Appendix Sustainability Accounting Standards Board (SASB) This report marks the second year TransUnion has reported in alignment with the Sustainability Accounting Standards Board (SASB) standards — with the purpose of providing material environmental, social and governance information to our stakeholders. The information below provides content aligned with the Professional & Commercial Services SASB standard. Unless expressly stated otherwise, all data disclosed covers the global organization and full calendar year through Dec. 31, 2021. Per our introductory disclosures, TransUnion’s SASB Appendix does not include our acquisition of Neustar and Sontiq and utilizes a pre-merger employee population. Table 1. Sustainability disclosure topics and accounting metrics TOPIC ACCOUNTING METRIC 2021 2020 2019 CODE Percentage of breaches involving Data SV-PS-230a.1 Security personally identifiable information Except as a matter of public record, TransUnion does not disclose this information. Number of users affected SV-PS-230a.2 by breach Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards TransUnion’s Global Information Security Department (GISD) is overseen by our Chief Information Security Officer and operates across all our business units and locations to reduce the impact and likelihood of potential malicious activity. Our information security program (which is fundamentally based on ISO\ IEC 27001:2013) includes a global-level Information Security Department that develops the company’s SV-PS-230a.3 security policies, standards and procedures. This includes the implementation of, and measures to maintain, reasonable and appropriate administrative, technical and physical security safeguards to: (a) ensure the security and confidentiality of non-public personal information that TransUnion receives and is obligated to maintain in confidence; (b) protect against anticipated threats or hazards to the security or integrity of such non-public personal information; and (c) protect against unauthorized access or use of such non-public personal information that could result in substantial harm or inconvenience to any consumer. APPENDIX TRANSUNION | 2021 SUSTAINABILITY REPORT 45