Information security features

TransUnion’s Information Security program is aligned with industry best practices. The features of our program include:

- Restricted data access according to job role and business unit
- Federal and state-level background checks
- Security awareness training for new hires and annual security awareness programs for all associates
- Annual attestation for security policies and agreements
- Standards for security controls, such as length of passwords, password change frequency
- Combination of key card and biometric access to sensitive areas
- Secured data centers with restricted access
- Annual penetration tests for both our external and internal networks, and customer-facing applications
- Encryption and firewall strategies for internet applications
- Dynamic and static code reviews
- System-wide Data Loss Prevention (DLP) program
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

*On an annual basis, TransUnion engages a trusted business partner (PricewaterhouseCoopers LLP) to conduct the annual review work required for the SOC 2 Type 2 Report. The scope of the report includes TransUnion’s systems relevant to our Data Centers and key applications used by our customers. The review itself is based on the criteria set forth in paragraph 1.26 of the AICPA Guide for Reporting on Controls at a Service Organization relevant to Security and Availability.

SECURITY, GOVERNANCE & COMPLIANCE
TRANSUNION | 2021 SUSTAINABILITY REPORT
