Common use of Topic Description Clause in Contracts

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without ▇▇▇▇▇▇ Mae’s prior written approval, except on a need‐to‐know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with ▇▇▇▇▇▇ ▇▇▇.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with ▇▇▇▇▇▇ Mae in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by ▇▇▇▇▇▇ ▇▇▇ related to the access and use of ▇▇▇▇▇▇ Mae’s systems or any Licensed Materials.  Not transmit to ▇▇▇▇▇▇ Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or ▇▇▇▇▇▇ Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of ▇▇▇▇▇▇ ▇▇▇ or any Third‐Party Licensor (or other third‐party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of ▇▇▇▇▇▇ Mae or any Third‐Party Licensor (or other third‐party owner). Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with ▇▇▇▇▇▇ ▇▇▇ in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; and  Licensee must promptly notify ▇▇▇▇▇▇ Mae of any Data Breach in writing ‐‐ at ▇▇▇▇▇▇▇_▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇ ‐‐ and must take all steps reasonably requested by ▇▇▇▇▇▇ ▇▇▇ to mitigate the consequences of such Data Breach.

Topic Description. Licensee Responsibilities Licensee must:  • Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  • Not disclose Confidential Information to third parties, without ▇▇▇▇▇▇ Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  • Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with ▇▇▇▇▇▇ ▇▇▇.  • Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with ▇▇▇▇▇▇ Mae in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  • Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  • Comply with all reasonable security policies and procedures required by ▇▇▇▇▇▇ ▇▇▇ related to the access and use of ▇▇▇▇▇▇ Mae’s systems or any Licensed Materials.  • Not transmit to ▇▇▇▇▇▇ Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or ▇▇▇▇▇▇ Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of ▇▇▇▇▇▇ ▇▇▇ or any Third‐Party Licensor (or other third‐party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of ▇▇▇▇▇▇ Mae or any Third‐Party Licensor (or other third‐party owner). Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with ▇▇▇▇▇▇ ▇▇▇ in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; and  Licensee must promptly notify ▇▇▇▇▇▇ Mae of any Data Breach in writing ‐‐ at ▇▇▇▇▇▇▇_▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇ ‐‐ and must take all steps reasonably requested by ▇▇▇▇▇▇ ▇▇▇ to mitigate the consequences of such Data Breach.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without ▇▇▇▇▇▇ Mae’s prior written approval, except on a need‐to‐know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with ▇▇▇▇▇▇ ▇▇▇Mae.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with ▇▇▇▇▇▇ Mae ▇▇▇ in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by ▇▇▇▇▇▇ ▇▇▇ related to the access and use of ▇▇▇▇▇▇ Mae’s systems or any Licensed Materials.  Not transmit to ▇▇▇▇▇▇ Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or ▇▇▇▇▇▇ Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of ▇▇▇▇▇▇ ▇▇▇ Mae or any Third‐Party Licensor (or other third‐party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of ▇▇▇▇▇▇ Mae ▇▇▇ or any Third‐Party Licensor (or other third‐party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all ▇▇▇▇▇▇ Mae mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with ▇▇▇▇▇▇ ▇▇▇ in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify ▇▇▇▇▇▇ Mae of any Data Breach in writing ‐‐ at ▇▇▇▇▇▇▇_▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇ ‐‐ and must take taking all steps reasonably requested by ▇▇▇▇▇▇ ▇▇▇ Mae to mitigate the consequences of such Data Breach. Licensee must fully cooperate with ▇▇▇▇▇▇ ▇▇▇ to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify ▇▇▇▇▇▇ Mae's Privacy Office (see E‐1‐03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from ▇▇▇▇▇▇ Mae's Privacy Office (see E‐1‐03, List of Contacts in the Selling Guide) to use ▇▇▇▇▇▇ Mae's name if the Licensee intends to refer to ▇▇▇▇▇▇ ▇▇▇ in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to ▇▇▇▇▇▇ Mae's Privacy Office (see E‐1‐03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies ▇▇▇▇▇▇ ▇▇▇ may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give ▇▇▇▇▇▇ Mae notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self‐regulatory authority that has authority to regulate or oversee ▇▇▇▇▇▇ Mae’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. ▇▇▇▇▇▇ Mae may remove from ▇▇▇▇▇▇ Mae’s systems any material transmitted by Licensee that ▇▇▇▇▇▇ Mae determines is in violation of law or the Agreement or that ▇▇▇▇▇▇ ▇▇▇ determines may lead to a Performance Incident or Data Breach. ▇▇▇▇▇▇ Mae has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by ▇▇▇▇▇▇ ▇▇▇. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants ▇▇▇▇▇▇ Mae an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. ▇▇▇▇▇▇ ▇▇▇ may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the Gramm‐▇▇▇▇▇‐▇▇▇▇▇▇ Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without ▇▇▇▇▇▇ Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with ▇▇▇▇▇▇ ▇▇▇Mae.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with ▇▇▇▇▇▇ Mae ▇▇▇ in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by ▇▇▇▇▇▇ ▇▇▇ related to the access and use of ▇▇▇▇▇▇ Mae’s systems or any Licensed Materials.  Not transmit to ▇▇▇▇▇▇ Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or ▇▇▇▇▇▇ Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of ▇▇▇▇▇▇ ▇▇▇ Mae or any Third‐Party Third-Party Licensor (or other third‐party third-party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of ▇▇▇▇▇▇ Mae ▇▇▇ or any Third‐Party Third-Party Licensor (or other third‐party third-party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all ▇▇▇▇▇▇ Mae mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with ▇▇▇▇▇▇ ▇▇▇ in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify ▇▇▇▇▇▇ Mae of any Data Breach in writing ‐‐ at ▇▇▇▇▇▇▇_▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇ ‐‐ and must take taking all steps reasonably requested by ▇▇▇▇▇▇ ▇▇▇ Mae to mitigate the consequences of such Data Breach. Licensee must fully cooperate with ▇▇▇▇▇▇ ▇▇▇ to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify ▇▇▇▇▇▇ Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from ▇▇▇▇▇▇ Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) to use ▇▇▇▇▇▇ Mae's name if the Licensee intends to refer to ▇▇▇▇▇▇ ▇▇▇ in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to ▇▇▇▇▇▇ Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies ▇▇▇▇▇▇ ▇▇▇ may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give ▇▇▇▇▇▇ Mae notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self-regulatory authority that has authority to regulate or oversee ▇▇▇▇▇▇ Mae’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. ▇▇▇▇▇▇ Mae may remove from ▇▇▇▇▇▇ Mae’s systems any material transmitted by Licensee that ▇▇▇▇▇▇ Mae determines is in violation of law or the Agreement or that ▇▇▇▇▇▇ ▇▇▇ determines may lead to a Performance Incident or Data Breach. ▇▇▇▇▇▇ Mae has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by ▇▇▇▇▇▇ ▇▇▇. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants ▇▇▇▇▇▇ Mae an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. ▇▇▇▇▇▇ ▇▇▇ may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.

Topic Description. Licensee Responsibilities Licensee must:  • Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  • Not disclose Confidential Information to third parties, without ▇▇▇▇▇▇ Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  • Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with ▇▇▇▇▇▇ ▇▇▇.  • Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  ° These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  ° Licensee must collaborate with ▇▇▇▇▇▇ Mae in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  • Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  • Comply with all reasonable security policies and procedures required by ▇▇▇▇▇▇ ▇▇▇ related to the access and use of ▇▇▇▇▇▇ Mae’s systems or any Licensed Materials.  • Not transmit to ▇▇▇▇▇▇ Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or ▇▇▇▇▇▇ Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of ▇▇▇▇▇▇ ▇▇▇ or any Third‐Party Licensor (or other third‐party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of ▇▇▇▇▇▇ Mae or any Third‐Party Licensor (or other third‐party owner). Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with ▇▇▇▇▇▇ ▇▇▇ in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; and  Licensee must promptly notify ▇▇▇▇▇▇ Mae of any Data Breach in writing ‐‐ at ▇▇▇▇▇▇▇_▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇ ‐‐ and must take all steps reasonably requested by ▇▇▇▇▇▇ ▇▇▇ to mitigate the consequences of such Data Breach.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without ▇▇▇▇▇▇ Mae▇▇▇’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with ▇▇▇▇▇▇ ▇▇▇.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with ▇▇▇▇▇▇ Mae ▇▇▇ in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by ▇▇▇▇▇▇ ▇▇▇ related to the access and use of ▇▇▇▇▇▇ Mae’s systems or any Licensed Materials.  Not transmit to ▇▇▇▇▇▇ Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or ▇▇▇▇▇▇ Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of ▇▇▇▇▇▇ ▇▇▇ or any Third‐Party Third-Party Licensor (or other third‐party third-party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of ▇▇▇▇▇▇ Mae ▇▇▇ or any Third‐Party Third-Party Licensor (or other third‐party third-party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all ▇▇▇▇▇▇ ▇▇▇ mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with ▇▇▇▇▇▇ ▇▇▇ in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify ▇▇▇▇▇▇ Mae of any Data Breach in writing ‐‐ at ▇▇▇▇▇▇▇_▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇ ‐‐ and must take taking all steps reasonably requested by ▇▇▇▇▇▇ ▇▇▇ to mitigate the consequences of such Data Breach. Licensee must fully cooperate with ▇▇▇▇▇▇ ▇▇▇ to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify ▇▇▇▇▇▇ ▇▇▇'s Privacy Office (see E-1-03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from ▇▇▇▇▇▇ ▇▇▇'s Privacy Office (see E-1-03, List of Contacts in the Selling Guide) to use ▇▇▇▇▇▇ ▇▇▇'s name if the Licensee intends to refer to ▇▇▇▇▇▇ ▇▇▇ in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to ▇▇▇▇▇▇ ▇▇▇'s Privacy Office (see E-1-03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies ▇▇▇▇▇▇ ▇▇▇ may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give ▇▇▇▇▇▇ ▇▇▇ notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self-regulatory authority that has authority to regulate or oversee ▇▇▇▇▇▇ ▇▇▇’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. ▇▇▇▇▇▇ ▇▇▇ may remove from ▇▇▇▇▇▇ ▇▇▇’s systems any material transmitted by Licensee that ▇▇▇▇▇▇ ▇▇▇ determines is in violation of law or the Agreement or that ▇▇▇▇▇▇ ▇▇▇ determines may lead to a Performance Incident or Data Breach. ▇▇▇▇▇▇ ▇▇▇ has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by ▇▇▇▇▇▇ ▇▇▇. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants ▇▇▇▇▇▇ ▇▇▇ an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. ▇▇▇▇▇▇ ▇▇▇ may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without ▇▇▇▇▇▇ Fannie Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with ▇▇▇▇▇▇ ▇▇▇.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with ▇▇▇▇▇▇ Mae ▇▇▇ in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by ▇▇▇▇▇▇ ▇▇▇ related to the access and use of ▇▇▇▇▇▇ Mae’s systems or any Licensed Materials.  Not transmit to ▇▇▇▇▇▇ Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or ▇▇▇▇▇▇ Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of ▇▇▇▇▇▇ ▇▇▇ or any Third‐Party Third-Party Licensor (or other third‐party third-party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of ▇▇▇▇▇▇ Mae ▇▇▇ or any Third‐Party Third-Party Licensor (or other third‐party third-party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all ▇▇▇▇▇▇ ▇▇▇ mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with ▇▇▇▇▇▇ ▇▇▇ in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify ▇▇▇▇▇▇ Mae of any Data Breach in writing ‐‐ at ▇▇▇▇▇▇▇_▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇ ‐‐ and must take taking all steps reasonably requested by ▇▇▇▇▇▇ ▇▇▇ to mitigate the consequences of such Data Breach. Licensee must fully cooperate with ▇▇▇▇▇▇ ▇▇▇ to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) to use Fannie Mae's name if the Licensee intends to refer to ▇▇▇▇▇▇ Mae in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies ▇▇▇▇▇▇ ▇▇▇ may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give ▇▇▇▇▇▇ ▇▇▇ notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self-regulatory authority that has authority to regulate or oversee Fannie Mae’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. ▇▇▇▇▇▇ ▇▇▇ may remove from Fannie Mae’s systems any material transmitted by Licensee that ▇▇▇▇▇▇ ▇▇▇ determines is in violation of law or the Agreement or that ▇▇▇▇▇▇ ▇▇▇ determines may lead to a Performance Incident or Data Breach. ▇▇▇▇▇▇ ▇▇▇ has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by ▇▇▇▇▇▇ ▇▇▇. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants ▇▇▇▇▇▇ ▇▇▇ an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. ▇▇▇▇▇▇ ▇▇▇ may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.

Topic Description. Licensee Responsibilities Licensee must:  Take appropriate steps to ensure the security, integrity, and confidentiality of Confidential Information and must comply with all relevant applicable laws and regulations, including laws protecting borrower privacy.  Not disclose Confidential Information to third parties, without ▇▇▇▇▇▇ Fannie Mae’s prior written approval, except on a need‐to‐know need-to-know basis to Licensee’s partners, Topic Description affiliates, officers, employees, directors, contractors, counsels, agents or representatives, provided they are subject to confidentiality obligations at least as stringent as those set forth in this Section A3.  Not use Confidential Information in any way that could be viewed as a conflict of interest, a breach of confidentiality or privacy, or the gaining of an unfair advantage from the relationship with ▇▇▇▇▇▇ ▇▇▇.  Implement commercially reasonable measures meeting or exceeding industry standards to ensure the security, integrity, and confidentiality of Confidential Information, including using industry‐standard industry-standard encryption for data in transit and virus checking programs designed to prevent the transmission and receipt of viruses and other malicious code, implementing appropriate disaster recovery and back‐up back-up procedures, implementing appropriate procedures to prevent disclosure of data and other materials to a party other than the intended recipient, and employing methods for securely disposing or destroying such information.  These measures must meet, at least, the same level of protection that the Receiving Party seeks for its own information of a similar nature.  Licensee must collaborate with ▇▇▇▇▇▇ Mae ▇▇▇ in assessing the sufficiency of these measures and Licensee’s information security program, upon reasonable request.  Instruct its Related Parties who may receive Confidential Information about the requirements of this Section A3, and the processes and procedures necessary to comply with them.  Comply with all reasonable security policies and procedures required by ▇▇▇▇▇▇ ▇▇▇ related to the access and use of ▇▇▇▇▇▇ Mae’s systems or any Licensed Materials.  Not transmit to ▇▇▇▇▇▇ Mae’s systems any materials that contain bugs, viruses, worms or other functions, routines, devices or instructions which may create any unauthorized access or damage to, or interruption in the functioning of, the Licensed Application or ▇▇▇▇▇▇ Mae’s systems. Restrictive Legends  Licensee must abide by and reproduce and include any restrictive legend or proprietary rights notice that appears in or on any Confidential Information of ▇▇▇▇▇▇ ▇▇▇ or any Third‐Party Third-Party Licensor (or other third‐party third-party owner) that it is authorized to reproduce.  Licensee also agrees that it will not remove, alter, cover or distort any trademark, trade name, copyright or other proprietary rights notices, legends, symbols or labels appearing on or in any Confidential Information of ▇▇▇▇▇▇ Mae ▇▇▇ or any Third‐Party Third-Party Licensor (or other third‐party third-party owner). Data Breach Response Program Licensee must maintain a response program consistent with the requirements of the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all ▇▇▇▇▇▇ ▇▇▇ mortgage loans. Required Actions in Case of Data Breach  Licensee must address any Data Breach with prompt and effective corrective action, including cooperation with ▇▇▇▇▇▇ ▇▇▇ in the investigation and remediation of such Data Breach, as well as prompt disclosure and notification where legally required; required and  Licensee must promptly notify ▇▇▇▇▇▇ Mae of any Data Breach in writing ‐‐ at ▇▇▇▇▇▇▇_▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇ ‐‐ and must take taking all steps reasonably requested by ▇▇▇▇▇▇ ▇▇▇ to mitigate the consequences of such Data Breach. Licensee must fully cooperate with ▇▇▇▇▇▇ ▇▇▇ to enable compliance with its legal and privacy incident management obligations. Notifications in Connection with a Data Breach Licensee must:  provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws;  maintain a copy of the notice in the individual mortgage loan file (if Licensee maintains the mortgage loan file);  notify Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that  affects 10 or more borrowers,  requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or  involves the intentional unauthorized access or misuse of borrower NPI; and  request permission from Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) to use Fannie Mae's name if the Licensee intends to refer to ▇▇▇▇▇▇ ▇▇▇ in any notices sent to affected borrowers or regulatory agencies. The written notice of a data breach to Fannie Mae's Privacy Office (see E-1-03, List of Contacts in the Selling Guide) must include:  a detailed description of the scope of the incident, including the number of impacted individuals and states where they reside;  a description of the related NPI;  the root cause (if known);  the response plan; and  a copy of the breach notice that the Licensee plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice. Remedies ▇▇▇▇▇▇ ▇▇▇ may seek immediate equitable relief to enjoin any unauthorized use or disclosure of Confidential Information, in addition to all other rights and remedies it may have at law or otherwise. Exclusions The obligations in this Section do not apply to information that is or becomes public through no fault of Licensee, was previously known or is disclosed to Licensee free of any obligation to keep it confidential or is independently developed by Licensee without reference or access to the Confidential Information. Disclosure Required by Applicable Law The restrictions on disclosure to a third party do not apply to the extent Licensee is required to disclose the Confidential Information by applicable law, provided that Licensee:  uses all reasonable efforts to give ▇▇▇▇▇▇ ▇▇▇ notice at least ten business days prior to such disclosure, and  discloses only that portion of the Confidential Information that Licensee’s legal counsel determines is legally required to be furnished, and requests that the information remain confidential. This notice requirement is waived if Licensee is required by law to disclose Confidential Information in response to a request from a governmental agency, regulator or self-regulatory authority that has authority to regulate or oversee Fannie Mae’s business (including bank examiners, securities examiners, and regulators’ inspector general offices), so long as Licensee formally requests that the Confidential Information be treated in confidence and exempt from Freedom of Information Act and other open records laws requests. ▇▇▇▇▇▇ ▇▇▇ may remove from Fannie Mae’s systems any material transmitted by Licensee that ▇▇▇▇▇▇ ▇▇▇ determines is in violation of law or the Agreement or that ▇▇▇▇▇▇ ▇▇▇ determines may lead to a Performance Incident or Data Breach. ▇▇▇▇▇▇ ▇▇▇ has no obligation to remove, screen, police, edit or monitor any data or other material generated by Licensee or its Related Parties. Licensee may provide feedback in connection with a new process, technology, technology upgrade, or service offering yet to be released into production by ▇▇▇▇▇▇ ▇▇▇. The feedback may include comments and recommendations. When Licensee provides such feedback, it grants ▇▇▇▇▇▇ ▇▇▇ an unlimited, worldwide, perpetual, and irrevocable license under Licensee’s intellectual property rights, without duty to account, to disclose, incorporate, practice, deploy, or adapt such feedback. ▇▇▇▇▇▇ ▇▇▇ may at times share loan quality and loan performance data and other NPI with Licensee in compliance with permitted purposes outlined in the ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act and other applicable privacy laws. Licensee must use such data only for those limited permitted purposes.