This Fair Isaac Information Security Agreement (“Information Security Agreement”) is a part of the Agreement and is subject to all the terms and conditions of the Agreement, including, without limitation, the limitation of liability provisions therein. This Information Security Agreement outlines the security measures and procedures implemented by Fair Isaac relating to SaaS Services. If there is a conflict between the terms of this Information Security Agreement and the Agreement, the terms of this Information Security Agreement shall apply but only to the extent of such conflict. Unless defined in this Information Security Agreement, capitalized terms will have the same meanings stated in the Agreement. 

1. Definitions

“Agreement” collectively means the agreement between Client and Fair Isaac that references this Information Security Agreement and pursuant to which Fair Isaac provides SaaS Services to the Client, and all related orders, order forms, subscriptions, statements of work, work orders, purchase orders, amendments and other attachments to such agreement.

“Cardholder Data” has the meaning provided by the Payment Card Industry (“PCI”) Security Standards Council. At a minimum, Cardholder Data consists of the full primary account number (“PAN”). Cardholder Data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date, and/or service code.

“Client Data” means any data submitted by or on behalf of Client under the Agreement. Client Data may include Cardholder Data or Personal Data.

“Client Personal Data” means Client Data that is Personal Data.

“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person, or as otherwise defined under Applicable Data Protection Laws. Personal Data includes, to the extent applicable, “personal data” as defined under the GDPR, the UK GDPR, and the LGPD; “personal information” as defined under the CCPA; “nonpublic personal information” as defined under the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; and “cardholder data” as defined by the Payment Card Industry (“PCI”) Security Standards Council. Personal Data does not include de-identified data such that it has been stripped of all direct identifiers or is otherwise in a form that does not identify and cannot be used to identify a natural person.

“Regulatory Authorities” means any government agency or regulatory authority responsible for supervision or enforcement of a law, statute, or regulation applicable to the security or privacy of Client Data.

“Security Audit” means an assessment of Fair Isaac’s security practices, procedures, infrastructure, standards, compliance, and/or performance, which may include compilation of answers to Client questionnaires, participation in detailed discussions with Client’s security team or third party auditors, and/or facilitation of on-site visits to Fair Isaac owned facilities.

“Security Breach” means a Security Incident that results in unauthorized acquisition, access, alteration, destruction, loss, use, or disclosure of Client Data that compromises the security, confidentiality, or privacy of such information. A Security Breach does not include any unintentional acquisition, access, or use of Client Data by an employee or individual acting under the authority of Fair Isaac if: (i) such acquisition, access or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with Fair Isaac; and (ii) such information is not further acquired, accessed, used, or disclosed by any person.

“Security Incident” means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

2. Governance of Cyber Security

2.1. Cyber Security Program. Fair Isaac maintains a cyber security program, led by a Chief Cyber Security Officer, that is designed to protect the SaaS Service, organizational assets, Client Data and infrastructure (“Cyber Security Program”). Fair Isaac’s Cyber Security Program is informed by current and evolving regulatory requirements, industry trends and best practices.

2.2. Cyber Security Policies. As part of its Cyber Security Program, Fair Isaac designs its security policies and standards to align with ISO27001, and they are reviewed, updated and approved on at least an annual basis. All Fair Isaac employees and contractors are obligated to safeguard the confidentiality, integrity, and availability of data and information systems and are required to understand and comply with all documented security policies and standards.

2.3. Cyber Security Awareness Training. Fair Isaac requires all employees and contractors to undertake security awareness training upon hire and annually thereafter. In addition to mandatory security awareness training, Fair Isaac has developed a role-based security training program for certain roles dependent on job functions.

3. Fair Isaac Responsibilities

3.1. Protection of Client Data. Fair Isaac shall implement and maintain reasonable technical and organizational measures that are designed to (i) protect the security and confidentiality of Client Data, (ii) protect against anticipated threats or hazards to the security or integrity of Client Data, and (iii) protect against unauthorized access to or use of Client Data that could result in substantial harm to Client or Client’s customers or end-users. Client shall not submit to the SaaS Service any Personal Data that contains “Cardholder Data” subject to PCI Security Standards, unless Fair Isaac has agreed in writing pursuant to the Agreement to receive such Cardholder Data and then only with respect to the SaaS Service (or portion thereof) specifically identified by Fair Isaac for such receipt. Fair Isaac shall have no liability under any Agreement relating to Cardholder Data that is not processed in accordance with the terms of this section notwithstanding anything to the contrary contained in the Agreement, the Payment Card Industry Data Security Standards (“PCI DSS”) or similar regulations.

3.2. Incident Management. Fair Isaac shall promptly investigate and respond to suspected or actual Security Incidents. All employees and contractors are required to report suspected Security Incidents. Identified Security Incidents are analyzed by Fair Isaac in an effort to contain, recover, correct, and prevent such Security Incidents.

3.3. Security Breach Response. Fair Isaac shall monitor its systems and procedures for Security Incidents, violations, and suspicious activity that is reasonably foreseeable to result in a Security Breach. This includes suspicious external activity (such as unauthorized probes, scans, or break-in attempts) and suspicious internal activity (such as unauthorized system administrator access, unauthorized changes or misuse to its system or network). Upon detection by Fair Isaac of any Security Breach that has occurred, Fair Isaac shall investigate to identify the cause and take prompt corrective action to prevent similar future incidents. In addition, to the extent Fair Isaac is legally permitted to do so, Fair Isaac shall, within the time period required under applicable law, but in no event more than forty-eight (48) hours after confirmation, notify the Client of the nature of the Security Breach and the steps being taken to address the incident and prevent future incidents. If the Client detects any Security Breach, the Client shall immediately notify Fair Isaac.

3.4. Vulnerability Management. Fair Isaac will manage all information system vulnerabilities found using an industry approved vulnerability scanner, including, where applicable, a PCI approved option for PCI compliance scans. In the event of a detected vulnerability, Fair Isaac will promptly undertake appropriate remediation efforts.

3.5. Secure Software Development. Fair Isaac will maintain a software development life cycle process that is designed to include certain security requirements in each phase of the development of Fair Isaac software products, is informed by applicable industry standards, and includes, as appropriate, activities such as: threat modeling, secure code reviews, penetration testing, and remediation of detected product security vulnerabilities. Fair Isaac uses industry standard tools to perform static and dynamic code scanning.

3.6. Cryptography. While in transit, Client Data is encrypted using cryptographically secure protocols (TLS v.1.2 or higher), and while at rest within the SaaS Service, Client Data is encrypted using cryptographically secure protocols (AES-256 bit, or the equivalent).

3.7. Access Controls. Fair Isaac follows the “principle of least privilege,” meaning that an authorized user is only granted levels of system access and rights as appropriate given the user’s job function. All access and actions taken with that access are traceable back to an individual user and documented within Fair Isaac’s IT service management tool.

3.8. Physical and Environmental Security. Fair Isaac facilities are classified into categories based on the data and information that is processed, transmitted, or stored in the facility. Security controls applied to facilities are dependent on the classification. CCTV is implemented to monitor ingress and egress points. Facility access is granted based on the principle of least privilege and all employees are assigned a unique proximity badge for facility access corresponding to their job duties. Visitors are required to sign in and be escorted by a Fair Isaac employee while on-premises at a Fair Isaac facility.

3.9. Disposal of Client Information. To the extent Client Data is within Fair Isaac’s possession and control and Client does not have the ability to dispose of such Client Data, Fair Isaac shall dispose of Client Data in compliance with applicable law to which Fair Isaac is subject. In furtherance of the foregoing, Fair Isaac shall take reasonable measures designed to protect against unauthorized access to or use of Client Data in connection with its disposal, considering the nature and sensitivity of the Client Data, the costs and benefits of different disposal methods, and relevant technological changes. Client acknowledges and agrees it has an affirmative obligation to provide Fair Isaac prior notice of Client Data that is or may be subject to specific process disposal requirements, and Fair Isaac’s compliance with this section depends on receiving that notice from Client. Any data stored on off-site backups, including without limitation, automatically generated computer backup or archival copies generated in the ordinary course of Fair Isaac’s information technology systems procedures, will be destroyed as part of Fair Isaac’s normal data destruction process. If Client requires Fair Isaac to remove specific files from the backups, Client is responsible for all costs associated with retrieving the data from off-site backups and archives, reloading the data onto Fair Isaac systems, deleting the files in question, and re-performing backups and transmission of the remaining data.

4. Fair Isaac Audits and Reports. Fair Isaac engages independent third-party auditors to assess Fair Isaac’s Cyber Security Program on an annual basis, including the following independent third-party audits:

(a) SOC2 Type 2;

(b) ISO27001; and

(c) PCI DSS (PCI compliant solutions only).

5. Client Audits, Reports and Testing

(a) General. Subject to any applicable terms under this Information Security Agreement and/or in a data protection agreement between the parties governing the processing of Personal Data, if Client requests a Security Audit, then Client agrees and acknowledges the following process and criteria must be satisfied before Fair Isaac is obligated to grant a Security Audit request: (i) Client will provide 30 days advance written notice to Fair Isaac with the Security Audit request that shall include reasonable details of the requested Security Audit; (ii) Client is limited to one Security Audit within a 12 month period; and (iii) the parties will enter into a mutually agreed upon agreement for professional services issued under the Agreement, and such agreement shall define the obligations and commercial terms, including, but not limited to, terms relating to confidentiality and non-disclosure, with regard to the requested Security Audit. Subject to the foregoing, in response to a Security Audit request, Fair Isaac shall make available industry standard documentation relating to its security program and infrastructure, including policies, procedures and reports for the inspection, examination, and auditing; on-site audits shall not be permitted unless Client reasonably demonstrates a substantial need after reviewing audit documentation provided by Fair Isaac and the parties mutually agree on the timing and scope to avoid disruption to Fair Isaac’s normal business operations. In no event shall Client have access to data relating to other Fair Isaac clients.

(b) Cooperation with Regulatory Authorities. Client’s business operations may be subject to audit by Client’s Regulatory Authorities. Fair Isaac shall cooperate with Client’s efforts to meet Client’s regulatory obligations with respect to audits requested in writing under legally valid notice, request, or order by Client’s Regulatory Authority. Subject to Section 5(a), Fair Isaac shall make available the information described in Section 5(a), to the extent legally allowed and required by the Regulatory Authorities; provided, however, Client shall pay for all Fair Isaac’s time spent in connection with efforts to support Client’s audits contemplated under this section at Fair Isaac’s then-current hourly rates, plus any out-of-pocket expenses.

(c) Audit Reports and Audit Data. Client shall provide Fair Isaac with copies of all audit reports generated by Client, including any audit reports by Client’s internal or external auditors and Client’s Regulatory Authorities, in connection with any audit under this Section 5, unless Client is prohibited by applicable law. Client may use the audit reports only for the purposes of meeting its regulatory audit requirements under applicable law, and/or confirming compliance with the requirements under this Information Security Agreement. The audit reports are Confidential Information of the parties under the terms of the Agreement. All Fair Isaac information received or obtained by Client or its auditors before, during and/or after the audit (collectively, “Audit Data”) must be treated by Client and its auditors as Fair Isaac Confidential Information and shall only be used and retained for purposes of the audit. All Audit Data in electronic form must be kept in an encrypted format. All Audit Data maintained as paper documentation or notes must be kept in a secured and locked container. Client and its auditors shall not disclose any of the information to another party without the specific written approval of Fair Isaac. Auditors must execute a written confidentiality agreement acceptable to Fair Isaac before conducting the audit. 

(d) No Client Testing. Client, and any party acting on Client’s behalf, are prohibited from performing any type of tests (automated or otherwise) affecting or against Fair Isaac’s infrastructure and networks. Fair Isaac periodically performs its own tests of its infrastructure and networks. Fair Isaac is willing to discuss the results of the tests with Client; and Fair Isaac may, in its sole discretion, provide executive summary reports of penetration tests, as applicable, to Client for its internal use of evaluating its compliance with PCI Security Standards if applicable. In no event is Fair Isaac required to provide any test results to Client. All information and reports provided to Client must be treated by Client as Fair Isaac Confidential Information.

(e) Audit Recommendations. Based on the results of an audit under this Section 5, Client or Client’s auditors may make recommendations to Fair Isaac relating to security issues. If the audit identifies any security issues that the parties agree are both material and that directly affect the Client Data in the possession of Fair Isaac through the SaaS Service, Fair Isaac will work with Client and use reasonable efforts to remediate the issues based on the nature and sensitivity of the Client Data. If Client requests that Fair Isaac take corrective actions, Fair Isaac will evaluate the request in light of standard industry norms and practices, and Fair Isaac’s contractual obligations to (i) Client under the Agreement and (ii) its other clients. If Fair Isaac determines that Client’s request for correction is specific to Client’s requirements (i.e., not needed for other clients) and Fair Isaac determines that it can provide professional services to accommodate Client’s request, then Fair Isaac will develop a statement of work or other agreement providing for professional services at Fair Isaac’s then-current fees for Client’s approval. If approved by Client, then Fair Isaac will develop and propose an implementation schedule to such statement of work or agreement. Unless and until the parties execute a definitive statement of work or other agreement for such professional services, Fair Isaac shall have no obligation to perform any requests from Client.

6. Changes. This Information Security Agreement is subject to change by Fair Isaac at any time by posting a revised version on the https://www.fico.com/en/legal website (“FICO Website”) or by otherwise providing written notice of such changes to Client. Any changes to this Information Security Agreement will be in effect as of the “Last Updated” date referenced on the FICO Website or in the written notice, as applicable. Client has reviewed and assents to this Information Security Agreement, and Client’s continued use of the SaaS Service after the “Last Updated” date shall constitute Client’s acceptance of and agreement to all such changes.