CoStar Debt Solutions
Security, Cybersecurity and Service Level Commitments
CoStar’s Security and Cybersecurity program includes:
1. Access Controls – policies, procedures, and physical and logical controls to: (a) limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (b) ensure that all members of its workforce who require access to customer data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; and (c) authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing customer data or information relating thereto to unauthorized individuals.
Security Awareness Training – CoStar employees are required to undergo role-relevant security awareness training upon hire and once annually thereafter. Social engineering simulations are performed against the entirety of the CoStar user base at least quarterly. Software development personnel are required to undergo secure code training upon hire and once annually thereafter.
2. Security Incident Response Procedures – A formal Incident Response Plan, which defines expected incident response activities, is established. The Incident Response Plan sets expectations and requirements for the identification of incidents, validation of incidents, continuous assessment and investigation of incidents, containment of incidents, remediation of incidents, and ‘lessons learned’ activities. A formal register of Incident Response personnel is maintained, and the Incident Response Plan is reviewed at least annually. The CoStar Cybersecurity Team facilitates quarterly Incident Response Tabletops. CoStar will follow documented incident response procedures to comply with applicable laws and regulations, including data breach notifications.
Incident notifications are provided without undue delay, but in any event within seventy-two (72) hours after CoStar’s validation of a material information security incident known or reasonably suspected to affect customer’s data.
3. Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage customer data or production systems that contain customer data, including a data backup, a disaster recovery plan, and a business continuity plan.
4. Monitoring Controls – hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
5. Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of customer data and protect it from disclosure, improper alteration, or destruction.
6. Storage and Transmission – technical security measures to guard against unauthorized access to customer data that is being transmitted over an electronic communications network or stored electronically. Customer data shall not be stored or otherwise utilized within lower environments of the CoStar Debt Solutions service (e.g., Development, Test, and/or Staging environments).
7. Secure Disposal – policies and procedures regarding the disposal of tangible property containing customer data, taking into account available technology so that customer data cannot be practicably read or reconstructed.
8. Assigned Security Responsibility – designate security and cybersecurity officials responsible for the development, implementation, and maintenance of its Security and Cybersecurity program. The Security and Cybersecurity program is documented within policies and procedures reviewed at least annually.
9. Testing and Audits – regularly test the key controls, systems and procedures of its systems and security program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests shall be performed by a reputable, independent third party. Penetration assessments shall be performed on an annual basis. The CoStar Debt Solutions control environment undergoes SOC 2 Type 2 audits against the trust services principles of Security, Availability, and Confidentiality on a 12-month period. Letters of attestation and SOC 2 Type 2 reports are made available via the CoStar Trust Center.
10. Vulnerability Management – a Vulnerability Management Standard is maintained and practiced, which sets expectations for the monitoring, identification, prioritization, and remediation timelines for identified vulnerabilities. CoStar Debt Solutions assets are scanned periodically – no less frequently than quarterly.
11. Secure Software Development Lifecycle – development of the CoStar Debt Solutions platform is performed by CoStar employees located in the United States of America. Software development activities adhere to a defined Secure Software Development Lifecycle, which includes requirements for segregation of duties, periodic static application security testing, and peer code reviews.
12. Risk Management – An Audit Committee is appointed and oversees the Company’s cybersecurity risks, controls, and procedures.
Risk assessments are performed against Subservice Organizations supporting the CoStar Debt Solutions platform at least annually.
Location of Data and Infrastructure – the CoStar Debt Solutions platform is hosted within the United States of America.
13. Program Adjustments – monitor, evaluate, and adjust, as appropriate, its systems and security program in light of any relevant changes in technology or internal or external threats to CoStar or the customer data, and CoStar’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. Details regarding CoStar’s information security program are provided via the Trust Center.
Service Level Commitments:
CoStar aims for high availability for our services. This means high availability of the Debt Solutions platform to our customers as well as high availability of the communications flow between our infrastructure and our customers’ monitored and managed environments.
To attain this goal, the Debt Solutions platform will be available at the point of connection of CoStar’s content delivery network to the Internet for 99.9% of the time during each month of the term of this Agreement, excluding planned maintenance windows.
In the event that this availability is not met for a given calendar month, CoStar’s customers shall be entitled to a monetary credit up to an amount equal to 1/30th of the monthly rate paid for services delivered during that calendar month. In order for a customer to receive a service level credit, the notification of the service level failure must be submitted by the customer to CoStar within thirty (30) days of such failure. CoStar will research the request and respond to the customer within thirty (30) days from the date of the request. The total amount credited to a customer in connection with any of the above service levels in any calendar month will not exceed the monthly service fees paid by customer for the Debt Solutions platform services. Except as otherwise expressly provided hereunder or in the Agreement, the foregoing service level credit(s) shall be customer’s exclusive remedy for failure to meet or exceed the foregoing service levels.
CoStar makes no guarantee as to the availability or performance of the Internet at large between its customers and the Internet. CoStar’s measurement of the 99.9% availability is executed from multiple sites throughout the Internet to the Debt Solutions platform.
Last modified: May 18, 2026