CoStar Lender

Security, Cybersecurity and Service Level Commitments

CoStar’s Security and Cybersecurity program includes:

1. Access Controls – policies, procedures, and physical and logical controls to: (a) limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (b) ensure that all members of its workforce who require access to customer data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; and (c) authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing customer data or information relating thereto to unauthorized individuals.

2. Security Awareness and Training – a security awareness and training program for all members of CoStar’s workforce (including management).

3. Security Incident Procedures – a security incident response plan that includes procedures to be followed in the event of any actual security breach of customer data or any security breach of any application or system directly associated with the accessing, processing, storage, communication or transmission of customer data.

4. Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage customer data or production systems that contain customer data, including a data backup and a disaster recovery plan.

5. Audit Controls – hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

6. Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of customer data and protect it from disclosure, improper alteration, or destruction.

7. Storage and Transmission – technical security measures to guard against unauthorized access to customer data that is being transmitted over an electronic communications network or stored electronically.

8. Secure Disposal – policies and procedures regarding the disposal of tangible property containing customer data, taking into account available technology so that customer data cannot be practicably read or reconstructed.

9. Assigned Security Responsibility – designate security and cybersecurity officials responsible for the development, implementation, and maintenance of its Security and Cybersecurity program.

10. Testing – regularly test the key controls, systems and procedures of its systems and security program to ensure that they are properly implemented and effective in addressing the threats and risks identified.

11. Program Adjustments – monitor, evaluate, and adjust, as appropriate, its systems and security program in light of any relevant changes in technology or internal or external threats to CoStar or the customer data, and CoStar’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

Service Level Commitments:

CoStar aims for high availability for our services. This means high availability of the Lender platform to our customers as well as high availability of communications flow between our infrastructure and our customers monitored and managed environments.

To attain this goal, the Lender platform will be available at the point of connection of CoStar’s content delivery network to the Internet for 99.9% of the time during each month of the term of this Agreement, excluding planned maintenance windows.

In the event that this availability is not met for a given calendar month, CoStar’s customers shall be entitled to a monetary credit up to an amount equal to 1/30th of the monthly rate paid for services delivered during that calendar month. In order for a customer to receive a service level credit, the notification of the service level failure must be submitted by the customer to CoStar within thirty (30) days of such failure. CoStar will research the request and respond to the customer within thirty (30) days from the date of the request. The total amount credited to a customer in connection with any of the above service levels in any calendar month will not exceed the monthly service fees paid by customer for the Lender platform services. Except as otherwise expressly provided hereunder or in the Agreement, the foregoing service level credit(s) shall be customer’s exclusive remedy for failure to meet or exceed the foregoing service levels.

CoStar makes no guarantee to availability or performance of the Internet at large between its customers to the Internet. CoStar’s measuring of 99.9% is executed from multiple sites throughout the internet to the Lender platform.

Last modified: February 2, 2022