulates its use of Vendor's services.

Information-usage Certifications

revision 20170602

If the Agreement says that the Customer makes, certifies to, or agrees to the information-usage certifications (or includes any substantively equivalent statement), then Customer makes, certifies, and agrees to the following certifications by ordering or receiving a Report:

  1. Vendor may use any information that Customer or a Subject supplies and personally identifies a Subject to investigate, prepare, re-investigate, and correct a Report about the Subject that Customer has ordered and, in the event of an error, to take measures to prevent recurrence of the error. In doing so, Vendor may provide that information to organizations that had data about the Subject before Vendor requested it (including courts, government agencies, consumer reporting agencies, employers, schools, and other data sources). Vendor does not control these organizations and does not undertake to require them to maintain the confidentiality of the information that Vendor supplies to them.
  2. Vendor may use any information that Customer or a Subject supplies and personally identifies a Subject to determine whether Reports that Vendor provides Customer and Reports that Vendor provides its other clients are about the same Subject, so that Vendor may cross-check them for accuracy.
  3. Vendor may use any telephone number or physical or electronic address that Customer or a Subject supplies to communicate with or provide notices to the Subject about the Report.
  4. Vendor may use add information that Vendor found in public records as a result of preparing a Report for Customer to a proprietary database of public records, regardless of any contrary terms in the Agreement.
  5. Vendor may supply information obtained or confirmed through a Subject's dispute of a Report to other consumer reporting agencies through one or more clearinghouses for the purpose of preventing future errors in consumer reports.