SCFCU places a high priority on security, and utilizes security measures to protect not just nonpublic personal information and information about "covered accounts" (as defined in Part 717), but all types of confidential information that it receives from its member credit unions.

Under Part 717 of the NCUA's Regulations, SCFCU is deemed to be a "service provider" to its member credit unions. We are providing this Affidavit in order to assist our member credit unions in their compliance with Part 717. The Affidavit is written in general language so that our member credit unions can utilize the Affidavit regardless of the level of complexity of their security programs.

Each credit union for which SCFCU is a "service provider" is hereby authorized to consider this Affidavit to be a contractual agreement with SCFCU, or to be an amendment of any agreements or Schedules that the credit union has entered into with SCFCU.

• SCFCU agrees to utilize policies and procedures, developed by the corporate, that are designed to prevent, detect and mitigate the risk of security breaches that could result in a member of a credit union, or any other person, being exposed to identity theft. These policies and procedures will apply to all circumstances in which SCFCU processes or otherwise has access to confidential information, whether in connection with providing services for a "covered account" held at a credit union or otherwise.
• SCFCU agrees not to use nonpublic personal information about any credit union's members, or about any other person, for any purpose other than those purposes for which the credit union disclosed the information to SCFCU, including servicing and processing of transactions in the ordinary course of business.
• SCFCU will utilize security measures that SCFCU deems to be appropriate for the protection of nonpublic personal information about credit union members and other persons, with particular attention to protection against unauthorized access to or unauthorized use of such information that could result in substantial harm or inconvenience to any credit union'ss members or to any other person.
• If an incident occurs that involves unauthorized access to or unauthorized use of nonpublic personal information about any credit union's members or about any other person, SCFCU will take actions that SCFCU deems to be appropriate, including notification to the affected credit union as soon as possible of any such incident.
• From time to time, if requested by a credit union, SCFCU will make available to the credit union information deemed by SCFCU to be appropriate as to the security measures, controls, systems and procedures that SCFCU uses for the protection of nonpublic personal information.
• SCFCU will utilize security measures designed to accomplish the proper disposal of nonpublic personal information held by SCFCU. If immediate deletion or disposal of the nonpublic personal information held by SCFCU is not feasible, then until the date when deletion or disposal of the information occurs, SCFCU will continue to utilize security measures designed to protect the information against unauthorized access and against unauthorized use.