Common use of Cybersecurity and Data Protection Clause in Contracts

Cybersecurity and Data Protection. (a) Except as set forth in Schedule 4.22(a) of the Disclosure Letter, the information technology systems used in the business of each Credit Party and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit the Credit Parties and their respective Subsidiaries to conduct their business as presently conducted in the Territory. (b) Except as set forth on Schedule 4.22(b) of the Disclosure Letter, Parent and its Subsidiaries have implemented and maintain a commercially reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect from any unauthorized access, acquisition, use, control, disclosure, destruction or modification, (i) any information subject to Data Protection Laws, (ii) any information and other materials in which Parent or any of its Subsidiaries have Intellectual Property rights (including material Company IP) or nondisclosure obligations, (iii) Regulatory Submission Materials and (iv) each System. (c) Except as set forth on Schedule 4.22(c) of the Disclosure Letter, neither Parent nor any of its Subsidiaries, nor to the Knowledge of Parent, any vendor of Parent or any of its Subsidiaries, has suffered any material data breaches or other incidents that have resulted in (i) any unauthorized access, acquisition, use, control, disclosure, destruction or modification of any information subject to Data Protection Laws, any information or other materials subject to non-disclosure obligations, any material Company IP or any Regulatory Submission Materials, or (ii) any unauthorized access to or acquisition, use, control or disruption of any of the Systems. (d) Parent and each of its Subsidiaries is in material compliance with the requirements of (i) their respective enterprise-wide privacy and information security programs, (ii) Data Protection Laws, (iii) all Material Contracts regarding the privacy and security of customer, consumer, patient, clinical trial participant, employee and other personal data, (iv) their respective contractual non-disclosure obligations and (v) their respective published privacy policies. (e) In the past six (6) years: (i) there have not been any material third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that Parent or any of its Subsidiaries creates, receives, maintains or transmits; and (ii) neither Parent nor any of its Subsidiaries has received any written notice of any claims, investigations (including investigations by any Governmental Authority), or alleged violations relating to any information subject to Data Protection Laws created, received, maintained or transmitted by Parent or any of its Subsidiaries.

Cybersecurity and Data Protection. (a) Except as set forth in Schedule 4.22(a) of the Disclosure Letter, the The information technology systems used in the business of each Credit Party Borrower and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit the Credit Parties Borrower and their respective its Subsidiaries to conduct their business as presently conducted conducted. Neither Borrower, nor any of its Subsidiaries, nor to the Knowledge of Borrower, any vendor of Borrower or any of its Subsidiaries, has suffered any data breaches that (A) have resulted in any unauthorized access, acquisition, use, control, disclosure, destruction, or modification of any information subject to Data Protection Laws or any Company IP, or (B) have resulted in unauthorized access to, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries. Except as would not cause or could not be reasonably expected to result in, individually or in the Territory. aggregate, a Material Adverse Change, (bi) Except as set forth on Schedule 4.22(b) of the Disclosure Letter, Parent Borrower and its Subsidiaries have implemented and maintain a commercially reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect information subject to Data Protection Laws and the information technology systems of Borrower and each of its Subsidiaries from any unauthorized access, acquisition, use, control, disclosure, destruction or modification, (i) any information subject to Data Protection Laws, (ii) any information and other materials in which Parent or any of its Subsidiaries have Intellectual Property rights (including material Company IP) or nondisclosure obligations, (iii) Regulatory Submission Materials and (iv) each System. (c) Except as set forth on Schedule 4.22(c) of the Disclosure Letter, neither Parent nor any of its Subsidiaries, nor to the Knowledge of Parent, any vendor of Parent or any of its Subsidiaries, has suffered any material data breaches or other incidents that have resulted in (i) any unauthorized access, acquisition, use, control, disclosure, destruction or modification of any information subject to Data Protection Laws, any information or other materials subject to non-disclosure obligations, any material Company IP or any Regulatory Submission Materials, or (ii) any unauthorized access to or acquisition, use, control or disruption of any of the Systems. (d) Parent Borrower and each of its Subsidiaries is in material compliance with the requirements all applicable Requirements of (i) their respective enterprise-wide privacy Law and information security programs, (ii) Data Protection Laws, (iii) all Material Contracts regarding the privacy and security of customer, consumer, patient, clinical trial participant, employee and other personal data, (iv) their respective contractual non-disclosure obligations data and (v) is compliant with their respective published privacy policies. policies and (e) In the past six (6) years: (iiii) there have not been any material incidents of, or, to the Knowledge of Borrower, any third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that Parent Borrower or any of its Subsidiaries creates, receives, maintains maintains, or transmits; and . (iib) Except as would not cause or could not be reasonably expected to result in, individually or in the aggregate, a Material Adverse Change, neither Parent Borrower nor any of its Subsidiaries has received any written notice of any claims, investigations (including investigations by any Governmental Authority), or alleged violations relating of any Requirements of Law with respect to any information subject to Data Protection Laws created, received, maintained maintained, or transmitted by Parent Borrower or any of its Subsidiaries.

Cybersecurity and Data Protection. (a) Except as set forth in Schedule 4.22(a) of the Disclosure Letter, the information technology systems used in the business of each Credit Party of Parent and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit the Credit Parties each of Parent and their respective its Subsidiaries to conduct their business respective businesses as presently conducted in the their respective Specified Territory. (b) Except as set forth on Schedule 4.22(b) of the Disclosure Letter, Parent and each of its Subsidiaries have has implemented and maintain maintains a commercially reasonable enterprise-wide privacy and information security program with plans, policies and procedures for (“Security Program”) that addresses privacy, physical and cyber security, disaster recovery, business continuity and incident response, including and that includes reasonable and appropriate administrative, technical and physical safeguards that are designed to protect from the integrity and availability of the Systems and to protect against (i) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, processing, loss, destruction, or modification of Personal Data that would require notification to affected individuals or any Governmental Authority under any applicable Data Protection Law (each, a “Personal Data Breach”), (ii) any unauthorized accessor unlawful access to or acquisition, use, disclosure, or loss of Sensitive Information that is not Personal Data, and (iii) material security incidents that would result in unauthorized or unlawful access to or acquisition, use, control, disclosuredisruption, destruction destruction, or modification, (i) any information subject to Data Protection Laws, (ii) any information and other materials in which Parent or modification of any of its Subsidiaries have Intellectual Property rights the Systems (including material Company IP) or nondisclosure obligationseach, (iii) Regulatory Submission Materials and (iv) each Systema “Security Incident”). (c) Parent and each of its Subsidiaries has conducted commercially reasonable privacy and security audits and penetration tests at reasonable intervals on all Systems that maintain, store, or process Sensitive Information. Parent and each of its Subsidiaries has addressed all material privacy or data security issues identified as “critical,” “high risk,” or similar level of risk rating that are raised in any such audits or penetration tests (including any third party audits of the Systems). (d) [Reserved] (e) Except as set forth on Schedule 4.22(c4.22(e) of the Disclosure Letter, and except as would not reasonably be expected to result in a Material Adverse Change, to the Knowledge of Parent neither Parent nor any of its Subsidiaries, nor to has, in the Knowledge of Parentpast three (3) years, any vendor of Parent or any of its Subsidiaries, has suffered any material data breaches or other incidents that have resulted in (i) any unauthorized access, acquisition, use, control, disclosure, destruction or modification of any information subject to Data Protection Laws, any information or other materials subject to non-disclosure obligations, any material Company IP or any Regulatory Submission Materials, or (ii) any unauthorized access to or acquisition, use, control or disruption of any of the SystemsSecurity Incidents. (df) Parent and each of its Subsidiaries is in material compliance with the requirements of (i) their respective enterprise-wide privacy and information security programsSecurity Programs, (ii) applicable Data Protection Laws, (iii) all Material Contracts their respective contractual obligations regarding the privacy privacy, security, and security notification of breaches of customer, consumer, patient, clinical trial participant, employee employee, and other personal dataPersonal Data, (iv) their respective contractual non-disclosure obligations obligations, and (v) their respective published publicly available privacy notices and policies. (eg) In Except as set forth on Schedule 4.22(g) of the Disclosure Letter, in the past six (6) years: (i) there have not been any material third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that neither Parent or nor any of its Subsidiaries createshas received any written third party claims or, receivesto the Knowledge of Parent, maintains or transmitsany threat (in writing) of a third party claim, related to any Personal Data Breaches; and (ii) neither Parent nor any of its Subsidiaries has received any written notice of any claims, investigations (including investigations by any Governmental Authority), or alleged violations relating to any information subject to Personal Data Breaches. (h) Parent and each of its Subsidiaries has maintained all database registrations required under applicable Data Protection Laws created, received, maintained or transmitted by Parent or any of its SubsidiariesLaws.

Cybersecurity and Data Protection. (a) Except as set forth in Schedule 4.22(a) of the Disclosure Letter, the The information technology systems used in the business of each Credit Party the Parent and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit the Credit Parties Parent and their respective its Subsidiaries to conduct their business as presently conducted conducted. Neither Parent, nor any of its Subsidiaries, nor to the knowledge of the Loan Parties, any vendor of Parent or any of its Subsidiaries, has suffered any data breaches that (i) have resulted in any unauthorized access, acquisition, use, control, disclosure, destruction, or modification of any information subject to Data Protection Laws or any material Intellectual Property of Parent and its Subsidiaries, or (ii) have resulted in unauthorized access to, control of, or disruption of the Territoryinformation technology systems of Parent or any of its Subsidiaries. (b) Except as set forth on Schedule 4.22(bwould not cause or could not be reasonably expected to result in, individually or in the aggregate, a Material Adverse Effect, (i) of the Disclosure Letter, Parent and its Subsidiaries have implemented and maintain a commercially reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect information subject to Data Protection Laws and the information technology systems of Parent and each of its Subsidiaries from any unauthorized access, acquisition, use, control, disclosure, destruction or modification, (i) any information subject to Data Protection Laws, (ii) any information and other materials in which Parent or any of its Subsidiaries have Intellectual Property rights (including material Company IP) or nondisclosure obligations, (iii) Regulatory Submission Materials and (iv) each System. (c) Except as set forth on Schedule 4.22(c) of the Disclosure Letter, neither Parent nor any of its Subsidiaries, nor to the Knowledge of Parent, any vendor of Parent or any of its Subsidiaries, has suffered any material data breaches or other incidents that have resulted in (i) any unauthorized access, acquisition, use, control, disclosure, destruction or modification of any information subject to Data Protection Laws, any information or other materials subject to non-disclosure obligations, any material Company IP or any Regulatory Submission Materials, or (ii) any unauthorized access to or acquisition, use, control or disruption of any of the Systems. (d) Parent and each of its Subsidiaries is in material compliance with the all applicable requirements of (i) their respective enterprise-wide privacy law and information security programs, (ii) Data Protection Laws, (iii) all Material Contracts regarding the privacy and security of customer, consumer, patient, clinical trial participant, employee and other personal data, (iv) their respective contractual non-disclosure obligations data and (v) is compliant with their respective published privacy policies. policies and (e) In the past six (6) years: (iiii) there have not been any material incidents of, or, to the knowledge of the Loan Parties, any third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that Parent or any of its Subsidiaries creates, receives, maintains maintains, or transmits; and (ii) neither Parent nor any of its Subsidiaries has received any written notice of any claims, investigations (including investigations by any Governmental Authority), or alleged violations relating to any information subject to Data Protection Laws created, received, maintained or transmitted by Parent or any of its Subsidiaries.

Cybersecurity and Data Protection. (a) Except as set forth in Schedule 4.22(a) of the Disclosure Letter, the information technology systems used in the business of each Credit Party Borrower and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit the Credit Parties Borrower and their respective its Subsidiaries to conduct their business as presently conducted in the Territory. (b) conducted. Except as set forth on Schedule 4.22(b4.22(a) of the Disclosure Letter, Parent Borrower and its Subsidiaries have implemented and maintain a commercially reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect information subject to Data Protection Laws as well as information and other materials in which Borrower or any of its Subsidiaries have Intellectual Property rights (including Company IP) or nondisclosure obligations, and the information technology systems of Borrower and each of its Subsidiaries, from any unauthorized access, use, control, disclosure, destruction or modification. Except as set forth on Schedule 4.22(a) of the Disclosure Letter, neither Borrower nor any of its Subsidiaries, nor to the Knowledge of Borrower, any vendor of Borrower or any of its Subsidiaries, has suffered any data breaches or other incidents that have resulted in such unauthorized access, acquisition, use, control, disclosure, destruction or modificationdestruction, (i) any information subject to Data Protection Laws, (ii) any information and other materials in which Parent or any of its Subsidiaries have Intellectual Property rights (including material Company IP) or nondisclosure obligations, (iii) Regulatory Submission Materials and (iv) each System. (c) Except as set forth on Schedule 4.22(c) of the Disclosure Letter, neither Parent nor any of its Subsidiaries, nor to the Knowledge of Parent, any vendor of Parent or any of its Subsidiaries, has suffered any material data breaches or other incidents that have resulted in (i) any unauthorized access, acquisition, use, control, disclosure, destruction or modification of any information subject to Data Protection Laws, any information or other materials subject to non-disclosure obligations, obligations or any material Company IP or any Regulatory Submission MaterialsIP, or (ii) any have resulted in such unauthorized access to or acquisition, useto, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries, as could have a material adverse effect on the Systems. (d) Parent Company and its Subsidiaries as a whole. Borrower and each of its Subsidiaries is in material compliance with the requirements of (iA) their respective enterprise-wide privacy and information security programs, (iiB) Data Protection Laws, (iiiC) all Material Contracts regarding the privacy and security of customer, consumer, patient, clinical trial participant, employee and other personal data, (ivD) their respective contractual non-disclosure obligations and (vE) their respective published privacy policies. (e) . In the past six (6) years: (i) , there have not been any material third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that Parent Borrower or any of its Subsidiaries creates, receives, maintains maintains, or transmits; and . (iib) In the past six (6) years, neither Parent Borrower nor any of its Subsidiaries has received any written notice of any claims, investigations (including investigations by any Governmental Authority), or alleged violations relating to any information subject to Data Protection Laws created, received, maintained or transmitted by Parent Borrower or any of its Subsidiaries.

Cybersecurity and Data Protection. (a) Except as set forth in on Schedule 4.22(a) of the Disclosure Letter, to the Knowledge of the Borrower, the information technology systems used in the business of each Credit Party Borrower and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit the Credit Parties Borrower and their respective its Subsidiaries to conduct their business as presently conducted in the Territory. (b) conducted. Except as set forth on Schedule 4.22(b4.22(a) of the Disclosure Letter, Parent Borrower and its Subsidiaries have implemented and maintain a commercially reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect information subject to Data Protection Laws, Company IP and the information technology systems of Borrower and each of its Subsidiaries, from any unauthorized access, use, control, disclosure, destruction or modification. Except as set forth on Schedule 4.22(a) of the Disclosure Letter, to the Knowledge of Borrower, neither Borrower nor any of its Subsidiaries, nor to the Knowledge of Borrower, any vendor of Borrower or any of its Subsidiaries, has, in the past [**], suffered any data breaches or other incidents that (i) have resulted in any unauthorized access, acquisition, use, control, disclosure, destruction or modificationdestruction, (i) any information subject to Data Protection Laws, (ii) any information and other materials in which Parent or any of its Subsidiaries have Intellectual Property rights (including material Company IP) or nondisclosure obligations, (iii) Regulatory Submission Materials and (iv) each System. (c) Except as set forth on Schedule 4.22(c) of the Disclosure Letter, neither Parent nor any of its Subsidiaries, nor to the Knowledge of Parent, any vendor of Parent or any of its Subsidiaries, has suffered any material data breaches or other incidents that have resulted in (i) any unauthorized access, acquisition, use, control, disclosure, destruction or modification of any information subject to Data Protection Laws, any information Laws or other materials subject to non-disclosure obligations, any material Company IP or any Regulatory Submission MaterialsIP, or (ii) any have resulted in unauthorized access to or acquisition, useto, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries. Except as would not cause or could not be reasonably expected to result in, individually or in the Systems. (d) Parent aggregate, a Material Adverse Change, to the Knowledge of Borrower, Borrower and each of its Subsidiaries is in material compliance with the requirements of (iA) their respective enterprise-wide privacy and information security programs, ; (iiB) Data Protection Laws, Laws and (iiiC) all Material Contracts regarding the privacy and security of customer, consumer, patient, clinical trial participant, employee and other personal data, (iv) their respective contractual non-disclosure obligations and (v) their respective published privacy policies. (e) . In the past six (6) years: (i) [**], there have not been any material any, to the Knowledge of Borrower, third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that Parent Borrower or any of its Subsidiaries creates, receives, maintains maintains, or transmits; and . (iib) Except as would not cause or could not be reasonably expected to result in, individually or in the aggregate, a Material Adverse Change, to the Knowledge of Borrower, neither Parent Borrower nor any of its Subsidiaries has received any written notice of any claims, investigations (including investigations by any Governmental Authority), or alleged violations relating to any information subject to Data Protection Laws created, received, maintained or transmitted by Parent Borrower or any of its Subsidiaries.