Controlling Access to Confidential Information. 1. Access to Confidential Information stored on Company’s systems must not be granted to members of Company’s staff, subcontractors, or other agents, unless the following conditions are met:
a) The staff member, subcontractor, or other agent requesting the access can be uniquely identified (e.g., by a unique User ID), with the exception of “root” password access provided by the Company to its core system administration team;
b) The staff member, subcontractor, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he/she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Intuit and Company (i.e., 8 characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks.
c) In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, subcontractor, or other agent to perform his or her job function. The ability to read, write, modify or delete Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions.
d) The date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file.
2. Confidential Information stored on Company’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement.
3. Secret Information must never be stored in clear text on Company’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Company’s systems from retrieval by unauthorized persons. Company should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
4. Passwords used to control Company’s staff, subcontractors, or other agents’ access to Confidential Information must at a minimum conform to the password policies described in paragraph A.1.b above. Passwords used by Company’s Customers are not required to conform to these policies; however, Company must ensure that Customers do not have access to Confidential Information other than that which pertains to them.
5. Procedures must be in place to modify or revoke access permissions to Confidential Information when staff members leave the Company or when their job responsibilities change.
6. Printed material that contains Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of Secret and Sensitive Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed contractor should be implemented.
Appears in 1 contract
Controlling Access to Confidential Information. 1. Access to Confidential Information stored on Company’s systems must not be granted to members of Company’s staff, subcontractors, or other agents, unless the following conditions are met:
a) The staff member, subcontractor, or other agent requesting the access can be uniquely identified (e.g., by a unique User ID), with the exception of “root” password access provided by the Company to its core system administration team;
b) The staff member, subcontractor, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he/she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Intuit and Company (i.e., 8 characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks.
c) In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, subcontractor, or other agent to perform his or her job function. The ability to read, write, modify or delete Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions.
d) The date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file.
2. Confidential Information stored on Company’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement.
3. Secret Information must never be stored in clear text on Company’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Company’s systems from retrieval by unauthorized persons. Company should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
4. Passwords used to control Company’s staff, subcontractors, or other agents’ access to Confidential Information must at a minimum conform to the password policies described in paragraph A.1.b above. Passwords used by Company’s Customers are not required to conform to these policies; however, Company must ensure that Customers do not have access to Confidential Information other than that which pertains to them.
5. Procedures must be in place to modify or revoke access permissions to Confidential Information when staff members leave the Company or when their job responsibilities change.
6. Printed material that contains Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of Secret and Sensitive Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed contractor should be implemented.
Appears in 1 contract
Samples: Independent Contractor Agreement
Controlling Access to Confidential Information. 1. Access to Confidential Information stored on Contractor’s systems must not be granted to members of Contractor’s staff, subcontractors, or other agents, unless the following conditions are met:
a) The staff member, subcontractor, or other agent requesting the access can be uniquely identified (e.g., by a unique User ID), with the exception of “root” password access provided by the Contractor to its core system administration team;
b) The staff member, subcontractor, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he/she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Intuit and Contractor (e.g., 8 characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks.
c) In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, subcontractor, or other agent to perform his or her job function. The ability to read, write, modify or delete Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions.
d) The date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file.
2. Confidential Information stored on Contractor’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement.
3. Secret Information must never be stored in clear text on Contractor’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Contractor’s systems from retrieval by unauthorized persons. Contractor should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
4. Passwords used to control Contractor’s staff, subcontractors, or other agents’ access to Confidential Information must at a minimum conform to the password policies described in paragraph A.1.b above. Passwords used by Contractor’s Customers are not required to conform to these policies; however, Contractor must ensure that Customers do not have access to Confidential Information other than that which pertains to them.
5. Procedures must be in place to modify or revoke access permissions to Confidential Information when staff members leave the Contractor or when their job responsibilities change.
6. Printed material that contains Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of Secret and Sensitive Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed contractor should be implemented.
Appears in 1 contract
Controlling Access to Confidential Information. 1. Access to Confidential Information stored on Company’s systems must not be granted to members of Company’s staff, Sub Suppliers, or other agents, unless the following conditions are met:
a) The staff member, Sub Supplier, or other agent requesting the access can be uniquely identified (e.g., by a unique User ID), with the exception of “root” password access provided by the Company to its core system administration team;
b) The staff member, Sub Supplier, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he / she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Intuit and Company (i.e., 8 characters minimum length, required use of special- and / or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks.
c) In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, Sub Supplier, or other agent to perform his or her job function. The ability to read, write, modify or delete Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions.
d) The date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file.
2. Confidential Information stored on Company’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement.
3. Secret Information must never be stored in clear text on Company’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Company’s systems from retrieval by unauthorized persons. Company should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
4. Passwords used to control Company’s staff, Sub Suppliers, or other agents’ access to Confidential Information must at a minimum conform to the password policies described in paragraph A.1.b above. Passwords used by Company’s Customers are not required to conform to these policies; however, Company must ensure that Customers do not have access to Confidential Information other than that which pertains to them.
5. Procedures must be in place to modify or revoke access permissions to Confidential Information when staff members leave the Company or when their job responsibilities change.
6. Printed material that contains Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of Secret and Sensitive Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed Sub Supplier should be implemented.
Appears in 1 contract
Controlling Access to Confidential Information. 1. Access to Confidential Information stored on Company’s systems must not be granted to members of Company’s staff, subcontractors, or other agents, unless the following conditions are met:
a) The staff member, subcontractor, or other agent requesting the access can be uniquely identified (e.g., by a unique User ID), with the exception of “root” password access provided by the Company to its core system administration team;
b) The staff member, subcontractor, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he/she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Intuit and Company (i.e., 8 characters minimum length, required use of special- and/or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks.
c) In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, subcontractor, or other agent to perform his or her job function. The ability to read, write, modify or delete Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions.
d) The date, time, requestor, and nature of the access (i.e., read-only or modify) has been recorded in a log file.
* We have requested confidential treatment for certain portions of this document pursuant to an application for confidential treatment sent to the SEC. We omitted such portions from this filing and filed them separately with the SEC.
2. Confidential Information stored on Company’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement.
3. Secret Information must never be stored in clear text on Company’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Company’s systems from retrieval by unauthorized persons. Company should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
4. Passwords used to control Company’s staff, subcontractors, or other agents’ access to Confidential Information must at a minimum conform to the password policies described in paragraph A.1.b above. Passwords used by Company’s Customers are not required to conform to these policies; however, Company must ensure that Customers do not have access to Confidential Information other than that which pertains to them.
5. Procedures must be in place to modify or revoke access permissions to Confidential information when staff members leave the Company or when their job responsibilities change.
6. Printed material that contains Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of Secret and Sensitive Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed contractor should be implemented.
Appears in 1 contract
Samples: Supply Agreement (Intuit Inc)