Common use of Confidentiality of Information/Conflict Clause in Contracts

Confidentiality of Information/Conflict. of Interest Parameters‌ The MPF Bank or MPF Provider may furnish the PFI or Servicer with information and documentation that the MPF Bank or MPF Provider has identified as “confidential information”. Said confidential information may include, but is not limited to, information and documentation regarding the development, negotiation, operation or terms of various products, programs, technology, business terms, trade secrets, certain commercial and financial information, and/or “material inside information” within the meaning of the federal securities laws. Confidential information may include information belonging to third parties. The PFI and Servicer must treat all confidential information and all information or materials prepared from said information, defined as “derivative information”, as strictly confidential and proprietary. The PFI and Servicer must not release or disclose or permit the release or disclosure of confidential information or the derivative information, or any portion thereof, for any purpose except to the extent allowed by this section, expressly required or consented to by the MPF Bank or MPF Provider, as the case may be, in writing, or, ordered by a court or administrative agency. In the event the PFI or Servicer anticipates that it may be required, for any reason, to disclose or discovers it has disclosed confidential information or derivative information, the PFI or Servicer shall immediately notify the MPF Bank or MPF Provider to allow the MPF Bank or MPF Provider to take any action it deems necessary to prevent or limit the release or disclosure of the confidential information or derivative information in question. The PFI or Servicer shall not copy or permit copies to be made of confidential information, the derivative information, or any portion thereof, except to the extent necessary for the Servicing or other obligations to the MPF Bank or MPF Provider or unless prior written consent from the MPF Bank or MPF Provider has been obtained. The PFI shall mark “Confidential” in a prominent location on all confidential information, derivative information, and on all copies. If necessary for Servicing or other obligations to the MPF Bank or MPF Provider, the PFI or Servicer may provide confidential information, derivative information, and copies thereof, to those officers, directors, principals, partners, employees of the PFI or Servicer, regulators, auditors, counsel, and accountants who are necessary for such performance. The PFI or Servicer must notify any such individuals receiving such confidential information or derivative information that such individual has the same obligations as the PFI or Servicer to keep the confidential information or derivative information confidential. Confidential information and derivative information do not include any of the following: • Information that is generally available to the public; • Information that is provided to the PFI or Servicer by a third party that is not itself under a confidentiality obligation with respect to the information; or • Information that is independently developed by the PFI or Servicer without use of the confidential information or any portion thereof. Loss of Confidential Information/Security Incident (6/14/18)32‌ In the event of any unauthorized possession, actual or suspected loss, theft, knowledge, disclosure, or improper use or access to any confidential information as well as any unauthorized access to any computer network or system containing confidential information (collectively “Security Incident”), the PFI or Servicer must report the Security Incident immediately to the MPF Bank and the MPF Provider (see Exhibit T for contact information). The PFI or Servicer must ensure compliance with all state, federal and other regulatory entities’ requirements of privacy and data laws and cooperate with the MPF Bank and MPF Provider in any investigation the MPF Bank or the MPF Provider deems necessary. The PFI or Servicer must also take immediate steps, in consultation with the MPF Bank and the MPF Provider, to mitigate the damages caused by such Security Incident and promptly use all commercially reasonable efforts to prevent further Security Incidents. When a PFI or Servicer determines a Security Incident has occurred they must immediately/ as soon as possible provide the following information to the applicable MPF Bank and MPF Provider: • A detailed description of the scope of the incident, including the number of impacted individuals, and states where they reside. • A description of the related personally identifiable information (PII). • An explanation of the root cause (if known). • Advise how much and what types of losses have been sustained (if known). • A response plan (including an estimated time to cure the event). • A copy of the breach notice that the PFI or Servicer plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice.MPF loan numbers (if not immediately known, as soon as reasonably practicable) for affected loans. • MPF Program product type (ex: Traditional, Xtra, Gov MBS and Direct) for affected loans. The PFI or Servicer shall pay to the MPF Bank and the MPF Provider all costs and expenses related to any Security Incidents.

Confidentiality of Information/Conflict. of Interest Parameters‌ The MPF Bank or MPF Provider may furnish the PFI or Servicer with information and documentation that the MPF Bank or MPF Provider has identified as “confidential information”. Said confidential information may include, but is not limited to, information and documentation regarding the development, negotiation, operation or terms of various products, programs, technology, business terms, trade secrets, certain commercial and financial information, and/or “material inside information” within the meaning of the federal securities laws. Confidential information may include information belonging to third parties. The PFI and Servicer must treat all confidential information and all information or materials prepared from said information, defined as “derivative information”, as strictly confidential and proprietary. The PFI and Servicer must not release or disclose or permit the release or disclosure of confidential information or the derivative information, or any portion thereof, for any purpose except to the extent allowed by this section, expressly required or consented to by the MPF Bank or MPF Provider, as the case may be, in writing, or, ordered by a court or administrative agency. In the event the PFI or Servicer anticipates that it may be required, for any reason, to disclose or discovers it has disclosed confidential information or derivative information, the PFI or Servicer shall immediately notify the MPF Bank or MPF Provider to allow the MPF Bank or MPF Provider to take any action it deems necessary to prevent or limit the release or disclosure of the confidential information or derivative information in question. The PFI or Servicer shall not copy or permit copies to be made of confidential information, the derivative information, or any portion thereof, except to the extent necessary for the Servicing or other obligations to the MPF Bank or MPF Provider or unless prior written consent from the MPF Bank or MPF Provider has been obtained. The PFI shall mark “Confidential” in a prominent location on all confidential information, derivative information, and on all copies. If necessary for Servicing or other obligations to the MPF Bank or MPF Provider, the PFI or Servicer may provide confidential information, derivative information, and copies thereof, to those officers, directors, principals, partners, employees of the PFI or Servicer, regulators, auditors, counsel, and accountants who are necessary for such performance. The PFI or Servicer must notify any such individuals receiving such confidential information or derivative information that such individual has the same obligations as the PFI or Servicer to keep the confidential information or derivative information confidential. Confidential information and derivative information do not include any of the following: • Information that is generally available to the public; • Information that is provided to the PFI or Servicer by a third party that is not itself under a confidentiality obligation with respect to the information; or • Information that is independently developed by the PFI or Servicer without use of the confidential information or any portion thereof. Loss of Confidential Information/Security Incident (6/14/18)32‌ In the event of any unauthorized possession, actual or suspected loss, theft, knowledge, disclosure, or improper use or access to any confidential information as well as any unauthorized access to any computer network or system containing confidential information (collectively “Security Incident”), the PFI or Servicer must report the Security Incident immediately to the MPF Bank and the MPF Provider (see Exhibit T for contact information). The PFI or Servicer must ensure compliance with all state, federal and other regulatory entities’ requirements of privacy and data laws and cooperate with the MPF Bank and MPF Provider in any investigation the MPF Bank or the MPF Provider deems necessary. The PFI or Servicer must also take immediate steps, in consultation with the MPF Bank and the MPF Provider, to mitigate the damages caused by such Security Incident and promptly use all commercially reasonable efforts to prevent further Security Incidents. When a PFI or Servicer determines a Security Incident has occurred they must immediately/ as soon as possible provide the following information to the applicable MPF Bank and MPF Provider: • A detailed description of the scope of the incident, including the number of impacted individuals, and states where they reside. • A description of the related personally identifiable information (PII). • An explanation of the root cause (if known). • Advise how much and what types of losses have been sustained (if known). • A response plan (including an estimated time to cure the event). • A copy of the breach notice that the PFI or Servicer plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice.MPF loan numbers (if not immediately known, as soon as reasonably practicable) for affected loans. • MPF Program product type (ex: Traditional, Xtra, Gov MBS and Direct) for affected loans. The PFI or Servicer shall pay to the MPF Bank and the MPF Provider all costs and expenses related to any Security Incidents.. 32 MPF Announcement 2017-44 (8/25/17) MPF Announcement 2018-31 (6/14/18)