Global Debt Registry Terms of Use

Revision Date: 12/19/2016

This Terms of Use Agreement (hereafter “Terms of Use” or “User Agreement”) between you (“user” or “you”) and GDR Acquisition Company, LLC d/b/a Global Debt Registry (“GDR”). This User Agreement and all policies posted on our sites set out the terms on which GDR offers you access to and use of our sites, services, registry, applications and tools (collectively, the “Services”). You may not access any of the Services unless you are an employee or authorized agent of a Subscriber to GDR. A “Subscriber” is defined as an organization or natural person that has executed a Subscription Agreement and/or Participation Agreement (the “Registry Agreement”) with GDR for access to any or all of the Services. Any Subscription Agreement executed with GDR as defined above is incorporated into this User Agreement. If there is any conflict between this User Agreement and the terms of the Registry Agreement, the terms of the Registry Agreement will apply. You agree to comply with all the above when accessing or using our Services. By accessing this website you acknowledge that you have read and understood this User Agreement and voluntarily agree to be bound by the User Agreement. You also agree to comply with all laws and regulations applicable to the use of the Internet. As used herein, GDR”s “website” shall include all online interfaces between you and GDR, including web applications, file exchanges, etc.

If you do not agree with this User Agreement, then do not use this website.

  1. Users GDR shall make its Services available to the employees and authorized agents of any Subscriber of GDR, as designated by the Subscriber. Each User shall be issued a User Name and Password for accessing the Services. You shall not transfer a User Name and Password to any other Party without the prior written consent of GDR.

  2. Venue & Jurisdiction Applicable to Use Claims relating to your use of the Services are governed by the laws of Delaware. You hereby unconditionally, voluntarily, and irrevocably consent to submit to the exclusive jurisdiction of the state and federal courts located in Wilmington, Delaware for any litigation concerning your use of the Services.

  3. Privacy If you or GDR receives data from the other party which is considered confidential under federal and/or state law, we mutually agree to comply with all such federal and state laws and regulations, including, without limitation, the federal Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), and the Fair and Accurate Credit Transactions Act (“FACTA”). In addition, if either party receives data which is considered confidential under private or industry requirements (i.e., payment card brands data security standard), we mutually agree to comply with such private or industry requirements. Collectively, any information which must be protected under federal and/or state law or under industry requirements is referred to as nonpublic personal information (“Confidential Data”). See our Privacy Policy for details on how Confidential Data is used by GDR, and for specific information as to access rights to Confidential Data. You hereby agree to grant the same level of protection to Confidential Data as GDR, consistent with the protections set forth herein and in the Privacy Policy.

  4. Change of Terms We may make changes to these Terms of Use from time to time. If we do this, we will post the changed Terms of Use on the Website and will indicate at the top of the page the date the Terms of Use were last revised. You understand and agree that your continued use of the Services or the Website after we have made any such changes constitutes your acceptance of the new Terms of Use.

  5. Alteration of Services Subject to the terms of the Registry Agreement, GDR may change, suspend or discontinue any feature, aspect, product, good or service available through the Services, and may alter the availability of any feature of the Services at any time. GDR may add, remove or modify any content of its Services, including content provided by third parties, at any time.

  6. User Conduct You agree to use the Services only for their intended, lawful purposes. GDR reserves the right to prohibit any conduct involving the Services that it deems reasonably to be inappropriate, unlawful, and/or may compromise the security of the data stored, processed and/or transmitted by GDR, or to prevent any violation of FCRA, GLBA, FACTA or any other applicable federal or state law or regulation.

You agree not to take any action which will disrupt access by you or any other authorized User to the Services. You agree not to interfere with or compromise the security of GDR’s network - or any device on the network - used to support this website. You agree not to intentionally attempt to access any portion of the Services, or any device on the network platform on which this website is hosted, from which you are restricted. You agree that you are solely responsible for any actions you undertake while accessing the Services. Further, you agree you will comply with all applicable local, state, national and international and the Internet, including United States copyright and export regulations. You agree to reimburse GDR for any penalties, fines, awards, and expenses, both direct and incidental, which are incurred by GDR resulting from your violation provisions of this User Agreement. You agree not to distribute viruses or any other technologies that may harm GDR, or the interests or property of users. You agree not to use any robot, spider, scraper or other automated means to access our Services for any purpose. You agree not reproduce, perform, display, distribute, reverse engineer, or prepare derivative works from content that belongs to or is licensed to GDR, or that comes from the Services and belongs to another GDR user or to a third party including works covered by any copyrights, trademark, patent, or other intellectual property right, except with prior express permission of GDR and/or any other party holding the right to license such use. You agree not to commercialize any GDR application or any information or software associated with such application. You agree not to circumvent any technical measures we use to provide the Services. You agree not to use the Services outside of the United States. You agree that if at any time you receive communication from a consumer in any form challenging the accuracy or integrity of the data provided by GDR to User, you shall immediately notify GDR in writing. GDR may/will forward such information to third party data sources so that they can investigate the consumer inquiry.

  1. Limitation on Usage Subject to the Registry Agreement, GDR may limit your access to the Services without notice to you. If we believe or discover that you are abusing GDR in any of the ways mentioned above or otherwise, we may, in our sole discretion, take any steps to prevent and mitigate such abuse such as limiting, suspending, or terminating your user account(s) and access to our Services, delaying or removing hosted content, and taking technical and/or legal steps to prevent you from using our Services. We may cancel unconfirmed accounts or accounts that have been inactive for a long time or modify or discontinue our Services. Additionally, we reserve the right to refuse or terminate our Services to anyone for any reason at our discretion.

  2. Links to and From Other Web Pages This User Agreement applies only to GDR’s Services. These terms do not apply to third party websites that you may access from links on a GDR website. Similarly, the terms and conditions of any website you have visited prior to arriving at a GDR website do not apply to GDR’s website - even if you navigated to GDR’s Services from a link on another website.

Links to or from another website are not, nor should they be implied to be, an endorsement, authorization, sponsorship, or affiliation by GDR respect to any third party, their products and/or services.

  1. Copyright, Trademark and Intellectual Property

All information, content and material (“Content”) through this Website is owned by or licensed to GDR, other than any Content provided by you to GDR. GDR and its licensors retain all rights in this Content.

All Content, including but not limited to the Web site design, data file exchanges, text, drawings, photographs, graphics, sound recordings and video recordings, are protected by copyrights owned by GDR or its licensors. The Content may not be modified, copied, distributed, downloaded, displayed, e-mailed, transmitted or sold in any form, in whole or in part, without the prior written consent of the respective copyright owner.

If you display, copy, distribute, print and/or download the Content on this Web site then you may not modify Content and you must retain all copyright and other proprietary notices contained in the Content. If you have been granted permission to use Content by GDR for purposes other than personal use, the following notice must be prominently displayed with the CONTENT ““Copyright GDR; used by express permission.”

The permission granted herein terminates automatically if you breach these terms or conditions. Upon termination, you must immediately destroy all Content you displayed, copied, distributed, printed and/or downloaded.

GDR’s intellectual property may not be used with any service or product that is not GDR’s or authorized by GDR. Intellectual property may not be used in any manner that is likely to cause confusion among GDR Clients. Other registered trademarks, trademarks, product names, company names, service marks and otherwise protected property displayed on this Web site are the property of their respective owners and are subject to the terms and conditions applied by those owners to their intellectual property.

You may not use Content in any manner that disparages GDR.

Except where otherwise indicated, the Content on GDR’s website is the exclusive property of GDR or has been licensed to GDR, and is protected by U.S. and International Copyright law.

You may not mirror Content contained in this Web site on any other Web site or server.

  1. Digital Millennium Copyright Act

GDR, its affiliates, officers, directors, employees, agents or any such similarly situated persons or entities are not liable for damages resulting from any infringement resulting from your actions involving copyrighted or proprietary right protected material. Further, you will reimburse GDR for any expenses incurred by GDR as a result of actions taken by you which are in violation of this section of the User Agreement.

GDR, pursuant to the Digital Millennium Copyright Act, designates our Compliance office to receive complaints and notices of suspected copyright infringements. Our Compliance Administrator can be reached via e-mail at compliance@globaldebtregistry.com and by regular mail at 3 Mill Road, Suite 304, Wilmington, DE 19806.

If you have a good faith belief that your copyright has been infringed by any Content on any GDR website, then please notify our Compliance Administrator who can be reached at compliance@globaldebtregistry.com and 3 Mill Road, Suite 304, Wilmington, DE 19806. Please provide, in writing, the following information:

  1. a statement that you have a good faith belief that your copyright has been infringed and that the disputed use was not authorized by either the copyright owner;

  2. the agent of the copyright owner or by operation of law i.e., fair use);

  3. a description of the copyrighted work that you believe has been infringed; a description of the location of the allegedly infringing material;

  4. your name, address, telephone number and e-mail address; and

  5. a statement, made under penalty of perjury, that your notice of copyright infringement is accurate and that you are either the copyright owner or are a person authorized to act on behalf of the copyright owner.

Your notice of copyright infringement must contain either the electronic or physical signature of either the copyright owner or a person authorized to act on behalf of the copyright owner.

  1. DISCLAIMERS We provide the website “as-is,” “with all faults” and “as available.” We do not guarantee the accuracy or timeliness of information available from the website unless otherwise provided for in this website or by written statement provided to you by an authorized officer of GDR.

Further, GDR gives no express warranties, guarantees or conditions regarding any information provided by any participant in the GDR registry and the associated Services. GDR provides all information as it was provided to GDR.

Any warranties, guarantees or conditions which are established, defined and/or acknowledged by any User of the Services are exclusively the warranties, guarantees or conditions of the offering party.

You acknowledge you will not include GDR as a party in any dispute which arises from warranties, guarantees or conditions made by another party participating in any GDR services.

  1. LIMITATION OF LIABILITY

GDR WILL NOT BE LIABLE FOR ANY DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO DIRECT, INDIRECT, INCIDENTAL, PUNITIVE AND/OR CONSEQUENTIAL DAMAGES, ARISING FROM YOUR USE OF THE SERVICES.

IN ANY JURISDICTION WHERE EXCLUSION OR LIMITATION OF LIABILITY FOR ANY TYPE OF DAMAGE IS PROHIBITED, GDR’S LIABILITY IS LIMITED TO THE MAXIMUM EXTENT ALLOWED BY THAT JURISDICTION.

  1. Indemnity

You agree that you will indemnify, defend and hold harmless GDR and its officers, directors, employees, agents, successors and assigns (each, an “Indemnified Person”) from any and all losses, liabilities, damages (including taxes), and all related costs and expenses, including reasonable legal fees and disbursements and costs of investigation, litigation, settlement, judgment, interest and penalties (collectively, “Losses”), and threatened Losses due to, arising from or relating to third party claims, demands, actions or threat of action (whether in law, equity or in an alternative proceeding) arising from or relating to:

your breach of any warranties in this Agreement; any actual or alleged infringement, violation or misappropriation of the Intellectual Property Rights of any third person by o (i) any Deliverables provided by either party or

o (ii) Either party’s use of those Deliverables, without alteration and modification, in the manner anticipated by this Agreement;

either party’s actual or alleged breach of any of the confidentiality or privacy provisions in this Agreement; or grossly negligent, willful or reckless acts or omissions of or by either party (each, an “Indemnified Claim”) unless any such indemnified claim results from the gross negligence, fraud, or willful misconduct of the other party. No settlement or compromise that imposes any liability or obligation on any Indemnified Person will be made without the Indemnified Person’s prior written consent (not to be unreasonably withheld). If you fail to defend an Indemnified Person as provided in herein after reasonable notice of an Indemnified Claim, you will be bound:

to indemnify and reimburse the Indemnified Person for any Losses incurred by any Indemnified Person, in its sole discretion, to defend, settle or compromise the Indemnified Claim; and

by the determination of facts common to an action and subsequent action to enforce the Indemnified Person’s reimbursement rights. 14. Severability

A court may hold that we cannot enforce a part of this contract as written. If this happens, then GDR will replace that part with terms that most closely match the intent of the part that we cannot enforce. The rest of this contract will not change. This is the entire contract between GDR and us regarding use of the website. It supersedes any prior contract or statements regarding your use of the service. If either party has confidentiality obligations related to the service, those obligations remain in force. The section titles in the contract do not limit the other terms of this contract.

  1. Information Security Controls Requirements

Prior to accessing the Services, you are responsible for implementing, at a minimum, the following information security controls:

A. Implement Strong Access Control Measures.

A.1. Not provide Subscriber’s credentials or employee (or other authorized personnel) passwords to an unauthorized person.

A.2. With respect to credentials and passwords for proprietary or third party system access software, (a) hide or embed them; (b) ensure that they are known only by Subscriber’s supervisory personnel; and (c) prevent unauthorized persons from having knowledge of them.

A.3. Create a separate, unique user ID for each user to enable individual authentication and accountability for access to Services.

A.4. Ensure that user IDs are not shared and that no peer-to-peer file sharing is enabled on users’ profiles.

A.5. Keep user passwords confidential.

A.6. Develop strong passwords that contain a minimum of seven (7) alpha/numeric characters for standard user accounts and are not easily guessable, for example, that do not use an employee’s name or Subscriber name or repeated or consecutive numbers and letters.

A.7. Implement password protected screensavers with a maximum fifteen (15) minute time-out to protect unattended workstations.

A.8. Configure active logins to consumer report information systems with a thirty (30) minute inactive session timeout.

A.9. Restrict the number of key Subscriber personnel who have access to Services.

A.10. Ensure that Customer personnel who are authorized to access Services have a business need to access them and understand that they are permitted to access them only for the purposes permitted under the Agreement.

A.11. Ensure that Subscriber and Subscriber’s employees do not access Services related to Subscriber employees or their family member(s) or friend(s), unless it is in connection with a purpose permitted by the Agreement.

A.12. Implement a process to terminate access rights to Services immediately for users who are no longer employees of Subscriber or whose job tasks change such that they no longer require access to such information.

A.13. After normal business hours, ensure that all devices or systems used to obtain consumer report information are turned off and locked.

A.14. Implement physical security controls to prevent unauthorized entry to Subscriber’s facility and access to systems used to obtain Services.

B. Maintain a Vulnerability Management Program.

B.1. Keep operating system(s), firewalls, routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.

B.2. Configure infrastructure such as firewalls, routers, personal computers, and similar components to current industry-best security practices, including disabling unnecessary services or features; removing or changing default passwords, IDs and sample files/programs; and enabling the most secure configuration features to avoid unnecessary risks.

B.3. Implement and follow current industry-best security practices for virus detection scanning services and procedures, including but not limitation, the following:

   Use, implement and maintain a current, commercially available virus detection/scanning product on all computers, systems and networks.
   If Subscriber suspects an actual or potential virus, immediately cease accessing the system and only resume the inquiry process when the virus has been resolved and eliminated.
   On a weekly basis at a minimum, keep anti-virus software up-to-date by checking or configuring auto updates and installing new virus definition files.
   Implement and follow current industry-best security practices for computer anti-spyware scanning services and procedures:
   Use, implement and maintain a current, commercially available computer anti-spyware scanning product on all computers, systems and networks.
   If Subscriber suspects actual or potential spyware, immediately cease accessing the system and only resume the inquiry process when the problem has been resolved and eliminated.
   Keep anti-spyware software up-to-date by checking or configuring all auto updates and installing new anti-spyware definition files weekly, at a minimum. If Subscriber's computers have unfiltered or unblocked access to the Internet, thus permitting access to known problematic websites), complete anti-spyware scans more frequently than weekly. C.     Protect Data.

C.1. Develop and follow procedures to ensure that data is protected throughout its entire information lifecycle (including creation, transformation, use, storage and secure destruction) regardless of the media used to store the data (e.g., tape, disk, paper, etc.).

C.2. Classify the Services as Confidential Information and take appropriate actions to secure the data to ensure that it remains confidential.

C.3. Address all aspects of the lifecycle of the data in transmitting, disclosing, storing, and destroying it.

C.4. Encrypt all GDR outputs when stored on any laptop computer using AES or 3DES with 128-bit key encryption, at a minimum.

C.5. Open email attachments and links only from trusted sources and only after verifying legitimacy.

D. Maintain an Information Security Policy.

D.1. Develop and follow a security plan to protect the confidentiality and integrity of NPI.

D.2. Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information and to permit identification and prosecution of violators.

D.3. Properly dispose of any NPI or compilation of NPI derived from Services that Subscriber maintains or possesses.

D.4. Implement and maintain ongoing mandatory security training and awareness programs sufficient to educate Subscriber’s managers and employees about maintaining data security within the organization.

E. Build and Maintain a Secure Network.

E.1. Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices.

E.2. Ensure that internal private Internet Protocol (“IP”) addresses are not publicly accessible or natively routed to the Internet.

E.3. Allow administrative access to firewalls and servers only through a secure internal wired connection.

E.4. For any stand-alone computers that directly access the Internet, deploy a desktop firewall that is installed and configured to block unnecessary/unused ports, services and network traffic.

E.5. Encrypt wireless access points with a minimum of WPA2 encryption.

E.6. Disable vendor default passwords, SSIDs and IP addresses on wireless access points and restrict authentication on the configuration of the access point.

E.7 Make sure that all participating network devices “ including routers, computers, time-servers, printers, Internet fax machines, and some telephones “ have a unique IP address.

F. Regularly Monitor and Test Networks.

F.1. Perform regular tests on information systems, including port scanning, virus scanning and vulnerability scanning.

F.2. Use current best practices to protect Subscriber’s telecommunications systems and any computer system or network device(s) Subscriber uses to provide access to Services, including selecting and implementing controls that reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party; securing the computer systems and network devices; and protecting against intrusions of operating systems or software.

  1. FCRA and GLBA Compliance

A. You agree that the information contained in the Services is limited to “transaction and experience information” as discussed in Article 603(d)(2)(A)(i) of the FCRA, and not “other information” as discussed in Article 603(d)(2)(A)(iii) of the FCRA. With respect to Subscriber’s use of any of the Services, you acknowledge and agree that you will not use the Services to determine any consumer’s eligibility for credit, insurance, employment or for any other permissible purpose as defined in FCRA.

B. “NPI” means “Nonpublic Personal Information” as used in Title V of GLBA. The Services may include NPI. You and GDR will, and will cause our respective employees, data partners and subcontractors, if applicable, to, keep NPI confidential and may use and disclose NPI only as necessary to carry out its obligations and responsibilities set forth herein for which the NPI was disclosed to the other party and in accordance with the GLBA. You and GDR will, and will require our respective employees, data partners and subcontractors, if applicable, to, implement and maintain an appropriate safeguards program for NPI consistent with this Agreement to: (a) ensure the security and confidentiality of NPI; (b) protect against any threats or hazards to the security or integrity of NPI; and (c) prevent unauthorized access to or use of NPI. You and GDR hereby mutually agree that you will immediately notify each other in writing if either party becomes aware: (i) of any disclosure or use of any NPI by a party or any of a party”s representatives, data partners, employees and subcontractors, if applicable, in breach of this Agreement; and (ii) of any disclosure of any NPI to a party hereto or any of the party”s data partners, employees and subcontractors, if applicable, where the purpose of such disclosure is not known to the party hereto or the party”s data partners, employees and subcontractors. You will fully participate in any investigations of an alleged breach of NPI conducted by GDR or a third party authorized by GDR to conduct the investigation, and you agree to be forthright regarding the facts and circumstances of the alleged breach when notifying GDR of the alleged breach and cooperating with any investigation of the alleged breach.