Common use of Cybersecurity; Data Protection Clause in Contracts

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the Company and its subsidiaries are, and at all prior times were, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), and all internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the The Company and its subsidiaries’ information technology assets and equipment, computers, systemscomputer systems and assets, networks, hardware, software, websites, applications, databases (including all Personal Data, and databases sensitive, confidential or regulated data, and the data of their respective customers, employees, suppliers, vendors and any third party data maintained by or on behalf of them), equipment or technology (collectively, “IT SystemsSystems and Data”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the . The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes. (i) Except as may be included or incorporated by reference in the Registration Statement and the Prospectus, without limitation (Ax) a natural personto the Company’s nameknowledge, street address, telephone number, e-mail address, photograph, social the Company has not had any material security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no breachesbreach, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without or other material cost compromise of or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to any of the sameCompany’s or its subsidiaries’ IT Systems and Data, and (iiiy) the Company and its subsidiaries arehave not been notified of, and at all prior times werehave no knowledge of any event or condition that would reasonably be expected to result in, any material security breach or other material compromise to their IT Systems and Data; (ii) the Company and its subsidiaries are presently in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so as would not, in the case of this clause (ii), individually or in the aggregate, have a Material Adverse Effect, ; and none of such disclosures made (iii) the Company and its subsidiaries have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, implemented backup and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectdisaster recovery technology consistent with industry standards and practices.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with for the operation and performance for the operation of the business of the Company and its subsidiaries as currently conducted, and, to the Company’s knowledge, the IT Systems are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the , that would reasonably be likely to have a Material Adverse Effect. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679)Regulation; (Div) any information which would qualify as “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (Fv) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There To the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the that, in each case, would reasonably be likely to have a Material Adverse Effect. The Company and its subsidiaries are, and at all prior times were, are presently in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company The Company’s and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the . The Company and its subsidiaries have implemented and maintained commercially reasonable physical, technical and administrative controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (data, including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with “Personal Data, “Sensitive Data”)) ,” used in connection with their businesses. “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation (EU 2016/679) (“GDPR”) (EU 2016/679); (Div) any information which would qualify as “protected health information” under HIPAA; the Health Insurance Portability and (E) any “personal information” Accountability Act of 1996, as defined amended by the California Consumer Privacy Health Information Technology for Economic and Clinical Health Act (collectively, “CCPAHIPAA”); and (Fv) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There To the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the . The Company and its subsidiaries are, are and at all prior times were, have been in material compliance with all applicable state and federal data privacy and security laws and regulationslaws, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), directives or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data (“Data Protection Laws”) and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at taken all times made necessary actions to prepare to comply with the GDPR and all disclosures other applicable laws and regulations with respect to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse EffectPersonal Data, and none of such disclosures made have been inaccurate or in violation of for which any applicable Privacy Laws in any non-compliance with same would be reasonably likely to create a material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectliability.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the . The Company and its subsidiaries have implemented and maintained commercially reasonable physical, technical and administrative controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (data, including all Personal Data (as defined below) and all sensitive, confidential, confidential or proprietary regulated data (collectively, with Personal Data, “Sensitive Confidential Data”)) used in connection with their businesses. “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation GDPR (“GDPR”) (EU 2016/679as defined below); (Div) any information which would qualify as “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”); and (Ev) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (Fvi) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the . The Company and its subsidiaries are, and at all prior times were, are presently in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems Systems, Confidential Data, and Sensitive Personal Data and to the protection of such IT Systems Systems, Confidential Data, and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expectednot, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect: , (i) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are designed to be adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary designed to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all personal, personally identifiable, sensitive, confidential, confidential or proprietary regulated data (collectively, with “Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Biii) any information which would qualify as “personally identifying information” under to the Federal Trade Commission ActCompany’s knowledge, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There there have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and ; (iiiiv) the Company and its subsidiaries are, and at all prior times were, are presently in material compliance with all applicable state and federal data privacy and security laws and regulationsor statutes (including, including without limitation HIPAA, CCPA, and GDPR (collectivelyfor the avoidance of doubt, the “Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act; the European Union General Data Protection Regulation (EU 2016/679); and the California Consumer Privacy Laws”), Act) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the protection, collection, use, disclosure, transfer, storage, disposal, confidentiality, integrity, privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company ; and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws(v) the execution, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effectdelivery, and none performance of such disclosures made have been inaccurate this Agreement or any other agreement referred to in this Agreement will not result in a breach or violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the The Company and its subsidiariesSubsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (including the data of their respective customers, employees, suppliers, vendors and any third party data maintained by or on behalf of the Company and its Subsidiaries) (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, Subsidiaries and to the Knowledge of the Company are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the . The Company and its subsidiaries Subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all personal, personally identifiable, sensitive, confidential, confidential or proprietary regulated data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includesWithout limiting the foregoing, without limitation (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the Company and its subsidiaries areSubsidiaries have used reasonable efforts to establish, maintain, implement and at all prior times werecomply with reasonable information technology, in material compliance with all applicable state information security, cyber security and federal data privacy protection controls, policies and procedures, including oversight, access controls, encryption, technological and physical safeguards and business continuity/disaster recovery and security laws plans that are designed to protect against and regulationsprevent breach, including without limitation HIPAAdestruction, CCPAloss, and GDPR (collectivelyunauthorized distribution, the “Privacy Laws”), and all internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, disablement, misappropriation or modification, or other compromise or misuse of or relating to any information technology system or Data used in connection with the operation of the Company’s and its Subsidiaries’ businesses (“Breach”) and, to the Knowledge of the Company, there has been no such Breach. The Company and its subsidiaries Subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, not been notified of and have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in in, any such notice; (B) Breach. This representation is currently conducting limited in each case to the extent that such breach or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement non-compliance would not, individually or in the aggregate, not reasonably be expected to have a Material Adverse Effect, and except as otherwise disclosed in the Commission Documents.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation includes (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (DC) any information which would qualify as “protected health information” under HIPAA; and (ED) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (FE) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company’s information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) operate and perform in all material respects as required in connection with the operation of the business of the Company as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”) used by the Company, or by its service providers in the performance of services for the Company, in connection with the Company’s businesses; (iii) there have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Data used or maintained by the Company or by its service providers in the performance of services for the Company (“Company Data”), except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations by the Company relating to the same, and (iiiiv) the Company and its subsidiaries are, is and at all prior times werehas been, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR GDPR, as applicable (collectively, the “Privacy Laws”), and all of its internal policies and binding industry standards, and contractual obligations relating to the privacy and security of IT Systems and Sensitive Company Data and to the protection of such IT Systems and Sensitive Company Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so Except as would not, individually or in the aggregate, have a Material Adverse Effect, the Company has at all times made all disclosures to users or customers required by applicable Privacy Laws and none of such disclosures made made, have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has not received written (or to its knowledge, other) notice of any actual or potential liability under or relating tounder, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is not a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with for the operation and performance for the operation of the business of the Company and its subsidiaries as currently conducted, and, to the Company’s knowledge, the IT Systems are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the , that would reasonably be likely to have a Material Adverse Change. The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679)Regulation; (Div) any information which would qualify as “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (Fv) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There To the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the that, in each case, would reasonably be likely to result in a Material Adverse Change. The Company and its subsidiaries are, and at all prior times were, are presently in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, expected to have a Material Adverse Effect: (i) , the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the . The Company and its subsidiaries have implemented and maintained commercially reasonable appropriate physical, technical and administrative controls, policies, procedures, and safeguards necessary to maintain and protect their material trade secrets and confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, confidential or proprietary regulated data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses), as monitored through regular penetration tests, vulnerability assessments, and data security audits (including by remediating any and all material identified vulnerabilities). “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) and the United Kingdom General Data Protection Regulation (“UK GDPR”); (Div) any information which would qualify as “protected health information” under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act; and (Ev) any “personal information” as defined by the California Consumer Privacy Act (the “CCPA”); and (Fvi) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There Except as would not reasonably be expected to have a Material Adverse Effect, in the past three (3) years, there have been (i) no breaches (including personal data breaches), violations, outages or unauthorized uses of or accesses to Sensitive Datathe IT Systems, except for those that have been remedied without material cost or liability or the duty to notify any other person, (ii) nor any incidents under internal review or investigations by governmental or regulatory authorities relating to the same, and (iii) the . The Company and its subsidiaries are, have been and at all prior times were, are currently in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), Laws or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority with jurisdiction over the Company and its subsidiaries, internal policies and contractual obligations relating to the privacy privacy, data protection and security of its IT Systems and Sensitive Data, including the collection, storage, transfer (including, without limitation, any transfer across national borders), processing and/or use of Data and securing a valid legal basis for the foregoing, and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The ; and the Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effecthas implemented, and none of such disclosures made have been inaccurate or in violation of any regularly tests its, reasonable backup and disaster recovery technology and plans that are consistent with applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, industry standards and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectpractices.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company The Company’s and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, applications and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and to the Company’s Knowledge, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the . The Company and its subsidiaries have implemented and maintained commercially reasonable physical, technical and administrative controls, policies, procedures, procedures and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (data, including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with “Personal Data, “Sensitive Data”)) ,” used in connection with their businessesbusiness. “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, information or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation (EU 2016/679) (“GDPR”) (EU 2016/679); (Div) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (Fv) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There To the Company’s Knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive such IT Systems or Personal Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the . The Company and its subsidiaries are, are and at all prior times were, have been in material compliance with all applicable state and federal data privacy and security laws and regulationslaws, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), directives or statutes and all judgments, orders, rules and regulations of any Governmental Entity or arbitrator or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data (“Data Protection Laws”) and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification, except as would not, singly or in the aggregate, result in a Material Adverse Effect. The Company and its subsidiaries have at taken all times made necessary actions to prepare to comply with the GDPR and all disclosures other applicable Data Protection Laws for which any non-compliance would be reasonably likely to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have create a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectliability.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no material breaches, violations, outages or unauthorized uses of or accesses to Sensitive Data, except for those that have been remedied without material cost or liability or as otherwise disclosed in the duty to notify any other personRegistration Statement and the Prospectus, nor any incidents under internal review or investigations relating to the same, and (iii) the Company and its subsidiaries are, and at all prior times were, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), and all internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with for the operation and performance of the business of the Company and its subsidiaries as currently conducted. To the Company’s knowledge, the IT Systems are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the . The Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679)Regulation; (Div) any information which would qualify as “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (Fv) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There To the Company’s knowledge, there have been no material breaches, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the . The Company and its subsidiaries areare presently, and at all prior times were, for the past three (3) years have been in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modificationmodification (each a “Data Protection Requirement”). The Neither the Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (Ai) has received written notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy LawsData Protection Requirements, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (Bii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy LawData Protection Requirement; or (Ciii) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse EffectData Protection Requirement.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the Company and its subsidiaries are, and at all prior times were, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), and all internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect., (i) to the knowledge of the Company and the Guarantors, the information technology systems, equipment and software used by the Company or any of its subsidiaries in their respective businesses (the “IT Assets”) (A) are adequate for the operation of the business of the Company and its subsidiaries as currently conducted; (B) operate and perform in all material respects in accordance with their documentation and functional specifications and otherwise as required by the Company’s and its subsidiaries’ respective businesses as currently conducted and (C) are free of any viruses, “back doors,” “Trojan horses,” “time bombs,” “worms,” “drop dead devices” or other software or hardware components that are designed or intended to interrupt use of, permit unauthorized access to, or disable, damage or erase, any software material to the business of the Company or any of its subsidiaries; (ii) the Company and its subsidiaries have implemented commercially reasonable backup and disaster recovery technology processes consistent with standard industry practices; and (iii) to the knowledge of the Company and the Guarantors, no person has gained unauthorized access to any IT Asset since the Company’s inception. Except as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, (i) with regard to their receipt, collection, handling, processing, sharing, transfer, usage, disclosure, interception, security, storage and disposal of all data and information that identifies or relates to a distinct individual, including without limitation IP addresses, mobile device identifiers, geolocation information and website usage activity data, or that is directly linked to such information (collectively, “Personal and Device Data”), the Company and its subsidiaries have operated at all times in a manner compliant with all applicable laws, regulations, and contractual obligations (including the European Union General Data Protection Regulation) (“Privacy Legal Obligations”); (ii) the Company and its subsidiaries have commercially reasonable policies and procedures consistent with standard industry practices designed to ensure the Company and its subsidiaries comply with such Privacy Legal Obligations and take appropriate steps that are reasonably designed to assure compliance with such policies and procedures, and such policies and procedures comply with all Privacy Legal Obligations; (iii) the Company and its subsidiaries maintain commercially reasonable data security policies and procedures consistent with standard industry practices designed to protect the confidentiality, security, and integrity of Personal and Device Data and to prevent unauthorized use of and access to Personal and Device Data; (iv) the Company and its subsidiaries have commercially reasonable policies and procedures consistent with standard industry practices to require all third parties to which they provide any Personal and Device Data to maintain the privacy and security of such Personal and Device Data and to comply with applicable Privacy Legal Obligations; and (v) to the knowledge of the Company and the Guarantors, there has been no unauthorized access to, or use or disclosure of, Personal and Device Data maintained by or for the Company or its subsidiaries

Cybersecurity; Data Protection. Except (i) as described in the Registration Statement, the Time of Sale Prospectus and the Prospectus or (ii) as would not reasonably be expected, individually or in the aggregate, expected to have a Material Adverse Effect: , (iA) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, for and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and are, to the best knowledge of the Company, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (iiB) the Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all personal, personally identifiable, sensitive, confidentialhousehold or regulated data or information collected, stored or proprietary data processed by the Company or its subsidiaries (collectively, with “Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by to the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by best knowledge of the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural personCompany, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There there have been no breaches, violations, outages or unauthorized uses use or disclosure of or accesses access to Sensitive the IT Systems and/or Personal Data, except for those that have been remedied without material cost or liability or the duty to notify any other personperson or governmental or regulatory authority, nor any and there are no incidents or, to Company’s knowledge, threatened incidents under internal review or investigations by governmental or regulatory authorities or other third parties relating to the same, and ; (iiiD) the Company and its subsidiaries are, and at all prior times were, are presently in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), or statutes and all judgments, orders, rules and regulations of any court, arbitrator or governmental or regulatory authority, their own internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, loss, access, processing, misappropriation or modification. The , including, without limitation, the European Union General Data Protection Regulation 2016/679 and/or any implementing or supplementing local law of a European Union member state, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, the Federal Trade Commission Act, the Health Insurance Portability and Accountability of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, the California Consumer Privacy Act and all other laws and regulations with respect to Personal Data applicable to the Company or its subsidiaries (“Privacy Laws”); (E) the Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has not received notice of any actual or potential liability under violation of any Privacy Laws and there is no action, suit or relating toproceeding by or before any court or governmental agency, authority or actual body pending or potential violation of, threatened against the Company or its subsidiaries alleging non-compliance with Privacy Laws; (F) the Company has provided notice of its privacy policy on its websites where required by Privacy Laws and such privacy policies do not contain any misrepresentations of the Company’s then-current privacy practices; (G) the Company and its subsidiaries has taken commercially reasonable steps to require that any Personal Data of the Company and its subsidiaries processed by authorized third parties acting on behalf of the Company or its subsidiaries is protected with similar safeguards, in each case, in compliance with applicable laws and contractual obligations; and (H) the Company and its subsidiaries have in place safeguards and measures for the international transfer of Personal Data outside the European Economic Area that are adequate and comply with Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or otherwise described in the aggregateDisclosure Documents, to have a Material Adverse Effect: (i) the Company Company’s and its subsidiariesSubsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and, to the Company’s knowledge, are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) . Except as otherwise described in the Disclosure Documents or would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the Company and its subsidiaries Subsidiaries have implemented and maintained commercially reasonable physical, technical and administrative controls, policies, procedures, policies and safeguards necessary procedures designed to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (data, including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation (EU 2016/679) (“GDPR”) (EU 2016/679); (Div) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (Fv) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There To the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) except as otherwise described in the Disclosure Documents or would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as otherwise described in the Disclosure Documents, the Company and its subsidiaries are, Subsidiaries are and at all prior times were, have been in material compliance with all applicable state and federal data privacy and security laws and regulationslaws, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), directives or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data (“Data Protection Laws”) and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the each case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no material breaches, violations, outages or unauthorized uses of or accesses to Sensitive Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the Company and its subsidiaries are, and at all prior times were, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), and all internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the The Company and its subsidiariesSubsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the . The Company and its subsidiaries Subsidiaries have implemented and maintained commercially reasonable physical, technical and administrative controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (data, including all Personal Data (as defined below) and all sensitive, confidential, or proprietary data (collectively, with “Personal Data, “Sensitive Data”)) ,” used in connection with their businesses. “Personal Data” includes, without limitation means (Ai) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (Bii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (Ciii) “personal data” as defined by the European Union General Data Protection Regulation GDPR (“GDPR”) (EU 2016/679as defined below); (Div) any information which would qualify as “protected health information” under HIPAA; the Health Insurance Portability and (E) any “personal information” Accountability Act of 1996, as defined amended by the California Consumer Privacy Health Information Technology for Economic and Clinical Health Act (collectively, “CCPAHIPAA”); and (Fv) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Datasame, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the . The Company and its subsidiaries are, and at all prior times were, Subsidiaries are presently in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), or statutes and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Cybersecurity; Data Protection. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect: (i) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants; (ii) the Company and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data (as defined belowData”) and all sensitive, confidential, or proprietary data (collectively, with Personal Data, “Sensitive Data”)) used in connection with their businesses. “Personal Data” includes, without limitation (A) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (B) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (C) “personal data” as defined by the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); (D) any information which would qualify as “protected health information” under HIPAA; and (E) any “personal information” as defined by the California Consumer Privacy Act (“CCPA”); and (F) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. There have been no breaches, violations, outages or unauthorized uses of or accesses to Sensitive Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same, and (iii) the Company and its subsidiaries are, and at all prior times were, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation HIPAA, CCPA, and GDPR (collectively, the “Privacy Laws”), and all internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company and its subsidiaries have at all times made all disclosures to users or customers required by applicable Privacy Laws, except where the failure to do so would not, individually or in the aggregate, have a Material Adverse Effect, and none of such disclosures made have been inaccurate or in violation of any applicable Privacy Laws in any material respect. The Company further certifies that neither it nor any subsidiary: (A) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (B) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (C) is a party to any order, decree, or agreement that imposes any obligation or liability by any governmental or regulatory authority under any Privacy Law, except, in the case of (A), (B) or (C), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectand.