
OPPORTUNITY FUND COMMUNITY DEVELOPMENT

DATA SECURITY PROGRAM

This Program consists of the following component policies governing different aspects of information
security for Opportunity Fund (herein defined as “Opportunity Fund”):

• The Acceptable Use Policy describes the acceptable use of information and technology resources of
Opportunity Fund. The Acceptable Use Policy protects both Opportunity Fund Personnel and
Opportunity Fund. Inappropriate use exposes Opportunity Fund to risks including virus attacks,
compromise of network systems and services, and legal issues.

• The Data Security Policy establishes processes for ensuring the security and confidentiality of
Confidential Information and creates administrative, technical and physical safeguards to protect
against unauthorized access or use of this information. Confidential Information includes sensitive
customer personal information and Opportunity Fund information and must be given the highest level
of protection against unauthorized access, modification or destruction. Unauthorized access to
customer Confidential Information may result in a significant invasion of privacy and may expose
Opportunity Fund to significant financial and reputational risk. Unauthorized access or modification
to Confidential Information may result in direct, materially negative impacts on the finances,
operations and/or reputation of Opportunity Fund. Opportunity Fund’s Confidential Information may
include financial and planning information, legally privileged information, invention disclosures and
other information concerning intellectual property.

• The E-mail Policy includes requirements for use of e-mail and computers, including access to the
Internet, within Opportunity Fund’s networks to minimize legal, privacy and security risks.

• The Password Protection Policy and Construction Guidelines establish a standard for creation of
strong passwords, the protection of those passwords and the frequency of change. Passwords are a
critical component of information security. A poorly chosen password and failure to secure the
password may result in unauthorized access and/or exploitation of Opportunity Fund resources.

• The Software Installation Policy provides the requirements regarding installation of software on
Opportunity Fund devices to minimize the risk of loss of program functionality, the exposure of
sensitive information contained within Opportunity Fund’s networks, the risk of introduction of
malware and the legal exposure of running unlicensed software.

• The Server Security Policy establishes the base configuration of internal server equipment and
standards for the web server used by Opportunity Fund because of Opportunity Fund’s online
operations and hosting of Confidential Information. Effective implementation of this Server Security
Policy will minimize unauthorized access to customer information and Opportunity Fund’s
proprietary information and technology.

• The Remote Access Policy defines the requirements for approval, monitoring and controlling remote
access tools used by Opportunity Fund Personnel to ensure the security of Opportunity Fund’s
networks.

• The purpose of the Wireless Communication Policy and Standards is to secure and protect the information assets
in Opportunity Fund’s possession, including its Confidential Information. Opportunity Fund may grant
access to these resources via wireless communication standards, and Opportunity Fund Personnel must
manage them responsibly to maintain the confidentiality, integrity and availability of all information
assets. The Wireless Communication Policy and Standards specify the technical requirements that
wireless devices must satisfy to connect to an Opportunity Fund network. Only those wireless devices that
meet the requirements specified in this standard or are granted an exception by the Information
Technology Department (“IT”) are approved for connectivity to an Opportunity Fund network.

• The Workstation Security and Clean Desk Policy secures and protects the information assets in hard
copy or electronic form in Opportunity Fund’s possession, including its Confidential Information such
as customer information.

• The Data Breach Plan defines the requirements for investigation and response including notification
to customers and regulators of a suspected or actual unauthorized release or access to customer
information whether stored by Opportunity Fund or its servicers.

OPERATING PROCEDURES

Acceptable Use Policy

The Acceptable Use Policy applies to the use of information, electronic and computing devices, and
network resources to conduct Opportunity Fund’s business or to interact with internal networks and
business systems, whether owned or leased by Opportunity Fund or Opportunity Fund Personnel. All
Opportunity Fund Personnel are responsible for exercising good judgment regarding appropriate use of
information and technology resources in accordance with Opportunity Fund Policies and standards, and
applicable law.

Under no circumstances is an employee of Opportunity Fund authorized to utilize Opportunity Fund-owned
technology resources to engage in any activity that is illegal under local, state, federal or
international law. Opportunity Fund reserves the right to monitor, intercept and review without further
notice Opportunity Fund Personnel’s use of Opportunity Fund-owned technology resources.

System and Network Activities — The following activities are strictly prohibited, with no exceptions:

• Violations of the rights of any person or Opportunity Fund protected by copyright, trade secret, patent
or other intellectual property, or similar laws or regulations, including, but not limited to, the
installation or distribution of “pirated” or other software products that are not appropriately licensed
for use by Opportunity Fund.

• Unauthorized copying of copyrighted material including, but not limited to, digitization and
distribution of photographs from magazines, books or other copyrighted sources and copyrighted
music.

• Accessing Opportunity Fund’s data, servers or accounts for any purpose other than conducting
Opportunity Fund’s business.

• Exporting software, technical information, encryption software or technology in violation of
international or regional export control laws.

• Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses,
e-mail bombs, etc.).

• Revealing Opportunity Fund Personnel’s account password to others, including household
members when work is being done at home, or allowing use of Opportunity Fund Personnel’s
account by others. (See the Remote Access Policy below).

• Using Opportunity Fund’s computing assets to actively engage in procuring or transmitting
material that is in violation of applicable sexual harassment or hostile workplace laws.

• Making fraudulent offers of products, items or services originating from any Opportunity Fund
e-mail account.

• Making statements about warranty, express or implied, unless it is a part of normal job duties.

• Effecting security breaches or disruptions of network communication. Security breaches include,
but are not limited to, accessing data of which Opportunity Fund Personnel is not an intended
recipient or logging into a server or account that Opportunity Fund Personnel is not expressly
authorized to access. A security breach is any event that causes or is likely to cause Confidential
Information to be accessed or used by an unauthorized person.

• Providing non-public information about, or lists of, Opportunity Fund Personnel to parties outside
Opportunity Fund unless it is part of our normal job duties.

• Copying account or borrower information in any form to any device other than Opportunity
Fund’s technology platforms – including personal cell phones.

• Transmitting account or borrower information outside of the Opportunity Fund without
authorization.

E-mail and Communication Activities — When using Opportunity Fund’s technology resources to
access and use the Internet, users must realize they represent Opportunity Fund. The following
activities are strictly prohibited, with no exceptions:

• Sending unsolicited e-mail messages, including the sending of “junk mail” or other advertising
material to individuals who did not specifically request such material. See Marketing Policy.

• Any form of harassment via e-mail, telephone or otherwise, whether through language, frequency
or size of messages.

• Unauthorized use, or forging, of e-mail header information.

• Creating or forwarding “chain letters,” “Ponzi” or other “pyramid” schemes of any type.

• Sending account or borrower information outside of the Opportunity Fund without authorization
from the VP of Technology or Chief Financial Officer or Chief Risk Officer.

Blogging and Social Media — Blogging by Opportunity Fund Personnel, whether using Opportunity
Fund’s property and systems or using personal computer systems, is also subject to the terms and
restrictions set forth in the Acceptable Use Policy. See the Social Media Policy in our employee
handbook.

Data Security Policy


This Policy applies to all Opportunity Fund Personnel. The Data Security Policy applies to all
information collected, stored or used by or on behalf of any operational unit, department or person
within Opportunity Fund.

All confidential and other sensitive information is to be safeguarded from unauthorized access, use,
modification or destruction.
All information covered by this Data Security and Data Breach Policy is an “Information Resource”
and is to be classified among one of three categories, according to the level of security required. In
descending order of sensitivity, these categories (or “security classifications”) are “Confidential,”
“Internal Use Only” and “Public.” An “Information Resource” is a discrete body of information
created, collected and stored in connection with the operation and management of Opportunity Fund
and used by members of Opportunity Fund having authorized access as a primary source. Information
Resources include electronic databases as well as physical files.

All Information Resources, whether physical documents, electronic databases or other collections of
information, are to be assigned to a security classification level according to the most sensitive
content contained therein and will be explicitly classified such that users of any particular data are
aware of its classification.

In the event information is not explicitly classified, it is to be treated as follows: any data that includes
any customer information shall be treated as “Confidential Information”. Other information is to be
treated as “Internal Use Only”, unless such information appears in a form accessible to the public
(i.e., on a public website or in a widely distributed publication) or is created for a public purpose
when it is to be treated as public.

“Confidential Information” includes any information containing personally identifiable information
(PII) that Opportunity Fund obtains in the process of offering a financial product or service or
accepting a donation. It includes a combination of, but not limited to: (a) first name or first initial and
last name; (b) social security or tax ID number; (c) driver’s license number or state-issued
identification number or equivalent; (d) home and/or business address; (e) financial account number,
or credit card or debit card number, with or without any required security code, access code, personal
identification number or password, that would permit access to Confidential Information. In some
cases, we may share information with external partners under contract. Our contracts will include the
appropriate Non-Disclosure Agreements AND our methods of sharing information will be secure. For
example, we may encrypt e-mails, send password protected files via SFTP, or other secure means.
Other examples include applications for credit, credit reports or other information obtained to
evaluate credit worthiness.

“Internal Use Only” includes information that is less sensitive than Confidential Information but that,
if exposed to unauthorized parties, may have an indirect or possible adverse impact on personal
interests, or on the finances, operations or reputation of Opportunity Fund. Examples include our
Credit Policies, Credit ScoreCards, Financial Reports, Board Materials, Loan Performance Reports.

“Public Information” are those items approved by at least one member of the Executive Team to be
shared publicly. Examples include publications on impact, client stories, or our annual report.

It is also Opportunity Fund’s policy to:

• Appoint the Opportunity Fund VP of Compliance to work with the Vice President of Technology
to monitor federal, state and local legislation concerning privacy and data security, stay abreast of
evolving best practices in data security and privacy and periodically assess whether any changes
should be made to the Data Security Policy.

• Ensure that terminated Opportunity Fund Personnel no longer have access to Opportunity Fund
systems that permit access to Confidential or Internal Use Only information.

Opportunity Fund maintains a computer security system that provides at a minimum, to the extent
technically feasible:

• Secure user authentication protocols, including:

o control of user IDs and other identifiers; and

o control of data security passwords to ensure that such passwords are kept in a location and/or
format that does not compromise the security of the data they protect in accordance with the
Password Protection Policy and Construction Guidelines.

• Secure access control measures, including restricting access to records and files containing
Confidential Information to those who need such information to perform their job duties.

• Encryption of all transmitted records and files containing customer Confidential Information that
will travel across public networks, and encryption of all data containing customer Confidential
Information to be transmitted wirelessly.

• Reasonably up-to-date firewall protection and operating system security patches reasonably
designed to maintain the integrity of the Information Resources.

• Reasonably up-to-date versions of system security agent software, which must include malware
protection and reasonably up-to-date patches and virus definitions, or a version of such software
that can still be supported with up-to-date patches and virus definitions and is set to receive the
most current security updates on a regular basis.

• Monitoring software for our applications and environments that scans for internal and external
vulnerabilities. Once identified, vulnerabilities are remediated in the following order of priority:

o Critical

o High

o All Else

• For data in transit, we use TLS 1.2 to secure our exchanges.

• For data at rest, we encrypt and mask fields in our customer database.

E-mail Policy

The E-mail Policy covers appropriate use of any e-mail sent from an Opportunity Fund e-mail address
and access to the Internet using Opportunity Fund’s computers and applies to all Opportunity Fund
Personnel.
All use of e-mail must be consistent with Opportunity Fund’s policies and procedures of ethical
conduct, confidentiality and security of Confidential Information, compliance with applicable laws
and best business practices.

Opportunity Fund’s e-mail system and computers, including access to the Internet, should be used
primarily for Opportunity Fund’s business-related purposes. Opportunity Fund specifically prohibits
use of the computers (including access to the Internet) and the e-mail system in ways that are
disruptive, offensive to others, including sexually explicit messages, images and cartoons; ethnic
slurs; racial comments; off-color jokes; or anything that could be construed as harassment or shows
disrespect for others, defames or slanders others or otherwise harms another person or business. All
non-Opportunity Fund-related commercial uses of the computers and e-mail are prohibited.

Opportunity Fund Personnel may not access the Internet to log onto any website that contains any
such material, including any pornographic website or any website that contains any discriminatory
message or disparages any group.

All Opportunity Fund data contained within an e-mail message or an attachment must be secured
according to this Data Security and Data Breach Policy whether it is shared internally or externally.

Opportunity Fund’s e-mail system may not be used for the creation or distribution of any messages
that are disruptive, offensive or harmful to morale, including offensive comments about race, gender,
hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political
beliefs or national origin.

Opportunity Fund Personnel are prohibited from forwarding any Opportunity Fund e-mail containing
Confidential Information to a personal e-mail account. Opportunity Fund Personnel are also
prohibited from using third- party e-mail systems and storage servers to conduct Opportunity Fund
business, to create or memorialize any binding transactions or to store or retain e-mail on behalf of
Opportunity Fund.

Using a reasonable amount of Opportunity Fund resources (as determined by Opportunity Fund) for
personal e-mails is acceptable, but non-work-related e-mail must be saved in a separate folder from
work-related e-mail. Sending chain letters or joke e-mails from an Opportunity Fund e-mail account is
prohibited.
Opportunity Fund Personnel shall have no expectation of privacy in anything they store, send or
receive on Opportunity Fund’s e-mail system.

Password Protection Policy and Construction Guidelines

Password Creation

• All user-level and system-level passwords must conform to the Password Construction Guidelines.

• Users must not use the same password for Opportunity Fund accounts as for other non-
Opportunity Fund access (for example, personal ISP account, benefits and so on).

• User accounts that have system-level privileges must have a password that is unique from all
other accounts held by that user to access system-level privileges.

Password Change

• All system-level passwords must be changed on at least an annual basis.

• All user-level passwords (for example, e-mail, web, desktop computer and so on) must be
changed at least every three months.

Password Protection

• Passwords must not be shared with anyone. All passwords are to be treated as Opportunity Fund
Confidential Information.

• With the exception of temporary passwords that must be changed on first use, passwords must
not be inserted into e-mail messages or other forms of electronic communication; revealed over
the phone to anyone; revealed on questionnaires or security forms; shared with anyone, including
administrative assistants, secretaries, managers, co-workers while on vacation and family
members; written down and stored anywhere in Opportunity Fund Personnel’s or office; or stored in
a file on a computer system or mobile devices (phone, tablet) without encryption.

• Any user suspecting that his or her password may have been compromised must report the
incident to their immediate supervisor and IT Help Desk, and promptly change all passwords.

Password Construction Guidelines

All passwords must meet or exceed the following requirements and must be changed no less
frequently than the time frames provided in the Password Protection Policy. Three out of the
following four criteria must be met:

• Contain at least 8 alphanumeric characters

• Contain both upper- and lower-case letters

• Contain at least one number (for example, 0-9)

• Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).


Opportunity Fund Personnel must never write down a password. Instead, they should try to create
passwords that can be easily remembered.

If a user attempts to sign in and consecutively fails more than five times, the user’s account will be
automatically locked, and will require the user to wait for 30 minutes before retrying or request IT to
reset the password.
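The construction guidelines, change intervals and lockout rule above are precise enough to be checked mechanically. The following is an added example (not Opportunity Fund's own code, and not prescribed by the policy) that implements them as written: the three-of-four construction rule, the three-month/annual change intervals, and the lock after more than five consecutive failed sign-ins with a 30-minute wait or an IT reset. The function and class names, the 90-day reading of "three months" and the sample sign-in sequence are assumptions made for the example.

```python
"""Added example modelled on the Password Protection Policy and Construction
Guidelines above (not Opportunity Fund's own code): the three-of-four
construction rule, the change intervals, and the lockout after more than five
consecutive failed sign-ins. Names and the lockout bookkeeping are assumptions."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional

# Special characters listed in the guidelines (straight quotes substituted
# for the typographic ones in the extracted text).
SPECIAL_CHARS = set("!$%^&*()_+|~-=\\`{}[]:\";'<>?,/")
MIN_LENGTH = 8
CRITERIA_REQUIRED = 3          # "three out of the following four criteria"
MAX_CONSECUTIVE_FAILURES = 5   # lock when consecutive failures exceed this
LOCKOUT_DURATION = timedelta(minutes=30)
# Change intervals: user-level every three months (90 days assumed here),
# system-level at least annually.
MAX_AGE = {"user": timedelta(days=90), "system": timedelta(days=365)}


def construction_criteria(password: str) -> dict:
    """Evaluate each of the four construction criteria separately."""
    return {
        "min_length": len(password) >= MIN_LENGTH,
        "mixed_case": any(c.isupper() for c in password)
        and any(c.islower() for c in password),
        "has_digit": any(c.isdigit() for c in password),
        "has_special": any(c in SPECIAL_CHARS for c in password),
    }


def meets_construction_guidelines(password: str) -> bool:
    """The policy rule as written: at least three of the four criteria."""
    return sum(construction_criteria(password).values()) >= CRITERIA_REQUIRED


def password_expired(last_changed: str, level: str, today: str) -> bool:
    """True when a password is older than the change interval for its level
    ("user" or "system"). Dates are ISO strings such as "2024-01-01"."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > MAX_AGE[level]


@dataclass
class AccountLockout:
    """Per-account failure counter implementing the lockout rule."""
    consecutive_failures: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_attempt(self, success: bool, now: datetime) -> str:
        """Apply one sign-in attempt; returns "locked", "ok" or "failed"."""
        if self.is_locked(now):
            return "locked"  # rejected; the counter is not touched
        if self.locked_until is not None:
            # The 30-minute wait has elapsed: retry allowed with a fresh count.
            self.locked_until = None
            self.consecutive_failures = 0
        if success:
            self.consecutive_failures = 0
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures > MAX_CONSECUTIVE_FAILURES:
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"

    def reset_by_it(self) -> None:
        """An IT Help Desk password reset clears the lock immediately."""
        self.consecutive_failures = 0
        self.locked_until = None


def lockout_walkthrough() -> List[str]:
    """Constructed sequence: six failures one minute apart, a retry during the
    lock, a retry after the wait has elapsed, then a successful sign-in."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = AccountLockout()
    statuses = [acct.record_attempt(False, t0 + timedelta(minutes=i)) for i in range(6)]
    statuses.append(acct.record_attempt(False, t0 + timedelta(minutes=15)))
    statuses.append(acct.record_attempt(False, t0 + timedelta(minutes=40)))
    statuses.append(acct.record_attempt(True, t0 + timedelta(minutes=41)))
    return statuses


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor", "aB1!"):
        print(pw, construction_criteria(pw), meets_construction_guidelines(pw))
    print(password_expired("2024-01-01", "user", "2024-04-15"))
    print(lockout_walkthrough())
```

One consequence of the rule as the policy states it is visible in the sample run: because minimum length is only one of the four criteria, a four-character value such as "aB1!" satisfies three of four and passes, while "password" fails. An implementer who wants length to be mandatory has to require the min_length criterion in addition to the three-of-four count; the policy text itself does not say so, so the example follows the text.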

Software Installation Policy

This Software Installation Policy applies to all Opportunity Fund Personnel with an Opportunity Fund
device. The Software Installation Policy covers all computers and servers operating within
Opportunity Fund’s network.

• Opportunity Fund Personnel may not install software on Opportunity Fund devices operated
within Opportunity Fund’s network.

• The requester’s immediate supervisor must first approve the software request and will then
forward the request to the IT Help Desk for approval.

• All software requests will be fulfilled by software approved by the IT Help Desk.

• The Technology Team will obtain and track the licenses, test new software for conflict and
compatibility and perform the installation.

Server Security Policy

General Requirements

All internal servers deployed at Opportunity Fund must be registered with the Technology Team. At a
minimum, the following information is required to positively identify the point of contact: server
contact(s) and location, and a backup contact; Hardware and Operating System/Version; and Main
functions and applications, if applicable.

• Operating System configuration should be in accordance with industry-standard practices.

• Services and applications that will not be used must be disabled where practical.

• The most recent security patches must be installed on the system as soon as practical; the only
exception being when immediate application would interfere with business requirements.

• Always use standard security principles of least required access to perform a function.

• If a methodology for secure channel connection is available, privileged access must be performed
over secure channels.

• Servers must be physically located in an access-controlled environment. Servers are specifically
prohibited from operating from uncontrolled cubicle areas.

• Opportunity Fund Personnel will receive limited permissions and privileges necessary to perform
their jobs.

Monitoring

Logs, such as network server logs and operating system logs, are maintained and monitored by IT, and all
security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

• Security-related logs will be kept online for a minimum of six months.

• Daily incremental backups of server OS logs will be retained for at least two weeks.

• Weekly full backups of server OS logs will be retained for at least one month.

• Monthly full backups of server OS logs will be retained for a minimum of three months.

Security-related events will be reported to Opportunity Fund executive management including at a
minimum the Chief Executive Officer, Head of Small Business Lending and the Chief
Financial Officer. Corrective measures will be prescribed as needed. See Data Breach Plan below for
any suspected or actual unauthorized release or access to customer information. Security-related
events include, but are not limited to:

• Port-scan attacks.

• Evidence of unauthorized access to password-controlled accounts.

• Anomalous occurrences that are not related to specific applications on the host.

Remote Access Policy

Only those Opportunity Fund Personnel who have been permitted remote access to Opportunity
Fund’s networks by IT and have installed required connection, encryption, and authentication
programs may engage in remote access. The Remote Access Policy applies to remote access
connections used to do work on behalf of Opportunity Fund, including reading or sending e-mail and
viewing intranet web resources. Remote access implementations that are covered by the Remote
Access Policy include, but are not limited to, DSL, VPN and SSH. All remote access tools used by
Opportunity Fund Personnel to communicate between Opportunity Fund’s networks or Opportunity
Fund’s devices and other systems must comply with the Remote Access Policy.

General Requirements

• Opportunity Fund Personnel with remote access privileges to Opportunity Fund’s networks are
subject to the same security and confidentiality rules that apply to their access to Opportunity
Fund’s data at an onsite location.

• General access to the Internet for use by immediate household members through Opportunity
Fund’s networks on personal computers is not permitted.

• Secure remote access must be strictly controlled. Opportunity Fund Personnel and servicers with
remote access privileges are prohibited from providing their log-in or e-mail password to anyone,
including family members.

• IT must approve non-standard hardware configurations, and IT must approve security
configurations for access to hardware.

Remote Access Tools

Opportunity Fund provides approved mechanisms to allow Opportunity Fund Personnel to connect to
Opportunity Fund’s networks remotely, collaborate with external partners and use non-Opportunity
Fund systems. Because proper configuration is important for secure use of these tools, mandatory
configuration procedures are provided by the Technology Team for each of the approved tools that
may change from time to time.

Wireless Communication Policy and Standards

All Opportunity Fund Personnel who maintain a wireless device on behalf of Opportunity Fund must
comply with this standard. This standard applies to wireless devices that make a connection with
Opportunity Fund’s networks and all wireless devices that provide wireless connectivity to the
networks.

General Requirements

All wireless devices that connect to an Opportunity Fund network or provide access to Opportunity
Fund’s Confidential Information must:

• Use Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST),
Protected Extensible Authentication Protocol (PEAP) or Extensible Authentication Protocol-
Transport Layer Security (EAP-TLS) as the authentication protocol.

All Bluetooth devices must use Secure Simple Pairing with encryption enabled.

Workstation Security and Clean Desk Policy

The Workstation Security and Clean Desk Policy applies to all Opportunity Fund Personnel and third-
party servicers with access to Opportunity Fund’s Confidential Information in hard copy or electronic
form, whether it is accessed on Opportunity Fund’s premises or at an offsite location. In the
Workstation Security and Clean Desk Policy, references to “workstation” refer to workstations both
on Opportunity Fund’s premises and in all other places where Opportunity Fund Personnel perform
Opportunity Fund work and have access to Confidential Information.

Opportunity Fund provides all Opportunity Fund Personnel with access to paper shredders, secure
storage space, password-protected screen savers and other tools to enable Opportunity Fund
Personnel to maintain the security of Confidential Information.

Opportunity Fund Personnel must:

• Restrict physical access to workstations to only authorized personnel.

• Secure workstations (screen lock or logout) prior to leaving the area for an extended period, to
prevent unauthorized access.

• Use the password-protected screen saver and a password that complies with Opportunity Fund’s
Password Policy.

• Use workstations for authorized business purposes only.

• Not install unauthorized software on workstations.

• Store all Confidential Information on encrypted file systems on network servers.

• Ensure workstation computers are left on but logged off in order to facilitate after-hours updates.

• Exit running applications and close open documents.

• Shred Confidential Information or place it in the locked confidential disposal bins.

• Promptly clear printers and fax machines of papers as soon as they are printed.

• If wireless network access is used, ensure access is secure by following the Wireless
Communication Policy.

Data Breach Plan

Security Response Team

Opportunity Fund designates the Vice President of Technology as Head of the Security Breach
Response Team. Other members of the Security Response Team will include but are not limited to:
Chief Executive Officer, Chief Financial Officer, Controller, Chief People Officer.

Reporting

All Opportunity Fund Personnel must report any known Data Breach or any incident that is likely to
cause a Data Breach to Opportunity Fund’s Head of Security Breach Response Team as soon as it is
discovered. These incidents include thefts of computer devices, and viruses, worms or computer
“attacks” that may lead to unauthorized access to Confidential Information.

Investigation

In the event of a Data Breach, the Data Breach Response Team will immediately begin an
investigation to determine the nature and scope of the incident and what customer information has
been accessed, including:

• The status of the breach. When (date and time) did the breach happen and is it an on-going or
active breach?

• How did the breach happen?

• What types of customer information were obtained and what is the sensitivity of the customer
information (name; social security number; account and password; etc.)?

• How many and which customers were affected?

• Likelihood that customer information is usable or may cause harm, and ability to mitigate the risk of
harm?

• Likelihood the customer information was intentionally targeted (increased chance for
fraudulent use)?

• Strength and effectiveness of security technologies protecting customer information
(e.g., encrypted customer information)?

If it is determined that the breach is active or on-going, Opportunity Fund will take action to prevent
further data loss by securing the system and data, blocking further unauthorized access and preserving
evidence for the investigation.

Opportunity Fund will institute internal monitoring of affected accounts to prevent further
unauthorized access.

Notification

The Data Breach Response Team will determine which parties to notify of the Data Breach in
consultation with legal counsel and make those notifications in a timely manner in accordance with
applicable data notification requirements. This may include notification to state regulators, local law
enforcement, investors, customers, credit reporting agencies and the media.

The Security Response Team will determine whether the Data Breach creates a threat to customers’
identity security and will determine whether to offer credit monitoring or identity theft protection
services.

Actions Following Data Breach

The Data Breach Response Team will ensure that appropriate remediation actions are implemented
including:

• Revisions to data collection, retention, storage and processing procedures.

• Need for additional employee training in data protection procedures.

• Review insurance policies and determine if coverage is adequate.

• Review of contract provisions with third party servicers that handle customer information.

• Review website privacy notices and terms of use and update as needed.

• Revisions to Data Breach Response Plan.

REPORTING AND MONITORING

The Compliance Department (“Compliance”) and IT are responsible for developing, implementing
and administering the Information Security Program and will report jointly on an as-needed basis, but
no less than annually, to the executive team on compliance with this Policy. Compliance in
consultation with IT will provide recommendations to the executive team for changes needed to be
made to the Information Security Program.

TRAINING

New Opportunity Fund Personnel will receive Information Security Program training as it relates to
their job responsibilities within thirty (30) days of the employee’s start date. All Opportunity Fund
Personnel will receive Information Security Program training annually or as necessary when changes
are made to this Policy and its procedures. Opportunity Fund Personnel questions related to
compliance with this Policy should be directed to Opportunity Fund Personnel’s Manager or IT.
Evidence of training will be retained and made available upon request.

RECORD RETENTION

Refer to the Record Retention Policy for additional information on departments responsible for
retaining evidence of record retention.
