Common use of Cybersecurity; Data Protection Clause in Contracts

Cybersecurity; Data Protection. The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses and other corruptants, except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with their businesses, and there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, breaches, violations, outages or unauthorized uses of or accesses to the same (“Breach”), nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company and its subsidiaries have complied at all times and are presently in compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security Obligation”), except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have received any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with, any Data Security Obligation and there is no pending or threatened action, suit, investigation or proceeding by or before any court or governmental agency, authority or body alleging non-compliance with any Data Security Obligation.

Cybersecurity; Data Protection. The Except as disclosed in the Registration Statement, Disclosure Package and the Prospectus, or except as would not, individually or in the aggregate, reasonably be expected to result in a Material Adverse Effect, the Company and its subsidiaries’ respective information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (including confidential information, trade secrets or other data of the Company or any of its subsidiaries or their respective users, customers, employees, suppliers, vendors, personal data and any third party data maintained by or on behalf of the Company and its subsidiaries (collectively, “IT SystemsSystems and Data”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted. The Company and its subsidiaries have complied, free and clear are presently in compliance with all applicable laws and statutes and any judgments, orders, rules or regulations of any court or arbitrator or other governmental or regulatory authority, and all material bugsinternal policies and contractual obligations and any other legal obligations, errorsin each case, defectsrelating to the privacy and security of IT Systems and Data, Trojan horsesand to the protection of such IT Systems and Data from unauthorized use, time bombsaccess, malwaremisappropriation or modification and the collection, viruses use, transfer, processing, import, export, storage, protection, disposal and other corruptantsdisclosure of data (collectively, the “Data Security Obligations”), except as would not not, individually or in the aggregate have aggregate, reasonably be expected to result in a Material Adverse Effect. The Company and its subsidiaries have implemented used reasonable efforts to establish and maintain, and have established, implemented, maintained and complied with, commercially reasonable information technology, information security, cyber security and data protection controls, policiespolicies and procedures to protect against and prevent security breaches of, procedures, unauthorized access to and safeguards to maintain and protect their confidential information and the integrity, continuous operation, redundancy and security other similar compromises of all IT Systems and data (including all personalData in accordance with industry practices and as required by applicable regulatory standards. Except as disclosed in the Registration Statement, personally identifiableDisclosure Package and the Prospectus, sensitive, confidential or regulated data (“Personal Data”)) used in connection with their businesses, and there have been no, and the Company and its subsidiaries have not been notified of, experienced and have no knowledge of any event cyber-attack, security breach, unauthorized access or condition other similar compromise to their IT Systems and Data (“Breach”), which attack, breach, unauthorized access, or similar compromise that would reasonably be expected to result in any, breachesa Material Adverse Effect. There have been no Breaches, violations, outages outages, or unauthorized uses of or accesses to the same (“Breach”), nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal and Data used in connection with the operation of the Company’s and its subsidiaries’ businessesbusinesses that would reasonably be expected to result in a Material Adverse Effect; the Company and its subsidiaries have not received notification of, and have no knowledge of, any event or condition that would reasonably be expected to result in, a Breach to their IT Systems and Data that would reasonably be expected to result in a Material Adverse Effect. Neither the Company nor any of its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company and its subsidiaries have complied at all times and are presently in compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security Obligation”), except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have has received any notice, claim, complaint, demand, letter, written notification of or complaint regarding, and is unaware has no knowledge of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with, with any Data Security Obligation by the Company or any of its subsidiaries, and there is no pending or threatened action, suit, investigation suit or proceeding by or before any court or governmental agency, authority or body body, pending or, to the Company’s knowledge, threatened alleging non-compliance with any Data Security ObligationObligation by the Company or any of its subsidiaries.

Cybersecurity; Data Protection. The Company Each TWFG Party and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (including all data of their respective employees, suppliers, vendors and any third-party data under the control of and maintained by each TWFG Party or any of its subsidiaries) (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company each TWFG Party and its subsidiaries as currently conducted, and to the knowledge of the TWFG Parties, such IT Systems are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses malware and other corruptants, except as would not individually or in the aggregate have a Material Adverse Effect. The Company Each TWFG Party and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with their businesses. To the knowledge of the TWFG Parties, and there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the same (“Breach”)duty to notify any other person, nor are there any material incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any noticesame, claim, complaint, demand or letter from any person or governmental agency except as otherwise disclosed in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach each of the IT Systems Registration Statement, the Pricing Disclosure Package and the Prospectus. Except as would not reasonably be expected, individually or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries aggregate, to have been obligated to notify any third partya Material Adverse Effect, including, without limitation, any individual or data protection authority, of any Breach. The Company each TWFG Party and its subsidiaries have complied at all times and are presently in compliance with all applicable laws or statutes and all applicable judgments, orders, rules and regulations of any applicable court or arbitrator or governmental or regulatory authority, internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (collectively, the “Data Security ObligationObligations”), except as would not individually or in . None of the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have TWFG Parties has received any noticewritten, claimor, complaintto the knowledge of the TWFG Parties, demand, letter, other notification of or complaint regarding, and or is unaware aware of any other facts that, individually or in the aggregate, would reasonably indicate indicate, non-compliance with, with any Data Security Obligation and there is no pending or threatened action, suit, investigation suit or proceeding by or before any court or governmental agency, authority or body pending or, to the knowledge of the TWFG Parties, threatened alleging non-compliance with any Data Security Obligation.

Cybersecurity; Data Protection. The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses and other corruptants, except as would not individually or in the aggregate have a Material Adverse Effect. The Company Each StepStone Party and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems Systems”) and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Protected Data”)) belonging to them, their respective customers, prospective customers, employees, and any other third parties, which are used in connection with their businesses. The IT Systems are adequate for, and there have been nooperate and perform in all material respects as required for the operation of the business of the StepStone Parties and their subsidiaries as currently conducted, and are, to the Company knowledge of the StepStone Parties, free and its clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. There has been no unauthorized use, alteration, misappropriation or modification of, or access to, the IT Systems or Protected Data, except as would not reasonably be expected to have a Material Adverse Effect. Neither of the StepStone Parties nor any of their subsidiaries have not been notified of, and or have no knowledge of of, any event or condition that would reasonably be expected to result in anyhave triggered any legal, breaches, violations, outages regulatory or unauthorized uses of or accesses to the same (“Breach”), nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated contractual duty to notify any third partyother person, includingentity, without limitationor governmental, any individual regulatory or data protection self-regulatory authority, of any Breach. The Company Each StepStone Party and its subsidiaries have complied at all times and are presently in compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Protected Data and to the protection of such IT Systems and Personal Protected Data from unauthorized use, alteration, misappropriation, modification or access, misappropriation or modification (“Data Security Obligation”), except as would not individually or in the aggregate reasonably be expected to have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have received any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with, any Data Security Obligation and there is no pending or threatened action, suit, investigation or proceeding by or before any court or governmental agency, authority or body alleging non-compliance with any Data Security Obligation.

Cybersecurity; Data Protection. The Company Each SDH Party and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are are: (i) adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company each SDH Party and its subsidiaries as currently conducted, and (ii) to the knowledge of the SDH Parties, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses malware and other corruptants, except as would not individually or in the aggregate have a Material Adverse Effect. The Company Each SDH Party and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all owned IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with their businesses. To the knowledge of the SDH Parties, and there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, breaches, violations, outages or unauthorized uses of or accesses to any such IT Systems or data, except for those that have been remedied without material cost or liability or the same (“Breach”)duty to notify any governmental or regulatory authority or any other Person, nor are there any incidents under internal review or investigations investigation relating to any Breachthe same. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company Each SDH Party and its subsidiaries have complied at all times and are presently in material compliance with all applicable laws or statutes and all statutes, judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal and external policies published policies, and contractual obligations obligations, in each case, relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to (collectively, the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security ObligationObligations”), except as would not individually or in . None of the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have SDH Parties has received any notice, claim, complaint, demand, letter, written notification of or written complaint regarding, and or is unaware aware of any other facts that, individually or in the aggregate, would reasonably indicate indicate, material non-compliance with, with any Data Security Obligation Obligation, and there is no pending or threatened action, suit, investigation suit or proceeding by or before any court or governmental agency, authority or body pending or, to the knowledge of the SDH Parties, threatened alleging non-compliance with any Data Security Obligation.

Cybersecurity; Data Protection. The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection conformance with their functional specifications and have not materially malfunctioned or failed during the operation of past three (3) years. To the business of Company’s knowledge, the Company and its subsidiaries as currently conducted, free and clear of all material IT Assets do not contain any bugs, errors, defects, Trojan horses, time bombs, malware, viruses and malware or other corruptants, except as would not individually or in the aggregate each case that could have a Material Adverse Effectmaterial impact on the business or operations of the Company and its subsidiaries. The Company and its subsidiaries have implemented and maintained maintain commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with their businesses, and and, to the Company’s knowledge, there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the same (“Breach”)duty to notify any other person, nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breachsame. The Company and its subsidiaries have complied are and at all times and are presently have been in full compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security ObligationProtection Requirements”), except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have received any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware of any other facts thatnot, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Neither the Company nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Data Protection Requirements, and has no knowledge of any event or condition that would reasonably indicate non-compliance withbe expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any Data Security Obligation and there is no pending investigation, remediation, or threatened action, suit, investigation or proceeding by or before any court or governmental agency, authority or body alleging non-compliance with other corrective action pursuant to any Data Security ObligationProtection Requirement; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Data Protection Requirement.

Cybersecurity; Data Protection. The Except (i) as described in Registration Statement, the Pricing Disclosure Package and the Prospectus or (ii) as would not reasonably be expected to have a Material Adverse Effect, (A) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and are, to the knowledge of the Company, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses malware and other corruptants, except as would not individually or in ; (B) the aggregate have a Material Adverse Effect. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential confidential, or regulated data (“Personal Data”)) used in connection with their businesses; (C) to the knowledge of the Company, and there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, breaches, violations, outages or unauthorized uses use or disclosure of or accesses access to the same (“Breach”)same, nor except for those that have been remedied without material cost or liability or the duty to notify any other person or governmental or regulatory authority, and there are there any no incidents under internal review or investigations by governmental or regulatory authorities or other third parties relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of same; (D) the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company and its subsidiaries have complied at all times and are presently in material compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or court, arbitrator or governmental or regulatory authority, their own internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification modification; (“E) the Company and its subsidiaries have at all times taken all reasonable steps to safeguard that any Personal Data Security Obligation”)of the Company and its subsidiaries collected or handled by authorized third parties acting on behalf of the Company or its subsidiaries is protected with similar safeguards, except as would not individually or in each case, in compliance with applicable laws and contractual obligations; and (F) the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, Regulation (and all other applicable laws and regulations with respect to Personal Data that have been announced as of the Health Insurance Portability and Accountability Actdate hereof as becoming effective within 12 months after the date hereof, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have received for which any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with, any Data Security Obligation and there is no pending or threatened action, suit, investigation or proceeding by or before any court or governmental agency, authority or body alleging non-compliance with any Data Security Obligationsame would be reasonably likely to create a material liability) as soon as they took effect.

Cybersecurity; Data Protection. The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses and other corruptants, except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with their businessesbusiness, and there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, any breaches, violations, outages or unauthorized uses of or accesses to the same (“Breach”), except for a Breach that has been remedied without material cost or liability or the duty to notify any other person, nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any written notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses business under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businessesbusiness. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company and its subsidiaries have complied at all times and are presently in compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security Obligation”), except as where the violation of such Data Security Obligations would not not, individually or in the aggregate aggregate, reasonably be expected to have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and except where the California Consumer Privacy Actfailure to take any such action would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Neither the Company nor its subsidiaries have received any written notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with, any Data Security Obligation Obligation, and there is no pending or threatened or, to the knowledge of the Company, threatened, action, suit, investigation or proceeding by or before any court or governmental agency, authority or body alleging non-compliance by the Company or any of its subsidiaries with any Data Security Obligation.

Cybersecurity; Data Protection. The Except (i) as described in the Registration Statement, the Time of Sale Prospectus and the Prospectus or (ii) as would not reasonably be expected to have a Material Adverse Effect, (A) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, for and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and are, to the best knowledge of the Company, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses malware and other corruptants, except as would not individually or in ; (B) the aggregate have a Material Adverse Effect. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, household, confidential or regulated data or information collected, stored or processed by the Company or its subsidiaries (“Personal Data”)) used in connection with their businesses, businesses and have contractual commitments from third parties who process Personal Data on their behalf regarding the same; (C) there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, breaches, violations, outages or unauthorized uses use or disclosure of or accesses access to the same (“Breach”)IT Systems and/or Personal Data, nor except for those that have been remedied without material cost or liability or the duty to notify any other person or governmental or regulatory authority, and there are there any no incidents or, to Company’s knowledge, threatened incidents under internal review or investigations by governmental or regulatory authorities or other third parties relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of same; (D) the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company and its subsidiaries have complied at all times and are presently in compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or court, arbitrator or governmental or regulatory authority, their own internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, loss, access, processing, misappropriation or modification (“Data Security Obligation”)modification, except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligationincluding, including without limitation, the European Union General Data Protection RegulationRegulation 2016/679 and/or any implementing or supplementing local law of a European Union member state, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, the Federal Trade Commission Act, the Health Insurance Portability and Accountability of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the California Consumer Privacy Act. Neither Act and all other laws and regulations with respect to Personal Data applicable to the Company nor or its subsidiaries (“Privacy Laws”); (E) the Company and its subsidiaries have not received any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware notice of any other facts that, individually actual or in the aggregate, would reasonably indicate non-compliance with, potential violation of any Data Security Obligation Privacy Laws and there is no pending or threatened action, suit, investigation suit or proceeding by or before any court or governmental agency, authority or body pending or threatened against the Company or its subsidiaries alleging non-compliance with Privacy Laws; (F) the Company has provided notice of its privacy policy on its websites where required by Privacy Laws and such privacy policies do not contain any misrepresentations of the Company’s then-current privacy practices; (G) the Company and its subsidiaries has taken commercially reasonable steps to require that any Personal Data Security Obligationof the Company and its subsidiaries processed by authorized third parties acting on behalf of the Company or its subsidiaries is protected with similar safeguards, in each case, in compliance with applicable laws and contractual obligations; and (H) the Company and its subsidiaries have in place safeguards and measures for the international transfer of Personal Data outside the European Economic Area that are adequate and comply with Privacy Laws.

Cybersecurity; Data Protection. (A) The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses and other corruptants, except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with their businesses, and there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, breaches, violations, outages or unauthorized uses of or accesses to the same (“Breach”), nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company and its subsidiaries Subsidiaries have complied at all times and are presently in compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal and external policies and contractual obligations relating to the privacy and security of IT Systems and data, confidentiality and archive administration (including all personal, personally identifiable, sensitive, confidential or regulated data, or any such data that may constitute trade secrets and working secrets of any governmental authority or any other data that would otherwise be detrimental to national security or public interest pursuant to the privacyapplicable laws used in connection with their businesses and/or the offering of the Class A ordinary shares) (“Data Protection Laws”, securityand such data, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data “Data”) and to the protection of such IT Systems and Personal Data from loss and against unauthorized use, access, misappropriation misappropriation, modification, disclosure or modification other misuse; (“Data Security Obligation”B) neither the Company nor any of its Subsidiaries is subject to any sanction relating to cybersecurity, data privacy, confidentiality or archive administration, or any cybersecurity review by the CAC, the CSRC, or any other relevant governmental authority; (C) neither the Company nor any of its Subsidiaries has received any investigation, inquiry, notice (including, without limitation, any enforcement notice, de-registration notice or transfer prohibition notice), except as would not individually letter, complaint or in allegation from the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with relevant cybersecurity, data privacy, confidentiality or archive administration governmental authority alleging any Data Security Obligation, including breach or non-compliance by it of the European Union General applicable Data Protection RegulationLaws or prohibiting the transfer of data to a place outside the relevant jurisdiction; (D) neither the Company nor any of its Subsidiaries has received any claim for compensation from any person in respect of its business under the applicable Data Protection Laws and industry standards in respect of inaccuracy, loss, unauthorized destruction or unauthorized disclosure of data and there is no outstanding order against the Health Insurance Portability and Accountability ActCompany or any of its Subsidiaries in respect of the rectification or erasure of data; (E) no warrant has been issued authorizing the cybersecurity, and data privacy, confidentiality or archive administration governmental authority (or any of its officers, employees or agents) to enter any of the California Consumer Privacy Act. Neither premises of the Company or any of its Subsidiaries for the purposes of, inter alia, searching them or seizing any documents or other materials found there; (F) neither the Company nor its subsidiaries have Subsidiaries has received any noticecommunication, claim, complaint, demand, letterenquiry, notification of of, warning or complaint regardingregarding any Data Protection Laws (including, and without limitation, the CSRC Archive Rules) or from the CAC; (G) neither the Company nor its Subsidiaries is unaware aware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with, with any Data Security Obligation and there Protection Laws; (H) the Company is no not aware of any pending or threatened actioninvestigation, suitinquiry or sanction relating to cybersecurity, investigation data privacy, confidentiality or proceeding archive administration, or any cybersecurity review, by the CAC, the CSRC, or before any court other relevant governmental authority on the Company or governmental agencyany of its Subsidiaries or any of their respective directors, authority or body alleging non-officers and employees; (I) the Company and its Subsidiaries have adequate and effective internal control measures and internal systems consistent with applicable regulatory standards and customary industry practices (including, without limitation, implementing and monitoring compliance with adequate measures with respect to technical and physical security) to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and Data used, gathered or accessed in connection with their businesses and/or the offering of the Class A ordinary shares, and there have been no breaches, violations, outages, leakages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any Data Security Obligationother person, nor any incidents under internal review or investigations relating to the same; (J) neither the Company nor any of its Subsidiaries is, or is expected to be classified as a “critical information infrastructure operator” under the Revised Cybersecurity Review Measure; (K) neither the Company nor any of its Subsidiaries has received any objection to the offering of the Class A ordinary shares or the transactions contemplated under this Agreement from the CSRC, the CAC or any governmental authority.

Cybersecurity; Data Protection. The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection conformance with their functional specifications and have not materially malfunctioned or failed during the operation of past three (3) years. To the business of Company’s knowledge, the Company and its subsidiaries as currently conducted, free and clear of all material IT Assets do not contain any bugs, errors, defects, Trojan horses, time bombs, malware, viruses and malware or other corruptants, except as would not individually or in the aggregate each case that could have a Material Adverse Effectmaterial impact on the business or operations of the Company and its subsidiaries. The Company and its subsidiaries have implemented and maintained maintain commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with their businesses, and and, to the Company’s knowledge, there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the same (“Breach”)duty to notify any other person, nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breachsame . The Company and its subsidiaries have complied are and at all times and are presently have been in full compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal and external policies and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security ObligationProtection Requirements”), except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have received any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware of any other facts thatnot, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Neither the Company nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Data Protection Requirements, and has no knowledge of any event or condition that would reasonably indicate non-compliance withbe expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any Data Security Obligation and there is no pending investigation, remediation, or threatened action, suit, investigation or proceeding by or before any court or governmental agency, authority or body alleging non-compliance with other corrective action pursuant to any Data Security ObligationProtection Requirement; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Data Protection Requirement.

Cybersecurity; Data Protection. The Except as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its subsidiaries as currently conductedconducted and as proposed to be conducted in the Registration Statement, the Disclosure Package, and the Prospectus, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malwareback doors, viruses drop dead devices, malware and other corruptants, except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have established, implemented and maintained commercially reasonable and appropriate controls, policies, procedures, and technological safeguards designed to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and material data (including all personal, personally identifiable, household, sensitive, confidential or regulated data or information (“Personal Company Data”)) used in connection with their businesses, in compliance with all applicable laws and regulatory standards in all material respects. To the knowledge of the Company, there have been no, and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in any, material breaches, violations, outages outages, security incidents or unauthorized uses of or accesses to the same (“Breach”), nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any BreachData. The Company and its subsidiaries own or have a valid right to access and use all IT Systems and Company Data, and have complied at in all times material respects and are presently in material compliance with all applicable laws or statutes and all statutes, judgments, orders, rules and regulations of any court or arbitrator or other governmental or regulatory authority, binding industry standards, internal and external policies and notices, contractual obligations and any other legal obligations, in each case relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disclosure or other processing by or on behalf of Personal the Company or any of its subsidiaries of Company Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security ObligationObligations”), except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor any of its subsidiaries have received any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware or otherwise have knowledge of any other facts thatthat would indicate, individually or in the aggregate, would reasonably indicate any material non-compliance with, by the Company or any of its subsidiaries with any Data Security Obligation and there Obligation. There is no pending or threatened action, suit, investigation or proceeding against the Company or any of its subsidiaries by or before any court or governmental agency, authority or body pending or, to the knowledge of the Company, threatened, against the Company or any of its subsidiaries alleging material non-compliance with any Data Security ObligationObligations by the Company or any of its subsidiaries.

Cybersecurity; Data Protection. The Company Except as described in the Registration Statement, the Offering Materials and its subsidiaries’ the Prospectus, the information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data applications and databases owned by, or leased or licensed to, the Company or any of its subsidiaries (collectively, “IT Systems”) ), to the knowledge of the Company, are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its subsidiaries as currently conducted, and to the Company’s knowledge are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses malware and other corruptants, except as would not individually or in ; the aggregate have a Material Adverse Effect. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data of their respective customers, employees, suppliers, vendors and any third party data maintained by or on behalf of them (“Personal Data”)) used in connection with their businesses; to the knowledge of the Company, and there have been nono material breaches, violations, outages, unauthorized uses of, accesses to or other compromise of or relating to any of the Company’s or any of its subsidiaries’ Personal Data or IT Systems, except for those that have been remedied without material cost or liability or the duty to notify any third party; there are no material incidents under internal review or investigations relating to any security breach or other compromise of the Company’s or any of its subsidiaries’ Personal Data or IT Systems and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in anyin, breaches, violations, outages any security breach or unauthorized uses of or accesses other compromise to the same (“Breach”), nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with Data; the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company and its subsidiaries have complied at all times implemented commercially reasonable backup and disaster recovery technology consistent with industry standards and practices; and the Company and its subsidiaries are presently in material compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authorityauthority and internal policies, internal and external policies procedures and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disposal or disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security Obligation”), except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have received any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with, any Data Security Obligation and there is no pending or threatened action, suit, investigation or proceeding by or before any court or governmental agency, authority or body alleging non-compliance with any Data Security Obligationmodification.

Cybersecurity; Data Protection. The Company Except as described in the Registration Statement and its subsidiaries’ the Prospectus, the information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, technology, data applications and databases owned by, or leased or licensed to, the Company or any of its subsidiaries (collectively, “IT Systems”) ), to the knowledge of the Company, are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its subsidiaries as currently conducted, and to the Company’s knowledge are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses malware and other corruptants, except as would not individually or in ; the aggregate have a Material Adverse Effect. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data of their respective customers, employees, suppliers, vendors and any third-party data maintained by or on behalf of them (“Personal Data”)) used in connection with their businesses; to the knowledge of the Company, and there have been nono material breaches, violations, outages, unauthorized uses of, accesses to or other compromise of or relating to any of the Company’s or any of its subsidiaries’ Personal Data or IT Systems, except for those that have been remedied without material cost or liability or the duty to notify any third party; there are no material incidents under internal review or investigations relating to any security breach or other compromise of the Company’s or any of its subsidiaries’ Personal Data or IT Systems and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in anyin, breaches, violations, outages any security breach or unauthorized uses of or accesses other compromise to the same (“Breach”), nor are there any incidents under internal review or investigations relating to any Breach. Neither the Company nor its subsidiaries has received any notice, claim, complaint, demand or letter from any person or governmental agency in respect of their businesses under applicable data protection laws, regulations and standards regarding any Breach of the IT Systems or any Personal Data used in connection with Data; the operation of the Company’s and its subsidiaries’ businesses. Neither the Company nor its subsidiaries have been obligated to notify any third party, including, without limitation, any individual or data protection authority, of any Breach. The Company and its subsidiaries have complied at all times implemented commercially reasonable backup and disaster recovery technology consistent with industry standards and practices; and the Company and its subsidiaries are presently in material compliance with all applicable laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authorityauthority and internal policies, internal and external policies procedures and contractual obligations relating to the privacy and security of IT Systems and the privacy, security, collection, use, transfer, import, export, storage, protection, disposal, disposal or disclosure or other processing of Personal Data and to the protection of such IT Systems and Personal Data from unauthorized use, access, misappropriation or modification (“Data Security Obligation”), except as would not individually or in the aggregate have a Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to comply with any Data Security Obligation, including the European Union General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the California Consumer Privacy Act. Neither the Company nor its subsidiaries have received any notice, claim, complaint, demand, letter, notification of or complaint regarding, and is unaware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with, any Data Security Obligation and there is no pending or threatened action, suit, investigation or proceeding by or before any court or governmental agency, authority or body alleging non-compliance with any Data Security Obligationmodification.