Information security certifications and validation

TransUnion is committed to aligning with industry-leading cyber risk management best practices and complying with all legal and regulatory requirements. Our information security program is fundamentally based on ISO/IEC 27001:2013; it includes a global-level Information Security Department that develops the company's security policies, standards and procedures. This department centrally administers security on the major corporate platforms and oversees the administration of other systems and platforms.

TransUnion maintains several information security certifications annually, including Payment Card Industry (PCI), SSAE 18 SOC II Type II and ISO 27001. To maintain certifications and align with best practices, we conduct regular cybersecurity-related audits and assessments both internally and externally. Our internal and external independent security audits and assessments are conducted at least annually.

[Table: certifications (ISO 27001, PCI, SSAE 18 SOC 2 Type 2) by TU's business: India, United States, Canada, Brazil, Ireland, United Kingdom, Hong Kong, South Africa, Philippines; some entries are listed as "Planned for 2022".]

The types of certifications we maintain in a region are specific to the products and services we offer in that geography. We maintain ISO 27001 certifications for our operations in TransUnion - Leeds, UK; TransUnion CIBIL - Mumbai, India; and TransUnion - Sao Paulo, Brazil. Our TransUnion Consumer Interactive (TUCI) US business also maintains PCI and SSAE 18 SOC 2 Type 2 certifications.

Additionally, TransUnion conducts NIST Cybersecurity Framework assessments to continually monitor our practices. Our governance, risk and compliance programs align their methodologies with the risk management hierarchy defined in NIST SP 800-39 in order to facilitate uniform communication, reporting and treatment of information technology risks.

SECURITY, GOVERNANCE & COMPLIANCE
TRANSUNION | 2021 SUSTAINABILITY REPORT
