Last Updated: February 17, 2023
If you subscribe to APM or APM PLUS, then you may elect to apply for our online tenant screening services (the “Screening Services”). Your use of the Screening Services is governed by the Terms of Service and the terms and conditions set forth below (the “Screening Terms”). Capitalized terms used but not otherwise defined below shall have the meaning given in the Terms of Service. The Screening Terms and Terms of Service are intended to be read and work together; however, in the event of any irreconcilable conflict between the Screening Terms and the Terms of Service, the Screening Terms shall prevail. If you do not apply for Screening Services, the Screening Terms do not apply and shall not be enforced.
1\. Use of the Screening Services
1\.1 Purpose; Compliance
You may use the Screening Services solely to screen prospective tenants (“Applicants”) for the purposes of making informed decisions about their suitability as a tenant. Your use of the Screening Services is subject to your compliance with these Screening Terms. In the event you fail to comply with these Screening Terms, as determined in our sole discretion, we may terminate your access to the Screening Services in whole or in part.
1\.2 Authorized Use
Subject to your compliance with these Screening Terms and payment of all fees for the Screening Services, you are hereby authorized to request and use the criminal, eviction, employment, income, and/or credit information (collectively, the “Information”) of your Applicants solely to enable you to make informed decisions in the tenant screening process (“Permissible Purpose”). You certify and warrant that you will request and use the Information solely on Applicants and solely for the Permissible Purpose, and for no other purpose. In the event that you violate these Screening Terms or any related policies or guidelines, we reserve the right to restrict or terminate your access to the Screening Services.
1\.3 End User Certification
1\.3.1 Certification. You certify that you are an end-user of the Information (including, without limitation, the credit information) and that you will not resell, rent, lease, sublicense, deliver, display, distribute or otherwise transfer such Information to any third party, except as expressly required by applicable laws. You shall receive and maintain all Information in strict confidence and shall: (a) request the Information pursuant to the procedures prescribed by us; (b) request and use the Information solely for a certified one-time use for the Permissible Purpose; (c) not disclose the Information to any third party except, if required by applicable laws, to the subject of the Information in connection with an adverse action based on the Information; and (d) comply with all applicable laws, rules, regulations and guidelines in your use of the Information.
1\.3.2 California Certification. You also certify that, under the Investigative Consumer Reporting Agencies Act (“ICRAA”), California Civil Code Sections 1786 et seq., and the Consumer Credit Reporting Agencies Act (“CCRAA”), California Civil Code Sections 1785.1 et seq., if you are located in the State of California, and/or your request for and/or use of the Information pertains to a California resident, you will do the following: (a) request and use the Information solely for a permissible purpose identified under California Civil Code Sections 1785.11 and 1786.12; (b) as required by California Civil Code Section 1786.16(a)(3), notify the Applicant in writing that an investigative consumer report and/or consumer credit report will be made regarding the Applicant’s character, general reputation, personal characteristics and mode of living, which shall include the name and address of the investigative consumer reporting agency that will prepare the report, as well as a summary of the provisions of California Civil Code Section 1786.22, no later than three days after the date on which the Information was first requested; (c) provide the Applicant a means by which he/she may indicate on a written form, by means of a box to check, that the Applicant wishes to receive a copy of any investigative consumer report and/or consumer credit report that is prepared, as set out in California Civil Code Section 1786.16(b)(1); and (d) comply with California Civil Code Sections 1785.20 and 1786.40 if the taking of adverse action is a consideration, which shall include, but may not be limited to, advising the Applicant against whom an adverse action has been taken that the adverse action was based in whole or in part upon information contained in an investigative consumer report and/or consumer credit report, informing the Applicant in writing of the name, address, and telephone number of the investigative consumer reporting agency or consumer reporting agency, and providing the Applicant with a written notice of his/her rights under the ICRAA and the CCRAA.
1\.4 Compliance
You agree and warrant that the Information will not be used in violation of any applicable federal, state or local laws, rules, regulations or guidelines, including but not limited to the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (“FCRA”), the Equal Credit Opportunity Act, the Fair Housing Act, Title VII of the Civil Rights Act of 1964 and any state or local law equivalent of such laws. You accept full responsibility for complying with all such laws and for using the Information you receive in a legally acceptable fashion. It shall be your sole responsibility to ensure that you are in full compliance with applicable laws and all of our policies and procedures before requesting or using any Information, and you understand that a failure to do so may subject you to civil or criminal liability. You acknowledge that you will be receiving credit information of the Applicants from one or more national credit bureaus (a “National Credit Bureau”). Being the recipient of consumer information, you are required to comply with the provisions of the FCRA and certify that you have received, read and understand the Obligations of Users under the FCRA and shall comply with the FCRA Requirements listed below.
1\.5 Applicant Consent
You will obtain permission in writing from each Applicant before using the Screening Service to obtain any Information of such Applicant. You will collect separate permission in writing from each Applicant for each screening report which is run using the Screening Services that contain the Information (“Screening Report”). Each written permission is to be used one time only. If you wish to run an additional Screening Report on an Applicant, you must obtain an additional separate written permission. You will retain consent forms and any adverse action notices in your records in accordance with applicable laws. Further, you agree to provide copies of any and all of the foregoing materials to us upon our request.
1\.6 Information Security
You agree to have reasonable procedures for the fair and equitable use of the Information and to secure against unauthorized access, use, disclosure and loss. You agree to take reasonable security measures to protect the security and dissemination of the Information including, without limitation, restricting terminal access, utilizing passwords to restrict access to terminal devices, and securing access to, dissemination and destruction of electronic and hard copy reports. Without limiting the foregoing, you represent and warrant that you shall comply with the Access Security Requirements, listed below, as amended from time to time. You shall implement security breach notification procedures in accordance with applicable laws. In the event of a security breach, you shall immediately notify us in writing and comply with our compliance requirements and those of the National Credit Bureaus and under any applicable laws.
1\.7 No Warranties
You understand that we obtain the Information reported through the Screening Service from various third party sources “AS IS,” and therefore are providing the information to you “AS IS.” You further agree that we cannot and will not, for the fee charged for the Screening Service, be an insurer or guarantor of the accuracy or reliability of the Information. You release us, our employees, our third party information providers, agents and independent contractors from liability for any loss or expense suffered as a result of any inaccuracy in the Information.
1\.8 Certain Limitation of Screening Services
Without limiting any part of Section 1.7 (No Warranties), you acknowledge and agree to the following express limitations of the Screening Services:
1\.8.1 A part of the Screening Services is a search of United States databases of landlord-tenant and criminal records (“Public Records”). In certain situations, the availability of Public Records is limited by our compliance with federal, state, and local regulations and laws, as well as industry guidelines and best practices. We will not report or provide Public Records when not permitted by law, or contrary to industry guidelines and best practices as determined by us in our sole discretion.
1\.8.2 We reserve the right to report any Public Records with only a seven (7) year look back period.
1\.8.3 There are certain courts and jurisdictions where Public Records are not made available through electronic means or certain Public Records are subject to additional costs. In such circumstances, we may not obtain such Public Records and report them to you.
1\.8.4 We apply certain matching and filtering rules to Public Records before disclosing such Public Records on our Screening Reports. These rules include a requirement for certain information to be present and matched; the type and amount of information varies depending on the circumstances. At times, including where a name is identified by us as a “common name,” we require certain specific data to be present and matched before a Public Record can be reported on a Screening Report. This additional data and matching requirement is intended to help ensure Public Records are attributed to the correct individual. In cases where certain specific data is not available to meet our matching and filtering rules, the applicable Public Record will not be reported on Screening Reports.
1\.9 No Legal Opinion
We do not guarantee your compliance with all applicable laws in your use of the Information, and do not provide legal or other compliance related opinions upon which you may rely in connection with your use of the Information. You understand that any conversation or communication with our employees or representatives regarding searches, verifications or other services offered by us are not to be considered a legal opinion regarding such use. You agree that you will consult with your own legal or other counsel regarding the use of the Information, including but not limited to, the legality of using or relying on the Information.
1\.10 Decisions
All rental decisions will be made by you. You acknowledge and agree that we only apply your policies to the Information and provide preliminary recommendations as to actions concerning an Applicant. You further acknowledge and agree that all decisions whether or not to accept a particular Applicant, as well as the length of and terms of any rental, will be made by you. You are also solely responsible for setting your policies in line with federal, state and local laws and rules, and are solely responsible for reviewing the contents of any Screening Report provided and the Information contained therein before making a decision on an Applicant. We shall have no liability to you or any other person or entity for any acceptance of, or the failure to accept, an Applicant, or the terms of any such acceptance, regardless of whether or not your decision was based on recommendations, reports or other information provided to you by us.
1\.11 Right to Inspect
We may inspect your offices and records to verify qualification and compliance under these Screening Terms and applicable laws. In addition, you agree to supply any qualifying documents requested by us including, without limitation, documents to verify ownership of rental units and business and professional licenses. You agree to cooperate fully and unconditionally with us in any periodic reviews, audits or investigations of your compliance with the obligations under these Screening Terms and applicable laws.
1\.12 Death Master File
1\.12.1 Access to the Death Master File (“DMF”) as issued by the Social Security Administration requires an entity to have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1).
1\.12.2 The National Technical Information Service has issued the Interim Final Rule for temporary certification permitting access to the DMF. Pursuant to section 203 of the Bipartisan Budget Act of 2013 and 15 C.F.R. § 1110.102, access to the DMF is restricted to only those entities that have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty, as such business purposes are interpreted under 15 C.F.R. § 1110.102(a)(1). As our screening reports may contain information from the DMF, we would like to remind you of your continued obligation to restrict your use of deceased flags or other indicia within any of our screening reports to legitimate fraud prevention or business purposes in compliance with applicable laws, rules, and regulations and consistent with your applicable FCRA (15 U.S.C. § 1681 et seq.) or Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) use. Your continued use of the Screening Services affirms your commitment to comply with these Screening Terms and all applicable laws.
1\.12.3 You acknowledge you will not take any adverse action against any consumer without further investigation to verify the information from the deceased flags or any other indicia within one of our screening reports.
1\.12.4 Furthermore, you agree to notify AppFolio Consumer Relations (www.appfolio.com/consumer) should you observe any DMF information on one of our screening reports.
1\.13 Certification of Information Security Program
You certify that you shall implement and maintain a comprehensive information security program written in one or more readily accessible parts and that contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of the information provided to you by us; and that such safeguards shall include the elements set forth in 16 C.F.R. § 314.4 and shall be reasonably designed to (i) ensure the security and confidentiality of the information provided by us, (ii) protect against any anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer.
2\. FCRA Requirements
2\.1 Familiarity with FCRA
The FCRA applies to you as a user of consumer information. We suggest that you and your employees become familiar with the following sections in particular: § 604. Permissible Purposes of Reports; § 607. Compliance Procedures; § 615. Requirement on users of consumer reports; § 616. Civil liability for willful noncompliance; § 617. Civil liability for negligent noncompliance; § 619. Obtaining information under false pretenses; § 621. Administrative Enforcement; § 623. Responsibilities of Furnishers of Information to Consumer Reporting Agencies; § 628. Disposal of Records. Each of these sections is of direct consequence to users who obtain reports on consumers.
2\.1.1 As directed by the law, consumer reports may be issued only if they are to be used for extending credit, review or collection of an account, employment purposes, underwriting insurance or in connection with some other legitimate business transaction such as an investment, partnership, etc.
2\.1.2 You certify that you have read the “Notice of Users of Consumer Reports, Obligations of Users” and that you have received a copy of the consumer rights summary as prescribed by the Consumer Financial Protection Bureau (“CFPB”) under § 609 of the FCRA.
2\.1.3 You certify that under your FCRA duties outlined in Section 2.1, you will not take adverse action against a consumer based in whole or in part upon Information in a Screening Report without providing to the consumer to whom the Information relates an FCRA compliant adverse action letter, along with a written description of the consumer’s rights as prescribed by the CFPB.
2\.1.4 We strongly endorse the letter and spirit of the FCRA. We believe that this law and similar state laws recognize and preserve the delicate balance between the rights of the consumer and the legitimate needs of commerce.
2\.1.5 In addition to the FCRA, other federal and state laws addressing such topics as computer crime and unauthorized access to protected databases have also been enacted. As a user of consumer reports, we expect that you and your staff will comply with all relevant federal statutes and the statutes and regulations of the states in which you operate.
2\.2 Access Security Requirements
2\.2.1 We must work together to protect the privacy and information of consumers. The following information security measures are designed to reduce unauthorized access to consumer information. It is your responsibility to implement these controls. If you do not understand these requirements or need assistance, it is your responsibility to employ an outside service provider to assist you. We reserve the right to make changes to these Access Security Requirements without notification. The information provided herewith provides minimum baselines for information security. The term “Authorized User(s)” means you, and your employees that you have authorized to view and utilize the Screening Services, and who, with respect to the access and use of Screening Reports, have been trained on your obligations under this agreement and on relevant federal and state laws.
2\.2.2 In accessing AppFolio’s Screening Services, you agree to follow these security requirements. These requirements are applicable to all systems and devices used to access, transmit, process, or store the Information:
2\.2.3 Implement Strong Access Control Measures, including as follows:
(a) Do not provide your AppFolio user names/identifiers (user IDs) or user passwords to anyone. No one from AppFolio will ever contact you and request your password.
(b) Proprietary or third party system access software must authenticate Authorized Users before accessing the Information. Additionally, such systems should have AppFolio password(s) hidden.
(c) Ensure that passwords are not transmitted, displayed or stored in clear text.
(d) Authorized Users must change their AppFolio password immediately when: (i) any system access software is replaced by another system access software or is no longer used; (ii) the hardware on which the software resides is upgraded, changed or disposed of; or (iii) any suspicion exists of their password being disclosed to an unauthorized party.
(e) Protect Authorized Users’ AppFolio password(s) so that only key personnel know this sensitive information. Unauthorized personnel should not have knowledge of these password(s). User IDs and passwords shall only be assigned to Authorized Users based on least privilege necessary to perform job responsibilities.
(f) Create a separate, unique user ID for each user to enable individual authentication and accountability for access to AppFolio. Each Authorized User of the system access software must also have a unique login password.
(g) Ensure that Authorized User IDs are not shared, posted or otherwise divulged in any manner.
(h) Keep Authorized User passwords confidential.
(i) Develop strong passwords that: (i) are not easily guessable (e.g. your name or company name, repeating numbers and letters, or consecutive numbers and letters); (ii) contain a minimum of eight (8) alpha/numeric characters for standard user accounts; and (iii) for interactive sessions (i.e. non system-to-system), are changed periodically (every 90 days is recommended).
(j) Implement password protected screensavers with a maximum fifteen (15) minute timeout to protect unattended workstations. Systems should be manually locked before being left unattended.
(k) Active logins to credit Information systems must be configured with a thirty (30) minute inactive session timeout.
(l) Restrict the number of Authorized Users who have access to consumer information and ensure that only Authorized Users have access to Screening Reports and Information. Ensure that Authorized Users have a business need to access such information and understand these requirements to access such information are only for the permissible purposes listed in the permissible purpose information section of these Screening Terms.
(m) Authorized Users must NOT install Peer-to-Peer file sharing software on systems used to access, transmit or store consumer data.
(n) Ensure that you and your employees do not access your own Screening Reports or those reports of any family member(s) or friend(s). Screening Reports on any person may only be accessed for the purposes of prospective tenant screening, and not for any other means (employment background checks may not be run). Unauthorized access to Screening Reports may subject the user to civil and criminal liability under the FCRA punishable by fines and imprisonment.
(o) Implement a process to terminate access rights immediately for Authorized Users when those Authorized Users are terminated or when they have a change in their job tasks and no longer require access to the Information.
(p) Implement a process to perform periodic user account reviews to validate whether access is needed as well as the privileges assigned.
(q) Implement a process to periodically review user activities and account usage, ensure the user activities are consistent with the individual job responsibility, business need, and in line with contractual obligations.
(r) Implement physical security controls to prevent unauthorized entry to your facility and access to systems used to obtain consumer information. Ensure that access is controlled with badge readers, other systems, or devices including authorized lock and key.
2\.3 Maintain a Vulnerability Management Program
2\.3.1 Keep operating system(s), firewalls, routers, servers, personal computers (laptop and desktop) and all other systems current with appropriate system patches and updates.
2\.3.2 Configure infrastructure such as firewalls, routers, servers, mobile devices, personal computers (laptops and desktops), and similar components to industry best security practices, including disabling unnecessary services or features, removing or changing default passwords, IDs and sample files/programs, and enabling the most secure configuration features to avoid unnecessary risks.
2\.3.3 Implement and follow current best security practices for computer virus detection scanning services and procedures:
(a) Use, implement and maintain a current, commercially available computer virus detection/scanning product on all computers, systems and networks, if applicable anti-virus technology exists. Anti-virus software deployed must be able to detect, remove, and protect against all known types of malicious software such as viruses, worms, spyware, adware, Trojans, and root-kits.
(b) Ensure that all anti-virus software is current, actively running, and generating audit logs; ensure that anti-virus software is enabled for automatic updates and performs scans on a regular basis.
(c) If you suspect an actual or potential virus, immediately cease accessing the system and do not resume the inquiry process until the virus has been eliminated.
2\.4 Protect Data
2\.4.1 Develop and follow procedures to ensure that Information is protected throughout its entire information lifecycle (from creation, transformation, use, storage and secure destruction) regardless of the media used to store the Information (e.g., tape, disk, paper, etc.).
2\.4.2 All Information is classified as confidential and must be secured to this requirement at a minimum.
2\.4.3 Procedures for transmission, disclosure, storage, destruction and any other information modalities or media should address all aspects of the lifecycle of the Information. Information should not be stored on non-company owned assets such as personal computer hard drives, or portable and/or removable data storage equipment or media.
2\.4.4 Encrypt all Information when stored or transferred on any system, including but not limited to laptops, mobile devices, personal computers, servers and databases using strong encryption such as AES256 or above. Do not ship hardware or software between your locations, or to third parties, without first deleting all Authorized User passwords and IDs, and any Information.
2\.4.5 Information must not be stored locally on mobile devices.
2\.4.6 When using mobile devices to access Information, ensure that such devices are protected via a device passcode.
2\.4.7 Applications utilized to access Information via mobile devices must protect Information while in transmission such as SSL protection and/or use of VPN, etc.
2\.4.8 Only open email attachments and links from trusted sources and after verifying legitimacy.
2\.4.9 When no longer in use, ensure that hard-copy materials containing Information are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
2\.4.10 When no longer in use, ensure that electronic media containing Information are rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by otherwise physically destroying the media (for example, degaussing).
2\.5 Maintain an Information Security Policy
2\.5.1 Develop and follow a security plan to protect the confidentiality and integrity of Information as required under the GLB Safeguard Rule.
2\.5.2 Suitable to complexity and size of the organization, establish and publish information security and acceptable user policies identifying user responsibilities and addressing requirements in line with this document and applicable laws and regulations.
2\.5.3 Establish processes and procedures for responding to security violations, unusual or suspicious events and similar incidents to limit damage or unauthorized access to information assets and to permit identification and prosecution of violators. If you believe Information may have been compromised, immediately notify AppFolio within twenty-four (24) hours.
2\.5.4 The FACTA Disposal Rule requires that you implement appropriate measures to dispose of any sensitive information related to consumer reports and records that will protect against unauthorized access to or use of that Information.
2\.5.5 Implement and maintain ongoing mandatory security training and awareness sessions for all staff to underscore the importance of security within your organization.
2\.5.6 When using third party service providers (e.g. application service providers) to access, transmit, store or process Information, ensure that service provider is compliant with a third party assessment program.
2\.6 Build and Maintain a Secure Network
2\.6.1 Protect Internet connections with dedicated, industry-recognized firewalls that are configured and managed using industry best security practices.
2\.6.2 Internal private Internet Protocol (IP) addresses must not be publicly accessible or natively routed to the Internet. Network address translation (NAT) technology should be used.
2\.6.3 Administrative access to firewalls and servers must be performed through a secure internal wired connection only.
2\.6.4 Any stand-alone computers that directly access the Internet must have a desktop firewall deployed that is installed and configured to block unnecessary/unused ports, services and network traffic.
2\.6.5 Change vendor defaults.
2\.6.6 For wireless networks connected to or used for accessing or transmission of Information, ensure that networks are configured and firmware on wireless devices updated to support strong encryption (for example, IEEE 802.11i) for authentication and transmission over wireless networks.
2\.7 Regularly Monitor and Test Networks
2\.7.1 Perform regular tests on Information systems (port scanning, virus scanning, vulnerability scanning). Ensure that issues identified via testing are remediated according to the issue severity (e.g. fix critical issues immediately, high severity in 15 days, etc.).
2\.7.2 Ensure that audit trails are enabled and active for systems and applications used to access, store, process, or transmit Information; establish a process for linking all access to such systems and applications. Ensure that security policies and procedures are in place to review security logs on a daily or weekly basis and that follow-up to exceptions is required. Maintain audit trail history for at least three (3) months.
2\.7.3 Use current best practices to protect your telecommunications systems and any computer system or network device(s) you use to provide services hereunder or to access AppFolio systems and networks. These controls should be selected and implemented to reduce the risk of infiltration, hacking, access penetration or exposure to an unauthorized third party by: (a) protecting against intrusions; (b) securing the computer systems and network devices; and (c) protecting against intrusions of operating systems or software.
2\.8 Mobile and Cloud Technology
2\.8.1 Storing Information on mobile devices is prohibited.
2\.8.2 Mobile applications development must follow industry known secure software development standard practices such as OWASP and OWASP Mobile Security Project adhering to common controls and addressing top risks.
2\.8.3 Mobile applications development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
2\.8.4 Mobility solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.
2\.8.5 Mobile applications and data shall be hosted on devices through a secure container separate from any personal applications and data. See details below. Under no circumstances is the Information to be exchanged between secured and unsecured applications on the mobile device.
2\.8.6 When using cloud providers to access, transmit, store, or process Information, ensure that: (a) appropriate due diligence is conducted to maintain compliance with applicable laws and regulations and contractual obligations, and (b) cloud providers must have gone through independent audits and are compliant with one or more of the following standards, or a current equivalent: (i) ISO 27001, (ii) PCI DSS, (iii) EI3PA, (iv) SSAE 18 – SOC 2 or SOC 3, Type 2, (v) FISMA, and (vi) CAI / CCM assessment.
2\.9 General
2\.9.1 We may from time to time audit the security mechanisms you maintain to safeguard access to Information, Information systems and electronic communications. Audits may include examination of systems security and associated administrative practices.
2\.9.2 In cases where you are accessing Information and Information systems via third party software, you agree to make available to AppFolio, upon request, audit trail information and management reports generated by the third party software, regarding individual Authorized Users.
2\.9.3 You shall be responsible for and ensure that third party software, which accesses Information and/or Information systems, is secure, and protects this third party software against unauthorized modification, copy and placement on systems which have not been authorized for its use.
2\.9.4 You shall conduct software development (for software which accesses Information and/or Information systems; this applies to both in-house or outsourced software development) based on the following requirements:
(a) Software development must follow industry known secure software development standard practices such as OWASP adhering to common controls and addressing top risks.
(b) Software development processes must follow secure software assessment methodology which includes appropriate application security testing (for example: static, dynamic analysis, penetration testing) and ensuring vulnerabilities are remediated.
(c) Software solution server/system should be hardened in accordance with industry and vendor best practices such as Center for Internet Security (CIS) benchmarks, NIS, NSA, DISA and/or other.
2\.9.5 Reasonable access to audit trail reports of systems utilized to access systems shall be made available to AppFolio upon request, for example during breach investigation or while performing audits.
2\.9.6 Data requests from you to AppFolio must include the IP address of the device from which the request originated, where applicable.
2\.9.7 You shall report actual security violations or incidents that impact Information to AppFolio within twenty-four (24) hours. You agree to provide notice to AppFolio of any confirmed security breach that may involve Information related to the contractual relationship, to the extent required under and in compliance with applicable law. Telephone notification is preferred at 866.648.1536 or email to support@appfolio.com.
2\.9.8 You acknowledge and agree that you (a) have received a copy of these requirements, (b) have read and understand your obligations described in the requirements, (c) will communicate the contents of the applicable requirements contained herein, and any subsequent updates hereto, to all Authorized Users and (d) will abide by the provisions of these requirements when accessing the Information.
2\.9.9 You understand that your access to the Information is monitored and audited by AppFolio, without further notice.
2\.9.10 You acknowledge and agree that you are responsible for all activities of your Authorized Users, and for ensuring that mechanisms to access Information are secure and in compliance with these Screening Terms.
2\.9.11 When using third party service providers to access, transmit, or store Information, additional documentation may be required by AppFolio.
2\.9.12 AppFolio acknowledges that not all of these Access Security Requirements may apply in all circumstances.
2\.10 Experian Specific Security Requirements
The following security requirements represent the minimum security requirements acceptable to Experian, AppFolio’s provider of credit reports, RentBureau, and Experian Income Verification reports, and are intended to ensure that you have appropriate controls in place to protect information and systems, including any Experian information that you receive, process, transfer, transmit, store, deliver, and/or otherwise access. These security requirements are only required for Experian Information and are largely encompassed by the security requirements in this Section - FCRA Requirements. It is your responsibility to implement and comply with these Experian specific security requirements.
2\.10.1 Definitions
"Experian Information” means Experian highly sensitive information including, by way of example and not limitation, data, databases, application software, software documentation, supporting process documents, operation process and procedures documentation, test plans, test cases, test scenarios, cyber incident reports, consumer information, financial records, employee records, and information about potential acquisitions, and such other information that is similar in nature or as mutually agreed in writing, the disclosure, alteration or destruction of which would cause serious damage to Experian’s reputation, valuation, and/or provide a competitive disadvantage to Experian.
“Resource” means all of your devices, including but not limited to laptops, PCs, routers, servers, and other computer systems that store, process, transfer, transmit, deliver, or otherwise access the Experian Information.
2\.10.2 You shall have industry standard information security policies and procedures in place, such as ISO 27002 and/or the standards within this section, which are aligned to Experian’s information security policy.
2\.10.3 Resources (including physical, on premise or cloud hosted infrastructure) will be kept current with appropriate security specific system patches. You will perform regular penetration tests to further assess the security of systems and resources. You will use end-point computer malware detection/scanning services and procedures.
2\.10.4 Logging mechanisms will be in place sufficient to identify security incidents, establish individual accountability, and reconstruct events. Audit logs will be retained in a protected state (i.e., encrypted, or locked) with a process for periodic review.
2\.10.5 You will use security measures, including anti-virus software, to protect communications systems and network devices to reduce the risk of infiltration, hacking, access penetration by, or exposure to, an unauthorized third-party.
2\.10.6 You will use security measures, including encryption, to protect Experian Information in storage and in transit to reduce the risk of exposure to unauthorized parties.
2\.10.7 All remote access connections to your internal networks and/or computer systems will require authorization with access control at the point of entry using multi-factor authentication. Such access will use secure channels, such as a Virtual Private Network (VPN).
2\.10.8 Processes and procedures will be established for responding to security violations and unusual or suspicious events and incidents. You will report actual or suspected security violations or incidents that may affect Experian to Experian within twenty-four (24) hours of your confirmation of such violation or incident.
2\.10.9 Each user of any Resource will have a uniquely assigned user ID to enable individual authentication and accountability. Access to privileged accounts will be restricted to those people who administer the Resource and individual accountability will be maintained. All default passwords (such as those from hardware or software vendors) will be changed immediately upon receipt.
2\.10.10 All passwords will remain confidential and will be ‘strong’ passwords that expire after a maximum of 90 calendar days. Accounts will automatically lock out after five (5) consecutive failed login attempts.
2\.10.11 You shall require all your personnel to participate in information security training and awareness sessions at least annually and establish proof of learning for all personnel.
2\.10.12 You shall be subject to remote and/or onsite assessments of your information security controls and compliance with these Security Requirements.
2\.11 Record Retention
2\.11.1 The Federal Equal Credit Opportunities Act (“ECOA”) states that a creditor must preserve all written or recorded information connected with an application for 25 months. In keeping with the ECOA, AppFolio requires that you retain the credit application and, if applicable, a purchase agreement for a period of not less than 25 months. When conducting an investigation, particularly following a breach or a consumer complaint that your company impermissibly accessed their credit report, AppFolio will contact you and will request a copy of the original application signed by the consumer or, if applicable, a copy of the sales contract.
2\.11.2 Under Section 621(a)(2)(A) of the FCRA, any person that violates any of the provisions of the FCRA may be liable for a civil penalty of not more than $3,500 per violation.
3\. Additional Terms Relating To FICO Scores
3\.1 In the event we make available to you (which we may elect to do in our sole discretion), certain credit scoring services known as “Experian/Fair Isaac Model” the terms in this Section 3 shall apply.
3\.2 We purchase Experian/Fair Isaac Model for resale of the Scores and reason codes to you as an end-user of the information. Experian/Fair Isaac Model is an application of a risk model developed by Fair Isaac Corporation (“Experian/Fair Isaac”) which employs a proprietary algorithm and which, when applied to credit information relating to individuals with whom you have a credit relationship or with whom you contemplate entering into a credit relationship will result in a numerical score (“Score” or, collectively, “Scores”); the purpose of the models being to rank said individuals in order of the risk of unsatisfactory payment.
3\.3 AppFolio is reselling the Scores and reason codes to you subject to your strict compliance with the following provisions and payment of all applicable fees:
3\.3.1 You warrant that you have a “permissible purpose” to obtain the information derived from the Experian/Fair Isaac Model under the FCRA, as it may be amended from time to time, and any similar applicable state fair credit reporting statute.
3\.3.2 You shall limit your use of Scores and reason codes solely to use in your own business with no right to transfer or otherwise sell, license, sublicense or distribute said Scores or reason codes to third parties.
3\.3.3 You agree that you will not publicly disseminate any results of the validations or other reports derived from the Scores without each of Experian’s or Fair Isaac’s express written permission. You agree to maintain internal procedures to minimize the risk of unauthorized disclosure and agree that such Scores and reason codes will be held in strict confidence and disclosed only to those of your employees with a “need to know” and to no other person.
3\.3.4 Notwithstanding any contrary provision of these Screening Terms, you may disclose the Scores to credit applicants, when accompanied by the corresponding reason codes, in the context of bona fide lending transactions and decisions only.
3\.3.5 You shall comply with all applicable laws and regulations in using the Scores and reason codes purchased from AppFolio, including, without limitation, the ECOA, Regulation B, and/or the FCRA, and you agree that the Scores will not be used for adverse action as defined by the ECOA or Regulation B, unless adverse action reason codes have been delivered to you along with the Scores.
3\.3.6 You, your employees, agents or subcontractors are prohibited from using the trademarks, service marks, logos, names, or any other proprietary designations, whether registered or unregistered, of Experian Information Solutions, Inc. or Fair Isaac Corporation, or the affiliates of either of them, or of any other party involved in the provision of the Experian/Fair Isaac Model without such entity’s prior written consent.
3\.3.7 Nothing contained in these Screening Terms shall be deemed to grant you any license, sublicense, copyright interest, proprietary rights, or other claim against or interest in any computer programs utilized by AppFolio, Experian and/or Fair Isaac or any third party involved in the delivery of the scoring services hereunder. You acknowledge that the Experian/Fair Isaac Model and its associated intellectual property rights in its output are the property of Fair Isaac. You may not attempt, in any manner, directly or indirectly, to discover or reverse engineer any confidential and proprietary criteria developed or used by Experian/Fair Isaac in performing the Experian/Fair Isaac Model.
3\.3.8 By providing Scores to you under these Screening Terms, AppFolio grants to you a limited license to use information contained in reports generated by the Experian/Fair Isaac Model solely in your own business with no right to sublicense or otherwise sell or distribute said information to third parties. Before directing AppFolio to deliver Scores to any third party, you agree to enter into a contract with such third party that (1) limits use of the Scores by the third party only to the use permitted to you, and (2) identifies Experian and Fair Isaac as express third party beneficiaries of such contract.
3\.3.9 You hereby release and hold harmless AppFolio, Fair Isaac and/or Experian and their respective officers, directors, employees, agents, sister or affiliated companies, and any third-party contractors or suppliers of AppFolio, Fair Isaac or Experian from liability for any damages, losses, costs or expenses, whether direct or indirect, suffered or incurred by you resulting from any failure of the Scores to accurately predict that a consumer will repay their existing or future credit obligations satisfactorily.
3\.3.10 The aggregate liability of Experian/Fair Isaac to you is limited to the lesser of the fees paid by AppFolio to Experian/Fair Isaac for the Experian/Fair Isaac Model resold to you during the six (6) month period immediately preceding your claim, or the fees paid by you to AppFolio under the resale contract during said six (6) month period, and excluding any liability of Experian/Fair Isaac for incidental, indirect, special or consequential damages of any kind.
3\.3.11 You agree to indemnify, defend, and hold each of AppFolio, Experian and Fair Isaac harmless from and against any and all claims, suits, proceedings, investigations, damages, losses, expenses, costs, and any and all other liabilities (including reasonable attorneys’ fees and court costs and expenses) arising out of or resulting from any nonperformance by you of any obligations to be performed by you under these additional terms and conditions, provided that AppFolio and/or Experian/Fair Isaac have given you prompt notice of, and the opportunity and the authority (but not the duty) to, defend or settle any such claim. You shall not agree to any settlement without the prior written consent of AppFolio, Experian and Fair Isaac.
3\.3.12 You acknowledge that the Scores result from the joint efforts of Experian and Fair Isaac. You further acknowledge that each of Experian and Fair Isaac has a proprietary interest in said Scores and agree that either Experian or Fair Isaac may enforce those rights against you as third party beneficiaries of these additional terms and conditions as they may desire.
4\. Additional Terms Related to VantageScore Credit Score
4\.1 In the event we make available to you (which we may elect to do in our sole discretion), certain credit scoring services known as “VantageScore Credit Score” the terms in this Section 4 shall apply. We purchase the VantageScore Credit Score for resale to you as an end-user of the information. The VantageScore Credit Score interprets credit information relating to individuals with whom you have a credit relationship or with whom you contemplate entering into a credit relationship, to better inform your decisions in that relationship.
4\.2 AppFolio is reselling the VantageScore Credit Score and reason codes to you subject to your strict compliance with the following provisions and payment of all applicable fees:
4\.2.1 You warrant that you have a “permissible purpose” to obtain the information derived from the VantageScore Credit Score under the FCRA, as it may be amended from time to time, and any similar applicable state fair credit reporting statute.
4\.2.2 You shall limit your use of VantageScore Credit Score and reason codes solely to use in your own business with no right to transfer or otherwise sell, license, copy, reuse, disclose, sublicense or distribute said VantageScore Credit Score or reason codes to third parties. You shall not use the VantageScore Credit Score for model development or model calibration.
4\.2.3 You agree that you will not publicly disseminate any results of the validations or other reports derived from the VantageScore Credit Score without Experian’s express written permission. You agree to maintain internal procedures to minimize the risk of unauthorized disclosure and agree that such VantageScore Credit Score and reason codes will be held in strict confidence and disclosed only to those of your employees with a “need to know” and to no other person.
4\.2.4 Notwithstanding any contrary provision of these Screening Terms, you may disclose the VantageScore Credit Scores to credit applicants who are the subject of the VantageScore Credit Score, when accompanied by the corresponding reason codes; to government regulatory agencies when approved in writing by Experian; or as required by law.
4\.2.5 You shall comply with all applicable laws and regulations in using the VantageScore Credit Scores and reason codes purchased from AppFolio, including, without limitation, the ECOA, Regulation B, and/or the FCRA, and you agree that the VantageScore Credit Scores will not be used for adverse action as defined by the ECOA or Regulation B, unless adverse action reason codes have been delivered to you along with the VantageScore Credit Scores.
4\.2.6 You, your employees, agents or subcontractors are prohibited from using the trademarks, service marks, logos, names, or any other proprietary designations for VantageScore Credit Scores and VantageScore credit scoring models, whether registered or unregistered, of VantageScore Solutions, LLC, or the affiliates of either of them, or of any other party involved in the provision of the VantageScore Credit Scores without such entity’s prior written consent.
4\.2.7 Nothing contained in these Screening Terms shall be deemed to grant you any license, sublicense, copyright interest, proprietary rights, or other claim against or interest in any computer programs utilized by AppFolio and/or Experian or any third party involved in the delivery of the scoring services hereunder. You acknowledge that the VantageScore Credit Scores and its associated intellectual property rights in its output are the property of VantageScore Solutions, LLC and Experian Information Solutions, Inc. You may not attempt, in any manner, directly or indirectly, to discover or reverse engineer any confidential and proprietary criteria developed or used by Experian in performing the VantageScore Credit Scores.
4\.2.8 You agree to indemnify, defend, and hold each of AppFolio and Experian harmless from and against any and all claims, suits, proceedings, investigations, damages, losses, expenses, costs, and any and all other liabilities (including reasonable attorneys’ fees and court costs and expenses) arising out of or resulting from any nonperformance by you of any obligations to be performed by you under these additional terms and conditions, provided that AppFolio and/or Experian have given you prompt notice of, and the opportunity and the authority (but not the duty) to, defend or settle any such claim. You shall not agree to any settlement without the prior written consent of AppFolio and Experian.
5\. Additional Terms Related to Income Verification Services
5\.1 AppFolio’s Income Verification Service (IVS) reports are purchased from outside vendors for resale to you as the end-user of that information. In the event we make available to you (which we may elect to do in our sole discretion) income verification reports provided by Experian, through Finicity, and/or Work Number®, a service provided by Equifax Workforce Solutions LLC (a provider of Equifax Verification Solutions)(“EVS”), the terms in this Section 5 shall apply.
5\.2 Experian Verification Reports (defined herein)
Experian, through Finicity, interprets Account Data relating to Applicants with whom you contemplate entering into a leasing agreement and produces a Verification Report; the purpose of the Verification Report being to identify the Applicant’s income streams, their frequency, and estimated annual income.
5\.2.1 Definitions
As used in this Section 5.2 of the Screening Terms:
“Account Data” means data and other information collected using the Consumer Credentials from the Provider Services, which may include medical information (such as payment information related to the rendering of medical or healthcare services) and employment information (such as deposit information from an employer), for the creation of one or more Verification Reports, and any derivatives or modifications thereof, which can be provided in the format agreed to by Experian. Account Data (and all derivatives thereof, including the Verification Reports, as applicable) shall constitute the confidential information of Experian subject, at all times, to obligations of confidential treatment under the Agreement, and shall not be shared by you with, or accessed by, an affiliate, or any other third party, except as expressly provided herein.
“User Interface” means the user interface that will be used for the collection of Account Data by Finicity.
“Consumer Credentials” means the Applicant’s log-in credentials or other access information to the Provider Services that Finicity will use with the Applicant’s consent and at the Applicant’s direction for its access to the Provider Services for the purpose of collecting the Account Data and creating the Verification Reports and delivering the same to you.
“Finicity” means Finicity Corporation, a Mastercard company, the originating consumer reporting agency and provider of certain services related to the provision of the Account Data and Verification Reports. Finicity is an independent contractor of Experian, the ultimate provider of these services.
“Provider Services” means the online services or information that may be available to Applicants by providers, such as online banking, online payment, online investment account download, online bill pay, online trading and other account information made available by provider(s).
“Verification Report” is a report that identifies income streams, and estimates annual income of an individual Applicant, and identifies frequency of deposits and account owner based solely on the Account Data.
5\.2.2 You agree the delivery of the Verification Report is contingent on:
(a) The collection of the Consumer Credentials through the User Interface;
(b) Applicant’s explicit consent for the (i) collection of the Consumer Credentials through the User Interface (on behalf of, and explicitly naming, Finicity); (ii) provision of the Consumer Credentials to Finicity through the User Interface; and (iii) retention and use of the Consumer Credentials, one-time (or more, as may be necessary for Finicity to comply with its obligations under applicable law), by Finicity; all of which shall be performed in order for Finicity to use the Consumer Credentials to access the Provider Services, and collect and aggregate the Account Data to: (x) deliver the Account Data to AppFolio, you, and other third parties to create the applicable Verification Reports, and deliver the same to AppFolio, you, and to other third parties, and (y) deliver the Account Data to Experian for use in accordance with all applicable laws, rules and regulations; and Finicity’s ability to access the Provider Services for the purpose of collecting and providing the Account Data, and to create and deliver each Verification Report.
5\.2.3 You agree that Experian is not responsible for the provision of any Verification Report for any Applicant that does not provide his or her consent, Consumer Credentials, or required Applicant uploaded documentation, as applicable. In addition, Experian is not responsible for the inclusion of data from any Provider Services into any Verification Report if a provider of the Provider Services does not permit Finicity access to the Provider Services in order for Finicity to access, collect and use the Account Data for use as contemplated herein. You agree to provide AppFolio with your applicable permissible purpose code for each Verification Report you retrieve.
5\.2.4 AppFolio is reselling the Verification Reports to you subject to your strict compliance with the following provisions and payment of all applicable fees:
(a) You may not be a reseller of the income verification services or Verification Report, or directly or indirectly charge a consumer any costs or fees, or accept any other payment or valuable consideration from a consumer, for prequalification or any information derived therefrom, including, without limitation, by offering the income verification services as the sole additional feature of a higher-priced service offering or as an incentive to or bundled with a fee-based offering.
(b) You may not use, or permit your respective employees, agents and subcontractors to use, the trademarks, service marks, logos, names or any other proprietary designations of Experian, whether registered or unregistered, without prior written consent from Experian. Experian reserves the right to review your press releases and other collateral, as needed, in order to limit the use of Experian’s name.
(c) You shall not advertise, represent, claim or infer that you can (a) remove accurate but negative information from the Applicant’s credit report or (b) help the Applicant restore a credit report or improve or enhance the consumer’s credit score, record, history or rating. You shall avoid the following terms: clear your credit, fix your credit, advice on correcting your credit, clean up your credit, repair your credit, guidance on how to correct your credit report, help to improve your score, etc.
(d) You agree that the income verification service (including all Verification Reports and Account Data) shall not be used, disclosed, transmitted, or accessed in any way outside the United States or its territories.
5\.3 EVS The Work Number® (defined herein)
EVS’s The Work Number® is a service used to verify certain tenant screening related information provided by current and prior employers, including employment and income information (“EVS Tenant Screening Information”). You will be charged for the EVS Tenant Screening Information by AppFolio. Access to EVS Tenant Screening Information will only be available to you while you are an active customer of AppFolio, and continue to meet applicable credentialing requirements, the Screening Terms, and the Terms of Service.
5\.3.1 You will not disclose EVS Tenant Screening Information to the subject of the EVS Tenant Screening Information except as permitted or required by law, but will refer the subject to us. You will indemnify and hold us and our agents and service providers (including without limitation, Equifax Workforce Solutions LLC (a provider of Equifax Verification Solutions), a Missouri corporation (“EVS”)) harmless on account of any expense or damage arising or resulting from the publishing or other disclosure of EVS Tenant Screening Information by you, your employees or agents contrary to the Screening Terms, Terms of Service, or applicable law.
5\.3.2 You will comply with all applicable laws, statutes and regulations regarding the EVS Tenant Screening Information. Where applicable, you will comply with Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq. (“GLB”) and the implementing regulations issued thereunder and any other applicable statutes or federal laws, you will not use or disclose any of the EVS Tenant Screening Information other than in accordance with Section 6802(c) or with one of the General Exceptions of Section 6802(e) of the GLB and applicable regulations and all other Privacy Laws.
5\.3.3 If we and/or EVS reasonably believe that you have violated Section 2 of the Screening Terms, we and/or EVS may, in addition to any other remedy authorized by the Terms of Service, with reasonable advance written notice to you, and at our and/or EVS’s sole expense, conduct, or have a third party conduct on its behalf, an audit of your network security systems, facilities, practices and procedures to the extent we reasonably deem necessary, including an on-site inspection, to evaluate your compliance with the data security requirements contained therein.
5\.3.4 We and/or EVS may periodically conduct audits of you from time to time, during normal business hours, at all locations containing relevant records with ten (10) days prior notice regarding your compliance with the FCRA and other certifications in this Agreement. Audits will be conducted by email whenever possible and will require you to provide DocuSign documentation as to permissible use of particular EVS Tenant Screening Information. You shall (i) fully cooperate with and in such an audit, and (ii) promptly correct any discrepancy revealed by such audit. In addition, we will be required to provide EVS documentation indicating that we validated your legitimacy prior to the use of the EVS Tenant Screening Information, and we will also provide a copy of your agreement to use the EVS Tenant Screening Information. You give consent to us and EVS to conduct such audits and agree that any failure to cooperate fully and promptly in the conduct of any audit, or your material breach of these terms, constitute grounds for immediate suspension or termination of this service. If we terminate your access to the EVS Tenant Screening Information due to the conditions in the preceding sentence, you (i) unconditionally release and agree to hold us and EVS harmless and indemnify us and EVS from and against any and all liabilities of whatever kind or nature that may arise from or relate to such termination, and (ii) covenant you will not assert any claim or cause of action of any kind or nature against us or EVS in connection with such termination.
5\.3.5 You acknowledge and agree that the EVS Tenant Screening Information described herein may be modified by EVS. Should EVS modify the EVS Tenant Screening Information, we will provide such revised terms of service to you, which will supersede prior versions. All modifications will be governed by the Terms of Service Section 2 - Modification of these Terms of Service.