Common use of Cybersecurity and Data Protection Clause in Contracts

Cybersecurity and Data Protection. (a) Except as set forth in Schedule 4.22(a) of the Disclosure Letter, to the Knowledge of such Credit Party, the information technology systems used in the business of each of Borrower and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit each of Borrower and its Subsidiaries to conduct their respective businesses as presently conducted in their respective Territory. To the Knowledge of such Credit Party, no System contains any material ransomware, disabling codes or instructions, spyware, Trojan horses, worms, viruses or other software routines that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to Sensitive Information. Borrower and its Subsidiaries have and maintain back-up systems, consistent with the industry in which Borrower and each of its Subsidiaries operate and the size and condition of Borrower and its Subsidiaries, designed to provide continuing availability of the material functionality provided by the Systems in the event of any malfunction of, or other event materially interrupting access to or the functionality of, such Systems. Borrower and its Subsidiaries use commercially reasonable efforts to promptly implement material security patches that are generally available for the Systems. (b) Except as set forth on Schedule 4.22(b) of the Disclosure Letter, Borrower and each of its Subsidiaries has implemented and maintains a commercially reasonable, enterprise-wide privacy and information security program (“Security Program”) with plans, policies, and procedures for privacy, physical and cyber security, disaster recovery, business continuity, incident detection, and incident response, and that includes commercially reasonable and appropriate administrative, technical and physical safeguards designed to protect the integrity and availability of the Systems, consistent with the industry in which Borrower and each of its Subsidiaries operate and the size and condition of Borrower and its Subsidiaries, and designed to protect against (i) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, transmission, retention, processing, loss, destruction, or modification of Personal Data that would require notification to any affected individuals or any Governmental Authority under any applicable Data Protection Laws (each, a “Personal Data Breach”), (ii) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, or loss of Sensitive Information that is not Personal Data, and (iii) any security incidents that would result in unauthorized, accidental, or unlawful access to or acquisition, use, control, disruption, destruction, or modification of any of the Systems (including cyber-attacks) that would reasonably be expected to result in a material and adverse effect on the operation of Borrower’s or any of its Subsidiaries’ business operations as currently conducted (sub-clauses (i) through (iii), collectively, “Security Incidents”). (c) Borrower and each of its Subsidiaries has conducted commercially reasonable privacy and security audits and penetration tests at reasonable intervals on all Systems that maintain, store, access, or process Sensitive Information, in each case consistent with the industry in which Borrower and each of its Subsidiaries operate and the size and condition of Borrower and its Subsidiaries, taken as a whole. Except as set forth on Schedule 4.22(c), Borrower and each of its Subsidiaries has addressed and remediated all material privacy or data security issues identified as “critical,” “high risk,” or similar level of risk rating raised in any such audits or penetration tests (including any third party audits of the Systems). (d) Borrower and each of its Subsidiaries has conducted commercially reasonable privacy and data security diligence, consistent with generally accepted practices within the industry in which Borrower and each of its Subsidiaries operate and in compliance with applicable Data Protection Laws, on vendors (including CROs, CMSs and other service providers and contractors) that (i) collect, create, receive, access, maintain, store, or otherwise process Sensitive Information for or on behalf of Borrower or any of its Subsidiaries, or (ii) access or maintain the Systems. Except as set forth on Schedule 4.22(d) of the Disclosure Letter, neither Borrower nor any of its Subsidiaries has, in the past five (5) years, received any written notice from any vendor that such vendor experienced a Security Incident impacting Borrower’s or any of its Subsidiaries’ Sensitive Information. (e) Except as set forth on Schedule 4.22(e) of the Disclosure Letter, to the Knowledge of Borrower, neither Borrower nor any of its Subsidiaries, has in the past five (5) years suffered any (i) Personal Data Breaches, or (ii) other Security Incidents which, individually or together with any other such breaches or incidents, could reasonably be expected to have a material and adverse effect on Borrower’s or any of its Subsidiaries’ business operations, such as a material disruption of drug development, manufacturing or commercialization programs relating to the Product. (f) Except as set forth on Schedule 4.22(f) of the Disclosure Letter, Borrower and each of its Subsidiaries is in material compliance with the requirements of (i) their respective Security Programs, (ii) their respective contractual obligations regarding privacy, security, or notification of breaches of Personal Data, (iii) their respective contractual non-disclosure obligations, (iv) their respective publicly available privacy notices and policies, and (v) all applicable Data Protection Laws. (g) Except as set forth on Schedule 4.22(g) of the Disclosure Letter, in the past five (5) years: (i) neither Borrower nor any of its Subsidiaries has received any written third party claims or, to the Knowledge of Borrower, any threat (in writing) of a third party claim, related to any Personal Data Breaches or other Security Incidents; and (ii) neither Borrower nor any of its Subsidiaries has received any written notice of any claims or investigations (including investigations by any Governmental Authority) relating to any Personal Data Breaches or other Security Incidents, except, in each case of sub-clauses (i) and (ii) above as could not reasonably be expected to be material to Borrower and its Subsidiaries, taken as a whole. (h) In the past five (5) years, Borrower and each of its Subsidiaries has maintained all database registrations required under applicable Data Protection Laws material to Borrower and its Subsidiaries.

Cybersecurity and Data Protection. (a) a. Except as set forth in Schedule 4.22(a) of the Disclosure Letter, to the Knowledge of such Credit Party, the information technology systems used in the business of each of Borrower and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit each of Borrower and its Subsidiaries to conduct their respective businesses as presently conducted in their respective Territory. To the Knowledge of such Credit Party, no System contains any material ransomware, disabling codes or instructions, spyware, Trojan horses, worms, viruses or other software routines that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to Sensitive Informationany data, files, software, system, network, or other device. Borrower and its Subsidiaries have and maintain back-up systems, consistent with the industry in which the Borrower and each of its Subsidiaries operate and the size and condition of the Borrower and its Subsidiaries, designed to provide continuing availability of the material functionality provided by the Systems in the event of any malfunction of, or other event materially interrupting access to or and/or the functionality of, such Systems. Borrower and its Subsidiaries use commercially reasonable efforts to promptly implement material security patches that are generally available for the Systems. (b) b. Except as set forth on Schedule 4.22(b) of the Disclosure Letter, Borrower and each of its Subsidiaries has implemented and maintains a commercially reasonable, enterprise-wide privacy and information security program (“Security Program”) with plans, policies, and procedures for privacy, physical and cyber security, disaster recovery, business continuity, incident detection, and incident response, and that includes commercially reasonable and appropriate administrative, technical and physical safeguards designed to protect the integrity and availability of the Systems, consistent with the industry in which the Borrower and each of its Subsidiaries operate and the size and condition of the Borrower and its Subsidiaries, and designed to protect against (i) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, transmission, retention, processing, loss, destruction, or modification of Personal Data that would require notification to any affected individuals or any Governmental Authority under any applicable Data Protection Laws Law (each, a “Personal Data Breach”), (ii) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, or loss of Sensitive Information that is not Personal Data, and (iii) any security incidents that would result in unauthorized, accidental, or unlawful access to or acquisition, use, control, disruption, destruction, or modification of any of the Systems (including cyber-attacks) that would reasonably be expected to result in a material and adverse effect on the operation of Borrower’s or any of its Subsidiaries’ business operations as currently conducted (sub-clauses (i) through (iii), collectively, “Security Incidents”). (c) c. Borrower and each of its Subsidiaries has conducted commercially reasonable privacy and security audits and penetration tests at reasonable intervals on all Systems that maintain, store, access, or process Sensitive Information, in each case consistent with the industry in which Borrower and each of its Subsidiaries operate and the size and condition of the Borrower and its Subsidiaries, taken as a whole. Except as set forth on Schedule 4.22(c), Borrower and each of its Subsidiaries has addressed taken commercially reasonable steps to address and remediated remediate all material privacy or data security issues identified as “critical,” “high risk,” or similar level of risk rating that are raised in any such audits or penetration tests (including any third party audits of the Systems). (d) d. Borrower and each of its Subsidiaries has conducted commercially reasonable privacy and data security diligence, consistent with generally accepted practices within the industry in which the Borrower and each of its Subsidiaries operate and in compliance with applicable Data Protection Lawsthe size and condition of the Borrower and its Subsidiaries, on all vendors (including CROs, CMSs and other service providers and contractors) that (i) collect, create, receive, access, maintain, store, or otherwise process Sensitive Information for or on behalf of Borrower or any of its Subsidiaries, or (ii) access or maintain the Systems. Except as set forth on Schedule 4.22(d) of the Disclosure Letter), neither Borrower nor any of its Subsidiaries has, in the past five (5) years, received any written notice from any vendor that such vendor experienced a Security Incident impacting Borrower’s or any of its Subsidiaries’ Sensitive Information. (e) e. Except as set forth on Schedule 4.22(e) of the Disclosure Letter, to the Knowledge of Borrower, Borrower neither Borrower nor any of its Subsidiaries, has in the past five (5) years suffered any (i) Personal Data Breaches, or (ii) other Security Incidents which, individually or together with any other such breaches or incidents, could reasonably be expected to have a material and adverse effect on Borrower’s or any of its Subsidiaries’ business operations, such as a material disruption of drug development, manufacturing or commercialization programs relating to the Product. (f) Except as set forth on Schedule 4.22(f) of the Disclosure Letter, Borrower and each of its Subsidiaries is in material compliance with the requirements of (i) their respective Security Programs, (ii) their respective contractual obligations regarding privacy, security, or notification of breaches of Personal Data, (iii) their respective contractual non-disclosure obligations, (iv) their respective publicly available privacy notices and policies, and (v) all applicable Data Protection Laws. (g) Except as set forth on Schedule 4.22(g) of the Disclosure Letter, in the past five (5) years: (i) neither Borrower nor any of its Subsidiaries has received any written third party claims Breaches or, to the Knowledge of Borrower, any threat (in writing) of a third party claim, related to any Personal Data Breaches or other Security Incidents; and (ii) neither Borrower nor any of its Subsidiaries has received any written notice of any claims or investigations (including investigations by any Governmental Authority) relating to any Personal Data Breaches or other Security Incidents, except, in each case of sub-clauses (i) and (ii) above as could not reasonably be expected to be material to Borrower and its Subsidiaries, taken as a whole. (h) In the past five (5) years, Borrower and each of its Subsidiaries has maintained all database registrations required under applicable Data Protection Laws material to Borrower and its Subsidiaries.

Cybersecurity and Data Protection. (a) Except as set forth in Schedule 4.22(a) of the Disclosure Letter, to the Knowledge of such Credit PartyBorrower, the information technology systems used in the business of each of Borrower and its Subsidiaries (“Systems”) operate and perform in all material respects as required to permit each of Borrower and its Subsidiaries to conduct their respective businesses as presently conducted in their respective the Territory. To the Knowledge of such Credit PartyBorrower, no System contains any material ransomware, disabling codes or instructions, spyware, Trojan horses, worms, viruses or other software routines that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to Sensitive Informationany data, files, software, system, network, or other device. Borrower and its Subsidiaries have and maintain back-up systems, consistent with the industry in which Borrower and each of its Subsidiaries operate and the size and condition of Borrower and its Subsidiaries, designed to provide continuing availability of the material functionality provided by the Systems in the event of any malfunction of, or other event materially interrupting access to or the functionality of, such Systems. Borrower and its Subsidiaries use commercially reasonable efforts to promptly implement material security patches that are generally available for the Systems. (b) Except as set forth on Schedule 4.22(b) of the Disclosure Letter, Borrower and each of its Subsidiaries has implemented and maintains a commercially reasonable, enterprise-wide data privacy and information security program (“Security Program”) with plans, policies, and procedures for privacy, physical and cyber security, disaster recovery, business continuity, incident detection, and incident response, and that includes commercially reasonable and appropriate administrative, technical and physical safeguards designed to protect the integrity and availability of the Systems, consistent with the industry in which Borrower and each of its Subsidiaries operate and the size and condition of Borrower and its Subsidiaries, and designed to protect against (i) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, transmission, retention, processing, loss, destruction, or modification of Personal Data that would require notification to any affected individuals or any Governmental Authority under any applicable Data Protection Laws (each, a “Personal Data Breach”), (ii) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, or loss of Sensitive Information that is not Personal Data, and (iii) any security incidents that would result in unauthorized, accidental, or unlawful access to or acquisition, use, control, disruption, destruction, or modification of any of the Systems (including cyber-attacks) that would reasonably be expected to result in a material and adverse effect on the operation of Borrower’s or any of its Subsidiaries’ business operations as currently conducted (sub-clauses (i) through (iii), collectively, “Security Incidents”). (c) Borrower and each of its Subsidiaries has conducted commercially reasonable privacy and security audits and penetration tests at reasonable intervals on all Systems that maintain, store, access, or process Sensitive Information, in each case consistent with the industry in which Borrower and each of its Subsidiaries operate and the size and condition of Borrower and its Subsidiaries, taken as a whole. Except as set forth on Schedule 4.22(c)) of the Disclosure Letter, Borrower and each of its Subsidiaries has addressed and remediated taken commercially reasonable steps to remediate all material privacy or data security issues identified as “critical,” “high risk,” or similar level of risk rating raised in any such audits or penetration tests (including any third third-party audits of the Systems). (d) Borrower and each of its Subsidiaries has conducted commercially reasonable privacy and data security diligence, consistent with generally accepted practices within the industry in which Borrower and each of its Subsidiaries operate and in compliance with applicable Data Protection Lawsthe size and condition of Borrower and its Subsidiaries, on all vendors (including CROsclinical trial investigators, CMSs contract research organizations, clinical data management organizations, content management systems and other service providers and contractors) that (i) collect, create, receive, access, maintain, store, or otherwise process Sensitive Information for or on behalf of Borrower or any of its Subsidiaries, or (ii) access or maintain the Systems. Except as set forth on Schedule 4.22(d) of the Disclosure Letter, neither Borrower nor any of its Subsidiaries has, in the past five (5) years, received any written notice from any vendor that such vendor experienced a Security Incident impacting Borrower’s or any of its Subsidiaries’ Sensitive Information. (e) Except as set forth on Schedule 4.22(e) of the Disclosure Letter, to the Knowledge of Borrower, neither Borrower nor any of its Subsidiaries, has in the past five (5) years suffered any (i) Personal Data Breaches, or (ii) other Security Incidents which, individually or together with any other such breaches or incidents, that could reasonably be expected to have result in a material and adverse effect on Borrower’s or any of its Subsidiaries’ business operations, such as a material disruption of drug development, manufacturing or commercialization programs relating to the Product. (f) Except as set forth on Schedule 4.22(f) of the Disclosure Letter, Borrower and each of its Subsidiaries is in material compliance with (i) the requirements of (i) their respective Security Programs, (ii) their respective contractual obligations regarding privacy, security, or notification of breaches of Personal Data, (iii) their respective contractual non-disclosure obligations, (iv) their respective publicly available privacy notices and policies, and (v) the requirements of all applicable Data Protection Laws. (g) Except as set forth on Schedule 4.22(g) of the Disclosure Letter, in the past five (5) years: (i) neither Borrower nor any of its Subsidiaries has received any written third party claims or, to the Knowledge of Borrower, any threat (in writing) of a third party claim, related to any Personal Data Breaches or other Security Incidents; and (ii) neither Borrower nor any of its Subsidiaries has received any written notice of any claims or investigations (including investigations by any Governmental Authority) relating to any Personal Data Breaches or other Security Incidents, except, in each case of sub-clauses (i) and (ii) above as could not reasonably be expected to be material to Borrower and its Subsidiaries, taken as a whole. (h) In the past five (5) years, Borrower and each of its Subsidiaries has maintained all any database registrations required under applicable Data Protection Laws material to Borrower and its Subsidiaries.

Cybersecurity and Data Protection. (a) Except as set forth in Schedule 4.22(a) of the Disclosure Letter, to the Knowledge of such Credit PartyBorrower, the information technology systems used in the business of each of Borrower Parent and its Subsidiaries Subsidiaries, including technology systems and applications (such as the MyLink™ device) made available by Parent or any of its Subsidiaries, including Borrower, to medical partners, physicians, patients, payors, and other third parties in connection with Product, (altogether, “Systems”) operate and perform in all material respects as required to permit each of Borrower Parent and its Subsidiaries to conduct their respective businesses as presently conducted in their respective the Territory. To the Knowledge of such Credit PartyBorrower, no System contains any material ransomware, disabling codes or instructions, spyware, Trojan horses, worms, viruses or other software routines that are designed or intended to delete, destroy, disable, disrupt, impair, interfere with, perform unauthorized modifications to, or provide unauthorized access to Sensitive Informationany data, files, software, system, network, or other device. Borrower Parent and each of its Subsidiaries Subsidiaries, including Borrower, have and maintain back-up systems, consistent with the industry in which Borrower Parent and each of its Subsidiaries operate and the size and condition of Borrower Parent and each of its Subsidiaries, designed to provide continuing availability of the material functionality provided by the Systems in the event of any malfunction of, or other event materially interrupting access to or the functionality of, such Systems. Borrower Parent and each of its Subsidiaries Subsidiaries, including Borrower, use commercially reasonable efforts to maintain System security, including promptly implement implementing material security patches that are generally available for the Systems. (b) Except as set forth on Schedule 4.22(b) of the Disclosure Letter, Borrower Parent and each of its Subsidiaries Subsidiaries, including Borrower, has implemented and maintains a commercially reasonable, enterprise-wide privacy and information security program (“Security Program”) with plans, policies, and procedures for privacy, privacy and physical and cyber security, security (including for disaster recovery, business continuity, encryption, data back-up, System access controls, workstation use and security, incident detection, and incident response), and that includes commercially reasonable and appropriate administrative, technical and physical safeguards designed to protect the integrity and availability of the Systems, consistent with the industry in which Borrower Parent and each of its Subsidiaries operate and the size and condition of Borrower Parent and its Subsidiaries, and designed to protect against (i) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, transmission, retention, processing, loss, destruction, or modification of Personal Data that would require notification to any affected individuals or any Governmental Authority under any applicable Data Protection Laws (each, a “Personal Data Breach”), (ii) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, transmission, or loss of Sensitive Information that is not Personal Data, and (iii) any security incidents that would result in unauthorized, accidental, or unlawful access to or acquisition, use, control, disruption, destruction, or modification of any of the Systems (including cyber-attacks) that would reasonably be expected to result in a material and adverse effect on the operation of BorrowerParent’s or any of its Subsidiaries’ business operations as currently conducted (sub-clauses (i) through (iii), collectively, “Security Incidents”). (c) Borrower and each of its Subsidiaries has conducted commercially reasonable privacy and security audits and penetration tests at reasonable intervals on all Systems that maintain, store, access, or process Sensitive Information, in each case consistent with the industry in which Borrower and each of its Subsidiaries operate and the size and condition of Borrower and its Subsidiaries, taken as a whole. Except as set forth on Schedule 4.22(c), Borrower and each of its Subsidiaries has addressed and remediated all material privacy or data security issues identified as “critical,” “high risk,” or similar level of risk rating raised in any such audits or penetration tests (including any third party audits of the Systems). (d) Borrower and each of its Subsidiaries has conducted commercially reasonable privacy and data security diligence, consistent with generally accepted practices within the industry in which Borrower and each of its Subsidiaries operate and in compliance with applicable Data Protection Laws, on vendors (including CROs, CMSs and other service providers and contractors) that (i) collect, create, receive, access, maintain, store, or otherwise process Sensitive Information for or on behalf of Borrower or any of its Subsidiaries, or (ii) access or maintain the Systems. Except as set forth on Schedule 4.22(d) of the Disclosure Letter, neither Borrower nor any of its Subsidiaries has, in the past five (5) years, received any written notice from any vendor that such vendor experienced a Security Incident impacting Borrower’s or any of its Subsidiaries’ Sensitive Information. (e) Except as set forth on Schedule 4.22(e) of the Disclosure Letter, to the Knowledge of Borrower, neither Borrower nor any of its Subsidiaries, has in the past five (5) years suffered any (i) Personal Data Breaches, or (ii) other Security Incidents which, individually or together with any other such breaches or incidents, could reasonably be expected to have a material and adverse effect on Borrower’s or any of its Subsidiaries’ business operations, such as a material disruption of drug development, manufacturing or commercialization programs relating to the Product. (f) Except as set forth on Schedule 4.22(f) of the Disclosure Letter, Borrower and each of its Subsidiaries is in material compliance with the requirements of (i) their respective Security Programs, (ii) their respective contractual obligations regarding privacy, security, or notification of breaches of Personal Data, (iii) their respective contractual non-disclosure obligations, (iv) their respective publicly available privacy notices and policies, and (v) all applicable Data Protection Laws. (g) Except as set forth on Schedule 4.22(g) of the Disclosure Letter, in the past five (5) years: (i) neither Borrower nor any of its Subsidiaries has received any written third party claims or, to the Knowledge of Borrower, any threat (in writing) of a third party claim, related to any Personal Data Breaches or other Security Incidents; and (ii) neither Borrower nor any of its Subsidiaries has received any written notice of any claims or investigations (including investigations by any Governmental Authority) relating to any Personal Data Breaches or other Security Incidents, except, in each case of sub-clauses (i) and (ii) above as could not reasonably be expected to be material to Borrower and its Subsidiaries, taken as a whole. (h) In the past five (5) years, Borrower and each of its Subsidiaries has maintained all database registrations required under applicable Data Protection Laws material to Borrower and its Subsidiaries.