Data Access and Security Requirements

Effective Date: May 1, 2020 (v.20.1)

Under certain agreements between Customer and Everi Payments Inc. and/or its subsidiaries (collectively, “Everi” or the “Everi Companies”), and including, without limitation, Central Credit, LLC, Customer may have access to, or be provided with, certain sensitive personal information of individuals including, without limitation, names, address, Social Security numbers, birthdate, credit card and other account numbers, transaction information, credit history, e-mail address, IP address, telephone number, and other information (“Personal Information”).

Customer should examine the markets it serves and the data it stores to determine what federal or state laws and rules apply to Personal Information within their access or control through the use of Everi Companies services, in order to build and maintain a robust cybersecurity program that provides physical, administrative, and technical protection measures to comply with applicable law.

In addition to the U.S. Sarbanes-Oxley Act, Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA) and other U.S. Federal laws, at least 46 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and numerous countries have passed laws that require companies to protect the Personal Information of individuals with whom they do business (collectively, the “Privacy Protection Laws”). Noncompliance with the applicable Privacy Protection Laws can lead to enforcement by both federal and state regulators, as well as the Everi Companies immediate termination of the applicable agreements.

The GLBA and certain other Privacy Protection Laws require companies to enter into written agreements with anyone who will receive, maintain, process or access the Personal Information, and Everi is additionally required by its third-party providers of information to enter into written agreements with anyone who will receive, maintain, process or access Personal Information from Everi.

Customer hereby acknowledges that:

1. The following information security controls are required to reduce unauthorized access to Personal Information.
2. It will collect, access, store, use and disclose the Personal Information only for the purposes detailed in the applicable agreement.
3. It will implement and maintain a comprehensive, written, information security program to protect the Personal Information consistent with industry standards, which contains administrative, technical, and physical safeguards appropriate to the type and sensitivity of the Personal Information, and based on the nature and scope of its activities, is reasonably designed to effectively:
   1. safeguard the security, confidentiality, and integrity of the Personal Information,
   2. protect against any anticipated threats or hazards to the security or integrity of such information,
   3. protect against any unauthorized access to, use, modification, acquisition, or disclosure of such information that could result in substantial harm or inconvenience to any customer,
   4. mitigate the risks of, detect, promptly respond to, and resolve and remedy data breaches, transmission errors, unauthorized access, and fraud,
   5. identify and adapt effectively to new threats as the security landscape changes, and
   6. comply with all other requirements of the Privacy Protection Laws applicable to it.
4. It has, or will designate a qualified individual responsible for overseeing and implementing the information security program.
5. It will promptly provide Everi with information regarding any failure of such security measures or any security breach related to Personal Information.
6. It will not disclose to any third party, any Personal Information obtained from Everi, without the prior consent of Everi.
7. It will not disclose to any third party, any Personal Information obtained from Everi, without an agreement in writing requiring the third party to maintain, effective information security measures in accordance with law and that restrict such third party’s use of the Personal Information to not more than necessary to carry out Customer’s obligations under the applicable Everi agreement.
8. It has read, understands and agrees to implement security practices not less protective of the Personal Information than those required by applicable law and those cyber security standards generally utilized in the financial sector.
9. If the services involve use of use or access to credit or debit card data and transactions, then it will comply with the Payment Card Industry Data Security Standards applicable to it. More information is available from http://www.pcisecuritystandards.org/.

If the services involve use of consumer credit data, then the FCRA 15 U.S.C. 1681 requires that notice be provided to inform furnishers of information and users of consumer reports of their legal obligations under the FCRA. The FTC’s Web site, www.ftc.gov/credit, has more information about the FCRA, including publications for businesses and the full text of the FCRA. State law may impose additional requirements.

With respect to services related to consumer credit data, Customer hereby additionally acknowledges that:

1. It has read and understands the requirements set forth in the “Notice of Obligations of Users Under the FCRA ” and the “Notice of Obligations of Furnishers Under the FCRA”.
2. It will use the consumer credit information for no purpose other than a Permissible Purpose under applicable law including without limitation FCRA and/or GLBA, and for the type of activity expressly intended by the agreements.
3. It will not sell any report to any consumer or any other party, directly or indirectly.

Its use, and Everi’s ability to provide, certain Everi products containing data of Everi’s third-party providers such as, and without limitation, Experian, TransUnion or Equifax, may be conditioned upon Customer’s acceptance of additional terms of use and data protection specified by such third party from time to time.