Common use of Data Privacy and Information Security Clause in Contracts

Data Privacy and Information Security. (a) The Borrower and its Subsidiaries maintain data and privacy security policies, processes, and controls, all of which meet or exceed any requirements of applicable Law, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge of the Borrower, none of the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptive, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer facing disclosures or Laws, in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit or claim against the Borrower or its Subsidiaries with respect to privacy or data security, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the Borrower nor any Subsidiary, nor any Products, have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT Assets. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower and its Subsidiaries have used commercially reasonable efforts to cause all Data Processors that process Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its Subsidiaries, including without limitation (i) compliance with applicable Privacy Laws and (ii) implementation of a commercially reasonable information security program to protect the applicable Personal Data. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the IT Assets are sufficient to conduct the business of the Borrower and the Subsidiaries as currently conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems sufficient to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conducted. (d) The Borrower, its Subsidiaries and, to the knowledge of the Borrower, any Data Processors have, in all material respects, implemented and maintained reasonable technical measures consistent with generally accepted industry standards to protect the operation, confidentiality, integrity, and security, as applicable, of all Confidential Business Information stored by the Borrower and its Subsidiaries, Personal Data, and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against unauthorized access, acquisition, interruption, alternation, modification, or use, as applicable. (e) Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower and its Subsidiaries have taken or caused to be taken commercially reasonable actions designed to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code or programming, design or documentation error or corruption or other defect, and (ii) are fully functional and operate and run in a commercially reasonable manner. Except as would not reasonably be expected to have a Material Adverse Effect, none of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused disruption or interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower and the Subsidiaries.

Data Privacy and Information Security. (a) The Borrower and its Subsidiaries maintain appropriate data and privacy security policies, processes, and controlscontrols and an appropriate comprehensive privacy program, all of which meet or exceed any requirements of applicable Law, except as would not reasonably be expected to have Law in all material respects. Schedule 6.23(a) sets forth the terms of each such policy or written data security or privacy program (or a Material Adverse Effectreasonable description thereof) that has been adopted by the Borrower or a Subsidiary at present time. To the knowledge of the Borrower, none None of the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptive, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer consumer-facing disclosures or Laws, in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit or claim against the Borrower or its Subsidiaries with respect to privacy or data security, except as would not reasonably be expected and, to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the Borrower nor any Subsidiary, Subsidiary nor any Products, Products have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT AssetsInformation. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have used commercially reasonable efforts to cause contractually obligated all Data Processors that process to commercially reasonable contractual terms relating to the protection and use of Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its SubsidiariesIT Assets, including without limitation obligations substantially similar to the following: (i) compliance with applicable Privacy Laws and in all material respects, (ii) implementation of a commercially reasonable information security program that includes administrative, technical, and physical safeguards to protect protection the applicable data and/or systems, (iii) restricting processing of Personal Data to those authorized or required under the servicing, outsourcing, processing, or similar arrangement, and (iv) certifying or guaranteeing the return or adequate disposal or destruction of Personal Data. The Borrower and its Subsidiaries have taken commercially reasonable measures to ensure that all Data Processors have complied with their contractual obligations. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the The IT Assets are sufficient and operate and perform as is necessary to conduct the business of the Borrower and the Subsidiaries as currently conducted in all material respects and as currently proposed to be conducted by the Borrower Borrow and the SubsidiariesSubsidiaries in all material respects. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems consistent with generally accepted standards for the industry in which the Borrower operates and sufficient to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conductedconducted in all material respects and as currently proposed to be conducted in all material respects by the Borrower and the Subsidiaries. (d) The Borrower, its Subsidiaries Subsidiaries, and, to the knowledge of the Borrower, any Data Processors have, in all material respects, have implemented and maintained reasonable organizational, physical, administrative and technical measures consistent with generally accepted standards for the industry standards in which the Borrower operates to protect the operation, confidentiality, integrity, and security, as applicable, security of all Confidential Business Information stored by the Borrower and its SubsidiariesInformation, Personal Data, Data and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against unauthorized access, acquisition, interruption, alternationalteration, modification, or use. To the knowledge of the Borrower, as applicableno Person has obtained unauthorized access to or use of any Confidential Business Information, Personal Data and IT Assets in the past 24 months. (e) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have taken or caused to be taken commercially reasonable actions designed precautions to ensure that all IT Assets (i) are free from any material defect, bug, Malicious Code virus or programming, design or documentation error or corruption or other defect, and (ii) are fully functional and operate and run in a commercially reasonable manner. Except as would not reasonably be expected to have a Material Adverse Effect, none None of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused material disruption or material interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower Borrow and the Subsidiaries.

Data Privacy and Information Security. (a) The Parent, the Borrower and its the Subsidiaries maintain appropriate data and privacy security policies, processes, and controlscontrols and an appropriate, comprehensive privacy program, all of which meet or exceed any requirements of applicable Law, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge None of the BorrowerParent’s, none of the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptive, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer consumer-facing disclosures or Laws, in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit or claim against the Parent, the Borrower or its the Subsidiaries with respect to privacy or data security, except as would not reasonably be expected and, to have a Material Adverse Effect. To the knowledge of the Parent and the Borrower, except as would not reasonably be expected to have a Material Adverse Effectnone of the Parent, neither the Borrower nor or any Subsidiary, nor Subsidiary or any Products, Products have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT AssetsInformation. (b) Except as would not reasonably be expected to have a Material Adverse EffectThe Parent, the Borrower and its the Subsidiaries have used commercially reasonable efforts to cause contractually obligated all Data Processors that process to appropriate contractual terms relating to the protection and use of Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its SubsidiariesIT Assets, including without limitation obligations to (i) compliance comply with applicable Privacy Laws and Laws, (ii) implementation of a commercially reasonable implement an appropriate information security program that includes reasonable administrative, technical, and physical safeguards to protect the applicable data and/or systems, (iii) restrict processing of Personal Data to those authorized or required under the servicing, outsourcing, processing, or similar arrangement, and (iv) certify or guarantee the return or adequate disposal or destruction of Personal Data. The Parent, the Borrower and the Subsidiaries have taken reasonable measures to ensure that all Data Processors have complied with their contractual obligations. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the The IT Assets are sufficient and operate and perform as is necessary to conduct the business of the Parent, the Borrower and the Subsidiaries as currently conducted and as currently proposed to be conducted by the Parent, the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither Neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse EffectThe Parent, the Borrower and its the Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems consistent with generally accepted industry standards, and sufficient to reasonably maintain the operation of the business of the Parent, the Borrower and the Subsidiaries as currently conductedconducted and as currently proposed to be conducted by the Parent, the Borrower and the Subsidiaries. (d) The BorrowerParent, its Subsidiaries and, to the knowledge of the Borrower, the Subsidiaries, and any Data Processors have, in all material respects, have implemented and maintained reasonable and appropriate organizational, physical, administrative and technical measures consistent with generally accepted the state of the art for the industry standards in which the Parent, the Borrower or any Subsidiary operates to protect the operation, confidentiality, integrity, and security, as applicable, security of all Confidential Business Information stored by the Borrower and its SubsidiariesInformation, Personal Data, Data and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against unauthorized access, acquisition, interruption, alternationalteration, modification, or use. No Person has obtained unauthorized access to or use of any Confidential Business Information, as applicablePersonal Data and IT Assets. (e) Except as would not reasonably be expected to have a Material Adverse EffectThe Parent, the Borrower and its the Subsidiaries have taken or caused to be taken commercially all reasonable actions designed precautions to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code virus or programming, design or documentation error or corruption or other defect, and (ii) are fully functional and operate and run in a commercially reasonable and efficient business manner. Except as would not reasonably be expected to have a Material Adverse Effect, none None of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused substantial disruption or substantial interruption in the Parent’s, the Borrower’s or any Subsidiary’s use thereof or to the business of the Parent, the Borrower and the Subsidiaries.

Data Privacy and Information Security. (a) The Borrower and its Subsidiaries maintain commercially reasonable data and privacy security policies, processes, and controls, controls and an appropriate privacy program in accordance with applicable Law in all of which meet or exceed any requirements of applicable Law, except as would not reasonably be expected to have a Material Adverse Effectmaterial respects. To the knowledge of the Borrower, none None of the Borrower’s or any Subsidiary’s privacy statements or disclosures in the past five years have been or are misleading or deceptivedeceptive in any material manner, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer consumer-facing disclosures or Laws, Laws in each case, except as would not reasonably be expected to have a Material Adverse Effectany material respect. There is not currently pending and there has not been in the past five (5) years any material action, proceeding, suit or claim against the Borrower or its Subsidiaries with respect to privacy or data security, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither none the Borrower or any Subsidiary nor any Subsidiary, nor any Products, Products have experienced in the past five (5) three years any material security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any SubsidiaryData, Confidential Business Information stored by the Borrower or any Subsidiary or IT Assets. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have used commercially reasonable efforts to cause contractually obligated all material Data Processors that process Personal Data on behalf of the Borrower or any of its Subsidiaries to protect commercially reasonable contractual terms relating to the protection and use of Personal Data of the and IT Assets. The Borrower and its Subsidiaries, including without limitation (i) compliance with applicable Privacy Laws and (ii) implementation of a Subsidiaries have taken commercially reasonable information security program measures designed to protect the applicable Personal Dataensure that Data Processors have complied with their contractual obligations. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the The IT Assets are sufficient and operate and perform as is necessary to conduct the business of the Borrower and the Subsidiaries as currently conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, as of the Closing Date (and, except as would not reasonably be expected to have a Material Adverse Effectbe material to the business of the Borrower and the Subsidiaries, as of each Delayed Draw Closing Date), neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems sufficient consistent with generally accepted industry standards, and designed to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conductedconducted by the Borrower and the Subsidiaries. (d) The Borrower, its Subsidiaries and, to the knowledge of the Borrower, any Data Processors have, in all material respects, implemented and maintained commercially reasonable organizational, physical, administrative and technical measures consistent with generally accepted industry standards designed to protect the operation, confidentiality, integrity, and security, as applicable, security of all Confidential Business Information stored by the Borrower and its SubsidiariesInformation, Personal Data, Data and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against unauthorized access, acquisition, interruption, alternationalteration, modification, or use, as applicable. (e) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have taken or caused to be taken commercially reasonable actions precautions designed to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code virus or programming, design or documentation error or corruption or other defect, and (ii) are fully functional and operate and run in a commercially reasonable business manner. Except as would not reasonably be expected to have a Material Adverse Effect, none None of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 twenty-four months that has caused material disruption or material interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower and the Subsidiaries.

Data Privacy and Information Security. 12.1 To the extent that Company or Company’s Affiliates provides to Service Provider, or Service Provider otherwise accesses Personal Data (aas defined below) The Borrower about Company’s employees, customers, or other individuals in connection with this Agreement, Service Provider represents and warrants that: (i) Service Provider will only use Personal Data for the purposes of fulfilling its Subsidiaries maintain obligations or exercising its rights under the Agreement, and Service Provider will not disclose or otherwise process such Personal Data except upon Company’s instructions in writing or for the purposes of fulfilling its obligations under the Agreement; (ii) Service Provider will notify Company in writing and obtain Company’s consent before sharing any Personal Data with any government authorities or other third parties (if legally permissible); and (iii) it has and will continue to have during the term of this Agreement an adequate and current Safe Harbor certification with the United States Department of Commerce applicable to the Personal Data (“Safe Harbor Certification”), will provide Company with no less than ninety (90) days written notice (in accordance with Section 14.4 herein) prior to any date on which the Safe Harbor Certification ends (“Safe Harbor Certification End Date”), and will promptly execute any supplemental privacy and security terms as Company may direct in its sole judgment prior to any such Safe Harbor Certification End Date, including but not limited to the Standard Contractual Clauses for the Transfer of Personal Data to Processors established in Third Countries, dated 5 February 2010 (2010/87/EU) as amended from time to time and other forms of data transfer agreements as may be required for cross-border data transfers outside the EU; and (iv) Service Provider agrees to adhere to additional contractual terms and conditions related to Personal Data as Company may instruct in writing that Company deems necessary, in its reasonable discretion, to address applicable data protection, privacy, or information security laws or requirements.; and (iv) Service Provider agrees to adhere to additional contractual terms and conditions related to Personal Data as Company may instruct in writing that Company deems necessary, in its sole discretion, to address applicable data protection, privacy, or information security laws or requirements. [OF Internal Note: ▇▇▇▇ should weigh in on the following, if he needs ▇▇▇▇▇▇▇▇ to also weigh in, ask her. I think it is probably okay or close to okay.]Notwithstanding the foregoing, Service Provider shall have the right to collect and analyze data and privacy security policiesother information relating to the provision, processesuse and performance of various aspects of the Products and Services and related systems and technologies, and controlsService Provider will be free to (i) use such information and data (during and after the Term) solely in an aggregate or other de-identified form (that does not and cannot be used to identify any individual and it is not associated with the Company) to improve and enhance the Products and Services and for other development, all of which meet or exceed any requirements of applicable Law, except as would not reasonably be expected to have a Material Adverse Effect. To diagnostic and corrective purposes in connection with the knowledge of the Borrower, none of the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptiveProducts and Services and other Service Provider offerings, and (ii) disclose such data solely in aggregate or other de-identified form (that does not identify and cannot be used to identify any individual and is not associated with the contemplated transactions to be consummated hereunder as of Company) in connection with its business. [MM Internal Note: OK. Confirm with ▇▇▇▇▇▇▇▇.] 12.2 In the Closing Date event that (i) Service Provider discovers any Confidential Information or any Delayed Draw Closing Date will not violate any privacy statements, other consumer facing disclosures Personal Data is disclosed by Service Provider (including its agents or Lawssubcontractors), in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit violation of this Agreement or claim against the Borrower or its Subsidiaries with respect applicable laws pertaining to privacy or data security, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the Borrower nor any Subsidiary, nor any Products, have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT Assets. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower and its Subsidiaries have used commercially reasonable efforts to cause all Data Processors that process Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its Subsidiaries, including without limitation (i) compliance with applicable Privacy Laws and (ii) implementation Service Provider (including its agents or Subcontractors) discovers, is notified of, or suspectsof, or suspects that unauthorized access, acquisition, disclosure or use of a commercially reasonable information security program to protect Confidential Information or Personal Data has occurred (“Security Incident”), Service Provider shall notify Company immediately promptly in writing of any such Security Incident. Service Provider shall cooperate fully in the applicable Personal Data. (c) As investigation of the Closing Date and any Delayed Draw Closing DateSecurity Incident, except as would not reasonably be expected to have a Material Adverse Effect, the IT Assets are sufficient to conduct the business of the Borrower and the Subsidiaries as currently conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems sufficient to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conducted. (d) The Borrower, its Subsidiaries and, to the knowledge extent such Security Incident is caused by Service Provider, Service Provider shall indemnify and hold Company harmless for any and all damages, losses, fees or costs payable to any third party and (whether direct, indirect, special or consequential) incurred from any third party claims (whether direct, indirect, special or consequential) as a result of such Security Incident,. provided that Company promptly notifies Service Provider in writing of such claim, permits Service Provider sole control of the Borrowerdefense and settlement thereof, and Company cooperates in the defense thereof at Service Provider’s request and expenseThe foregoing shall be subject to Section 10.3 herein; provided that for the avoidance of doubt, any Data Processors havesuch claims that may arise from government agencies or other third parties that are not subject to defense shall not be subject to Section 10.3 herein, and remedy any harm or potential harm caused by such Security Incident. 12.3 To the extent that a Security Incident gives rise to a need, in all material respectsCompany’s sole judgment, implemented to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and maintained reasonable technical the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action")), at Company’s request, Service Provider shall, at Service Provider’s cost, cooperate with Company in undertaking such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company in its sole discretion.Intentionally ▇▇▇▇▇▇▇.▇▇ the extent that a Security Incident gives rise to a need, in Company’s sole judgment, to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures consistent (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a "Remedial Action")), at Company’s request, Service Provider shall, at Service Provider’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company in its sole discretion. 12.4 [OF Internal Note: ▇▇▇▇][MM Internal Note: see edits]To the extent that Company provides to Service Provider, or Service Provider otherwise accesses Confidential Information or Personal Data about Company’s employees, customers, or other individuals in connection with generally accepted industry standards to protect this Agreement, Service Provider shall implement a written information security programpractices (“Information Security Program”) that includes administrative, technical, and physical safeguards that are designed to: ensure the operation, confidentiality, integrity, and securityavailability of Confidential Information and Personal Data, as applicableprotect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of all the Confidential Business Information stored by the Borrower and its Subsidiaries, Personal Data, and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) protect against unauthorized access, acquisitionuse, interruptiondisclosure, alternation, modificationalteration, or use, as applicable. (e) Except as would not reasonably be expected to have a Material Adverse Effectdestruction of the Confidential Information and Personal Data. In particular, the Borrower and its Subsidiaries have taken or caused Service Provider’s Information Security Program shall include, but not be limited, to be taken the following safeguards where commercially reasonable actions designed appropriate or necessarypursuant to industry standards to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code or programming, design or documentation error or corruption or other defect, the protection of Confidential Information and (ii) are fully functional and operate and run in a commercially reasonable manner. Except as would not reasonably be expected to have a Material Adverse Effect, none of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused disruption or interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower and the Subsidiaries.Personal Data:

Data Privacy and Information Security. (a) The Borrower and its the Subsidiaries maintain appropriate data and privacy security policies, processes, and controlscontrols and an appropriate, comprehensive privacy program, all of which meet or exceed any requirements of applicable Law, except as would not reasonably be expected to have . Schedule 6.23(a) sets forth the terms of each such policy or written data security or privacy program (or a Material Adverse Effectreasonable description thereof) that has been adopted by the Borrower or a Subsidiary at present time. To the knowledge of the Borrower, none None of the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptive, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer consumer-facing disclosures or Laws, in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit or claim against the Borrower or its the Subsidiaries with respect to privacy or data security, except as would not reasonably be expected and, to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither none of the Borrower nor or any Subsidiary, nor Subsidiary or any Products, Products have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT AssetsInformation. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its the Subsidiaries have used commercially reasonable efforts to cause contractually obligated all Data Processors that process to appropriate contractual terms relating to the protection and use of Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its SubsidiariesIT Assets, including without limitation obligations to (i) compliance comply with applicable Privacy Laws and Laws, (ii) implementation of a commercially reasonable implement an appropriate information security program that includes reasonable administrative, technical, and physical safeguards to protect protection the applicable data and/or systems, (iii) restrict processing of Personal Data to those authorized or required under the servicing, outsourcing, processing, or similar arrangement, and (iv) certify or guarantee the return or adequate disposal or destruction of Personal Data. The Borrower and the Subsidiaries have taken reasonable measures to ensure that all Data Processors have complied with their contractual obligations. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the The IT Assets are sufficient and operate and perform as is necessary to conduct the business of the Borrower and the Subsidiaries as currently conducted and as currently proposed to be conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither Neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its the Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems consistent with generally accepted industry standards, and sufficient to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conductedconducted and as currently proposed to be conducted by the Borrower and the Subsidiaries. (d) The Borrower, its Subsidiaries andthe Subsidiaries, to the knowledge of the Borrower, and any Data Processors have, in all material respects, have implemented and maintained reasonable and appropriate organizational, physical, administrative and technical measures consistent with generally accepted the state of the art for the industry standards in which the Borrower or any Subsidiary operates to protect the operation, confidentiality, integrity, and security, as applicable, security of all Confidential Business Information stored by the Borrower and its SubsidiariesInformation, Personal Data, Data and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against unauthorized access, acquisition, interruption, alternationalteration, modification, or use. No Person has obtained unauthorized access to or use of any Confidential Business Information, as applicablePersonal Data and IT Assets. (e) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its the Subsidiaries have taken or caused to be taken commercially all reasonable actions designed precautions to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code virus or programming, design or documentation error or corruption or other defect, and (ii) are fully functional and operate and run in a commercially reasonable and efficient business manner. Except as would not reasonably be expected to have a Material Adverse Effect, none None of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused substantial disruption or substantial interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower and the Subsidiaries.

Data Privacy and Information Security. (a) The Borrower and its Subsidiaries maintain appropriate data and privacy security policies, processes, and controlscontrols and an appropriate, comprehensive privacy program, all of which meet or exceed any requirements of applicable Law, except as would not reasonably be expected Law in all material respects. Each such policy or written data security or privacy program (or a reasonable description thereof) that has been adopted by the Borrower or a Subsidiary at present time has been delivered to have a Material Adverse Effectthe Lender. To the knowledge of the Borrower, none None of the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptivedeceptive in any material respect, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer consumer-facing disclosures or Laws, in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit or claim against the Borrower or its Subsidiaries with respect to privacy or data security, except as would not reasonably be expected and, to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the Borrower nor any Subsidiary, Subsidiary nor any Products, Products have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT AssetsInformation. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have used commercially reasonable efforts to cause contractually obligated all Data Processors to contractual terms that process are appropriate in all material respects for contracts relating to the protection and use of Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its SubsidiariesIT Assets, including without limitation obligations to (i) compliance comply with applicable Privacy Laws and Laws, (ii) implementation of a commercially reasonable implement an appropriate information security program that includes reasonable administrative, technical, and physical safeguards to protect protection the applicable data and/or systems, (iii) restrict processing of Personal Data to those authorized or required under the servicing, outsourcing, processing, or similar arrangement, and (iv) certify or guarantee the return or adequate disposal or destruction of Personal Data. The Borrower and its Subsidiaries have taken reasonable measures to ensure that all Data Processors have complied in all material respects with their contractual obligations. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the The IT Assets are sufficient and operate and perform as is necessary in all material respects to conduct the business of the Borrower and the Subsidiaries as currently conducted and as currently proposed to be conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect’s knowledge, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems consistent with generally accepted industry standards, and sufficient to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conductedconducted and as currently proposed to be conducted by the Borrower and the Subsidiaries. (d) The Borrower, its Subsidiaries andSubsidiaries, to the knowledge of the Borrower, and any Data Processors have, in all material respects, have implemented and maintained reasonable and appropriate in all material respects organizational, physical, administrative and technical measures consistent with generally accepted industry standards for the industry in which the Borrower operates to protect the operation, confidentiality, integrity, and security, as applicable, security of all Confidential Business Information stored by the Borrower and its SubsidiariesInformation, Personal Data, Data and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against unauthorized access, acquisition, interruption, alternationalteration, modification, or use. Except as set forth on Schedule 6.23(d), as applicableno Person has obtained unauthorized access to or use of any Confidential Business information, Personal Data or IT Assets. (e) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have taken or caused to be taken commercially all reasonable actions designed precautions to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code virus or programming, design or documentation error or corruption or other defect, and (ii) are fully functional and operate and run in a commercially reasonable and efficient business manner. Except as would not reasonably be expected to have a Material Adverse Effect, none None of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused substantial disruption or substantial interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower and the Subsidiaries.

Data Privacy and Information Security. (a) The Borrower Company and its Subsidiaries maintain industry appropriate data and privacy security policies, processes, and controlscontrols and an industry appropriate privacy program, all of which meet or exceed any comply with the requirements of applicable Law, except as would not reasonably be expected to have a Material Adverse EffectApplicable Law in all material respects. To the knowledge None of the Borrower, none of the BorrowerCompany’s or any Subsidiary’s privacy statements or disclosures have been in the past five (5) years or are misleading or deceptivedeceptive in any material respect, and the contemplated transactions to be consummated hereunder as of the Closing Effective Date or any Delayed Draw Closing on the First Purchaser Payment Date, the Second Purchaser Payment Date or the Third Purchaser Payment Date will not violate any privacy statementsstatements of the Company, other consumer consumer-facing disclosures or of the Company or, to the Knowledge of the Company any Applicable Laws, in each case, except as would not reasonably be expected to have a Material Adverse Effectcase in any material respect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit or claim against the Borrower Company or its Subsidiaries with respect to privacy or data security, except as would not reasonably be expected and, to have a Material Adverse Effect. To the knowledge Knowledge of the BorrowerCompany, except as would not reasonably be expected to have a Material Adverse Effect, neither none of the Borrower Company or any Subsidiary nor any Subsidiary, nor any Products, Product Assets have experienced in the past five (5) years any material security incident breach in which an unauthorized party accessed or acquired Personal Data stored by the Borrower Data, IT Assets or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT AssetsInformation. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower The Company and its Subsidiaries have used commercially reasonable efforts to cause contractually obligated all material Data Processors that process Personal Data on behalf of the Borrower Company or any of its Subsidiaries to protect commercially reasonable contractual terms relating to the protection and use of Personal Data of the Borrower and its SubsidiariesIT Assets, including without limitation (i) compliance obligations to comply with applicable Privacy Laws Laws. The Company and (ii) implementation of a commercially its Subsidiaries have taken reasonable information security program measures to protect the applicable Personal Dataensure that all Data Processors have complied with their contractual obligations. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the The IT Assets are sufficient and operate and perform as is necessary to conduct the business of the Borrower Company and the Subsidiaries as currently conducted and as currently proposed to be conducted by the Borrower Company and the Subsidiaries. To the knowledge Knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse EffectCompany, neither the IT Assets nor any Products Core Assets contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower The Company and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems consistent with generally accepted industry standards (given the nature and size of the business of the Company and its Subsidiaries), and sufficient to reasonably maintain the operation of the business of the Borrower Company and the Subsidiaries as currently conductedconducted and as currently proposed to be conducted by the Company and the Subsidiaries. (d) The Borrower, Company and its Subsidiaries and, to the knowledge of the Borrower, any Data Processors have, in all material respects, have implemented and maintained reasonable and appropriate organizational, physical, administrative and technical measures consistent with generally accepted the industry standards in which the Company operates and with the nature and size of the business of the Company and its Subsidiaries to protect the operation, confidentiality, integrity, and security, as applicable, security of all Confidential Business Information stored by the Borrower and its SubsidiariesInformation, Personal Data, Data and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against unauthorized access, acquisition, interruption, alternationalteration, modification, or use, as applicable. (e) Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower The Company and its Subsidiaries have taken or caused to be taken all commercially reasonable actions designed precautions consistent with the nature and size of the business of the Company and its Subsidiaries to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code virus or programming, design or documentation error or corruption or other material defect, and (ii) are fully functional and operate and run in a commercially reasonable and efficient business manner. Except as would not reasonably be expected to have a Material Adverse Effect, none None of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused material disruption or material interruption in the BorrowerCompany’s or any Subsidiary’s use thereof or to the business of the Borrower Company and the Subsidiaries.

Data Privacy and Information Security. 12.1 To the extent that Company or Company’s Affiliates provides to Service Provider, or Service Provider otherwise accesses Personal Data (aas defined below) The Borrower about Company’s employees, customers, or other individuals in connection with this Agreement, Service Provider represents and warrants that: (i) Service Provider will only use Personal Data for the purposes of fulfilling its Subsidiaries maintain data and privacy security policies, processesobligations under the Agreement, and controls, all of which meet Service Provider will not disclose or exceed otherwise process such Personal Data except upon Company’s instructions in writing; (ii) Service Provider will notify Company in writing and obtain Company’s consent before sharing any requirements of applicable Law, except as would not reasonably be expected Personal Data with any government authorities or other third parties; (iii) it has and will continue to have a Material Adverse Effect. To during the knowledge term of this Agreement an adequate and current Safe Harbor certification with the BorrowerUnited States Department of Commerce applicable to the Personal Data (“Safe Harbor Certification”), none of will provide Company with no less than ninety (90) days written notice (in accordance with Section 14.4 herein) prior to any date on which the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptiveSafe Harbor Certification ends (“Safe Harbor Certification End Date”), and will promptly execute any supplemental privacy and security terms as Company may direct in its sole judgment prior to any such Safe Harbor Certification End Date, including but not limited to the contemplated transactions Standard Contractual Clauses for the Transfer of Personal Data to be consummated hereunder Processors established in Third Countries, dated 5 February 2010 (2010/87/EU) as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer facing disclosures or Lawsamended from time to time; and (iv) Service Provider agrees to adhere to additional contractual terms and conditions related to Personal Data as Company may instruct in writing that Company deems necessary, in each caseits sole discretion, except as would not reasonably be expected to have a Material Adverse Effect. There address applicable data protection, privacy, or information security laws or requirements. 12.2 In the event that (i) any Confidential Information or Personal Data is not currently pending and there has not been disclosed by Service Provider (including its agents or subcontractors), in the past five (5) years any action, proceeding, suit violation of this Agreement or claim against the Borrower or its Subsidiaries with respect applicable laws pertaining to privacy or data security, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the Borrower nor any Subsidiary, nor any Products, have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT Assets. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower and its Subsidiaries have used commercially reasonable efforts to cause all Data Processors that process Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its Subsidiaries, including without limitation (i) compliance with applicable Privacy Laws and (ii) implementation Service Provider (including its agents or Subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Confidential Information or Personal Data has occurred (“Security Incident”), Service Provider shall notify Company immediately in writing of any such Security Incident. Service Provider shall cooperate fully in the investigation of the Security Incident, indemnify and hold Company harmless for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such Security Incident, and use commercially reasonable means to remedy any harm or potential harm caused by such Security Incident. 12.3 To the extent that a Security Incident gives rise to a need, in Company’s sole judgment, to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a commercially call center to respond to inquiries (each of the foregoing a "Remedial Action")), at Company’s request, Service Provider shall, at Service Provider’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company in its sole reasonable discretion. 12.4 To the extent that Company provides to Service Provider, or Service Provider otherwise accesses Confidential Information or Personal Data about Company’s employees, customers, or other individuals in connection with this Agreement, Service Provider shall implement a written information security program to protect the applicable Personal Data. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the IT Assets are sufficient to conduct the business of the Borrower and the Subsidiaries as currently conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious CodeInformation Security Program”) that are designed or intended to deleteincludes administrative, destroytechnical, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, and physical safeguards that ensure the Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems sufficient to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conducted. (d) The Borrower, its Subsidiaries and, to the knowledge of the Borrower, any Data Processors have, in all material respects, implemented and maintained reasonable technical measures consistent with generally accepted industry standards to protect the operation, confidentiality, integrity, and securityavailability of Confidential Information and Personal Data, as applicableprotect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of all the Confidential Business Information stored by the Borrower and its Subsidiaries, Personal Data, and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) protect against unauthorized access, acquisitionuse, interruptiondisclosure, alternation, modificationalteration, or use, as applicable. (e) Except as would not reasonably be expected to have a Material Adverse Effectdestruction of the Confidential Information and Personal Data. In particular, the Borrower and its Subsidiaries have taken Service Provider’s Information Security Program shall include, but not be limited, to the following safeguards where appropriate or caused to be taken commercially reasonable actions designed necessary to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code or programming, design or documentation error or corruption or other defect, the protection of Confidential Information and (ii) are fully functional and operate and run in a commercially reasonable manner. Except as would not reasonably be expected to have a Material Adverse Effect, none of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused disruption or interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower and the Subsidiaries.Personal Data:

Data Privacy and Information Security. 12.1 To the extent that Company or Company’s Affiliates provides to Service Provider, or Service Provider otherwise accesses Personal Data (aas defined below) The Borrower about Company’s employees, customers, or other individuals in connection with this Agreement, Service Provider represents and warrants that: (i) Service Provider will only use Personal Data for the purposes of fulfilling its Subsidiaries maintain data and privacy security policies, processesobligations under the Agreement, and controls, all of which meet Service Provider will not disclose or exceed otherwise process such Personal Data except upon Company’s instructions in writing; (ii) Service Provider will notify Company in writing and obtain Company’s consent before sharing any requirements of applicable Law, except as would not reasonably be expected Personal Data with any government authorities or other third parties; (iii) it has and will continue to have a Material Adverse Effect. To during the knowledge term of this Agreement an adequate and current Safe Harbor certification with the BorrowerUnited States Department of Commerce applicable to the Personal Data (“Safe Harbor Certification”), none of will provide Company with no less than ninety (90) days written notice (in accordance with Section 14.4 herein) prior to any date on which the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptiveSafe Harbor Certification ends (“Safe Harbor Certification End Date”), and will promptly execute any supplemental privacy and security terms as Company may direct in its sole judgment prior to any such Safe Harbor Certification End Date, including but not limited to the contemplated transactions Standard Contractual Clauses for the Transfer of Personal Data to be consummated hereunder Processors established in Third Countries, dated 5 February 2010 (2010/87/EU) as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer facing disclosures or Lawsamended from time to time; and (iv) Service Provider agrees to adhere to additional contractual terms and conditions related to Personal Data as Company may instruct in writing that Company deems necessary, in each caseits sole discretion, except as would not reasonably be expected to have a Material Adverse Effect. There address applicable data protection, privacy, or information security laws or requirements. 12.2 In the event that (i) any Confidential Information or Personal Data is not currently pending and there has not been disclosed by Service Provider (including its agents or subcontractors), in the past five (5) years any action, proceeding, suit violation of this Agreement or claim against the Borrower or its Subsidiaries with respect applicable laws pertaining to privacy or data security, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the Borrower nor any Subsidiary, nor any Products, have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT Assets. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower and its Subsidiaries have used commercially reasonable efforts to cause all Data Processors that process Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its Subsidiaries, including without limitation (i) compliance with applicable Privacy Laws and (ii) implementation Service Provider (including its agents or Subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Confidential Information or Personal Data has occurred (“Security Incident”), Service Provider shall notify Company immediately in writing of any such Security Incident. Service Provider shall cooperate fully in the investigation of the Security Incident, indemnify and hold Company harmless for any and all damages, losses, fees or costs (whether direct, indirect, special or consequential) incurred as a result of such Security Incident, and remedy any harm or potential harm caused by such Security Incident. 12.3 To the extent that a Security Incident gives rise to a need, in Company’s sole judgment, to provide (A) notification to public authorities, individuals, or other persons, or (B) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a commercially reasonable call center to respond to inquiries (each of the foregoing a "Remedial Action")), at Company’s request, Service Provider shall, at Service Provider’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Company in its sole discretion. 12.4 To the extent that Company provides to Service Provider, or Service Provider otherwise accesses Confidential Information or Personal Data about Company’s employees, customers, or other individuals in connection with this Agreement, Service Provider shall implement a written information security program to protect the applicable Personal Data. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the IT Assets are sufficient to conduct the business of the Borrower and the Subsidiaries as currently conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious CodeInformation Security Program”) that are designed or intended to deleteincludes administrative, destroytechnical, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, and physical safeguards that ensure the Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems sufficient to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conducted. (d) The Borrower, its Subsidiaries and, to the knowledge of the Borrower, any Data Processors have, in all material respects, implemented and maintained reasonable technical measures consistent with generally accepted industry standards to protect the operation, confidentiality, integrity, and securityavailability of Confidential Information and Personal Data, as applicableprotect against any reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of all the Confidential Business Information stored by the Borrower and its Subsidiaries, Personal Data, and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) protect against unauthorized access, acquisitionuse, interruptiondisclosure, alternation, modificationalteration, or use, as applicable. (e) Except as would not reasonably be expected to have a Material Adverse Effectdestruction of the Confidential Information and Personal Data. In particular, the Borrower and its Subsidiaries have taken Service Provider’s Information Security Program shall include, but not be limited, to the following safeguards where appropriate or caused to be taken commercially reasonable actions designed necessary to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code or programming, design or documentation error or corruption or other defect, the protection of Confidential Information and (ii) are fully functional and operate and run in a commercially reasonable manner. Except as would not reasonably be expected to have a Material Adverse Effect, none of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused disruption or interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower and the Subsidiaries.Personal Data:

Data Privacy and Information Security. (ai) The Borrower and its Subsidiaries maintain Seller Group has since the Reference Date, complied in all material respects with all applicable (A) Privacy Laws, (B) terms of any Contract by which any entity within the Seller Group is bound relating to privacy, information security, or Processing of Sensitive Data (including without limitation, data and privacy processing agreements, information security policies, processesschedules, and controlsdata transfer agreements), all of which meet or exceed any requirements of applicable Law, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge of the Borrower, none of the Borrower’s or any Subsidiary’s privacy statements or disclosures have been or are misleading or deceptive, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer facing disclosures or Laws, (C) Privacy Policies in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit or claim against the Borrower or its Subsidiaries case with respect to privacy or data security, except as would not reasonably be expected to have a Material Adverse Effect. To the knowledge operation of the BorrowerCGM Activities, except as would not reasonably be expected to have a Material Adverse Effect(collectively, neither the Borrower nor any Subsidiary, nor any Products, have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT Assets“Privacy Requirements”). (bii) Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower The Seller Group has sufficient rights and its Subsidiaries have used commercially reasonable efforts to cause all Data Processors that process Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its Subsidiariesauthority, including without limitation (i) compliance with under applicable Privacy Laws and (ii) implementation Requirements, to permit the Processing of a commercially reasonable information security program to protect Personal Data by or for the applicable Personal Data. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the IT Assets are sufficient to conduct the business of the Borrower and the Subsidiaries as currently conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems sufficient to reasonably maintain the operation of the business of the Borrower and the Subsidiaries Seller Group as currently conducted. (diii) The Borrower, its Subsidiaries and, to To the knowledge of the Borrower, any Data Processors have, in all material respects, implemented and maintained reasonable technical measures consistent with generally accepted industry standards to protect the operation, confidentiality, integrity, and security, as applicable, of all Confidential Business Information stored by the Borrower and its Subsidiaries, Personal Data, and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against unauthorized access, acquisition, interruption, alternation, modification, or use, as applicable. (e) Except as would not reasonably be expected to have a Material Adverse Effectextent required under applicable Privacy Law, the Borrower and its Subsidiaries have taken or caused to be taken commercially reasonable actions designed to ensure that all IT Assets Seller Group has: (i) are free from any defectprovided adequate notice and obtained all necessary consents, bugin each case, Malicious Code or programming, design or documentation error or corruption or other defect, as required for its Processing of Personal Data under applicable Privacy Requirements; and (ii) are fully functional and operate and run in a commercially reasonable mannerhas honored applicable opt-outs. Except as would The Seller Group represents that it has not reasonably be expected knowingly or intentionally deleted any Sensitive Data (including sales leads, prospects, etc.) from the Purchased Assets prior to have a Material Adverse Effectthe Closing Date. (iv) To Seller’s Knowledge, none neither the execution, delivery, or performance of this Agreement, nor the consummation of the IT Assets have malfunctioned transactions contemplated by this Agreement, nor the disclosure or failed transfer of Sensitive Data to the Purchaser Parties in connection with the transactions contemplated by this Agreement, will violate any Privacy Requirements. (v) There is not, and has not been since the Reference Date, any Proceeding, Order or have experienced Contract with any breakdowns Governmental Body or continued substandard performance in the past 24 months that has caused disruption other Person or interruption in the Borrower’s or any Subsidiary’s use thereof other written allegation (or to Seller’s Knowledge, other communication) involving the business Seller Group which materially restricts, impairs, encumbers, hinders, or imposes requirements in connection with, its Processing of any Personal Data. There is not, and has not been since the Borrower and Reference Date, any Proceeding or other written allegation (or to Seller’s Knowledge, other communication) involving the SubsidiariesSeller Group by any Governmental Body or other Person relating to the Seller Group’s privacy or data security practices, the security of any Sensitive Data or Transferred Seller IT Systems or the Processing of Sensitive Data.

Data Privacy and Information Security. (a) The Borrower Parent and its the Subsidiaries maintain appropriate data and privacy security policies, processes, and controlscontrols and an appropriate, all of which meet or exceed any comprehensive privacy program that materially complies with the requirements of applicable Law, except as would not reasonably be expected to have . Schedule 6.23(a) sets forth the terms of each such policy or written data security or privacy program (or a Material Adverse Effectreasonable description thereof) that has been adopted by Parent or a Subsidiary at present time. To the knowledge None of the Borrower, none of the BorrowerParent’s or any Subsidiary’s privacy statements or disclosures have been or are materially misleading or deceptive, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer consumer-facing disclosures or Laws, in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any action, proceeding, suit or claim against Parent or the Borrower or its Subsidiaries with respect to privacy or data security, except as would not reasonably be expected and, to have a Material Adverse Effect. To the knowledge of Parent or the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the Borrower nor none of Parent or any Subsidiary, nor Subsidiary or any Products, Products have experienced in the past five (5) years any material security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT AssetsInformation. (b) Except as would not reasonably be expected to have a Material Adverse Effect, Parent and the Borrower and its Subsidiaries have used commercially reasonable efforts to cause contractually obligated all Data Processors that process to appropriate contractual terms relating to the protection and use of Personal Data on behalf of the Borrower or any of its Subsidiaries to protect the Personal Data of the Borrower and its SubsidiariesIT Assets, including without limitation obligations to (i) compliance comply with applicable Privacy Laws and Laws, (ii) implementation of a commercially reasonable implement an appropriate information security program that includes reasonable administrative, technical, and physical safeguards to protect protection the applicable data and/or systems, (iii) restrict processing of Personal Data to those authorized or required under the servicing, outsourcing, processing, or similar arrangement, and (iv) certify or guarantee the return or adequate disposal or destruction of Personal Data. Parent and the Subsidiaries have taken reasonable measures to ensure that all Data Processors have complied with their contractual obligations. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the The IT Assets are sufficient and operate and perform as is necessary to conduct the business of the Borrower Parent and the Subsidiaries as currently conducted and as currently proposed to be conducted by the Borrower Parent and the Subsidiaries. To the knowledge of Parent's and the Borrower, except as would not reasonably be expected to have a Material Adverse Effect’s knowledge, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, Parent and the Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems consistent with generally accepted industry standards, and sufficient to reasonably maintain the operation of the business of the Borrower Parent and the Subsidiaries as currently conductedconducted and as currently proposed to be conducted by Parent and the Subsidiaries. (d) The BorrowerParent, its Subsidiaries andthe Subsidiaries, to the knowledge of the Borrower, and any Data Processors have, in all material respects, have implemented and maintained reasonable and appropriate organizational, physical, administrative and technical measures consistent with generally accepted industry standards for the industry in which Parent or any Subsidiary operates to protect the operation, confidentiality, integrity, and security, as applicable, security of all Confidential Business Information stored by the Borrower and its SubsidiariesInformation, Personal Data, Data and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) against material unauthorized access, acquisition, interruption, alternationalteration, modification, or use. No Person has obtained material unauthorized access to or use of any Confidential Business Information, as applicablePersonal Data and IT Assets. (e) Except as would not reasonably be expected to have a Material Adverse Effect, Parent and the Borrower and its Subsidiaries have taken or caused to be taken commercially all reasonable actions designed precautions to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code virus or programming, design or documentation error or corruption or other defect, and (ii) are fully functional and operate and run in a commercially reasonable and efficient business manner. Except as would not reasonably be expected to have a Material Adverse Effect, none None of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused substantial disruption or substantial interruption in the BorrowerParent’s or any Subsidiary’s use thereof or to the business of the Borrower Parent and the Subsidiaries.

Data Privacy and Information Security. (a) The Borrower and its Subsidiaries maintain commercially reasonable data and privacy security policies, processes, and controls, all of which meet or exceed any and a reasonable privacy program that materially complies with the requirements of applicable Law, except as would not reasonably be expected to have a Material Adverse EffectPrivacy Laws. To the knowledge of the Borrower, none None of the Borrower’s or any Subsidiary’s written, public-facing privacy statements or disclosures (“Privacy Policies”) have been or are misleading or deceptive, and the contemplated transactions to be consummated hereunder as of the Closing Date or any Delayed Draw Closing Date will not violate any privacy statements, other consumer facing disclosures Privacy Policies or applicable Privacy Laws, in each case, except as would not reasonably be expected to have a Material Adverse Effect. There is not currently pending and there has not been in the past five (5) years any written action, proceeding, suit or claim against the Borrower or its Subsidiaries with respect to privacy or data securityviolations of applicable Privacy Laws, except as would not reasonably be expected and, to have a Material Adverse Effect. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect, neither the Borrower Borrower, any Subsidiary nor any Subsidiary, nor any Products, Products have experienced in the past five (5) years any security incident in which an unauthorized party accessed or acquired Personal Data stored by the Borrower or any Subsidiary, Confidential Business Information stored by the Borrower or any Subsidiary or IT Assetsthat would require notification to another Person. (b) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have used commercially reasonable efforts to cause contractually obligated all Data Processors that sub-processors who process Personal Data on behalf of the Borrower or any of its Subsidiaries (“Data Processors”) to protect contractual terms relating to the protection and use of Personal Data of the Borrower and its SubsidiariesData, including without limitation limitation, where required by applicable Privacy Laws, obligations to (i) compliance comply with applicable Privacy Laws and Laws, (ii) implementation of implement a commercially reasonable information security program that includes reasonable administrative, technical, and physical safeguards designed to protect the applicable Personal Data, (iii) restrict processing of Personal Data to those personnel authorized or required under the servicing, outsourcing, processing, or similar arrangement, and (iv) certify or guarantee the return or adequate disposal or destruction of Personal Data. (c) As of the Closing Date and any Delayed Draw Closing Date, except as would not reasonably be expected to have a Material Adverse Effect, the The IT Assets are sufficient and operate and perform as is necessary in all material respects to conduct the business of the Borrower and the Subsidiaries as currently conducted and as currently proposed to be conducted by the Borrower and the Subsidiaries. To the knowledge of the Borrower, except as would not reasonably be expected to have a Material Adverse Effect’s knowledge, neither the IT Assets nor any Products contain any “virus,” “spyware,” “malware,” “worm,” “Trojan horse” (as such terms are commonly understood in the software industry), disabling codes or instructions, or other similar code or software routines or components (collectively, “Malicious Code”) that are designed or intended to delete, destroy, disable, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have established, implemented and tested commercially reasonable backup and disaster recovery policies, procedures and systems sufficient designed to reasonably maintain the operation of the business of the Borrower and the Subsidiaries as currently conductedconducted and as currently proposed to be conducted by the Borrower and the Subsidiaries. (d) The Borrower, its Subsidiaries andSubsidiaries, to the knowledge of the Borrower, and any Data Processors have, in all material respects, have implemented and maintained commercially reasonable organizational, physical, NY: 1219514-6- - administrative and technical measures consistent with generally accepted industry standards designed to protect the operation, confidentiality, integrity, and security, as applicable, security of all Confidential Business Information stored by the Borrower and its SubsidiariesInformation, Personal Data, and IT Assets (including, for clarity, all information and transactions stored or contained therein or transmitted thereby) Personal Data against material unauthorized access, acquisition, interruption, alternationalteration, modification, or use, as applicable. (e) Except as would not reasonably be expected to have a Material Adverse Effect, the The Borrower and its Subsidiaries have taken or caused to be taken commercially all reasonable actions designed precautions to ensure that all IT Assets (i) are free from any defect, bug, Malicious Code virus or programming, design or documentation error or corruption or other defect, and (ii) are fully functional and operate and run in a commercially reasonable and efficient business manner. Except as would not reasonably be expected to have a Material Adverse Effect, none None of the IT Assets have malfunctioned or failed or have experienced any breakdowns or continued substandard performance in the past 24 months that has caused substantial disruption or substantial interruption in the Borrower’s or any Subsidiary’s use thereof or to the business of the Borrower and the Subsidiaries.