Direct Mortgage Loans, LLC
Privacy Policy
Version 3.0

Chapter 1  Introduction

Direct Mortgage Loans, LLC (“Company”) understands the importance of protecting nonpublic and customer information and has adopted this Privacy Policy (“Policy”) to abide by privacy protection laws.

This Policy describes how the Company protects personally identifiable information (“PII”) and defines roles and responsibilities of the Company’s employees in managing the potential risks associated with PII.

Before Company collects personally identifiable information (“PII”)*, customers are notified that such information is being collected, why it is being collected, and how it will be used. Company only collects the minimum amount of PII necessary to achieve the task. In the event Company collects more PII than necessary, the information is returned or it is destroyed in accordance with Company policy. The company works to ensure that the PII on record is accurate, relevant, timely, and complete. The company holds itself accountable for handling PII appropriately and trains all of our employees to make sure they know how to ensure that PII remains protected.

Chapter 2 Commitment to Privacy

Direct Mortgage Loans, LLC has nine privacy principles that guide when and how PII is collected, used, shared, and protected.

  1. Purpose of collection

Direct Mortgage Loans, LLC will state the purpose and legal authority for collecting PII.

  2. Openness and transparency

Direct Mortgage Loans, LLC will notify customers as to the PII collected from them, as well as how it will be protected, used, and shared. A convenient way for customers to learn about what is happening to their PII will be provided.

  3. Data minimization

Direct Mortgage Loans, LLC will limit the collection of PII to what is needed to accomplish the stated purpose for its collection. Direct Mortgage Loans, LLC will keep PII only if needed to fulfill its stated purpose.

  4. Limits on uses and sharing of information

Direct Mortgage Loans, LLC will provide notice about how it plans to use and share the PII that has been collected. The company will only use or share PII in a manner compatible with the notice, as stated in the Privacy Act, or as explicitly mandated or authorized by law.

  5. Data quality and integrity

Direct Mortgage Loans, LLC will make reasonable efforts to ensure that all PII it maintains is accurate, relevant, timely, and complete.

  6. Security

Direct Mortgage Loans, LLC will protect PII from loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

  7. Individual participation

Direct Mortgage Loans, LLC will, in most cases, give customers the ability to access their PII and allow them to correct or amend it if it is inaccurate.

  8. Awareness and training

Direct Mortgage Loans, LLC will train all Company employees about how to secure PII properly to ensure that it remains protected.

  9. Accountability and auditing

Direct Mortgage Loans, LLC will ensure accountability in the handling of PII through strict policies and procedures communicated to all Company employees. Independent auditors hold the Company accountable for complying with these policies and procedures. The company also conducts its own internal audits to ensure that responsibilities are being met and takes swift and immediate action if any violations of law or our policies or procedures are uncovered.

Chapter 3   Chief Privacy Officer

Direct Mortgage Loans, LLC’s Chief Privacy Officer (“CPO”) is the Company’s Senior Official for Privacy, and is responsible for overseeing, coordinating, and facilitating the Company’s compliance efforts in accordance with applicable privacy requirements in statute, regulation, and policy. The CPO evaluates the privacy implications of legislative, regulatory, and other policy proposals and ensures that the technology used by Direct Mortgage Loans, LLC upholds privacy protections. The CPO manages privacy risks associated with all of the Company’s activities that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII. The CPO is responsible for ensuring that all employees are familiar with information privacy laws, regulations, policies, and procedures and understand the serious consequences and ramifications of inappropriate access, use, or disclosure of PII.

The CPO ensures completion of System of Records Notices (“SORN”), Privacy Impact Assessments (“PIA”), and provision of appropriate privacy notice. The CPO is also responsible for ensuring that Direct Mortgage Loans, LLC takes steps to eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to the use of Social Security numbers as a personal identifier. The CPO and the privacy program are an important part of a comprehensive approach to effective acquisition and management of Company information resources.

Chapter 4   Training Company Employees

Direct Mortgage Loans, LLC trains all employees to maintain strict confidentiality, protection, and respect for PII they encounter in the course of their duties.

The CPO provides specific training for all operational units that handle PII.

Chapter 5   Limiting Access to Information

Direct Mortgage Loans, LLC only allows access to PII to authorized individuals with legitimate need-to-know access.

Company employees will:

  • Only access PII as authorized and as needed to carry out official
  • Disclose PII only as authorized by
  • Ensure that they protect and dispose of PII in accordance with applicable laws, regulations, and Company policies and procedures. This includes:
    • Storing all digital customer PII in cloud-based loan origination PII necessary for the origination and closing of loans will be retained for a minimum of three years, unless otherwise mandated by a specific law or regulation. Additionally, Company complies with all local, state, and federal requirements for document retention.
    • Temporary collection of hard-copy PII will be stored in fireproof filing cabinets before it is uploaded to secure servers. Once uploaded, hard-copy PII is either returned to the customer or disposed of through locked shredder bins.
    • Unapproved storage methods include:
      • USB Thumb Drives
      • Email inbox or other email file folders including trash or archived folders
      • Mobile Devices (Including Non-Company issued Cell Phones)
      • Personal Email Inboxes
      • External Hard Drives
      • Personal Computers (Not issued by Direct Mortgage Loans)
  • Only use PII for the purposes it was collected unless other purposes are explicitly mandated or authorized by law.
  • Establish and maintain appropriate administrative, technical, and physical safeguards to protect

Company system owners and managers will:

  • Meet all responsibilities for employees related to PII as outlined
  • Follow applicable laws, regulations, and Company policies and procedures in the development, implementation, and operation of information systems under their control.
  • Conduct a risk assessment to identify privacy risks and determine the appropriate security controls to protect against This includes safeguards, such as encryption, to prevent unauthorized access to, loss of, or theft of laptops and/or other portable media devices (including thumb drives, portable hard drives, cell phones, etc.)
  • Ensure that only the minimum PII that is necessary and relevant for legally mandated or authorized purposes is collected.
  • Ensure that disposal of PII complies with this policy including:
    • Professionally wiping laptops, hard drives, thumb drives, or servers before disposal
    • Hard-copy PII is either returned to the customer or disposed of in locked shredder bins when no longer needed.

All Will:

  • Monitor existing safeguards to ensure that all customer PII is safe and not at risk of exposure to unauthorized parties
  • Active company safeguards include:
    • All office locations are locked and secured; only accessible by company-issued badges
    • Visitors must be rung in by reception and escorted to their destination
    • Encryption of any email containing sensitive data
    • Company-issued laptops are encrypted upon distribution
    • Company-issued laptop USB drives are disabled
    • Passwords for computers and laptops must be changed every 60 days

Chapter 6   Third Parties

Third parties, such as credit reporting agencies, banks, employers, investors, or government agencies that have access to information collected by Direct Mortgage Loans, LLC, shall comply with these requirements. These relationships are governed by our Vendor Management Policy which minimally requires that all vendor relationships are assessed annually including compliance with this Privacy Policy.

The company will ensure that PII is transmitted either through encrypted emails or through a secure portal that is established for the express purpose of transmitting PII securely.

*The Office of Management and Budget has defined “Personally Identifiable Information” as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” Office of Management and Budget, M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, Jan. 3, 2017. Direct Mortgage Loans, LLC has adopted this definition in its entirety for the purposes of this policy and the Company’s Data Classification.

Chapter 7   Policy Revision History

Revision/Annual Review Date | Description of Revision | Approved By | Revision
? | Policy Created | ?Erin Naylor |
9/1/2021 | Active Safeguards | Erin Naylor | 1
1/22/23 | Updated and Reviewed | Erin Naylor |