
transunion.com | Osano

Privacy Audit for transunion.com

Completed on: December 19, 2019. Expires on: January 19, 2020.

Summary

HTTPS by default: Yes
Content Security Policy: Implemented, but has problems
Referrer Policy: Referrers leaked
Cookies: 33 (14 first-party; 19 third-party)
Third-party requests: 57 requests to 36 unique hosts
Server location: United States of America
Server IP address: 66.175.240.138

Find solutions for data privacy website compliance at www.osano.com

www.osano.com


HTTPS by default

www.transunion.com uses HTTPS by default.

Osano's automated web browser reports the following:

Title | Description
Certificate valid and trusted | The connection to this site is using a valid, trusted server certificate issued by Entrust Certification Authority - L1K.
Resources all served securely | All resources on this page are served securely.
Connection: obsolete connection settings | The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_256_GCM.

The "obsolete" label comes from the browser's own TLS checks: the negotiated cipher suite uses a plain RSA key exchange, which provides no forward secrecy (a later compromise of the server's private key would decrypt previously recorded traffic). TLS 1.2 and AES_256_GCM are fine; the fix is to prefer ECDHE key exchange in the server configuration, or TLS 1.3, which only offers forward-secret key exchange.

More information about the site's TLS/SSL configuration:

• Analyze www.transunion.com on SSL Labs
• Observatory by Mozilla
• Mozilla TLS Observatory
• testssl.sh

To enable HTTPS on a website, a certificate for the domain needs to be installed on the web server. To get a certificate that browsers will trust, you need one issued by a trusted certificate authority (otherwise a visitor's browser will show a warning).

Let's Encrypt is a non-profit certificate authority (sponsored by Mozilla, EFF, Cisco, Facebook and others) providing free certificates through an easy, automated process. You can set it up yourself, or use one of the many hosting providers who have built-in support for Let's Encrypt.

• Get started with Let's Encrypt
• Mozilla SSL/TLS Configuration Generator [for advanced users]
• For checking the configuration of a server, try SSL Labs SSL Server Test (web), testssl.sh (CLI tool), Mozilla TLS Observatory (CLI tool) or Observatory by Mozilla (web).



HTTP Strict Transport Security (HSTS)

HSTS policy for https://www.transunion.com: max-age=15768000; includeSubDomains

Test | Result
max-age set to at least 6 months | Pass (15768000 seconds is six months by the 365-day convention)
includeSubDomains: policy also applies to subdomains | Present
preload: requests inclusion in preload lists (only relevant for base domain) | Not present
Base domain (https://transunion.com) | HSTS status unknown

Because this header was observed on www.transunion.com, its includeSubDomains only covers hosts beneath www.transunion.com; whether transunion.com itself and its other subdomains carry a policy cannot be determined from this response.

HSTS is just an HTTP header. In its simplest form, the policy tells a browser to enable HSTS for that exact domain or subdomain, and to remember it for a given number of seconds (the policy is refreshed every time the browser sees the header again):

Strict-Transport-Security: max-age=31536000;

In its strongest and recommended form, the HSTS policy includes all subdomains, and indicates a willingness to be "preloaded" into browsers:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Note that includeSubDomains should be deployed at the base domain, i.e., https://example.com, not https://www.example.com. While we recommend the use of includeSubDomains, be very careful, as it means that all subdomains associated with the parent domain must support HTTPS. (They do not have to each have their own HSTS policy.) A subdomain that is only reachable over HTTP, or whose certificate does not cover its name, becomes unreachable in every browser that has cached the policy for as long as max-age lasts, so inventory your subdomains before turning it on.

For a user to take advantage of HSTS, their browser does have to see the HSTS header at least once. This means that users are not protected until after their first successful secure connection to a given domain.

To solve this problem, the Chrome security team created an "HSTS preload list": a list of domains baked into Chrome that get Strict Transport Security enabled automatically, even for the first visit.

Firefox, Safari, Opera, and Edge also incorporate Chrome's HSTS preload list, making this feature shared across major browsers.

The Chrome security team allows anyone to submit their domain to the list, provided it meets a few requirements. Removal from the list is slow, since it has to propagate through browser releases, so preloading is effectively a one-way decision.

• HTTP Strict Transport Security [cio.gov]
• HSTS Preload List Submission [hstspreload.org]
• Strict-Transport-Security [mozilla.org]

Text adapted from the CIO Council's The HTTPS-Only Standard (public domain).
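The tests in the table above can be reproduced with a small parser for the Strict-Transport-Security header. This is an added example, not Osano's code: the six-month mark (15768000 seconds) is the audit's own pass criterion, while the preload criteria (max-age of at least one year, includeSubDomains and preload all present) are taken from the current hstspreload.org submission requirements and are an assumption of this script, not something stated in the report.

```python
"""Evaluate a Strict-Transport-Security header against the tests above.

Added example, not Osano's code. SIX_MONTHS is the audit's pass mark;
ONE_YEAR and the preload rule are assumed from hstspreload.org.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SIX_MONTHS = 15768000   # the audit's "at least 6 months" threshold
ONE_YEAR = 31536000     # hstspreload.org minimum max-age (assumed)


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(header: str) -> HstsPolicy:
    """Parse the directive list of one header value.

    RFC 6797: directive names are case-insensitive, unknown directives are
    ignored, max-age is required, and a repeated directive makes the whole
    header invalid (a browser then behaves as if no HSTS header were sent).
    """
    policy = HstsPolicy()
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            policy.errors.append(f"duplicate directive {name}")
        seen.add(name)
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.errors.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    if policy.max_age is None and not policy.errors:
        policy.errors.append("max-age directive missing")
    return policy


def evaluate(header: str) -> Dict[str, bool]:
    """The report's tests as booleans; an invalid header fails all of them."""
    p = parse_hsts(header)
    valid = not p.errors
    return {
        "valid": valid,
        "six_months": valid and p.max_age >= SIX_MONTHS,
        "include_subdomains": valid and p.include_subdomains,
        "preload_ready": (valid and p.max_age >= ONE_YEAR
                          and p.include_subdomains and p.preload),
    }


if __name__ == "__main__":
    # The header the audit observed on https://www.transunion.com
    print(evaluate("max-age=15768000; includeSubDomains"))
```

Run against the audited header, six_months and include_subdomains come back true and preload_ready false, which is the result table above; a header with a duplicated or non-numeric max-age is reported as invalid rather than partially honoured, which is what browsers do with it.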



Content Security Policy

Content Security Policy set in HTTP header (shown here one directive per line):

default-src 'self' *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com *.impactradius-event.com *.teads.tv *.passage.ai wss://tars-prod.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.vols7feed.com *.addthis.co *.amazon-adsystem.com *.youtube.com *.doubleclick.net *.company-target.com *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.adsrvr.org dmtry.com *.dmtry.com *.quantserve.com *.bluekai.com *.facebook.com *.demandbase.com doubleclick.net *.trustev.com *.yahoo.com *.atedra.com *.twitter.com *.bing.com crwdcntrl.net c.rstg.io cdn.nextinsure.com *.jquery.com cloudfront.net *.googleapis.com *.adnxs.com *.rlcdn.com investis.com adsrvr.org sharethrough.com adroll.com yimg.com amazonaws.com *.fastclick.net secure.leadback.advertising.com google-analytics.com *.ads-twitter.com *.openx.net *.zencdn.net googleadservices.com gstatic.com bidswitch.net *.media6degrees.com googletagmanager.com *.siteintercept.qualtrics.com *.qualtrics.com;
script-src 'self' *.impactradius-event.com *.teads.tv *.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.mxpnl.com *.vols7feed.com *.addthis.com *.googletagmanager.com *.optimizely.com *.pingdom.com *.cloudflare.com *.googleadservices.com *.youtube.com *.doubleclick.net *.google-analytics.com *.quantserve.com *.g.3gl.net *.eloqua.com *.crwdcntrl.net *.googleapis.com *.investis.com *.amazonaws.com *.cloudfront.net *.nextinsure.com *.lendingtree.com *.mediaplex.com *.demandbase.com *.jquery.com *.gstatic.com *.bing.com *.3gl.net *.yourscoreonline.com *.gofreecredit.com *.creditcheckingtoday.com *.naturaltracking.com *.credit.com *.facebook.com *.yimg.com *.ytimg.com *.quora.com *.ensighten.com *.d39se0h2uvfakd.cloudfront.net *.linkedin.com *.adsprotection.com *.brightcove.com *.hotjar.com *.adroll.com *.brightcove.net *.en25.com *.adsrvr.org *.abmr.net *.mathtag.com t2.rstg.io px.ads.linkedin.com vjs.zencdn.net *.twitter.com iad-login.dotomi.com snap.licdn.com sp.analytics.yahoo.com unpkg.com *.myfonts.net *.en25.com *.addthisedge.com *.zencdn.com *.s3.amazonaws.com cdn.ampproject.org *.company-target.com *.media6degrees.com *.ads-twitter.com cdn.mxpnl.com *.bizographics.com *.pingdom.net *.mbww.com *.entrust.net *.trustev.com *.mathtag.com *.googlesyndication.com *.google.com *.outbrain.com o1.qnsr.com *.facebook.net cas.cluep.com *.quizgnome.com *.siteintercept.qualtrics.com *.qualtrics.com *.pulseinsights.com blob: 'unsafe-eval' 'unsafe-inline';
child-src *.evenfinancial.com *.transunion.com blob: *.crwdcntrl.net *.cdn.optimizely.com *.addthis.com *.doubleclick.net *.lendingtree.com *.youtube.com *.hotjar.com *.mediaplex.com *.optimizely.com *.brightcove.net s.amazon-adsystem.com *.trustev.com *.mathtag.com *.qnsr.com *.facebook.com *.siteintercept.qualtrics.com *.qualtrics.com;
connect-src 'self' *.ifgza3.net *.passage.ai wss://tars-prod.passage.ai *.taboola.com *.transunion.com *.mixpanel.com *.optimizely.com *.youtube.com *.brightcovecdn.com *.pingdom.net *.brightcove.com manifest.prod.boltdns.net airbrake.io *.company-target.com r.3gl.net s7.addthis.com *.herokuapp.com unity.cadreon.com app.trustev.com *.hotjar.com wss://*.hotjar.com *.siteintercept.qualtrics.com *.qualtrics.com 'unsafe-eval';
media-src 'self' *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.transunion.com blob: f1.media.brightcove.com;
img-src * *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com data:;
font-src data: *.transunion.com *.gstatic.com *.company-target.com edge.api.brightcove.com r.3gl.net *.addthis.com *.herokuapp.com *.quora.com;
style-src * 'unsafe-eval' 'unsafe-inline';
frame-ancestors *.transunion.com;

Content Security Policy (CSP) implemented unsafely. This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

Test | Description
Clickjacking protection, using frame-ancestors | The use of CSP's frame-ancestors directive offers fine-grained control over who can frame your site.
Deny by default, using default-src 'none' | Denying by default using default-src 'none' can ensure that your Content Security Policy doesn't allow the loading of resources you didn't intend to allow.
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins | The base tag can be used to trick your site into loading scripts from untrusted origins.
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs | Malicious JavaScript or content injection could modify where sensitive form data is submitted to or create additional forms for data exfiltration.
Blocks loading of active content over HTTP or FTP | Loading JavaScript or plugins can allow a man-in-the-middle to execute arbitrary code on your website. Restricting your policy and changing links to HTTPS can help prevent this.
Blocks loading of passive content over HTTP or FTP | This site's Content Security Policy allows the loading of passive content such as images or videos over insecure protocols such as HTTP or FTP. Consider changing them to load over HTTPS.
Uses CSP3's 'strict-dynamic' directive to allow dynamic script loading (optional) | 'strict-dynamic' lets you use a JavaScript shim loader to load all your site's JavaScript dynamically, without having to track script-src origins.
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src | Blocking the use of JavaScript's eval() function can help prevent the execution of untrusted code.
Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src | Blocking the execution of inline JavaScript provides CSP's strongest protection against cross-site scripting attacks. Moving JavaScript to external files can also help make your site more maintainable.
Blocks inline styles by not allowing 'unsafe-inline' inside style-src | Blocking inline styles can help prevent attackers from modifying the contents or appearance of your page. Moving styles to external stylesheets can also help make your site more maintainable.
Blocks execution of plug-ins, using object-src restrictions | Blocking the execution of plug-ins via object-src 'none' or as inherited from default-src can prevent attackers from loading Flash or Java in the context of your page.

Reading those tests against the policy above: frame-ancestors is set, so clickjacking protection passes, but script-src carries both 'unsafe-inline' and 'unsafe-eval' with no nonce or hash, style-src and img-src are '*', default-src is a long allowlist rather than 'none', and base-uri, form-action and object-src are absent (object-src therefore inherits the default-src allowlist instead of being 'none'). With 'unsafe-inline' in script-src the policy does not stop a reflected or stored XSS at all. Several of the allowlisted script origins (*.amazonaws.com, *.s3.amazonaws.com, *.cloudfront.net, *.herokuapp.com, unpkg.com, cdn.ampproject.org, *.googleapis.com) are hosts on which anyone can publish content or that expose JSONP endpoints, so the allowlist would not hold even once inline script is removed. The practical route is a nonce-based script-src with 'strict-dynamic', object-src 'none' and base-uri 'none', rolled out first in report-only mode.

The recommended way to enable Content Security Policy is with the Content-Security-Policy HTTP header, e.g.:

Content-Security-Policy: default-src 'self'

It can also be enabled with an HTML <meta> element:

<meta http-equiv="Content-Security-Policy" content="script-src 'self'">

Note that frame-ancestors, report-uri and sandbox are ignored when the policy is delivered via <meta>, so the header is the only way to get clickjacking protection and violation reports from CSP.

CSP is a powerful mechanism that we strongly recommend. It allows for very fine-grained control. However, creating a good policy (or adjusting your site to work with a good policy) can take some time and effort. To make this easier, it's possible to use CSP in report-only mode: send the candidate policy in a Content-Security-Policy-Report-Only header with a report-uri (or report-to) directive, and the browser reports violations without blocking anything.
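The test list above can be run mechanically over a policy string. The following is an added example, not Osano's or the Mozilla Observatory's code. SAMPLE is an abbreviated excerpt of the header shown on this page (most allowlisted hosts dropped, the directives and keywords kept); OPEN_HOSTING, the set of origins on which anyone can publish a script, is this example's own assumption.

```python
"""Run the audit's CSP tests over a Content-Security-Policy value.

Added example, not Osano's code. SAMPLE is an abbreviated excerpt of the
page's policy; OPEN_HOSTING is an assumed list of allowlist-bypass hosts.
"""
from typing import Dict, List, Set

# Fetch directives that inherit default-src when absent.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "media-src", "font-src",
    "connect-src", "object-src", "child-src", "frame-src", "worker-src",
    "manifest-src",
}

# Assumed: allowlisting these in script-src restricts nothing, because any
# customer of the service can host a script there (or it serves JSONP).
OPEN_HOSTING = {
    "*.amazonaws.com", "*.s3.amazonaws.com", "*.cloudfront.net",
    "*.herokuapp.com", "unpkg.com", "cdn.ampproject.org", "*.googleapis.com",
}

SAMPLE = (
    "default-src 'self' *.transunion.com *.doubleclick.net; "
    "script-src 'self' *.transunion.com *.amazonaws.com *.cloudfront.net "
    "unpkg.com blob: 'unsafe-eval' 'unsafe-inline'; "
    "connect-src 'self' *.transunion.com 'unsafe-eval'; "
    "img-src * data:; style-src * 'unsafe-eval' 'unsafe-inline'; "
    "frame-ancestors *.transunion.com;"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Directive name -> source list. As in the spec, the first occurrence of
    a directive wins and later duplicates are ignored."""
    out: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in out:
            out[tokens[0].lower()] = tokens[1:]
    return out


def effective(csp: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that actually govern a directive, after default-src fallback."""
    if directive in csp:
        return csp[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return csp.get("default-src", [])
    return []


def _insecure(src: str) -> bool:
    return src in ("http:", "ftp:") or src.startswith(("http://", "ftp://"))


def analyse(policy: str) -> Set[str]:
    """Return the set of findings; an empty set means every test passed."""
    csp = parse_csp(policy)
    f: Set[str] = set()
    script = effective(csp, "script-src")
    style = effective(csp, "style-src")
    obj = effective(csp, "object-src")

    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    if "'unsafe-inline'" in script and not nonce_or_hash:
        f.add("script-src allows inline script ('unsafe-inline')")
    if "'unsafe-eval'" in script:
        f.add("script-src allows eval ('unsafe-eval')")
    if "'unsafe-inline'" in style:
        f.add("style-src allows inline styles")
    for name, srcs in (("script-src", script), ("object-src", obj)):
        if not srcs:
            f.add(f"{name} not restricted (no directive and no default-src)")
        elif any(s in ("*", "http:", "https:", "data:") for s in srcs):
            f.add(f"{name} has an overly broad source")
    if obj and obj != ["'none'"]:
        f.add("object-src does not block plug-ins")
    if csp.get("default-src") != ["'none'"]:
        f.add("default-src is not 'none' (not deny-by-default)")
    if "frame-ancestors" not in csp:
        f.add("no frame-ancestors (clickjacking)")
    for d in ("base-uri", "form-action"):
        if d not in csp:
            f.add(f"{d} not set")
    # '*' matches http: as well as https: URLs, so it counts as cleartext here.
    if any(s == "*" or _insecure(s)
           for d in ("img-src", "media-src") for s in effective(csp, d)):
        f.add("passive content may load over HTTP/FTP")
    if any(_insecure(s) for s in script + obj):
        f.add("active content may load over HTTP/FTP")
    if OPEN_HOSTING & set(script):
        f.add("script-src allowlists open hosting origins (allowlist bypass)")
    return f
```

On SAMPLE the analyser reports nine findings (inline script, eval, inline styles, object-src not 'none', no deny-by-default, base-uri and form-action missing, passive content over HTTP, and open-hosting origins in script-src) and no clickjacking finding, matching the reading of the full policy given above; a nonce-based policy with 'strict-dynamic', object-src 'none', base-uri 'none' and form-action 'self' produces an empty set.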

See the following pages for more information:

• Content Security Policy (CSP) [developer.mozilla.org]
• Google Web Fundamentals: Content Security Policy [developers.google.com]
• CSP Cheat Sheet [scotthelme.co.uk]
• Report URI: Tools (CSP analyser, CSP builder) [report-uri.com]
• CSP Evaluator [csp-evaluator.withgoogle.com]
• CSP Level 2 specification [w3.org]
• CSP Level 3 specification [w3.org]
• Browser support [caniuse.com]


Referrer Policy

Referrer Policy not set. This means that the default value no-referrer-when-downgrade, leaking referrers in many situations, is used. (That was the browser default when this audit ran; Chrome 85 and Firefox 87 later changed their default to strict-origin-when-cross-origin, which sends only the origin to other sites. A site that wants a defined behaviour should still set the policy explicitly rather than rely on whatever the visitor's browser defaults to.)

A referrer policy can easily be set with a <meta> element in your HTML. Simply include this inside the <head> section:

<meta name="referrer" content="no-referrer">

Alternatively, set the Referrer-Policy HTTP header, e.g.:

Referrer-Policy: no-referrer

If a referrer policy is delivered via both Referrer-Policy header and meta element, the meta element's policy takes precedence.

If multiple policy values are specified, the browser will use the last one it recognises, ignoring unknown values (fallback values should thus appear first). Multiple values should be separated by commas, e.g.:

<meta name="referrer" content="no-referrer, same-origin">

Several policies are offered, such as origin (strips everything except the origin) and origin-when-cross-origin (sends full URL with same-origin requests, otherwise stripped). We recommend no-referrer, which kills the referrer header entirely for all requests, no matter the destination; or same-origin, which kills the referrer for third-party requests but not for requests to the same origin. Note that no-referrer also removes the Referer from same-origin requests, which some CSRF checks and analytics rely on; strict-origin-when-cross-origin keeps the full URL for same-origin requests while limiting third parties to the origin.
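What each policy reveals to a third party is easiest to see by computing the Referer value. The following is an added example, not Osano's code: it implements the decision rules of the W3C Referrer Policy specification for the eight named policies, so the reader can see what "leaking referrers in many situations" means for the no-referrer-when-downgrade default this audit measured against. The URLs are constructed samples.

```python
"""Compute the Referer a browser sends under each referrer policy.

Added example, not Osano's code; follows the W3C Referrer Policy rules.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _strip(url: str, origin_only: bool = False) -> str:
    """Spec: strip credentials and fragment; for origin-only also drop the
    path and query, leaving 'scheme://host[:port]/'."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    if origin_only:
        return urlunsplit((p.scheme, host, "/", "", ""))
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def _origin(url: str) -> Tuple[str, Optional[str], Optional[int]]:
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def _tls(url: str) -> bool:
    return urlsplit(url).scheme in ("https", "wss")


def referer_for(policy: str, source: str, target: str) -> Optional[str]:
    """Referer header value for a request from `source` to `target`, or None
    when the browser sends no Referer at all."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    same_origin = _origin(source) == _origin(target)
    downgrade = _tls(source) and not _tls(target)   # https page -> http request
    full, origin = _strip(source), _strip(source, origin_only=True)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    # no-referrer-when-downgrade: the default in effect when this audit ran
    return None if downgrade else full


def leak_table(source: str, target: str) -> Dict[str, Optional[str]]:
    """What each policy would reveal to `target` about the page at `source`."""
    return {p: referer_for(p, source, target) for p in POLICIES}
```

For a page such as https://www.transunion.com/credit-freeze?ref=abc making a request to analytics.twitter.com, the default sends the complete path and query string to Twitter; strict-origin-when-cross-origin sends only https://www.transunion.com/, and same-origin or no-referrer sends nothing. Only the downgrade case (an https page requesting an http resource) is ever suppressed by the default.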

• Referrer-Policy [developer.mozilla.org]
• Referer header: privacy and security concerns [developer.mozilla.org]
• Referrer Policy specification [w3.org]
• Browser support [caniuse.com]


Subresource Integrity (SRI)

Subresource Integrity (SRI) not implemented, and external resources are loaded over HTTP or use protocol-relative URLs via src="//...".

The following third-party resources are not loaded using SRI. Most of them are first-party assets on assets.transunion.com referenced with protocol-relative URLs; they are listed because they are fetched from a host other than the page's own. On an HTTPS page a "//" URL resolves to https, so the cleartext risk only materialises if the page is ever served over HTTP, but writing https:// explicitly costs nothing and removes the ambiguity.

Type | URL
script | https://siteintercept.qualtrics.com/dxjsmodule/CoreModule.js?Q_CLIENTVERSION=1.17.0&Q_CLIENTTYPE=web
script | https://siteintercept.qualtrics.com/dxjsmodule/CoreModule.js?Q_CLIENTVERSION=1.17.0&Q_CLIENTTYPE=web
script | https://zn74cvbyxcewl8l2z-transunioncxusa.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=Z...
script | https://zn8i03elsrj8ujesh-transunioncxusa.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=Z...
script | https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1ol6&events=%5B%5B%22pageview...
script | //assets.transunion.com/resources/js/personalizedBanner.js
script | //assets.transunion.com/resources/js/immersive.js
script | //assets.transunion.com/resources/js/tu-main.js
script | //assets.transunion.com/resources/js/lib/min/slick.min.js
script | //assets.transunion.com/resources/js/TuFontsCounter.js
script | //assets.transunion.com/resources/js/validation.js
script | //assets.transunion.com/resources/js/lib/min/jquery.visible.min.js
script | //assets.transunion.com/resources/js/lib/min/handlebars.min.js
script | //assets.transunion.com/resources/js/lib/min/jquery.touchSwipe.min.js
script | //assets.transunion.com/resources/js/lib/min/additional-methods.min.js
script | //assets.transunion.com/resources/js/lib/min/jquery.validate.min.js
script | //assets.transunion.com/resources/js/lib/min/bootstrap.min.js
script | //assets.transunion.com/resources/js/lib/min/jquery.min.js
script | https://script.hotjar.com/modules.7b8376ee918863f83692.js
script | https://googleads.g.doubleclick.net/pagead/viewthroughconversion/945968994/?random=1576775665372&cv=...
css | //assets.transunion.com/resources/transunion/css/consumer/orphan/homebuttonfix.css
css | //assets.transunion.com/resources/transunion/css/consumer/orphan/ppc/home-alt.css
css | //assets.transunion.com/resources/css/main-isobar.css
css | //assets.transunion.com/resources/css/lib/slick.css
css | //assets.transunion.com/resources/css/tu-main.css
css | //assets.transunion.com/resources/css/tu-font-awesome.css
css | //assets.transunion.com/resources/css/lib/bootstrap.min.css
css | //assets.transunion.com/resources/css/lib/jquery-ui.css
script | //assets.transunion.com/resources/js/lib/min/modernizr.min.js
script | https://cdn.optimizely.com/js/4242406432.js
script | //www.googletagmanager.com/gtm.js?id=GTM-T8HG9X4
script | //www.googleadservices.com/pagead/conversion_async.js
script | //static.hotjar.com/c/hotjar-949432.js?sv=5
script | https://connect.facebook.net/en_US/fbevents.js
script | https://connect.facebook.net/signals/config/871078119587868?v=2.9.15&r=stable
script | //bat.bing.com/bat.js
script | //cdn.taboola.com/libtrc/unip/1193436/tfa.js
script | //static.ads-twitter.com/uwt.js
script | https://hello.myfonts.net/count/2ca963
script | https://scripts.demandbase.com/YZhT3gW1.min.js
script | https://www.google-analytics.com/analytics.js
script | https://www.google-analytics.com/plugins/ua/linkid.js

SRI is only workable for resources whose bytes do not change under a fixed URL (versioned library builds such as the assets.transunion.com files, or content-addressed names like the Hotjar modules file). Tag managers and vendor pixels such as gtm.js, fbevents.js and analytics.js are updated in place by the vendor, so an integrity hash on them would break the page at the vendor's next release; for those, the realistic control is the CSP allowlist plus a review of what the script may do, not SRI.

SRI can be used with script and link elements. To enable SRI on an element, you need to add integrity and crossorigin attributes to it.

integrity should contain integrity metadata: a string describing the cryptographic hash function used (currently sha256, sha384, or sha512), followed by a dash, followed by the base64-encoded hash of the file. Several space-separated values may be given, for instance to list two algorithms or two accepted versions of a file; the browser only consults the hashes for the strongest algorithm present.

crossorigin must be set to anonymous for third-party resources when using SRI. This has to do with CORS: the browser can only check the bytes of a response it is allowed to read, so the remote server must also answer with an Access-Control-Allow-Origin header or the load fails.

For example, given the file https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js, we can calculate the SHA384 hash:

$ openssl dgst -sha384 -binary jquery.min.js | openssl base64 -A
tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT

The correct HTML code should then be:

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"
        integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT"
        crossorigin="anonymous"></script>

When the browser sees this element, it will download jquery.min.js, calculate the SHA384 hash, compare it to the hash in the integrity attribute, and only run the script if the hashes match. For example, if someone were to modify jquery.min.js on the remote server after we calculated the original hash, Firefox would refuse to run the script and you'd see this in the browser console:

None of the "sha384" hashes in the integrity attribute match the content of the subresource.

To make all this easier, you can use Mozilla's SRI Hash Generator.
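The same computation, and the browser-side check it feeds, as an added example (not Osano's code): integrity_for() yields the same string as the openssl pipeline above, and verify() performs the check from the SRI specification, including the rule that when hashes for several algorithms are listed only the strongest one is consulted. FILE_BYTES is a constructed stand-in for jquery.min.js, so its digest is not the one shown above.

```python
"""Generate and verify Subresource Integrity metadata.

Added example, not Osano's code. FILE_BYTES is constructed sample content.
"""
import base64
import hashlib
from typing import List, Tuple

# Algorithms the spec allows, in order of strength.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

FILE_BYTES = b"/*! constructed stand-in for jquery.min.js */\nwindow.jq = 1;\n"


def integrity_for(data: bytes, alg: str = "sha384") -> str:
    """The value for an integrity attribute: '<alg>-<base64 digest>'."""
    if alg not in STRENGTH:
        raise ValueError(f"unsupported algorithm {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(metadata: str) -> List[Tuple[str, str]]:
    """Space-separated tokens of the form alg-digest[?options]; tokens with
    an unknown algorithm are dropped, exactly as a browser drops them."""
    parsed = []
    for token in metadata.split():
        alg, _, rest = token.partition("-")
        digest = rest.split("?", 1)[0]       # options after '?' are ignored
        if alg.lower() in STRENGTH and digest:
            parsed.append((alg.lower(), digest))
    return parsed


def verify(data: bytes, metadata: str) -> bool:
    """Browser behaviour: with no usable metadata the resource is allowed;
    otherwise some digest for the strongest listed algorithm must match."""
    parsed = parse_integrity(metadata)
    if not parsed:
        return True
    strongest = max(STRENGTH[alg] for alg, _ in parsed)
    alg = next(a for a, rank in STRENGTH.items() if rank == strongest)
    expected = {digest for a, digest in parsed if a == alg}
    actual = integrity_for(data, alg).split("-", 1)[1]
    return actual in expected


def script_tag(url: str, data: bytes) -> str:
    """The element shown above, built from the file's bytes."""
    return (f'<script src="{url}" integrity="{integrity_for(data)}" '
            f'crossorigin="anonymous"></script>')
```

Two behaviours are worth noticing: a tampered file fails verification even when several hashes are listed, because matching any one digest of the strongest algorithm is required; and metadata that names only an algorithm the browser does not support (md5, say) results in no check at all rather than a block, so a typo in the algorithm name silently disables SRI.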

• Subresource Integrity [developer.mozilla.org]
• Protecting your embedded content with subresource integrity (SRI) [troyhunt.com]
• Subresource Integrity specification [w3.org]
• Browser support [caniuse.com]

HTTP headers

Header | Value | Result
X-Content-Type-Options | nosniff | X-Content-Type-Options header set to "nosniff"
X-Frame-Options | SAMEORIGIN | X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive
X-XSS-Protection | 1;mode=block | X-XSS-Protection header set to "1; mode=block"

To enable these headers you'll need to add them to your web server configuration. This is a simple change. Exactly how you do it depends on what server you use. This page [developer.mozilla.org] has configuration examples for Apache, Nginx and IIS.

X-Content-Type-Options should be set to nosniff, which is the only valid value.

X-Frame-Options can be set to deny (page can never be loaded in a frame), sameorigin (page can only be loaded in a frame if the origin is the same), or allow-from <URI> (page can only be loaded in a frame on a page on the specified origin). allow-from was never supported by Chrome or Safari and is obsolete; use the CSP frame-ancestors directive for anything beyond deny or sameorigin, and keep X-Frame-Options only as a fallback for browsers without CSP2 support.

X-XSS-Protection should be set to 1 or 1; mode=block. This header only ever controlled the built-in XSS auditor of Chrome, Edge and Internet Explorer; Chrome removed its auditor in version 78 and Firefox never had one, so the header no longer adds protection in current browsers, and OWASP now recommends X-XSS-Protection: 0 because the filter itself could be abused to leak information. A Content Security Policy without 'unsafe-inline' is the replacement.


Cookies

First-party cookies (14)

Each entry gives Name (Domain) = Value; expiry. (The HttpOnly, Secure and SameSite columns of the audit's table are not reproduced here; the only flag value legible in this copy is SameSite=Lax on the third-party __cfduid cookie below.)

• JSESSIONID (www.transunion.com) = 535BD3098F9F3521EB19...; expires: session
• optimizelyEndUserId (.transunion.com) = oeu1576775664792r0.4...; expires: 2020-06-16 17:14:24Z
• tm_engage (www.transunion.com) = true; expires: 2019-12-26 17:14:24Z
• _gcl_au (.transunion.com) = 1.1.1334588532.15767...; expires: 2020-03-18 17:14:25Z
• TM_Visit (.transunion.com) = not-set; expires: 2019-12-19 17:44:25Z
• TM_VDetail (.transunion.com) = direct||not-set||; expires: 2019-12-19 17:44:25Z
• TM_VEvents (.transunion.com) = 00000000; expires: 2019-12-19 17:44:25Z
• _fbp (.transunion.com) = fb.1.1576775665526.1...; expires: 2020-03-18 17:14:26Z
• _hjid (.transunion.com) = ba3eaa76-3d36-4899-9...; expires: 2020-12-09 17:14:25Z
• _ga (.transunion.com) = GA1.2.611973946.1576...; expires: 2021-12-18 17:14:25Z
• _gid (.transunion.com) = GA1.2.333414249.1576...; expires: 2019-12-20 17:14:25Z
• _dc_gtm_UA-2854562-5 (.transunion.com) = 1; expires: 2019-12-19 17:15:25Z
• _hjIncludedInSample (www.transunion.com) = 1; expires: session
• QSI_HistorySession (www.transunion.com) = https%3A%2F%2Fwww.tr...; expires: session


Third-party cookies (19)

• taboola_session_id (trc.taboola.com) = v2_13418af8dafcd1de7...; expires: session
• MUID (.bing.com) = 02F9E23F15EA6B1A1816...; expires: 2021-01-12 17:14:26Z
• MR (.bat.bing.com) = 0; expires: 2020-06-16 17:14:26Z
• MUIDB (bat.bing.com) = 3F33BD824D5067FF1035...; expires: 2021-01-12 17:14:26Z
• B (.yahoo.com) = 53go601evnbvh&b=3&s=...; expires: 2020-12-18 17:14:25Z
• IDE (.doubleclick.net) = AHWqTUm8fRNrce1oz9CK...; expires: 2021-12-18 17:14:25Z
• t_gid (.taboola.com) = 317edc57-3f2f-4785-b...; expires: 2020-12-18 17:14:25Z
• personalization_id (.twitter.com) = "v1_QC0oLd1Nr6pa7NBB...; expires: 2021-12-18 17:14:26Z
• bito (.bidr.io) = AAUC4U6792AAADkK7Xxq...; expires: 2021-01-17 12:14:26Z
• bitoIsSecure (.bidr.io) = ok; expires: 2021-01-17 12:14:26Z
• tuuid (.company-target.com) = 4831d9f9-6dec-4c1d-a...; expires: 2021-12-18 17:14:26Z
• tuuid_lu (.company-target.com) = 1576775665; expires: 2021-12-18 17:14:26Z
• TUCILBCookie (members.transunion.ca) = !mLDulblljDZ4QsH2dvb...; expires: session
• ua (r.3gl.net) = 20,84,76,56,0,0,0,0; expires: 2019-12-19 18:14:26Z
• gi (r.3gl.net) = 0F,1,224,46,4059,0,0...; expires: 2019-12-20 17:14:26Z
• fr (.facebook.com) = 0klRSbCrykILNopTO..B...; expires: 2020-03-18 17:14:26Z
• __cfduid (.siteintercept.qualtrics.com) = dc535737dc91c5dd0e74...; expires: 2020-01-18 17:14:26Z; SameSite=Lax
• AA003 (.atdmt.com) = AXzTF6RZZeNVNxLCpaQv...; expires: 2020-03-18 17:14:26Z
• ATN (.atdmt.com) = 1.1576775666.1741176...; expires: 2021-12-18 17:14:26Z

members.transunion.ca is a TransUnion property, but transunion.ca is a different registrable domain from transunion.com, so the audit counts its cookie as third-party.

HttpOnly means that the cookie can only be read by the server, and not by JavaScript on the client. This can mitigate XSS (cross-site scripting) attacks: an injected script cannot read the cookie out, although it can still issue requests that carry it.

Secure means that the cookie will only be sent over a secure channel (HTTPS). This can mitigate MITM (man-in-the-middle) attacks.

SameSite can be used to instruct the browser to only send the cookie when the request is originating from the same site. This can mitigate CSRF (cross-site request forgery) attacks. SameSite=Strict withholds the cookie on every cross-site request; SameSite=Lax still sends it on top-level navigations with a safe method (a plain link click), so Lax alone does not protect state-changing GET handlers; SameSite=None disables the restriction and is only accepted by browsers together with Secure.
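The three attributes, together with the storage-period point made further down in this section, can be checked directly on Set-Cookie headers. The following is an added example, not Osano's code. SAMPLE_HEADERS are constructed to resemble a few of the cookies in the tables above (names and expiry dates from the report, values shortened, attributes invented); AUDIT_TIME is the report's own timestamp and ONE_YEAR the ceiling the storage-limitation paragraph argues for. The __Host- prefix rule is an addition this page does not discuss.

```python
"""Audit Set-Cookie headers for Secure, HttpOnly, SameSite and lifetime.

Added example, not Osano's code. SAMPLE_HEADERS are constructed; the
one-year ceiling comes from the storage-limitation discussion below.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

ONE_YEAR = timedelta(days=365)
AUDIT_TIME = datetime(2019, 12, 19, 17, 14, 25, tzinfo=timezone.utc)

SAMPLE_HEADERS = [
    "JSESSIONID=535BD3098F9F3521EB19; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.611973946.1576775665; Domain=.transunion.com; Path=/; "
    "Expires=Sat, 18 Dec 2021 17:14:25 GMT",
    "optimizelyEndUserId=oeu1576775664792r0.4; Domain=.transunion.com; "
    "Path=/; Max-Age=15552000",
    "__cfduid=dc535737dc91c5dd0e74; Path=/; "
    "Expires=Sat, 18 Jan 2020 17:14:26 GMT; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Name/value pair plus attributes; attribute names are lower-cased and
    value-less attributes (Secure, HttpOnly) map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if attr:
            k, _, v = attr.partition("=")
            cookie[k.strip().lower()] = v.strip()
    return cookie


def lifetime(cookie: Dict[str, str], now: datetime) -> Optional[timedelta]:
    """None for a session cookie; Max-Age wins over Expires (RFC 6265 5.3)."""
    if "max-age" in cookie:
        return timedelta(seconds=int(cookie["max-age"]))
    if "expires" in cookie:
        return parsedate_to_datetime(cookie["expires"]) - now
    return None


def audit(header: str, now: datetime = AUDIT_TIME) -> List[str]:
    """Return the list of problems found in one Set-Cookie header."""
    c = parse_set_cookie(header)
    issues: List[str] = []
    if "secure" not in c:
        issues.append("missing Secure")
    if "httponly" not in c:
        issues.append("missing HttpOnly")
    samesite = c.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict")
    if samesite == "none" and "secure" not in c:
        issues.append("SameSite=None requires Secure (browsers reject it otherwise)")
    # __Host- cookies must be Secure, have Path=/ and carry no Domain attribute.
    if c["name"].startswith("__Host-") and (
        "domain" in c or c.get("path") != "/" or "secure" not in c
    ):
        issues.append("__Host- prefix requirements not met")
    life = lifetime(c, now)
    if life is not None and life > ONE_YEAR:
        issues.append(f"lifetime {life.days} days exceeds one year")
    return issues


def audit_all(headers: List[str] = SAMPLE_HEADERS,
              now: datetime = AUDIT_TIME) -> Dict[str, List[str]]:
    """Cookie name -> issues, for a whole response."""
    return {parse_set_cookie(h)["name"]: audit(h, now) for h in headers}
```

On the samples, the session cookie is only missing SameSite, the _ga lookalike is missing all three attributes and lives 730 days, and the __cfduid lookalike lacks only Secure. Two rules matter in practice: Max-Age takes precedence over Expires when both are present, and a SameSite=None cookie without Secure is rejected outright by current browsers rather than stored without protection.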

Legal references: GDPR Rec. 60, 61, 69, 70, 75, 78; Art. 5.1.a, 5.1.c, 5.1.e, 21, 22, 32. e-PD (2002/58/EC) Rec. 24, 25; Art. 5.2. e-PD revised (2009/136/EC) Rec. 65, 66.

First-party cookies are placed by the web site owner in some register on their visitors' device in order to be able to re-identify the visitor on subsequent page loads. First-party cookies can be related to technical features on a web site (such as remembering language settings or the contents of a shopping basket), or related to commercial features of the web site owner's activities (such as being able to trace a visitor's behaviour over the duration of their visit, or over much longer time periods, often for years, in order to be able to serve advertisements to the users or to get usage statistics to guide later changes to the web site that are envisaged to make the web site more attractive to recurring users). First-party cookies may come from services provided by the web site owner (language settings in a Content Management System) or from services used by the web site owner (analytics tools).

Third-party cookies are placed by a service affiliated with the web site owner on the devices of visitors to the web site in order to be able to re-identify the visitor on subsequent page loads, or across different web sites. Third-party cookies are typically related to commercial features of a web site owner's activities, usually advertising, but may also relate to technical features in scripts used by a web site (such as language settings).

Storing information or gaining access to information stored in the visitors' devices, for instance in the form of cookies, has been subject to sui generis legislation in the European Union (ePD, Art. 5.3). These sui generis laws have tried to make a distinction between information stored to support technical features and information stored to support commercial features. In practice, poor enforcement of these rules has made the legal landscape unclear. Because there exists no legal duty for citizens to receive better targeted advertisement, nor a legal duty for citizens to assist web developers in improving web sites, it's doubtful that a legal basis exists for storing information to support commercial features without the consent of the web visitor (GDPR Art. 7). It is argued that the legitimate interests of a web site owner (Art. 6.1.f, Art. 6.4) may nevertheless enable them to subject a visitor to targeted ads or cause a visitor to assist the web developers. Then there must exist a relevant and appropriate relationship between the web visitor and the web site owner (GDPR Rec. 47), which calls into question the use of first-party cookies set on behalf of third-party services. In either case, if the legitimate interest legal basis for processing is invoked, adequate security measures must be undertaken (GDPR Art. 32).

Particular care must be taken with regards to the period of storage (GDPR Art. 5.1.e). While it is technically easy for a web site owner to set the duration of information stored in the form of cookies to a long period of time, the principle of storage limitation implies a balancing act between the interest of tracking a visitor's behaviour and the interest of the visitor to keep their behaviour private. It's been established that a reasonable storage period does not exceed one year. Against that yardstick, several of the cookies listed above (for example _ga and IDE, both expiring two years after the audit) are set well beyond it.


localStorage

localStorage used:

Key | Value
1193436:session-data | v2_13418af8dafcd1de7fc8974d0fc95ce6_317edc57-3f2f-...
__CGu:8307841423775361000,s:1546992973,t:1576775665882...
_hjid | ba3eaa76-3d36-4899-931b-1f2f08c0967e
eng_mt | {"ver":27,"sessionStartTime":1576775665334,"scroll...
optimizely_data$$oeu1576775664792r0.43684453882158... | null
optimizely_data$$oeu1576775664792r0.43684453882158... | null
optimizely_data$$oeu1576775664792r0.43684453882158... | {}
optimizely_data$$oeu1576775664792r0.43684453882158... | []
optimizely_data$$oeu1576775664792r0.43684453882158... | {"lastSessionTimestamp":1576775664801,"sessionId":...
optimizely_data$$oeu1576775664792r0.43684453882158... | {}
optimizely_data$$oeu1576775664792r0.43684453882158... | {}
optimizely_data$$oeu1576775664792r0.43684453882158... | {"profile":{"visitorId":"oeu1576775664792r0.436844...
optimizely_data$$pending_events | {}
taboola global:user-id | 317edc57-3f2f-4785-baea-6fb9d9f2b92c-tuct4f53571

Note that the Hotjar identifier (_hjid), the Taboola user id (t_gid / taboola global:user-id) and the Optimizely visitor id (optimizelyEndUserId) are each stored both as a cookie and in localStorage, so clearing cookies alone does not remove these identifiers.


Third-party requests5757 requests (57 secure, 0 insecure) to 3636 unique hosts.

A third-party request is a request to a domain that's not transunion.com or one of its subdomains.

Host | IP | Country | Classification

stats.g.doubleclick.net | 172.217.197.157 | US | Disconnect (Google)
    https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j79&t...

static.hotjar.com | 147.75.39.63 | NL | Analytics (Hotjar)
    https://static.hotjar.com/c/hotjar-949432.js?sv=5

match.prod.bidr.io | 52.203.83.158 | US
    https://match.prod.bidr.io/cookie-sync/demandbase?_bee_ppp=1
    https://match.prod.bidr.io/cookie-sync/demandbase

segments.company-target.com | 13.249.44.81 | US | Analytics (Demandbase)
    https://segments.company-target.com/validateCookie?vendor=choca&user_i...
    https://segments.company-target.com/log?vendor=choca&user_id=AAUC4U679...

g.3gl.net | 93.184.216.38 | US
    https://g.3gl.net/jp/320/v3.2.0/M

www.googletagmanager.com | 172.217.12.232 | US | Disconnect (Google)
    https://www.googletagmanager.com/gtm.js?id=GTM-T8HG9X4

siteintercept.qualtrics.com | 104.17.209.240 | US
    https://siteintercept.qualtrics.com/WRSiteInterceptEngine/Targeting.ph...
    https://siteintercept.qualtrics.com/WRSiteInterceptEngine/Targeting.ph...
    https://siteintercept.qualtrics.com/dxjsmodule/CoreModule.js?Q_CLIENTV...
    https://siteintercept.qualtrics.com/WRSiteInterceptEngine/Targeting.ph...
    https://siteintercept.qualtrics.com/WRSiteInterceptEngine/Targeting.ph...

analytics.twitter.com | 104.244.42.131 | US | Disconnect (Twitter)
    https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=...

sp.analytics.yahoo.com | 76.13.32.146 | US
    https://sp.analytics.yahoo.com/spp.pl?a=10000&.yp=10014220&ec=TUHomepa...
    https://sp.analytics.yahoo.com/spp.pl?a=10001064297885&.yp=415148&et=T...
    https://sp.analytics.yahoo.com/spp.pl?a=10000&.yp=10079906

connect.facebook.net | 69.171.250.25 | US | Disconnect (Facebook)
    https://connect.facebook.net/signals/config/871078119587868?v=2.9.15&r...
    https://connect.facebook.net/en_US/fbevents.js

googleads.g.doubleclick.net | 172.217.7.194 | US | Disconnect (Google)
    https://googleads.g.doubleclick.net/pagead/viewthroughconversion/94596...

api.company-target.com | 13.249.44.72 | US | Analytics (Demandbase)
    https://api.company-target.com/api/v2/ip.json?referrer=&page=https%3A%...

cx.atdmt.com | 31.13.65.2 | IE | Advertising (Microsoft)
    https://cx.atdmt.com/?c=9239934406948647794&f=AYxZPDnFRUTCTIQv4DUYG8OK...

ad.doubleclick.net | 172.217.9.198 | US | Disconnect (Google)
    https://ad.doubleclick.net/activity;dc_pre=CI3prIubwuYCFQd_wQodbpYCTw;...
    https://ad.doubleclick.net/activity;dc_pre=CMDjrIubwuYCFUtrwQodbvAPcQ;...
    https://ad.doubleclick.net/activity;src=8524752;type=rmkt01;cat=trarm0...
    https://ad.doubleclick.net/activity;src=4395963;type=TUIVM0;cat=Trans0...

adservice.google.com | 172.217.7.194 | US
    https://adservice.google.com/ddm/fls/z/dc_pre=CI3prIubwuYCFQd_wQodbpYC...
    https://adservice.google.com/ddm/fls/z/dc_pre=CMDjrIubwuYCFUtrwQodbvAP...

cdn.optimizely.com | 23.195.249.8 | US | Content (Optimizely)
    https://cdn.optimizely.com/js/4242406432.js

cdn.taboola.com | 151.101.202.2 | US | Advertising (Taboola)
    https://cdn.taboola.com/libtrc/unip/1193436/tfa.js

logx.optimizely.com | 34.233.232.157 | US | Content (Optimizely)
    https://logx.optimizely.com/v1/events

www.facebook.com | 31.13.65.36 | IE | Disconnect (Facebook)
    https://www.facebook.com/tr/?id=871078119587868&ev=Microdata&dl=https%...
    https://www.facebook.com/tr/?id=871078119587868&ev=PageView&dl=https%3...

Full URL of the first www.facebook.com request above:
    https://www.facebook.com/tr/?id=871078119587868&ev=Microdata&dl=https%253A%252F%252Fwww.transunion.com%252F&rl=&if=false&ts=1576775666033&cd%5BDataLayer%5D=%255B%255D&cd%5BMeta%5D=%257B%2522title%2522%253A%2522Credit%20Scores%252C%20Credit%20Reports%20%2526%20Credit%20Check%20%257C%20TransUnion%2522%252C%2522meta%253Akeywords%2522%253A%2522TransUnion%252C%20credit%20score%252C%20credit%20report%252C%20credit%20check%2522%252C%2522meta%253Adescription%2522%253A%2522Transunion%20offers%20total%20credit%20protection%20all%20in%20one%20place%20from%20credit%20score%252C%20credit%20report%20and%20credit%20alert.%20Check%20your%20credit%20score%20today%20from%20TransUnion!%2522%257D&cd%5BOpenGraph%5D=%257B%2522og%253Atype%2522%253A%2522website%2522%252C%2522og%253Asite_name%2522%253A%2522TransUnion%2522%252C%2522og%253Aurl%2522%253A%2522https%253A%252F%252Fwww.transunion.com%252F%2522%252C%2522og%253Atitle%2522%253A%2522Credit%20Scores%252C%20Credit%20Reports%20%2526%20Credit%20Check%20%257C%20TransUnion%2522%252C%2522og%253Adescription%2522%253A%2522Transunion%20offers%20total%20credit%20protection%20all%20in%20one%20place%20from%20credit%20score%252C%20credit%20report%20and%20credit%20alert.%20Check%20your%20credit%20score%20today%20from%20TransUnion!%2522%257D&cd%5BSchema.org%5D=%255B%257B%2522dimensions%2522%253A%257B%2522h%2522%253A49%252C%2522w%2522%253A185%257D%252C%2522properties%2522%253A%257B%2522url%2522%253A%2522%252F%2522%257D%252C%2522subscopes%2522%253A%255B%255D%252C%2522type%2522%253A%2522http%253A%252F%252Fschema.org%252FOrganization%2522%257D%252C%257B%2522dimensions%2522%253A%257B%2522h%2522%253A65%252C%2522w%2522%253A280%257D%252C%2522properties%2522%253A%257B%2522sameAs%2522%253A%2522%252Fblog%252Fmain%2522%257D%252C%2522subscopes%2522%253A%255B%255D%252C%2522type%2522%253A%2522http%253A%252F%252Fschema.org%252FOrganization%2522%257D%255D&cd%5BJSON-LD%5D=%255B%255D&sw=800&sh=600&v=2.9.15&r=stable&ec=1&o=30&fbp=fb.1.1576775665526.1418031071&it=1576775665357&coo=false&es=automatic&tm=3&rqm=GET

r.3gl.net | 173.231.186.87 | US
    https://r.3gl.net/hawklogserver/r.p

scripts.demandbase.com | 13.249.44.77 | US | Analytics (Demandbase)
    https://scripts.demandbase.com/YZhT3gW1.min.js

a4242406432.cdn.optimizely.com | 104.119.29.102 | US | Content (Optimizely)
    https://a4242406432.cdn.optimizely.com/client_storage/a4242406432.html

members.transunion.ca | 74.117.129.102 | US
    https://members.transunion.ca/sites/tucan_en/assets/images/analytics.g...

hello.myfonts.net | 152.199.24.107 | US
    https://hello.myfonts.net/count/2ca963

t.co | 104.244.42.5 | US
    https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1ol6&events=%5B%...

www.googleadservices.com | 172.217.9.194 | US | Disconnect (Google)
    https://www.googleadservices.com/pagead/conversion_async.js

www.google.com | 172.217.13.228 | US
    https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-285...
    https://www.google.com/pagead/1p-user-list/945968994/?random=157677566...

vars.hotjar.com | 147.75.195.51 | US | Analytics (Hotjar)
    https://vars.hotjar.com/box-b736908ce6b0e933fad3a2e45df61b38.html

static.ads-twitter.com | 151.101.248.157 | US | Disconnect (Twitter)
    https://static.ads-twitter.com/uwt.js

zn74cvbyxcewl8l2z-transunioncxusa.siteintercept.qualtrics.com | 104.17.209.240 | US
    https://zn74cvbyxcewl8l2z-transunioncxusa.siteintercept.qualtrics.com/...

trc.taboola.com | 151.101.202.2 | US | Advertising (Taboola)
    https://trc.taboola.com/1193436/log/3/unip?en=page_view&tim=1576775665...
    https://trc.taboola.com/1193436/trc/3/json?tim=1576775665337&data=%7B%...

www.google-analytics.com | 172.217.15.110 | US | Disconnect (Google)
    https://www.google-analytics.com/collect?v=1&_v=j79&a=1324264946&t=pag...
    https://www.google-analytics.com/plugins/ua/linkid.js
    https://www.google-analytics.com/analytics.js

in.hotjar.com | 52.50.117.83 | IE | Analytics (Hotjar)
    https://in.hotjar.com/api/v2/client/sites/949432/visit-data?sv=5
    https://in.hotjar.com/api/v2/client/sites/949432/visit-data?sv=5
    https://in.hotjar.com/api/v2/client/sites/949432/visit-data?sv=5

zn8i03elsrj8ujesh-transunioncxusa.siteintercept.qualtrics.com | 104.17.209.240 | US
    https://zn8i03elsrj8ujesh-transunioncxusa.siteintercept.qualtrics.com/...

script.hotjar.com | 147.75.197.65 | JP | Analytics (Hotjar)
    https://script.hotjar.com/modules.7b8376ee918863f83692.js

bat.bing.com | 204.79.197.200 | US | Content (Microsoft)
    https://bat.bing.com/action/0?ti=4020018&Ver=2&mid=ec549770-3c44-94cb-...
    https://bat.bing.com/bat.js

GDPR: Rec. 69, Rec. 70, Art. 5.1.b-c, Art. 25.


Server location: The server www.transunion.com (66.175.240.138) appears to have been located in the United States of America during our test.


Raw headers

Header | Value
accept-ranges | none
cache-control | no-store, no-cache, must-revalidate, max-age=0
connection | Keep-Alive
content-encoding | gzip
content-language | en
content-security-policy | default-src 'self' *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com *.impactradius-event.com *.teads.tv *.passage.ai wss://tars-prod.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.vols7feed.com *.addthis.co *.amazon-adsystem.com *.youtube.com *.doubleclick.net *.company-target.com *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.adsrvr.org dmtry.com *.dmtry.com *.quantserve.com *.bluekai.com *.facebook.com *.demandbase.com doubleclick.net *.trustev.com *.yahoo.com *.atedra.com *.twitter.com *.bing.com crwdcntrl.net c.rstg.io cdn.nextinsure.com *.jquery.com cloudfront.net *.googleapis.com *.adnxs.com *.rlcdn.com investis.com adsrvr.org sharethrough.com adroll.com yimg.com amazonaws.com *.fastclick.net secure.leadback.advertising.com google-analytics.com *.ads-twitter.com *.openx.net *.zencdn.net googleadservices.com gstatic.com bidswitch.net *.media6degrees.com googletagmanager.com *.siteintercept.qualtrics.com *.qualtrics.com; script-src 'self' *.impactradius-event.com *.teads.tv *.passage.ai *.evenfinancial.com *.taboola.com *.quantcount.com *.transunion.com *.mxpnl.com *.vols7feed.com *.addthis.com *.googletagmanager.com *.optimizely.com *.pingdom.com *.cloudflare.com *.googleadservices.com *.youtube.com *.doubleclick.net *.google-analytics.com *.quantserve.com *.g.3gl.net *.eloqua.com *.crwdcntrl.net*.googleapis.com *.investis.com *.amazonaws.com *.cloudfront.net *.nextinsure.com *.lendingtree.com *.mediaplex.com *.demandbase.com *.jquery.com *.gstatic.com *.bing.com *.3gl.net *.yourscoreonline.com *.gofreecredit.com *.creditcheckingtoday.com *.naturaltracking.com*.credit.com *.facebook.com *.yimg.com *.ytimg.com *.quora.com *.ensighten.com *.d39se0h2uvfakd.cloudfront.net *.linkedin.com *.adsprotection.com *.brightcove.com *.hotjar.com *.adroll.com *.brightcove.net *.en25.com *.adsrvr.org *.abmr.net *.mathtag.com t2.rstg.io px.ads.linkedin.com vjs.zencdn.net *.twitter.com iad-login.dotomi.com snap.licdn.com sp.analytics.yahoo.com unpkg.com *.myfonts.net *.en25.com *.addthisedge.com *.zencdn.com *.s3.amazonaws.com cdn.ampproject.org *.company-target.com *.media6degrees.com *.ads-twitter.com cdn.mxpnl.com *.bizographics.com *.pingdom.net *.mbww.com *.entrust.net *.trustev.com *.mathtag.com *.googlesyndication.com *.google.com *.outbrain.com o1.qnsr.com *.facebook.net cas.cluep.com *.quizgnome.com *.siteintercept.qualtrics.com *.qualtrics.com *.pulseinsights.com blob: 'unsafe-eval' 'unsafe-inline'; child-src *.evenfinancial.com *.transunion.com blob: *.crwdcntrl.net *.cdn.optimizely.com *.addthis.com *.doubleclick.net *.lendingtree.com *.youtube.com *.hotjar.com *.mediaplex.com *.optimizely.com *.brightcove.net s.amazon-adsystem.com *.trustev.com *.mathtag.com *.qnsr.com *.facebook.com *.siteintercept.qualtrics.com *.qualtrics.com; connect-src'self' *.ifgza3.net *.passage.ai wss://tars-prod.passage.ai *.taboola.com *.transunion.com *.mixpanel.com *.optimizely.com *.youtube.com *.brightcovecdn.com *.pingdom.net *.brightcove.com manifest.prod.boltdns.net airbrake.io *.company-target.com r.3gl.net s7.addthis.com *.herokuapp.com unity.cadreon.com app.trustev.com *.hotjar.com wss://*.hotjar.com *.siteintercept.qualtrics.com *.qualtrics.com 'unsafe-eval'; media-src 'self' *.brightcove.com *.brightcovecdn.com *.prod.boltdns.net *.transunion.com blob: f1.media.brightcove.com; img-src * *.ifgza3.net *.ojrq.net *.tapad.com *.loggly.com *.rlcdn.com data:; font-src data: *.transunion.com *.gstatic.com *.company-target.com edge.api.brightcove.com r.3gl.net *.addthis.com *.herokuapp.com *.quora.com; style-src * 'unsafe-eval' 'unsafe-inline'; frame-ancestors *.transunion.com;
content-type | text/html;charset=UTF-8
date | Thu, 19 Dec 2019 17:14:24 GMT
keep-alive | timeout=10, max=89
pragma | no-cache
server | Transunion
set-cookie | JSESSIONID=535BD3098F9F3521EB1904EA7027CC3D; Path=/iw-runtime; Secure; HttpOnly
strict-transport-security | max-age=15768000; includeSubDomains
transfer-encoding | chunked
vary | Accept-Encoding
x-content-type-options | nosniff
x-frame-options | SAMEORIGIN
x-xss-protection | 1; mode=block