Legal Center

Security Requirements

UPDATED
April 2021

Company Obligations

  1. Company Security Breach

    1. Company agrees to provide Customer with notice via email, at the latest email address provided by Customer, of any confirmed unauthorized access, acquisition, use, disclosure, or loss of any Consumer Information (a “Security Breach”) within twenty-four (24) hours following the discovery thereof. The written notice may be delayed if any law enforcement agency determines that such notice will impede a criminal investigation.

    2. Attestation of Security Practices

      1. Company agrees to the following and to provide evidence of the same upon Customer’s request, which may be requested no more than once (1) per year:

        1. Company has implemented a comprehensive written information security program that includes administrative, technical and physical safeguards appropriate to the size and complexity and the nature and scope of the Services provided to Customer under this Agreement. Company’s security program shall include, but not be limited to, the following:

          1. access controls on Company’s information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing Consumer Information to unauthorized individuals;

          2. encryption of electronic Consumer Information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;

          3. monitoring systems and procedures to detect actual and attempted attacks on or intrusions into Company;

          4. penetration testing by an independent assessor on an annual basis, at minimum;

          5. response programs that specify actions to be taken when Company suspects or detects that unauthorized individuals have gained access to Company’s information system; and,

          6. measures to protect against destruction, loss, or damage of Consumer Information due to potential environmental hazards, such as fire and water damage or technological failures.

        2. Company shall adhere, in all material respects, to the applicable sections of the ISO 27002 standards or similarly applicable security standards in the provision of the Services.

        3. Company’s information security program complies with the laws and statutes applicable to the Services regarding the protection of Consumer Information.

        4. Company conducts, at least annually, at its expense, industry security audits of Customer’s financial industry security standard compliance performed by one or more independent and reputable organizations qualified to conduct information security audits. Company shall retain sole and exclusive control over the selection of such organization and frequency of such audits.

        5. Company shall provide to Customer one or more summaries of the results of Company’s relevant independent security audits, solely as relates to the Services, upon request. These summaries shall be considered Company’s Proprietary Information and treated as such by Customer.

        6. Company shall document, maintain, and follow industry practices related to security incident notification and response plans.

        7. Company will conduct, or cause to have conducted, a comprehensive background investigation on any of its employees or representatives (“Personnel”). Company’s background investigation shall be conducted in accordance with Company’s standard policy on background investigations, which is available for review by Customer upon request and which is in accordance with applicable industry standards and regulations. Company shall not permit any Personnel to perform material aspects of the Services under this Agreement if such Personnel has failed to pass such background check.

Customer Obligations

  1. Customer Security Breach

    1. Customer shall agree to the following and provide evidence of the same upon Company’s request:

  2. Attestation of Security Practices

    1. Customer shall agree to the following and provide evidence of the same upon Company’s request:

      1. Customer has a comprehensive security program that complies with all applicable laws, rules, and regulations.

      2. Customer will use multi-factor authentication, which includes at least one factor in addition to username and password, to access the Services. This requirement applies even if Customer is using single sign-on to access the Services.

      3. Customer complies with financial industry security standards such as ISO 27001 and ISO 27002, AICPA Trust Service Principles and Criteria (SOC 2), BITS Shared Assessment Agreed Upon Procedures (AUP), or other similar standards.

      4. Customer conducts, at least annually, at its expense, industry security audits of Customer’s financial industry security standard compliance performed by one or more independent and reputable organizations qualified to conduct information security audits.

      5. If requested by Company, Customer will provide to Company a complete copy of the security audit report(s) conducted by an independent organization detailing the scope and results of the assessment.

      6. If requested by Company, Customer will make available relevant security documentation and personnel to verify Customer’s security program.