Vendor Attestation
Compliance with Data Privacy Laws

1. GENERAL

This Vendor Attestation ("Attestation") serves as a foundational set of terms and conditions to be incorporated by reference into agreements, statements of work, work orders or analogous documents (individually, "Agreement") between Altisource and its vendors (individually, "Vendor"). Capitalized terms not expressly defined here have the same meanings as in the corresponding regulations. In the event of any conflict between this Attestation and any Agreement, this Attestation will govern and control.

2. DEFINITIONS

  • a. "CPA" as used in this Attestation, means the Colorado Privacy Act.

  • b. "CPRA" as used in this Attestation, means the California Consumer Privacy Act, as amended by the California Privacy Rights Act.

  • c. "GDPR" as used in this Attestation, means the EU General Data Protection Regulation.

  • d. "Personal Data" as used in this Attestation, means any information relating to an identified or identifiable natural person; an "identifiable natural person" is an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier (including but not limited to a screen name, username or social media handle) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. For avoidance of doubt, Personal Data includes any data covered by the definition of "Personal Information" as the term may be defined in the Data Protection Regulations.

  • e. "Personal Data Breach" as used in this Attestation, means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

  • f. "Processing" as used in this Attestation, means any operation or set of operations (whether automatic or manual) performed upon Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destructing.

  • g. "Services" as used in this Attestation, means the services and/or products provided by Vendor to Altisource.

  • h. "Subprocessor" as used in this Attestation means any natural or legal person, public authority, agency or other body which processes personal data on behalf of the Processor (including any affiliate of the Processor).

  • i. "Transfer" as used in this Attestation means to disclose or otherwise make Personal Data available to a third party (including to any affiliate or Subprocessor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means.

  • j. "U.S. Data Privacy Regulations" as used in this Attestation, means the CPA, CPRA, VCDPA and any other laws or regulations that may enter into effect in the future (e.g., Utah Consumer Privacy Act or the Connecticut Data Privacy Act) and their implementing regulations.

  • k. "VCDPA" as used in this Attestation, means the Virginia Consumer Data Protection Act.

3. OBLIGATIONS

  • a. Vendor is solely responsible for its compliance with any data privacy and data protection laws and regulations applicable to it and for fulfilling any of its related obligations to third parties, including data subjects and supervisory authorities.

  • b. To the extent the Vendor receives, or has access to Personal Data, Vendor shall:

    • i. Only Process the Personal Data in order to provide the Services;

    • ii. Keep the Personal Data secure and implement appropriate technical, physical, administrative and organizational safeguards and measures to: (1) ensure the continued security, confidentiality, integrity, availability and resilience of the systems used to process the Personal Data, and (2) restore availability and access to the Personal Data without delays, in case of incident or security breach.

    • iii. Ensure that each person processing Personal Data on its behalf is subject to a duty of confidentiality with respect to such Personal Data;

    • iv. Promptly notify Altisource of any third-party requests or complaints relating to the Processing of Personal Data; the Processor will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of the Personal Data. Processor will notify Altisource without undue delay in the event of any Personal Data Breach.

4. GDPR

To the extent the processing of Personal Data contemplated in the Agreement is subject or otherwise covered by the GDPR:

  • a. Altisource is the data controller, and Vendor is the data processor and will comply with its obligations as a data processor under the GDPR. Altisource notes that, in certain instances, Vendor could act as an independent controller for specific Services; this section will not apply to these situations.

  • b. Altisource hereby instructs Vendor to collect and process the Personal Data in accordance with the Agreement or the instructions provided by Altisource. Vendor will process the Personal Data only: (i) in accordance with the terms of the Agreement or such instructions; (ii) as needed to provide the Services; or (iii) as needed to comply with applicable law.

  • c. Vendor shall maintain appropriate technical and organizational security measures to protect Personal Data against: (i) unauthorized or unlawful processing; (ii) accidental or unlawful destruction; (iii) accidental loss or alteration; and (iv) unauthorized disclosure or access.

  • d. Vendor employees or representatives with access to the Personal Data shall be subject to statutory or contractual obligations to protect, and keep confidential, such Personal Data.

  • e. The Vendor shall not Transfer any Personal Data without the prior consent of Altisource. Vendor shall ensure that adequate protection for the Personal Data will exist after the Transfer, using contracts that provide sufficient guarantees (such as standard contractual clauses) unless another legal basis for the Transfer exists. Vendor confirms that, to the extent the Services involve transferring personal data outside of the European Union/European Economic Area, then the terms of the Standard Contractual Clauses available at https://altisource.com/scc-processor shall apply to such transfers with Vendor deemed to be the "data importer".

  • f. Upon termination or expiration of the Agreement, Vendor will delete or return the Personal Data to Altisource. Notwithstanding the foregoing, Altisource hereby authorizes Vendor to retain back-up copies of Personal Data for Vendor's compliance purposes.

Vendor shall provide Altisource with full cooperation and all information necessary to demonstrate compliance with the obligations laid down in the GDPR, and allow for and contribute to audits, including inspections, conducted by Altisource or another auditor mandated by Altisource.

5. U.S. Data Privacy Regulations

The following obligations apply to the extent the processing of Personal Data contemplated in the Agreements is subject or otherwise covered by the U.S. Data Privacy Regulations. Capitalized terms used in this section that are not otherwise defined herein, shall have the meanings assigned to them under the U.S. Data Privacy Regulations.

  • a. Processor shall comply with the U.S. Data Privacy Regulations, including with respect to the Personal Data Processor collected or received under the Agreements, providing the same level of privacy protection required by the U.S. Data Privacy Regulations. Processor shall maintain appropriate technical and organizational security measures to protect Personal Data against: (i) unauthorized or unlawful processing; (ii) accidental or unlawful destruction; (iii) accidental loss or alteration; and (iv) unauthorized disclosure or access.

  • b. Processor shall not: (i) sell or share the Personal Information; (ii) retain, use, or disclose the Personal Information for any purpose other than for performing the Services, including to retain, use, or disclose the Personal Data for a commercial purpose other than providing its Services; (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between the Processor and Altisource; (iv) combine the Personal Data with Personal Data received from other businesses or collected directly from consumers, provided that Processor retains the ability to combine Personal Data to perform any business purpose authorized by the U.S. Data Privacy Regulations. Processor certifies that it understands and acknowledges the obligations included in this section and will comply with them.

  • c. Processor shall permit Altisource or its designated assessor, subject to previous agreement, to monitor Processor's compliance with the Agreement through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.

  • d. Processor will require that any Subcontractors to whom it provides Personal Data agree in writing to appropriate protections with respect to such Personal Data.

  • e. Upon Altisource's reasonable request, Processor will make available all information in its possession necessary to demonstrate Processor's compliance with its obligations under the Data Protection Regulations. Processor grants Altisource the right, upon reasonable written notice, to take reasonable and appropriate steps to ensure that Processor uses the Personal Data consistent with the Data Protection Regulations.

  • f. Processor will promptly notify Altisource if Processor makes a determination that it can no longer meet its obligations under the Data Protection Regulations.

  • g. Processor shall notify Altisource immediately following discovery of any suspected breach or compromise of the security, confidentiality, or integrity of any Personal Data. Written notification provided pursuant to this section will include a brief summary of the available facts, the status of Processor's investigation, and if known and applicable, the potential number of data subjects affected by the incident. Processor grants Altisource the right, upon reasonable written notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of its Personal Data.

  • h. Upon the termination of the Agreement, upon the written request of Altisource, Processor agrees to promptly delete or return to Altisource all copies of such Personal Data.

6. Data Protection Laws Updates

In the event that any modification is required to this Attestation as a result of a change in or subsequently applicable Data Protection Regulations, then Altisource may adjust and/or amend this Attestation in its reasonable discretion in order to achieve compliance with the same. Any such modifications shall be communicated in writing and shall be implemented within a reasonable timeframe.

Last Updated March 1, 2024