RMS Privacy Policy

Rev. 06-2018

Risk Mitigation Services, Inc. (RMS)

Privacy Policy

Privacy Information

Risk Mitigation Services, Inc. (RMS) is a Consumer Reporting Agency (CRA) that is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). RMS prepares Consumer Reports for authorized employers under the provisions of the federal Fair Credit Reporting Act (FCRA). The RMS privacy policy is very simple: RMS only collects applicant data pursuant to written Authorization and Disclosure under the FCRA and only disseminates consumer reports to employers as directed in the written authorization. In other words, data is only collected and distributed at the direction and with the authorization of consumers. The data is maintained on a secured site. RMS maintains strict policies and procedures in all aspects of its operation to protect the privacy of consumers.

Notice

Risk Mitigation Services, Inc. receives personal information about consumers from its clients or directly from the consumer with their acknowledgement and consent. RMS’ clients (employers or other background screening firms) certify to RMS that they have obtained the consumer’s consent to share this information for a permissible purpose, usually for use in making employment-related decisions (whom to hire, retain, promote, reassign, etc.), or for license applications (for professional or business purposes). Services are performed in accordance with applicable local and national laws. The scope of this notice covers EU and Switzerland consumer report data that RMS has obtained on behalf of clients by contacting the appropriate sources of the data (courts, law enforcement agencies, educational institutions, employers, etc.).

Accountability for Onward Transfer

RMS discloses personal data that it collects to third parties in connection with the business transaction for which it was collected. Third party disclosure of the information may include RMS’ client whom the consumer has authorized to receive such information, and the third-party representatives of RMS authorized to receive such information (affiliate companies, agents, in-country sources, educational institutions, employers, courts, law enforcement agencies and other persons or entities that may provide or verify information as necessary for RMS to process the authorized transaction). Information you provide may also be disclosed in response to lawful requests by public authorities, including disclosures to meet national security or law enforcement requirements (subpoenas, court orders, etc.). In cases of onward transfer to third parties of data of EU and Switzerland consumers received pursuant to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, RMS is potentially liable.

Third party disclosure of the information you provide may include affiliate companies, third party agents, in-country sources, educational institutions, employers, courts, law enforcement agencies and other persons or entities that may provide or verify information as necessary for RMS to process your transaction. Information you provide may also be disclosed in response to legal requirements. RMS does not sell or rent the personal information you provide.

RMS does NOT send U.S. applicant information outside of the U.S. for processing. Once data leaves the U.S., the data is beyond the reach of U.S. privacy laws and there are no meaningful privacy protections. RMS believes that firms that send data outside the U.S. put applicants and employers at great risk, for no other reason than to make a little more money. In some countries, it is a well-known fact that U.S. identities are stolen and used for identity theft. As a practical matter, someone in the U.S. has no ability to hire a lawyer in a foreign country to pursue legal action or to contact a foreign police authority to get any action taken. The only exception is where RMS is asked to perform an international verification and the information resides outside of the U.S. Even in that situation, RMS goes to great lengths to protect applicant data by going directly to the school or employer. If it is necessary to have a researcher do research in a foreign country, RMS only releases the minimum information absolutely necessary.

RMS strongly advises all employers to ask a screening firm if they send data outside of the U.S. and to seriously consider the dangers to their hiring processes and to their applicants.

Collection of Personally Identifiable Information

This web site collects personally identifiable information online from individuals in the following way: a potential customer has the opportunity to e-mail this site in order to obtain information about our services. Any information given to this site is entirely under the control of the party who chooses to provide it.

No Passive Information Techniques

This site does not engage in any passive information techniques.

Your Information is Not Shared with Unauthorized Third Parties

Under lawful requests by public authorities, including to meet national security or law enforcement requirements, we may have to disclose personal information.

No information provided to this site through e-mail or any other method is ever released, utilized or shared with anyone else, including, but not limited to, third parties or affiliates.

Proprietary, Secure and Certified Technology

The RMS client web portal is a separate web site that is only available to RMS customers and is utilized as a means for RMS to receive orders from authorized employers and to transmit information to and from authorized users. However, all such usage is strictly between RMS and business entities whose legitimate need for the information and permissible purpose has been verified pursuant to section 607(a) of the FCRA, which is enforced by the Federal Trade Commission (FTC) and which states: (a) Identity and purposes of credit users. Every consumer reporting agency shall maintain reasonable procedures designed to avoid violations of section 605 [§ 1681c] and to limit the furnishing of consumer reports to the purposes listed under section 604 [§ 1681b] of this title. These procedures shall require that prospective users of the information identify themselves, certify the purposes for which the information is sought, and certify that the information will be used for no other purpose. Every consumer reporting agency shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by such prospective user prior to furnishing such user a consumer report. No consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed in section 604.

All data on the RMS system is protected by secure access, ensuring “for-your-eyes-only” data exchange. Viewing of information is restricted to the users and customers that should have it, using state of the art security, including 128-bit SSL encryption and strong password protection. Our data is housed in a secure data center that is an SSAE 16 Level II Certified and PCI Certified Data Center. These standards require strict adherence to controls, including change control, by personnel. The security audit is completed under SSAE 16 guidelines. The privacy and integrity of all information is fully protected. All employees who have access to any information from this site have signed privacy agreements and are regularly trained in privacy practices and procedures. RMS maintains a Written Information Security Policy (WISP) in conformity with Massachusetts requirements under 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH (http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf). In the event of a data breach, RMS acts in conformity with the applicable data breach laws.

Data Integrity and Purpose Limitation

In accordance with applicable law, RMS takes reasonable steps to ensure that the information RMS collects is accurate, complete, current and reliable for its intended use. RMS only collects data that is necessary for the purposes listed under the section on “Notice.” RMS takes reasonable and appropriate measures to retain personal data only for as long as RMS has a legitimate legal or business need, such as compliance with legal or contractual retention obligations, retention for audit purposes, customer service, security and fraud prevention, preservation of legal rights or other reasonable purposes consistent with the purpose of the collection of the information. RMS will adhere to the Principles for as long as RMS retains personal data transferred in reliance upon the Privacy Shield.

RMS makes every effort to ensure that the data it collects and stores is as accurate as possible. RMS cannot guarantee, however, that third parties are accurate in their information. Therefore, RMS denies any responsibility for the accuracy of the data supplied by any third-party sources of information or by RMS’ clients.

Retention & Destruction of Your Information

Information is retained pursuant to the FCRA for a minimum of six (6) years. The method for a consumer to opt out of RMS obtaining information is to not consent to a pre-employment background screening with a prospective or current employer. Once a consumer has consented to such a screening, RMS must retain information on file for U.S. residents for the six (6) year period.

In the event RMS destroys any information provided by employers, applicants, or third parties during the course of its work, the destruction is accomplished in accordance with the approved document disposal rules formulated by the Federal Trade Commission (FTC). For more information, read the FTC Guidance ‘Disposing of Consumer Report Information? Rule Tells How.’ (https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how)

You Have Rights

Any consumer may exercise their right to inspect any data about them and to object to any data pursuant to the FCRA and applicable state law. See “A Summary of Your Rights Under the Fair Credit Reporting Act” (/file/A-Summary-of-Your-Rights-Under-the-FCRA.pdf) (Un resumen de sus derechos en virtud de la Ley de Informe Justo de Crédito (/file/A-Summary-of-Your-Rights-Under-the-FCRA-Spanish.pdf)) prepared by the Consumer Financial Protection Bureau (CFPB). Also, learn about your right to request a copy of your data on the FACT Act Compliance page (/Fact-Act-Compliance/).

Personal Information Disclosure: United States or Overseas

Risk Mitigation Services, Inc. (RMS) opposes the “offshoring” of Personally Identifiable Information (PII) of consumers – such as names, dates of birth, and Social Security numbers (SSNs) – sent overseas outside of the United States and its territories and beyond the protection of U.S. Privacy laws. Our mission is to protect the PII of consumers, which is best done by keeping all such information in the United States.

Risk Mitigation Services, Inc. does not transmit, share, or transfer personal and identifiable information outside the United States or its territories for the purposes of processing or preparing consumer reports. The sole exception occurs where there is a request for an international background check and the information needed for the report is located outside of the U.S. or its territories. Even in that situation, RMS does not transfer personal information unless absolutely required and would only transfer the minimum information needed to prepare the report.

Domestic Background Screening: where a CRA (background screening firm) provides background screening services for consumers in the United States based upon information available in the U.S., all work is done in the U.S.

International Screening: where there is an international background check for verification of employment, education, or a professional degree, or for a criminal record check, some information may have to go offshore by necessity since the information being sought is offshore. However, our firm takes extra measures to protect personal and confidential data:

a.) Documentation or information such as passport numbers, unique identification numbers and date of birth are not sent to anyone overseas other than the actual verification provider (e.g. employer or school registrar) whenever possible.

b.) Where it is necessary to utilize a local firm, the local firm will first be asked to provide local contact information so that the CRA can contact the foreign verifying party directly.

c.) If, due to infrastructure or other issues in a foreign country, a foreign research firm must perform the verification, then the CRA or its agent has properly vetted the local firm and will redact any unnecessary information.

Children’s Online Privacy Protection Act Compliance

We are in compliance with the requirements of COPPA (Children’s Online Privacy Protection Act). We do not collect any information from anyone under 13 years of age (“Children”). Our website, products, and services are all directed to people who are at least 13 years old.

We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

Service Providers

We may employ third-party companies to facilitate our service, to provide the service on our behalf, or to perform service-related services within the scope of the Notice. We may also use third-party services for payment processing. We will not store or collect your payment card details. That information is provided directly to our third-party payment processors. All third-party service providers’ use of your personal information is governed by their Privacy Policy. A list of third-party service providers is available to you by calling 866-383-1180 and asking for the Data Protection Officer.

Choice

Risk Mitigation Services, Inc. affords individuals the opportunity to choose whether their personal information will be disclosed to a third party or will be used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. Therefore, consumer data may be disseminated under these circumstances unless the consumer explicitly opts out. Where a consumer chooses to opt out, the data is not necessarily erased or deleted. Various laws require that the data be maintained on file for a specified period of time for consumer protection purposes. A consumer can opt out by contacting Risk Mitigation Services, Inc. by e-mail at the address listed below.

How Consumers Dispute Information in a Consumer Report

If consumers are the subject of a consumer report prepared by Risk Mitigation Services, Inc. (RMS) and find incorrect or incomplete information, they have the right under federal law to dispute it.

The following links will take consumers to the document ‘A Summary of Your Rights Under the Federal Fair Credit Reporting Act’ provided by the Consumer Financial Protection Bureau (CFPB):

A Summary of Your Rights Under the Federal Fair Credit Reporting Act (/file/A-Summary-of-Your-Rights-Under-the-FCRA.pdf)

Un resumen de sus derechos en virtud de la Ley de Informe Justo de Crédito (Spanish Version of Summary of FCRA Rights) (/file/A-Summary-of-Your-Rights-Under-the-FCRA-Spanish.pdf)

EU-U.S. Privacy Shield Framework

In February 2016, the EU Commission and the U.S. agreed on a new framework for data transfers called the EU-U.S. Privacy Shield. On August 1, 2016, the EU-U.S. Privacy Shield Framework (https://www.privacyshield.gov/EU-US-Framework), designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic that transfer personal data from the European Union (EU) to the United States (U.S.) with a mechanism to comply with EU data protection requirements, went into effect. Risk Mitigation Services, Inc. complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Risk Mitigation Services, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

Swiss-U.S. Privacy Shield Framework

Risk Mitigation Services, Inc. (RMS) complies with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from Switzerland. RMS has certified that it adheres to the principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (Updated February 2018) (/file/EU-US-and-Swiss-US-Privacy-Shield-Policies-2018.pdf)

Contact RMS for Privacy Questions or Concerns

In compliance with the Privacy Shield Principles, Risk Mitigation Services, Inc. commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Risk Mitigation Services, Inc. at:

Ben Shelton
Data Protection Officer
Risk Mitigation Services, Inc. (RMS)
United States
Telephone: 866-383-1180
Email: info@riskmitigation.us

Please note that if your complaint is not resolved through this method, under limited circumstances, where permitted by the Privacy Shield Program, a binding arbitration option is available if the individual believes there has been a violation of Privacy Shield Requirements that has not been appropriately addressed by RMS.

Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Risk Mitigation Services, Inc.’s internal processes, Risk Mitigation Services, Inc. has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

RMS reserves the right to modify or change its privacy policy. All such changes will be posted on this page.

Copy of Privacy Policy

For a copy of the RMS Privacy Policy, print this web page or contact info@riskmitigation.us