Common use of Cybersecurity and Data Protection Clause in Contracts

Cybersecurity and Data Protection. (A) There has been no security breach or incident, unauthorized access or disclosure, or other compromise of or relating to, the Company’s or its subsidiaries’ information technology and computer systems, networks, hardware, software, data and databases (including the data and information of their respective patients, customers, employees, suppliers, vendors and any third party data maintained, processed or stored by the Company or its subsidiaries, and any such data processed or stored by third parties on behalf of the Company or its subsidiaries), equipment or technology (collectively, “IT Systems and Data”), (B) neither the Company nor its subsidiaries have been notified of, and have no knowledge of any event or condition that would result in, any security breach or incident, unauthorized access or disclosure of or other compromise to their IT Systems and Data and (C) the Company and its subsidiaries have implemented appropriate controls, policies, procedures, and technological safeguards to maintain and protect the integrity, continuous operation, redundancy, disaster recovery and security of their IT Systems and Data consistent with industry standards and practices, or as required by applicable data protection laws, Healthcare Laws and regulatory standards, except with respect to clauses (A) and (B), for any such security breach or incident, unauthorized access or disclosure, or other compromises, as would not, individually or in the aggregate, have a Material Adverse Effect, or with respect to clause (C), where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect. The Company and its subsidiaries are presently in compliance in all material respects with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of the IT Systems and Data, including the collection, use, transfer, processing, disposal, disclosure, handling, storage and analysis of personally identifiable information, protected health information, consumer information and other confidential information of the Company, its subsidiaries and any third parties in their possession, and the protection of such IT Systems and Data from unauthorized use, access, misappropriation or modification.

Cybersecurity and Data Protection. (A) There has been no security breach or incident, unauthorized access or disclosure, or other compromise of or relating to, The Company and the Company’s or its subsidiariesSubsidiaries’ information technology assets and computer equipment, computers, systems, networks, hardware, software, data websites, applications, and databases (including collectively, the data and information of their respective patients, customers, employees, suppliers, vendors and any third party data maintained, processed or stored by the Company or its subsidiaries“IT Systems”) are adequate for, and any such data processed or stored by third parties on behalf operate and perform in all material respects as required in connection with the operation of the business of the Company or its subsidiaries), equipment or technology (collectively, “IT Systems and Data”), (B) neither the Company nor its subsidiaries have been notified ofSubsidiaries as currently conducted, and have no to the knowledge of any event or condition that would result in, any security breach or incident, unauthorized access or disclosure of or other compromise to their IT Systems and Data and (C) the Company and its subsidiaries the Subsidiaries free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. The Company and the Subsidiaries have implemented appropriate and maintained commercially reasonable controls, policies, procedures, and technological safeguards to maintain and protect their material confidential information and the integrity, continuous operation, redundancy, disaster recovery redundancy and security of their all IT Systems and Data consistent data (including all personal, personally identifiable, sensitive, confidential or regulated data (the “Personal Data”)) used in connection with industry standards their businesses, and practicesthere have been no breaches, violations, outages or as required by applicable data protection laws, Healthcare Laws and regulatory standardsunauthorized uses of or accesses to same, except with respect to clauses (A) and (B), for any such security breach or incident, unauthorized access or disclosure, or other compromises, as those that would not, individually or in the aggregate, not have a Material Adverse EffectEvent or have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or with respect investigations relating to clause (C)the same that the Company believes, where the failure in good faith, are reasonably likely to do so would not, individually or in the aggregate, have constitute a Material Adverse EffectEvent. The Company and its subsidiaries the Subsidiaries are presently in material compliance in all material respects with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of the IT Systems and Data, including the collection, use, transfer, processing, disposal, disclosure, handling, storage Personal Data and analysis of personally identifiable information, protected health information, consumer information and other confidential information of the Company, its subsidiaries and any third parties in their possession, and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification. The statements disclosed and materials used as the basis of information contained in the Registration Statement, the Pricing Disclosure Package and the Prospectus relating to the cybersecurity review of the Company and its Subsidiaries and other cybersecurity and data privacy related matters in the sections headed “Prospectus Summary,” “Risk Factors,” and “Regulation” are complete, true and accurate in all material respects and in light of the circumstances under which they were made, not misleading.

Cybersecurity and Data Protection. (A) There has been no security breach or incident, unauthorized access or disclosure, or other compromise of or relating to, to the Company’s or its subsidiaries’ information technology and computer systems, networks, hardware, software, data and databases (including the data and information of their respective patients, customers, employees, suppliers, vendors and any third party data maintained, processed or stored by the Company or its subsidiaries, and any such data processed or stored by third parties on behalf of the Company or its subsidiaries), equipment or technology (collectively, “IT Systems and Data”), except as would not, individually or in the aggregate, have a Material Adverse Effect; (B) neither the Company nor its subsidiaries have been notified of, and or have no any knowledge of any event or condition that would could result in, any security breach or incident, unauthorized access or disclosure of or other compromise to their IT Systems and Data and (C) the Company and its subsidiaries have implemented appropriate controls, policies, procedures, and technological safeguards to maintain and protect the integrity, continuous operation, redundancy, disaster recovery redundancy and security of their IT Systems and Data reasonably consistent with industry standards and practices, or as required by applicable data protection laws, Healthcare Laws and regulatory standards, except with respect to clauses (A) and (B), for any such security breach or incident, unauthorized access or disclosure, or other compromises, as would not, individually or in the aggregate, have a Material Adverse Effect, or with respect to clause (C), where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect. The Company and its subsidiaries are presently in compliance in all material respects with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of the IT Systems and Data, including the collection, use, transfer, processing, disposal, disclosure, handling, storage and analysis of personally identifiable information, protected health information, consumer information and other confidential information of the Company, its subsidiaries and any third parties in their possessionpossession (“Sensitive Company Data”), and to the protection of such IT Systems and Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have taken all reasonable steps necessary to maintain the confidentiality of the Sensitive Company Data. The Company and its subsidiaries have not received any notice, claim, complaint, demand or letter from any person in respect of their businesses under applicable data security and data protection laws and regulations and industry standards regarding misuse, loss, unauthorized destruction or unauthorized disclosure of any Sensitive Company Data. There has been no unauthorized or illegal use of or access to any Sensitive Company Data by any third party. The Company and its subsidiaries have not been required to notify any individual or data protection authority of any information security breach, compromise or incident involving Sensitive Company Data.

Cybersecurity and Data Protection. Except as would not reasonably be expected to, singly or in the aggregate, result in a Material Adverse Effect, (A) There there has been no security breach or incident, unauthorized access or disclosure, or other compromise of or relating to, to the Company’s or its subsidiaries’ information technology and computer systems, networks, hardware, software, data and databases (including the data and information of their respective patients, customers, employees, suppliers, vendors and any third party data maintained, processed or stored by the Company or its subsidiaries, and any such data processed or stored by third parties on behalf of the Company or its subsidiaries), equipment or technology (collectively, “IT Systems and Data”), ; (B) neither the Company nor its subsidiaries have been notified of, and nor have no any knowledge of any event or condition that would result in, any security breach or incident, unauthorized access or disclosure of or other compromise to their IT Systems and Data and Data; (C) the Company and its subsidiaries have implemented appropriate controls, policies, procedures, and technological safeguards to maintain and protect the integrity, continuous operation, redundancy, disaster recovery redundancy and security of their IT Systems and Data reasonably consistent with industry standards and practices, or as required by applicable data protection laws, Healthcare Laws and regulatory standards; (D) the IT Systems and Data are adequate and operational for, except in accordance with respect their documentation and functional specifications, the business of the Company and its subsidiaries as now operated by them and as currently proposed to clauses (A) be operated as described in the Registration Statement and the Prospectus; and (B), for any such security breach or incident, unauthorized access or disclosure, or other compromises, as would not, individually or in E) the aggregate, have a Material Adverse Effect, or with respect to clause (C), where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect. The Company and its subsidiaries are presently in compliance in all material respects with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of the IT Systems and Data, including the collection, use, transfer, processing, disposal, disclosure, handling, storage and analysis of personally identifiable information, protected health information, consumer information and other confidential information of the Company, its subsidiaries and any third parties in their possessionpossession (“Sensitive Company Data”), and to the protection of such IT Systems and Data and Sensitive Company Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have taken all reasonable steps necessary to maintain the confidentiality of the Sensitive Company Data. The Company and its subsidiaries have not received any written notice, claim, complaint, demand or letter from any person or Governmental Entity in respect of their businesses under applicable data security and data protection laws and regulations and industry standards regarding misuse, loss, unauthorized destruction or unauthorized disclosure of any Sensitive Company Data. To the Company’s knowledge, there has been no unauthorized or illegal use of or access to any Sensitive Company Data by any third party. The Company and its subsidiaries have not been required to notify any individual, Governmental Entity or data protection authority of any information security breach, compromise or incident involving Sensitive Company Data and, to the Company’s knowledge, are not the subject of any inquiry or investigation by any Governmental Entity or data protection authority regarding any of the foregoing.

Cybersecurity and Data Protection. (Ai) There (x) To the Company’s knowledge, there has been no material security breach or incident, unauthorized access or disclosure, or other material compromise of or relating to, to any of the Company’s or its subsidiaries’ information technology and computer systems, networks, hardware, software, data and databases (including the data and information of their respective patients, customers, employees, suppliers, vendors and any third third-party data maintained, processed maintained by or stored by the Company or its subsidiaries, and any such data processed or stored by third parties on behalf of the Company or its subsidiariesthem), equipment or technology (collectively, “IT Systems and Data”), ) and (By) neither the Company nor its subsidiaries have has not been notified of, and have has no knowledge of any event or condition that would reasonably be expected to result in, any material security breach or incident, unauthorized access or disclosure of or other material compromise to their IT Systems and Data and Data; (Cii) the Company and its subsidiaries have implemented appropriate controls, policies, procedures, and technological safeguards to maintain and protect the integrity, continuous operation, redundancy, disaster recovery and security of their IT Systems and Data consistent with industry standards and practices, or as required by applicable data protection laws, Healthcare Laws and regulatory standards, except with respect to clauses (A) and (B), for any such security breach or incident, unauthorized access or disclosure, or other compromises, as would not, individually or in the aggregate, have a Material Adverse Effect, or with respect to clause (C), where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect. The Company and its subsidiaries are is presently in compliance in all material respects with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of the IT Systems and Data, including the collection, use, transfer, processing, disposal, disclosure, handling, storage Data and analysis of personally identifiable information, protected health information, consumer information and other confidential information of the Company, its subsidiaries and any third parties in their possession, and to the protection of such IT Systems and Data from unauthorized use, access, misappropriation or modification, and (iii) the Company has implemented backup and disaster recovery technology consistent with industry standards and practices; except as would not, in the case of clause (ii) and (iii) hereof, individually or in the aggregate, result in a Material Adverse Effect. The Company has adopted and maintains data privacy and security policies designed to comply with all applicable laws, and each of the Company and the Subsidiaries has at all times complied with all applicable policies and third-party obligations (imposed by applicable laws, regulations or contracts) regarding the collection, use, transfer, storage, protection, disposal and disclosure by the Company and the Subsidiaries of personally identifiable information and data and any other information and data collected from or provided by third parties as well as data that may constitute trade secrets and working secrets of any Governmental Authority or would otherwise be detrimental to national security or public interest pursuant to the applicable laws in all material respects. The Company and the Subsidiaries have taken all commercially reasonable steps to protect the information technology systems and data used in connection with the operation of the Company and the Subsidiaries and/or the offering. There has been no material security breach or attack or other compromise of or relating to any such information technology systems or data, and, no material action, suit or proceeding (including, without limitation, governmental investigations or inquiries) by or before any Governmental Authority involving the Company or any of the Subsidiaries with respect to applicable cybersecurity, data privacy and security and confidentiality or archive administration laws is pending or threatened. The Company has not been informed by any Governmental Authority that the Company must file for a cybersecurity review under the Cybersecurity Review Measures of the Cyberspace Administration of China, which came into effect on February 25, 2022. The Company will use reasonable best efforts to fully cooperate once being informed by any Governmental Authority of any such cybersecurity review and report to the Cybersecurity Review Office once relevant network products and services provided by the Company may affect national security and is required by applicable Laws to make such report. The Company has not been designated as a “critical information infrastructure” operator by the Cyberspace Administration of China or any other Governmental Authority.

Cybersecurity and Data Protection. Except as would not, singly or in the aggregate, have or reasonably be expected to have a Material Adverse Effect: (A) There there has been no security breach or incident, unauthorized access or disclosure, or other compromise of or relating to, to the Company’s or its subsidiaries’ information technology and computer systems, networks, hardware, software, data and databases (including the data and information of their respective patients, customers, employees, suppliers, vendors and any third party data maintained, processed or stored by the Company or its subsidiaries, and any such data processed or stored by third parties on behalf of the Company or its subsidiaries), equipment or technology (collectively, “IT Systems and Data”), ; (B) neither the Company nor its subsidiaries have been notified of, and nor have no any knowledge of any event or condition that would result in, any security breach or incident, unauthorized access or disclosure of or other compromise to their IT Systems and Data and Data; (C) the Company and its subsidiaries have implemented appropriate controls, policies, procedures, and technological safeguards to maintain and protect the integrity, continuous operation, redundancy, disaster recovery redundancy and security of their IT Systems and Data reasonably consistent with industry standards and practices, or as required by applicable data protection laws, Healthcare Laws and regulatory standards, except with respect to clauses (A) ; and (B), for any such security breach or incident, unauthorized access or disclosure, or other compromises, as would not, individually or in D) the aggregate, have a Material Adverse Effect, or with respect to clause (C), where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect. The Company and its subsidiaries are presently in compliance in all material respects with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of the IT Systems and Data, including the collection, use, transfer, processing, disposal, disclosure, handling, storage and analysis of personally identifiable information, protected health information, consumer information and other confidential information of the Company, its subsidiaries and any third parties in their possessionpossession (“Sensitive Company Data”), and to the protection of such IT Systems and Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have taken all reasonable steps necessary to maintain the confidentiality of the Sensitive Company Data. The Company and its subsidiaries have not received any written notice, claim, complaint, demand or letter from any person in respect of their businesses under applicable data security and data protection laws and regulations and industry standards regarding misuse, loss, unauthorized destruction or unauthorized disclosure of any Sensitive Company Data. There has been no unauthorized or illegal use of or access to any Sensitive Company Data by any third party. The Company and its subsidiaries have not been required to notify any individual or data protection authority of any information security breach, compromise or incident involving Sensitive Company Data.

Cybersecurity and Data Protection. (A) There has been no security breach or incident, unauthorized access or disclosure, or other compromise of or relating toExcept as disclosed in the Hong Kong Public Offering Documents, the Company’s or its subsidiariesCompany and the Subsidiaries’ information technology assets and computer equipment, computers, systems, networks, hardware, software, data websites, applications, and databases (including the data and information of their respective patients, customers, employees, suppliers, vendors and any third party data maintained, processed or stored by the Company or its subsidiaries, and any such data processed or stored by third parties on behalf of the Company or its subsidiaries), equipment or technology (collectively, “IT Systems and DataSystems”), (B) neither the Company nor its subsidiaries have been notified ofare adequate for, and have no knowledge operate and perform as required in connection with the operation of any event or condition that would result in, any security breach or incident, unauthorized access or disclosure the business of or other compromise to their IT Systems and Data and (C) the Company and its subsidiaries the Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. The Company and the Subsidiaries have implemented appropriate and maintained adequate controls, policies, procedures, and technological safeguards to maintain and protect and their users’ material confidential information and the integrity, continuous operation, redundancy, disaster recovery redundancy and security of their all IT Systems and Data consistent data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with industry standards their businesses, and practicesthere have been no breaches, violations, outages or as required by applicable data protection laws, Healthcare Laws and regulatory standardsunauthorized uses of or accesses to same, except with respect for those that have been remedied without material cost or liability or the duty to clauses (A) and (B), for notify any such security breach or incident, unauthorized access or disclosure, or other compromises, person. Except as would not, individually or disclosed in the aggregateHong Kong Public Offering Documents, have a Material Adverse Effect, or with respect to clause (C), where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect. The Company and its subsidiaries the Subsidiaries are presently in compliance in all material respects with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authorityauthority (including the PRC Cyber Security Law, the PRC Data Security Law, the PRC Personal Information Protection Law, and the related regulations and rules), internal policies and contractual obligations relating to the privacy and security of the IT Systems and Data, including the collection, use, transfer, processing, disposal, disclosure, handling, storage Personal Data and analysis of personally identifiable information, protected health information, consumer information and other confidential information of the Company, its subsidiaries and any third parties in their possession, and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification. Neither the Company nor any Subsidiaries has received any claim for compensation from any person in respect of its business under the applicable data protection Laws and industry standards in respect of inaccuracy, loss, unauthorized destruction or unauthorized disclosure of data in the previous three years except to the extent any such claim would not, individually or in the aggregate, result in a Material Adverse Effect. Neither the Company nor any Subsidiaries is subject to any material investigation, inquiry, or sanction relating to cybersecurity or data privacy or any cybersecurity review from the Cyberspace Administration of China (the “CAC”), the China Securities Regulatory Commission (the “CSRC”), or any other relevant Governmental Authority. Neither the Company nor any Subsidiaries has been notified by any Governmental Authority of being classified as a critical information infrastructure operator under the Cybersecurity Review Measures. Neither the Company nor any of its Subsidiaries has received any objection to this Offering or the transactions contemplated under this Agreement from the CSRC, the CAC or any other relevant PRC Governmental Authority.