Common use of Data Privacy and Information Security Clause in Contracts

Data Privacy and Information Security. (a) The Company and each Company Subsidiary have complied with all applicable (i) Laws, (ii) contractual obligations and (iii) publicly posted privacy policies to which the Company and each Company Subsidiary is subject that are related to privacy, patient confidentiality, information security, data protection or the Processing of Personal Information (collectively, the “Privacy Obligations”). Neither the Company nor any of the Company Subsidiaries have received written notices or complaints, and no claims (whether by a Governmental Authority or Person) are pending or threatened against the Company or any of the Company Subsidiaries, alleging any violation of Privacy Obligations. (b) The Company and each Company Subsidiary maintains appropriate (i) written policies and procedures, and (ii) organizational, physical, administrative and technical safeguards designed to protect Personal Information against a Security Breach. The Company and each Company Subsidiary periodically assesses risks to privacy and the confidentiality and security of Personal Information. Since January 1, 2020, (i) there have been no Security Breaches of any of the IT Systems of the Company, any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on its/their behalf and (ii) there have been no material disruptions in the IT Systems of Company, any of the Company Subsidiaries or any of their respective vendors that adversely affected the Company’s or any of the Company Subsidiaries’ business or operations. (c) The Company and each Company Subsidiary (i) has operated its respective business in material compliance with all Privacy Obligations in connection with the operation of the CGRP Business, and (ii) has implemented all confidentiality, security and other protective measures required in connection with (i) of this subsection (c), including, as required by applicable Law, by obtaining study subjects’ consent and/or authorization to use and disclose Personal Information for research. (d) Since January 1, 2020, none of the Company, any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on their behalf has experienced any Security Breach for which written notification was provided or required to be provided to any Person or Governmental Authority under any applicable Laws related to privacy, information security, data protection or the Processing of Personal Information. (e) The Company and each Company Subsidiary (i) has obtained or will obtain all rights, permissions, and consents necessary to permit the transfer of Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement; or (ii) has otherwise verified that applicable Privacy Obligations permits it to transfer Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement.

Data Privacy and Information Security. (a) The Company and each Company Subsidiary have complied with all applicable IT Assets (i) Lawsare adequate for, and operate and perform in all material respects in accordance with their documentation and functional specifications and otherwise as required in connection with, the operation of the Business, (ii) contractual obligations and are, to the Knowledge of Sellers, free from material bugs, errors or other defects, (iii) publicly posted privacy policies except as would not reasonably be expected to which be material to the Company Purchased Assets and each Company Subsidiary is subject that are related the Business, have not materially malfunctioned, crashed, failed, experienced denial of service attacks or continued substandard performance or other adverse events, and (iv) to privacythe Knowledge of Sellers, patient confidentialitydo not contain any Malicious Code. The Group Companies have implemented reasonable and appropriate anti-malware, information anti-virus, backup, security, business continuity, and disaster recovery measures and technology and regularly tests those measures and technology. (b) Each Group Company complies, and has in the past three (3) years complied materially, with (i) public-facing privacy and data protection security policies, (ii) all applicable rules of self-regulatory organizations and codes of conduct, including the Payment Card Industry Data Security Standard (PCI DSS), (iii) applicable industry standards and guidelines concerning the Processing of Personal Information, (iv) all applicable Privacy Laws, and (v) all contractual obligations concerning information security and data privacy (including the Processing of Personal Information) (collectively, the “Data Privacy/Security Requirements”). All vendors, processors, subcontractors and other Persons acting for or on behalf of the Group Companies in connection with the Processing of Personal Information or that otherwise have been authorized to have access to the Company IT Assets or the Personal Information in the possession or control of Group Companies are subject to reasonable contractual requirements regarding the Processing of Personal Information, and, to the Knowledge of Sellers, comply, and have in the past three (collectively3) years complied, with the “Privacy Obligations”)Data Privacy/Security Requirements. Neither the Company consummation of the transactions contemplated by the performance of this Agreement and each Transaction Document, nor any disclosure or transfer of information in connection therewith, will breach or otherwise cause any violation of any Data Privacy/Security Requirement or require the Company Subsidiaries have received written notices consent, waiver or complaintsauthorization of, or declaration, filing or notification to, any Person under any such Data Privacy/Security Requirement. Except as would not reasonably be expected to be material to the Purchased Assets and the Business, there are not, and no claims have not been in the last three (whether 3) years, any legal actions pending by a Governmental Authority or Person) are pending or threatened against any Group Company concerning any Data Privacy/Security Requirement or compliance therewith or violation thereof. To the Company Knowledge of Sellers, no disclosure or representation made or contained in any of the Company Subsidiariessuch privacy policy has been inaccurate, alleging any misleading, deceptive or in violation of Privacy Obligations. any applicable Laws (b) The Company and each Company Subsidiary maintains appropriate (i) written policies and procedures, and (ii) organizational, physical, administrative and technical safeguards designed to protect Personal Information against a Security Breach. The Company and each Company Subsidiary periodically assesses risks to privacy and the confidentiality and security of Personal Information. Since January 1, 2020, (i) there have been no Security Breaches of including containing any of the IT Systems of the Company, any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on its/their behalf and (ii) there have been no material disruptions in the IT Systems of Company, any of the Company Subsidiaries or any of their respective vendors that adversely affected the Company’s or any of the Company Subsidiaries’ business or operationsomission). (c) The For the last three (3) years, each Group Company has posted a privacy policy that fully and accurately describes its privacy practices, including its collection and use of Personal Information in a clear and conspicuous location on each of the websites and mobile applications owned, operated or hosted by the Group Company Subsidiary (i) has operated its respective or through which the Group Company conducts business in material compliance accordance with all applicable Privacy Obligations in connection with the operation of the CGRP Business, and (ii) has implemented all confidentiality, security and other protective measures required in connection with (i) of this subsection (c), including, as required by applicable Law, by obtaining study subjects’ consent and/or authorization to use and disclose Personal Information for researchLaws. (d) Since January 1Each Group Company has implemented and maintains a comprehensive information security plan (a “Security Plan”), 2020which includes commercially reasonable administrative, none of technical and physical safeguards reasonably designed to protect the Companyconfidentiality, any availability, integrity and security of the Company Subsidiaries or any of their respective vendors that Process IT Assets and the Personal Information on their behalf and other sensitive information stored therein. The Security Plan conforms to the Data Privacy/Security Requirements and any public statements made by the Sellers regarding the Security Plan. To the Knowledge of Sellers, there has experienced any Security Breach for which written notification was provided or required to be provided to any Person or Governmental Authority under any applicable Laws related to privacy, information security, data protection or the Processing of Personal Information. (e) The Company and each Company Subsidiary been no material (i) has obtained loss, damage, misuse or will obtain all rightsunauthorized use, permissionsaccess, and consents necessary to permit modification, destruction, or disclosure, or other breach of security of the transfer of Personal Information maintained by or on behalf of the any Group Company (including, but not limited to, any event that would give rise to Parent a breach or incident for which notification by the Company to individuals and/or Merger Sub in connection with the transactions contemplated by this Agreement; or Governmental Authorities is required under Data Privacy/Security Requirements), (ii) phishing, social engineering, or business email compromise incident that has resulted in a monetary loss or that has otherwise verified that applicable Privacy Obligations permits it had or would reasonably be expected to transfer Personal Information to Parent and/or Merger Sub have, individually or in connection with the transactions contemplated by this Agreementaggregate, an adverse effect on the Business, or (iii) breaches or unauthorized intrusions of the security of any Company IT Asset.

Data Privacy and Information Security. Except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and the Company Subsidiaries (taken as a whole): (a) The Since January 1, 2020, the Company and each Company Subsidiary have complied with all applicable (i) Laws, (ii) written contractual obligations and (iii) publicly posted privacy policies to which the Company and each Company Subsidiary is subject subject, in each case, that are related to privacy, patient confidentiality, information security, data protection or the Processing of Personal Information (collectively, the “Privacy Obligations”). Neither the Company nor any of the Company Subsidiaries have received written notices or complaints, and no claims (whether by a Governmental Authority or Person) are pending or threatened in writing against the Company or any of the Company Subsidiaries, alleging any violation of Privacy Obligations. (b) The Company and each Company Subsidiary maintains appropriate (i) written policies and procedures, and (ii) organizational, physical, administrative and technical safeguards safeguards, in each case, designed to protect Personal Information against a Security Breach. The Company and each Company Subsidiary periodically assesses assess risks to privacy and the confidentiality and security of Personal Information. Since January 1, 2020, to the Knowledge of the Company, (i) there have been no Security Breaches of any of the Company Systems or any of the IT Systems of the Company, any of the Company Subsidiaries Subsidiaries, or any of their the respective vendors that Process Personal Information on its/their the Company’s or the Company Subsidiaries’ behalf and (ii) there have been no material disruptions in the Company Systems or any of the IT Systems of the Company, any of the Company Subsidiaries Subsidiaries, or any of their respective such vendors that adversely affected the Company’s or any of the Company Subsidiaries’ business or operations. (c) The Company and each Company Subsidiary (i) has has, since January 1, 2020, operated its respective business in material compliance with all Privacy Obligations in connection with the operation of the CGRP BusinessObligations, and (ii) has implemented all confidentiality, security and other protective measures required in connection with (i) of this subsection (c), including, as required by applicable Law, by obtaining study subjects’ consent and/or authorization to use and disclose Personal Information for research. (d) Since January 1, 2020, none of the Company, any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on their behalf has experienced any Security Breach for which written notification was provided or required to be provided by the Company, any Company Subsidiary, or to the Knowledge of the Company, such vendors to any Person or Governmental Authority under any applicable Laws related to privacy, information security, data protection or the Processing of Personal Information. (e) The Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, the Company and each Company Subsidiary (i) has obtained or will obtain all required rights, permissions, and consents necessary to permit the transfer of Personal Information controlled by the Company or any Company Subsidiaries to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement; or (ii) has otherwise verified that applicable Privacy Obligations Law permits it to transfer such Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement.

Data Privacy and Information Security. (a) The Company and each Company Subsidiary have complied with all applicable (i) LawsSince the Reference Date, (ii) contractual obligations and (iii) publicly posted privacy policies to which the Company and each Company Subsidiary is subject that are related to privacyhas, patient confidentialityas applicable, information security, data protection or the Processing of Personal Information (collectively, the “complied with all Privacy Obligations”)Obligations in all material respects. Neither the Company nor any of the Company Subsidiaries have received written notices or complaints, and to the Knowledge of the Company no claims (whether by a Governmental Authority or Person) are pending or threatened in writing against the Company or any of the Company Subsidiaries, alleging any a violation of any Privacy Obligations. (b) The Company and each Company Subsidiary maintains appropriate a comprehensive written information security program comprising commercially reasonable (i) measures (such as when using vendors), (ii) written policies and procedures, and (iiiii) organizational, physical, administrative and technical safeguards safeguards, each (i) through (iii) are designed to protect Personal the security, confidentiality, integrity and availability of Sensitive Information Processed by or on behalf of the Company and each Company Subsidiary and all Systems in the Company’s custody or control against a Security BreachXxxxxxxx, and each case in compliance with all Privacy Obligations. The Company and each Company Subsidiary periodically assesses risks to privacy and the confidentiality and security of Personal Sensitive Information. Since January 1, 2020, (i) there have been no Security Breaches of and promptly mitigate any of the IT Systems of the Company, any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on its/their behalf and (ii) there have been no material disruptions risks identified during such assessments in the IT Systems of Company, any of the Company Subsidiaries or any of their respective vendors that adversely affected the Company’s or any of the Company Subsidiaries’ business or operationsorder to ensure compliance with Privacy Obligations. (c) The Since the Reference Date, the Company and each Company Subsidiary (i) has operated its respective business in material compliance with all Privacy Obligations in connection with the operation of the CGRP Business, and (ii) has implemented all commercially reasonable confidentiality, security and other protective measures required in connection with (i) of this subsection (c)relation to Sensitive Information, includingincluding providing notices to, as required by applicable Law, by and obtaining study subjects’ consent and/or authorization to use and disclose Personal Sensitive Information for researchresearch to the extent required by and in compliance with Privacy Obligations. (d) Since January 1, 2020the Reference Date, none of the Company, any of the Company Subsidiaries or or, any of their respective vendors that Process Personal Sensitive Information on their behalf and in their provision of services to the Company or any Company Subsidiaries, has experienced any breach, misappropriation, or unauthorized collection, use, disclosure or other Processing of any Sensitive Information, including any Security Breach for which written notification was provided or Breach. Since the Reference Date, the Company has not been required to be provided to notify under applicable Privacy Laws any Person Persons or Governmental Authority under Authorities of the occurrence or potential occurrence of any applicable Laws related to privacy, information security, data protection security breaches or the Processing unauthorized disclosures of Personal InformationInformation collected by the Company, including any disclosures through any Company Platforms. (e) The Company and each Company Subsidiary (i) has obtained or will obtain all required rights, permissions, and consents necessary to permit the transfer of Personal Sensitive Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement; or (ii) has otherwise verified that applicable Privacy Obligations Law permits it to transfer Personal Sensitive Information to Parent and/or Merger Sub in connection with the transactions contemplated by this AgreementAgreement without obtaining any rights, permissions or consents. (f) To the extent required by applicable Law, the Company and each Company Subsidiary contractually requires all third parties, including vendors and other Persons providing services of the Company or such Company Subsidiary that, in each case, have access to Sensitive Information from or on behalf of the Company or such Company Subsidiary, to: (i) comply with all Privacy Obligations; (ii) take reasonable steps designed to ensure that all Sensitive Information in such third parties’ possession or control is protected against damage and loss, and against unauthorized access, acquisition, use, modification, disclosure or other misuse; and (iii) restrict use of Sensitive Information to that authorized or required under the servicing, outsourcing or other arrangement. (g) To the Knowledge of the Company, the Company and each Company Subsidiary are not, nor has any such entity ever (i) been subject to any investigation, lawsuit, action, inquiry or audit concerning the privacy and/or data security of any Sensitive Information collected, used, stored, shared or otherwise processed by the Company or such Company Subsidiary, or (ii) received any written or oral notice of any claim, investigation or alleged violation of any Privacy Obligation, and there are no facts or circumstances which could form the basis for any such claim, investigation or alleged violation. (h) Since the Reference Date, none of the websites or mobile applications developed and maintained by or on behalf of the Company (the “Company Platforms”) have used or disclosed Personal Information in a manner that constitutes a breach under, or otherwise violates, any Privacy Laws. (i) Since the Reference Date, the Company has not received written or oral notice of, or been subject to, any claim, action, demand, lawsuit, audit, complaint, compliance review, inspection, investigation, or subpoena from any Governmental Authority or any other Person alleging that the Company Platforms have used or disclosed Personal Information in a manner that does not comply with Privacy Laws.

Data Privacy and Information Security. (a) The Company In connection with the collection, storage, transfer (including, without limitation, any transfer across national borders), disclosure, and/or use of any information that identifies or is reasonably likely to identify an individual, including, without limitation, any customers, prospective customers, employees and/or other third parties (collectively “Personal Information”), the Sellers are and each Company Subsidiary have complied been in compliance with all applicable (i) Laws, (ii) contractual obligations and (iii) publicly posted privacy policies the requirements of any contract or other agreements to which the Company and each Company Subsidiary a Seller is subject that are related to privacy, patient confidentiality, information security, data protection or the Processing of Personal Information (collectively, the “Privacy Obligations”). Neither the Company nor any of the Company Subsidiaries have received written notices or complaintsa party, and no claims (whether by all applicable industry or self-regulatory standards which a Governmental Authority Seller has agreed to comply with or Person) are pending or threatened against the Company or any of the Company Subsidiaries, alleging any violation of Privacy Obligationsotherwise represents that it complies. (b) The Company Each Seller has implemented and each Company Subsidiary maintains commercially reasonable physical, technical, organizational and administrative security measures and policies to protect the confidentiality, availability, and integrity of all Personal Information, such Seller’s systems, and other confidential or sensitive information. Each Seller has ensured that any individual or Entity performing services for such Seller has implemented and maintained reasonable and appropriate physical, technical, organizational, and administrative security measures to preserve the confidentiality, availability, and integrity of the all Personal Information, such Seller’s systems, and other confidential or sensitive information. No Seller has experienced any (i) written policies and procedures, and (ii) organizational, physical, administrative and technical safeguards designed unauthorized access to protect Personal Information against a Security Breach. The Company and each Company Subsidiary periodically assesses risks to privacy and the confidentiality and security of Personal Information. Since January 1, 2020, (i) there have been no Security Breaches or material unavailability of any of the IT Systems of the Companysystems or information technology assets maintained by or for such Seller, any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on its/their behalf and (ii) there have actual or reasonably suspected unauthorized access to, or acquisition, handling, disclosure, or other processing of any Personal Information maintained or processed by or for such Seller (each, a “Security Incident”). Each Seller is and has been no in compliance in all material disruptions in respects with all Laws relating to data loss, theft and breach of security notification obligations. Each Seller has promptly (A) taken appropriate actions to address all known or suspected Security Incidents and (B) remedied the IT Systems cause of Company, any of the Company Subsidiaries or any of their respective vendors that adversely affected the Company’s or any of the Company Subsidiaries’ business or operationsSecurity Incidents. (c) The Company Each Seller has in the previous five (5) years, periodically and each Company Subsidiary (i) has operated regularly, conducted reasonable assessments to identify security vulnerabilities in its respective business in material compliance with all Privacy Obligations in connection with the operation of the CGRP Businessproducts, services, and (ii) has software. To each Seller’s Knowledge, no security vulnerabilities exist in any of such Seller’s services, products, or software implemented all confidentialityby such Seller or any of its customers, security and other protective measures required in connection with (i) which present a material risk of this subsection (c), including, as required by applicable Law, by obtaining study subjects’ consent and/or authorization to use and disclose Personal Information for researcha Security Incident. (d) Since January 1Each Seller has implemented and maintains external-facing and internal privacy policies, 2020procedures, none representations and promises relating to the collection, use, storage, disclosure, transmission, disposal, protection, and other processing of Personal Information and other confidential or sensitive data (the “Privacy Policies”). Accurate, current copies of all Privacy Policies have been provided and the privacy and information security practices of each Seller and the Business conform, and at times have conformed, in all material respects, to the respective Privacy Policies. Each of the CompanySellers has at all times: (i) complied with all applicable Laws, as well as its own Privacy Policies, including any obligations under Title V of the Xxxxx-Xxxxx-Xxxxxx Act, as amended (15 U.S.C. §§ 6801 et seq.), the Fair Credit Reporting Act, as amended (15 U.S.C. §§ 1681 et seq.), and the European Union’s General Data Protection Regulation, as well as any laws and regulations in the EEA Member States promulgated under any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on their behalf has experienced any Security Breach for which written notification was provided or required to be provided to any Person or Governmental Authority under any foregoing (“GDPR”); and (ii) registered with applicable Laws related to privacy, information security, data protection or the Processing of Personal Informationagencies as may be required. (e) The Company With respect to any Personal Information obtained by third parties other than the individuals to whom the Personal Information pertains, each Seller has conducted appropriate due diligence and each Company Subsidiary implemented contractual obligations ensuring that such third parties collect, use, process, and disclose such Personal Information in compliance with all applicable Laws and the third party’s privacy notices, statements and representations, and that such third parties have taken all necessary steps to secure appropriate rights to such Personal Information to enable such Seller to collect, use, disclose, and process such Personal Information for such Seller’s general and specific business purposes. (f) No person or Entity (including any foreign or domestic Governmental Authority) has made or commenced any complaint, order, action, hearing, claim, investigation, charge, inquiry, or demand relating to any Seller’s practices with respect to (i) has obtained the collection, use, retention, disclosure, transfer, storage, disposal, or will obtain all rights, permissions, and consents necessary to permit the transfer other processing of Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreementsuch Seller or for which such Seller is responsible; or (ii) has otherwise verified that applicable Privacy Obligations permits it to transfer the security, confidentiality, availability, or integrity of Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this AgreementInformation.

Data Privacy and Information Security. (a) The Company and each Company Subsidiary have complied with all applicable (i) LawsSince January 1, (ii) contractual obligations and (iii) publicly posted privacy policies to which 2019, the Company and each Company Subsidiary is subject that are related has, as applicable, complied in all material respects with (i) all applicable Laws governing Personal Information; (ii) all applicable written contractual obligations to privacy, patient confidentiality, information security, data protection or the Processing of third parties governing Personal Information Information; and (collectively, the “Privacy Obligations”)iii) all applicable publicly posted privacy policies governing Personal Information. Neither the Company nor any of the Company Subsidiaries have received written notices or complaints, and no claims (whether by a Governmental Authority or Person) are pending or threatened in writing against the Company or any of the Company Subsidiaries, alleging any a material violation of Privacy Obligationsany third party’s Personal Information, including any alleged material violation of applicable Laws, written contractual obligations or publicly posted policies governing Personal Information. (b) The Company and each Company Subsidiary maintains appropriate commercially reasonable (i) measures (such as when using vendors), (ii) written policies and procedures, and (iiiii) organizational, physical, administrative and technical safeguards safeguards, each (i) through (iii) in compliance in all material respects with applicable Laws governing Personal Information and designed to protect Personal Information against a Security Breach. The Company and each Company Subsidiary periodically assesses risks to privacy and the confidentiality and security of Personal Information. Since Except as set forth in Section 3.22(b) of the Company Disclosure Letter, since January 1, 20202019, (i) there have been no Security Breaches of any of the IT Systems of the Company, any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on its/their behalf and (ii) there have been no material disruptions in the IT Systems their provision of Company, any of services to the Company Subsidiaries or any of their respective vendors that adversely affected the Company’s or any of the Company Subsidiaries’ business or operations. (c) The Since January 1, 2019, the Company and each Company Subsidiary (i) has operated its respective business in material compliance with all Privacy Obligations in connection with the operation of the CGRP Business, and (ii) has implemented all commercially reasonable confidentiality, security and other protective measures required in connection with (i) of this subsection (c)relation to Personal Information, including, such as required by applicable Law, by obtaining study subjects’ consent and/or authorization to use and disclose Personal Information for research. (d) Since Except as set forth in Section 3.22(d) of the Company Disclosure Letter, since January 1, 20202019, none of the Company, any of the Company Subsidiaries or or, any of their respective vendors that Process Personal Information on their behalf and in their provision of services to the Company or any Company Subsidiaries, has experienced any breach, misappropriation, or unauthorized collection, use or disclosure of any Personal Information, including any Security Breach Breach, for which written notification was provided given or required to be provided given to any Person or Governmental Authority under any applicable Laws related to privacy, information security, data protection or the Processing of Personal Informationprivacy Laws. (e) The Company and each Company Subsidiary (i) has obtained or will obtain all required rights, permissions, and consents necessary to permit the transfer of Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement; or (ii) has otherwise verified that applicable Privacy Obligations Law permits it to transfer Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement.

Data Privacy and Information Security. (a) The Except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and each the Company Subsidiary have complied with all applicable Subsidiaries, taken as a whole, (i) Lawsthe IT Assets are in good repair and operating condition and are adequate and suitable for the purposes for which they are being used or held for use, and, to the knowledge of the Company, do not contain any faults, malicious code, malware, virus, Trojan horse, worm, program, sub-program, or other flaw or weakness that could be exploited by a bad actor to cause a Cybersecurity Incident, (ii) contractual obligations the Company and the Company Subsidiaries have implemented, maintain and comply with commercially reasonable written information security, business continuity and backup and disaster recovery plans and procedures that are consistent with industry practices and (iii) publicly posted privacy policies to which the Company and each Company Subsidiary is subject that are related to privacy, patient confidentiality, information security, data protection or the Processing of Personal Information (collectively, the “Privacy Obligations”). Neither the Company nor any knowledge of the Company Subsidiaries have received written notices Company, since January 1, 2020, there has been no actual or complaints, and no claims (whether by a Governmental Authority or Person) are pending or threatened against the Company or any of the Company Subsidiaries, alleging any violation of Privacy Obligationsalleged Cybersecurity Incident. (b) The Except as would not reasonably be expected to be material to the Company and each the Company Subsidiary maintains appropriate (i) written policies and proceduresSubsidiaries, and (ii) organizationaltaken as a whole, physical, administrative and technical safeguards designed to protect Personal Information against a Security Breach. The Company and each Company Subsidiary periodically assesses risks to privacy and the confidentiality and security of Personal Information. Since since January 1, 2020, (i) there the Company and the Company Subsidiaries are and have been no Security Breaches of in compliance with the Data Protection Requirements that apply to the Company or to such Company Subsidiary, respectively, (ii) the Company and the Company Subsidiaries are not subject to any restrictions that would limit Parent’s ability to use Personal Information, collected, stored and processed by the Company and the Company Subsidiaries, after the Closing in the manner substantially the same as currently used by the Company and the Company Subsidiaries, (iii) the Company and the Company Subsidiaries have used commercially reasonable efforts to protect the confidentiality and security of the IT Systems Personal Information that the Company and the Company Subsidiaries collect, store, use, maintain or otherwise process for the conduct of their business and to prevent unauthorized use, disclosure, loss, processing, transmission or destruction of or access to such Personal Information by any other Person, (iv) neither the Company nor any Company Subsidiary has been legally required to provide any written notices to any Person in connection with the disclosure of Personal Information or non-public information, nor has the Company or any Company Subsidiary provided any such written notice, (v) there are no written complaints, inquiries or requests pending or, to the knowledge of the Company, any of threatened against the Company or the Company Subsidiaries or alleging a violation of any of their respective vendors that Process Person’s Personal Information on its/their behalf or privacy rights and (iivi) to the knowledge of the Company, there have has been no material disruptions in the IT Systems of Company, Cybersecurity Incident that would constitute a breach for which notification to any of the Company Subsidiaries or any of their respective vendors that adversely affected the Company’s or any of the Company Subsidiaries’ business or operationsPerson is required under applicable Data Protection Requirements. (c) The Company and each Company Subsidiary (i) has operated its respective business in material compliance with all Privacy Obligations in connection with the operation of the CGRP Business, and (ii) has implemented all confidentiality, security and other protective measures required in connection with (i) For purposes of this subsection (c), including, as required by applicable Law, by obtaining study subjects’ consent and/or authorization to use and disclose Personal Information for research. (d) Since January 1, 2020, none of the Company, any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on their behalf has experienced any Security Breach for which written notification was provided or required to be provided to any Person or Governmental Authority under any applicable Laws related to privacy, information security, data protection or the Processing of Personal Information. (e) The Company and each Company Subsidiary (i) has obtained or will obtain all rights, permissions, and consents necessary to permit the transfer of Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement; or (ii) has otherwise verified that applicable Privacy Obligations permits it to transfer Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement.:

Data Privacy and Information Security. (a) The Company and Company, each Company Subsidiary have and, to the Knowledge of the Company, any Person acting for or on behalf of the Company or any Company Subsidiary, have, since the Reference Date, complied in all material respects with all applicable (i) Laws, (ii) contractual obligations and (iii) publicly posted privacy policies to which the Company and each Company Subsidiary is subject that are related to privacy, patient confidentiality, information security, data protection or the Processing of Personal Information (collectively, the “Privacy Obligations”). Neither Since the Reference Date, neither the Company nor any of the Company Subsidiaries have received any written notices or of any complaints, and no claims claims, threatened claims, charges, investigations or regulatory inquiries (whether by a Governmental Authority or Person) are pending or threatened against the Company or any of the Company Subsidiaries, Subsidiaries alleging any violation of any Privacy Obligations. To the Knowledge of the Company, there are no facts or circumstances that could reasonably form the basis of any of the same. (b) The Company and each Company Subsidiary maintains reasonable and appropriate (i) written policies and procedures, and (ii) organizational, physical, administrative and technical safeguards designed to protect Personal Information against a Security Breach. The Company and each Company Subsidiary periodically periodically, and no less than annually, assesses risks to privacy and the confidentiality and security of Personal Information. Since January 1, 2020the Reference Date, (i) to the Knowledge of the Company, there have been no Security Breaches of any of the IT Systems of the Company, Company or any of the Company Subsidiaries or any of their respective vendors that Process Personal Information on its/their behalf and (ii) there have been no material disruptions in the IT Systems of Company, the Company or any of the Company Subsidiaries or any vendors of their respective vendors the Company or any of the Company Subsidiaries that adversely materially affected the Company’s or any of the Company Subsidiaries’ business or operations. (c) The Company and each Company Subsidiary (i) has operated its respective business in material compliance with all Privacy Obligations in connection with the operation of the CGRP 101 Business, and (ii) has has, in all material respects, implemented all confidentiality, security and other protective measures required in connection with (i) of this subsection (c), including, as where required by applicable Law, by obtaining study subjects’ consent and/or authorization to use and disclose Personal Information for researchresearch purposes. (d) Since The Company and each Company Subsidiary is, and since January 1, 20202021 has been, in compliance in all material respects with HIPAA (to the extent applicable to the Company and each Company Subsidiary) and all contractual commitments relating to privacy and the security of Protected Health Information. The Company and each Company Subsidiary has, if and to the extent required by HIPAA, entered into current and valid “Business Associate Agreements” (as defined in 45 C.F.R. §§ 164.502(e) and 164.504(e)) with each “Business Associate” (as defined in 45 C.F.R. § 160.103) of the Company and any “Covered Entity” (as defined in 45 C.F.R. § 160.103), for which the Company and each Company Subsidiary functions as a “Business Associate.” None of the Company or any of the Company Subsidiaries or, to the Company’s Knowledge, any subcontractors of the Company or any of the Company Subsidiaries, has, since January 1, 2021, experienced any unauthorized use or disclosure of Protected Health Information that would constitute (i) a “security incident” (as defined in 45 C.F.R. § 164.304) or (ii) a “breach” (as defined in 45 C.F.R. § 164.402) that would require the Company or any of the Company Subsidiaries to provide notice under 16 C.F.R. § 164.404. (e) Since the Reference Date, none of the Company, any of the Company Subsidiaries or or, to the Knowledge of the Company, any of their respective vendors that Process Personal Information on their behalf has experienced any material Security Breach for which Breach, and none of the Company or any of the Company Subsidiaries has provided or been required to provide written notification was provided or required to be provided to any Person or Governmental Authority under any applicable Laws related to privacy, information security, data protection or the Processing of Personal InformationPrivacy Obligations. (ef) The Company and each Company Subsidiary Subsidiary, has, in all material respects, (i) has obtained or will obtain all rights, permissions, and consents necessary to permit the transfer of Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement; Agreement; or (ii) has otherwise verified that applicable Privacy Obligations permits permit it to transfer Personal Information to Parent and/or Merger Sub in connection with the transactions contemplated by this Agreement.