Common use of Topic Description Clause in Contracts

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without Xxxxxx Mae’s prior written approval, except on a need‐to‐know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with Xxxxxx Xxx.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with Xxxxxx Mae in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by Xxxxxx Xxx related to the access and use of Xxxxxx Mae’s systems or any Licensed Materials.  Not transmit to Xxxxxx Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or Xxxxxx Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of Xxxxxx Xxx or any Third‐Party Licensor (or other third‐party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of Xxxxxx Mae or any Third‐Party Licensor (or other third‐party owner). Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with Xxxxxx Xxx in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; and  Licensee must promptly notify Xxxxxx Mae of any Data Breach in writing ‐‐ at xxxxxxx_xxxxxxxxxxxx@xxxxxxxxx.xxx ‐‐ and must take all steps reasonably requested by Xxxxxx Xxx to mitigate the consequences of such Data Breach.

Topic Description. Licensee Responsibilities Licensee must:  • Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  • Not disclose Confidential Information to third parties, without Xxxxxx Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  • Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with Xxxxxx Xxx.  • Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with Xxxxxx Mae in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  • Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  • Comply with all reasonable security policies and procedures required by Xxxxxx Xxx related to the access and use of Xxxxxx Mae’s systems or any Licensed Materials.  • Not transmit to Xxxxxx Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or Xxxxxx Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of Xxxxxx Xxx or any Third‐Party Licensor (or other third‐party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of Xxxxxx Mae or any Third‐Party Licensor (or other third‐party owner). Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with Xxxxxx Xxx in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; and  Licensee must promptly notify Xxxxxx Mae of any Data Breach in writing ‐‐ at xxxxxxx_xxxxxxxxxxxx@xxxxxxxxx.xxx ‐‐ and must take all steps reasonably requested by Xxxxxx Xxx to mitigate the consequences of such Data Breach.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without Xxxxxx Mae’s prior written approval, except on a need‐to‐know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with Xxxxxx XxxMae.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with Xxxxxx Mae Xxx in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by Xxxxxx Xxx related to the access and use of Xxxxxx Mae’s systems or any Licensed Materials.  Not transmit to Xxxxxx Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or Xxxxxx Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of Xxxxxx Xxx Mae or any Third‐Party Licensor (or other third‐party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of Xxxxxx Mae Xxx or any Third‐Party Licensor (or other third‐party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all Xxxxxx Mae mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with Xxxxxx Xxx in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify Xxxxxx Mae of any Data Breach in writing ‐‐ at xxxxxxx_xxxxxxxxxxxx@xxxxxxxxx.xxx ‐‐ and must take taking all steps reasonably requested by Xxxxxx Xxx Mae to mitigate the consequences of such Data Breach. Licensee must fully cooperate with Xxxxxx Xxx to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify Xxxxxx Mae's Privacy Office (see E‐1‐03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from Xxxxxx Mae's Privacy Office (see E‐1‐03, List of Contacts in the Selling Guide) to use Xxxxxx Mae's name if the Licensee intends to refer to Xxxxxx Xxx in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to Xxxxxx Mae's Privacy Office (see E‐1‐03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies Xxxxxx Xxx may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give Xxxxxx Mae notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self‐regulatory authority that has authority to regulate or oversee Xxxxxx Mae’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. Xxxxxx Mae may remove from Xxxxxx Mae’s systems any material transmitted by Licensee that Xxxxxx Mae determines is in violation of law or the Agreement or that Xxxxxx Xxx determines may lead to a Performance Incident or Data Breach. Xxxxxx Mae has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. A4. Feedback on New Processes and Technologies, Technology Upgrades, or Service Offerings Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by Xxxxxx Xxx. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants Xxxxxx Mae an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. A5. Loan Quality, Loan Performance Data and NPI Xxxxxx Xxx may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the Gramm‐Xxxxx‐Xxxxxx Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without Xxxxxx Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with Xxxxxx XxxMae.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with Xxxxxx Mae Xxx in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by Xxxxxx Xxx related to the access and use of Xxxxxx Mae’s systems or any Licensed Materials.  Not transmit to Xxxxxx Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or Xxxxxx Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of Xxxxxx Xxx Mae or any Third‐Party Third-Party Licensor (or other third‐party third-party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of Xxxxxx Mae Xxx or any Third‐Party Third-Party Licensor (or other third‐party third-party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all Xxxxxx Mae mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with Xxxxxx Xxx in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify Xxxxxx Mae of any Data Breach in writing ‐‐ at xxxxxxx_xxxxxxxxxxxx@xxxxxxxxx.xxx ‐‐ and must take taking all steps reasonably requested by Xxxxxx Xxx Mae to mitigate the consequences of such Data Breach. Licensee must fully cooperate with Xxxxxx Xxx to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify Xxxxxx Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from Xxxxxx Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) to use Xxxxxx Mae's name if the Licensee intends to refer to Xxxxxx Xxx in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to Xxxxxx Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies Xxxxxx Xxx may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give Xxxxxx Mae notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self-regulatory authority that has authority to regulate or oversee Xxxxxx Mae’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. Xxxxxx Mae may remove from Xxxxxx Mae’s systems any material transmitted by Licensee that Xxxxxx Mae determines is in violation of law or the Agreement or that Xxxxxx Xxx determines may lead to a Performance Incident or Data Breach. Xxxxxx Mae has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. A4. Feedback on New Processes and Technologies, Technology Upgrades, or Service Offerings Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by Xxxxxx Xxx. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants Xxxxxx Mae an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. A5. Loan Quality, Loan Performance Data and NPI Xxxxxx Xxx may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the Xxxxx-Xxxxx-Xxxxxx Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without Xxxxxx Fannie Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with Xxxxxx Xxx.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with Xxxxxx Mae Xxx in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by Xxxxxx Xxx related to the access and use of Xxxxxx Mae’s systems or any Licensed Materials.  Not transmit to Xxxxxx Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or Xxxxxx Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of Xxxxxx Xxx or any Third‐Party Third-Party Licensor (or other third‐party third-party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of Xxxxxx Mae Xxx or any Third‐Party Third-Party Licensor (or other third‐party third-party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all Xxxxxx Xxx mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with Xxxxxx Xxx in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify Xxxxxx Mae of any Data Breach in writing ‐‐ at xxxxxxx_xxxxxxxxxxxx@xxxxxxxxx.xxx ‐‐ and must take taking all steps reasonably requested by Xxxxxx Xxx to mitigate the consequences of such Data Breach. Licensee must fully cooperate with Xxxxxx Xxx to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) to use Fannie Mae's name if the Licensee intends to refer to Xxxxxx Mae in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies Xxxxxx Xxx may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give Xxxxxx Xxx notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self-regulatory authority that has authority to regulate or oversee Fannie Mae’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. Xxxxxx Xxx may remove from Fannie Mae’s systems any material transmitted by Licensee that Xxxxxx Xxx determines is in violation of law or the Agreement or that Xxxxxx Xxx determines may lead to a Performance Incident or Data Breach. Xxxxxx Xxx has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. A4. Feedback on New Processes and Technologies, Technology Upgrades, or Service Offerings Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by Xxxxxx Xxx. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants Xxxxxx Xxx an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. A5. Loan Quality, Loan Performance Data and NPI Xxxxxx Xxx may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the Xxxxx-Xxxxx-Xxxxxx Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.

Topic Description. Licensee Responsibilities Licensee must:  • Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  • Not disclose Confidential Information to third parties, without Xxxxxx Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  • Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with Xxxxxx Xxx.  • Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  ° These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  ° Licensee must collaborate with Xxxxxx Mae in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  • Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  • Comply with all reasonable security policies and procedures required by Xxxxxx Xxx related to the access and use of Xxxxxx Mae’s systems or any Licensed Materials.  • Not transmit to Xxxxxx Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or Xxxxxx Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of Xxxxxx Xxx or any Third‐Party Licensor (or other third‐party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of Xxxxxx Mae or any Third‐Party Licensor (or other third‐party owner). Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with Xxxxxx Xxx in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; and  Licensee must promptly notify Xxxxxx Mae of any Data Breach in writing ‐‐ at xxxxxxx_xxxxxxxxxxxx@xxxxxxxxx.xxx ‐‐ and must take all steps reasonably requested by Xxxxxx Xxx to mitigate the consequences of such Data Breach.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without Xxxxxx Fannie Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with Xxxxxx Xxx.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with Xxxxxx Mae Xxx in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by Xxxxxx Xxx related to the access and use of Xxxxxx Mae’s systems or any Licensed Materials.  Not transmit to Xxxxxx Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or Xxxxxx Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of Xxxxxx Xxx or any Third‐Party Third-Party Licensor (or other third‐party third-party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of Xxxxxx Mae Xxx or any Third‐Party Third-Party Licensor (or other third‐party third-party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all Xxxxxx Xxx mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with Xxxxxx Xxx in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify Xxxxxx Mae of any Data Breach in writing ‐‐ at xxxxxxx_xxxxxxxxxxxx@xxxxxxxxx.xxx ‐‐ and must take taking all steps reasonably requested by Xxxxxx Xxx to mitigate the consequences of such Data Breach. Licensee must fully cooperate with Xxxxxx Xxx to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) to use Fannie Mae's name if the Licensee intends to refer to Xxxxxx Xxx in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies Xxxxxx Xxx may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give Xxxxxx Xxx notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self-regulatory authority that has authority to regulate or oversee Fannie Mae’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. Xxxxxx Xxx may remove from Fannie Mae’s systems any material transmitted by Licensee that Xxxxxx Xxx determines is in violation of law or the Agreement or that Xxxxxx Xxx determines may lead to a Performance Incident or Data Breach. Xxxxxx Xxx has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. A4. Feedback on New Processes and Technologies, Technology Upgrades, or Service Offerings Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by Xxxxxx Xxx. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants Xxxxxx Xxx an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. A5. Loan Quality, Loan Performance Data and NPI Xxxxxx Xxx may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the Xxxxx-Xxxxx-Xxxxxx Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.