Medallion Analytics (“Medallion”) has provided this Storage &Security Policy statement to assist end users of the eSETTLEMENT Platform (as made available by Medallion from www.medallionanalytics.com and associated sub URLs) in understanding the manner by which Medallion provides storage and security for the personally identifiable information Medallion may collect from users of its eSETTLEMENT Platform. Personally identifiable information (“PII”) includes information that can be linked to a specific individual, such as a name, address, phone number, or e-mail address.

Medallion provides storage capability for the PII that is collected and used through and as a part of the eSETTLEMENT Platform. Some of Medallion's current measures are noted below.

Storage

  1. Information provided in connection with each completed application through the eSETTLEMENT Platform shall be archived for at least five (5) years after the corresponding loan is originated as a part of the eSETTLEMENT Platform transaction fee.
  2. All data is backed-up on a daily basis.
  3. All vaulted files and production database information is stored in at least two active locations not counting backups.
  4. Service Levels
    1. Backup Hardware is available and on stand-by. Medallion will work to have all hardware (under its control) back online within one (1) hour of a failure notification.
    2. Data Recovery. Medallion will work to have all PII (stored by Medallion) restored from backup within two (2) hours of a failure notification.
    3. System Up-Time. 99.9% uptime excluding maintenance

Security

As is appropriate for the nature of PII collected and stored by Medallion, the eSETTLEMENT Platform has industry standard security measures or safeguards in place to protect against the loss, misuse, and alteration of the PII under Medallion's control. Some of Medallion's current measures are noted below.

Physical Security

  1. ISO17799-Based policies and procedures, reviewed on a periodic basis as part of our hosting provider’s SAS70 II audit process.
  2. Hosting Environment is regularly monitored 24x7 (subject to maintenance).
  3. Data Center access limited only to data center technicians.
  4. Biometric scanning for controlled data center access.
  5. Security camera monitoring at all centers where Medallion data will be housed.
  6. 24x7 on site security to protect against unauthorized entry in unmarked facilities to maintain a low profile. Physical security is audited by an independent firm.

Network / System Security

Network Security

  1. Firewall. All Medallion hosts are protected by a dedicated Cisco ASA or superior firewall.

System Security

  1. Managed by Medallion's hosting providers' security engineers 24x7 (subject to maintenance)
  2. System installation using hardened, patched OS
  3. System patching configured to provide ongoing protection from exploits
  4. Offsite backups are encrypted

Application Security

  1. Data is validated to provide protection from outside exploits.
  2. Java EE Security Practices
  3. Use random generation of initial passwords.
  4. All passwords encrypted during transmission and while in storage.
  5. Audit Trail. Users access to the platform. (Login/Logout/Failed Login), Password changes, Upload, View, Download and Deletion of Documents, and User activities
  6. Quarterly intrusion test and security assessment

Operational Security

  1. Relevant employees are trained on documented information security and privacy procedures
  2. Access to confidential information restricted to authorized personnel only, according to documented process
  3. Systems access logged and tracked for auditing purposes
  4. Secure document-destruction policies for all sensitive information
  5. Documented change-management procedures
  6. Independently audited disaster recovery and business continuity plans in place for hosting environment and support services.
  7. Secure media handling and destruction procedures for all customer data.

Although Medallion has endeavored to make any information entered into the eSETTLEMENT Platform secure and reliable, the retention or confidentiality of any PII cannot be assured. Accordingly, the information set forth in this policy statement is not a guarantee of any kind with respect to the storage or the prevention of any unauthorized use of or access to any PII stored by Medallion.

Medallion reserves the right to change this Storage &Security Policy at any time. If Medallion makes changes to this Storage &Security Policy, Medallion will post those changes at this location and provide notice of any material changes. Please review this Storage &Security Policy on a periodic basis.