Common use of Data Privacy and Information Security Clause in Contracts

Data Privacy and Information Security. (i) The Company and its Subsidiaries have implemented and maintain information security procedures (the “Security Procedures”), which include commercially reasonable administrative, technical, and physical safeguards designed to protect the integrity, availability, and security of the Company’s and its Subsidiaries’ IT Assets (“Company IT Assets”), and the personal data and material business information stored therein against loss; theft; damage; misuse; or unauthorized use, disclosure, access or modification. These Security Procedures conform, and have in the three (3) years preceding the Effective Date conformed, in all material respects, to (A) all applicable Privacy Laws and employee codes of conduct relating to privacy, (B) any information security and data privacy statements in the Company and its Subsidiaries’ applicable privacy policies then in effect, and (C) the Company and its Subsidiaries’ contractual commitments, in each case, concerning the collection, use, storage, processing, retention, safeguarding, disclosure, disposal, sharing and/or transfer of any personal data ((A), (B) and (C) collectively referred to as the “Data Security Requirements”). The Security Procedures are designed to protect the Company IT Assets from any “malware,” “ransomware,” “back door,” “drop dead device,” “time bomb,” “Trojan horse,” “virus” or “worm” (as such terms are commonly understood in the software industry) or any other code designed to disrupt, disable, harm or otherwise impede the operation of, or provide unauthorized access to, a computer system or network or other device on which such code is stored or installed, either automatically, with the passage of time or upon command by any person (collectively, “Malicious Code”). To the Knowledge of the Company, in the two (2) years preceding the Effective Date, there has not been any material failure or malfunction of the Company IT Assets, the Company IT Assets are free of Malicious Code, and there have been no material unresolved, unauthorized intrusions or breaches of the security of the Company IT Assets, including with respect to any personal data or material business information in the possession, custody or control of the Company and its Subsidiaries, that would require notification by the Company and its Subsidiaries to individuals and/or Governmental Entities under any applicable Data Security Requirement. (ii) The Company IT Assets are adequate for and operate and perform in all material respects in accordance with their documentation and functional specifications and otherwise as required in connection with, the operation of the businesses of the Company and its Subsidiaries as of the Closing. The Company and its Subsidiaries have implemented commercially reasonable backup, anti-virus, security and disaster recovery measures and technology. (iii) The Company and its Subsidiaries have in the two (2) years preceding the Effective Date complied in all material respects with the Data Security Requirements. In the two (2) years preceding the Effective Date, the Company and its Subsidiaries have not received any written (or, to the Knowledge of the Company, oral) complaint, nor, to the Knowledge of the Company, has any written complaint been made to any third party, from any patient or guardian thereof regarding the improper use or disclosure of such patient’s protected health information (as such term is defined under HIPAA) by any of the Company or its Subsidiaries, except as would not individually or in the aggregate reasonably be expected to be material to the Company and its Subsidiaries take as whole. In the two (2) years preceding the Effective Date, the Company and its Subsidiaries have not received any written (or, to the Knowledge of the Company, oral) communication from any Governmental Entity with respect to any allegation that the Company or its Subsidiaries is not in material compliance with any Data Security Requirements imposed under HIPAA or any similar state Law.

Data Privacy and Information Security. (a) The members of the Remainco Group (to the extent related to the Spinco Business) and, to the Knowledge of Remainco, its Data Processors and other Persons with whom the Remainco Group (to the extent related to the Spinco Business) has shared Personal Data, in each case since the Lookback Date, (i) The Company and its Subsidiaries have implemented and maintain information security procedures (the “Security Procedures”), which include commercially reasonable administrative, technical, and physical safeguards designed to protect the integrity, availability, and security of the Company’s and its Subsidiaries’ IT Assets (“Company IT Assets”), and the personal data and material business information stored therein against loss; theft; damage; misuse; or unauthorized use, disclosure, access or modification. These Security Procedures conform, and have in the three (3) years preceding the Effective Date conformed, in all material respects, to (A) all complied with applicable Privacy Laws Laws, Spinco Company Privacy Policies and employee codes of conduct other Contracts relating to privacy, (B) any information security and data privacy statements in the Company and its Subsidiaries’ applicable privacy policies then in effect, and (C) the Company and its Subsidiaries’ contractual commitments, in each case, concerning the collection, use, storage, processing, retention, safeguarding, disclosure, disposal, sharing and/or transfer of any personal data ((A), (B) and (C) collectively referred to as the “Data Security Requirements”). The Security Procedures are designed to protect the Company IT Assets from any “malware,” “ransomware,” “back door,” “drop dead device,” “time bomb,” “Trojan horse,” “virus” or “worm” (as such terms are commonly understood in the software industry) or any other code designed to disrupt, disable, harm or otherwise impede the operation ofprotection, or provide unauthorized access toprocessing of Spinco IT Systems or Spinco Company Data, a computer system or network or other device on which such code is stored or installed, either automatically, with the passage of time or upon command by any person (collectively, “Malicious Code”). To the Knowledge of the Company, in the two (2) years preceding the Effective Date, there has not been any material failure or malfunction of the Company IT Assets, the Company IT Assets are free of Malicious Code, and there have been no material unresolved, unauthorized intrusions or breaches of the security of the Company IT Assets, including with respect to any personal data or material business information in the possession, custody or control of the Company and its Subsidiaries, that would require notification by the Company and its Subsidiaries to individuals and/or Governmental Entities under any applicable Data Security Requirement. (ii) The Company IT Assets have not suffered and are adequate for not currently suffering a Security Incident and operate and perform in all material respects in accordance with their documentation and functional specifications and otherwise as required in connection with, the operation of the businesses of the Company and its Subsidiaries as of the Closing. The Company and its Subsidiaries have implemented commercially reasonable backup, anti-virus, security and disaster recovery measures and technology. (iii) The Company have not been subject to any complaints, litigation or regulatory investigations or enforcement actions from any Person or Governmental Authority and its Subsidiaries have in the two (2) years preceding the Effective Date complied in all material respects with the Data Security Requirements. In the two (2) years preceding the Effective Date, the Company and its Subsidiaries have not received any written (or, to the Knowledge of the Company, oral) complaint, nor, to the Knowledge of the Company, has notices or inquiries alleging noncompliance with any written complaint been made to any third party, from any patient or guardian thereof regarding the improper use or disclosure of such patient’s protected health information (as such term is defined under HIPAA) by any of the Company or its Subsidiariesapplicable Privacy Laws in each case, except in the case of each of clause (i) through (iii), as would not not, individually or in the aggregate aggregate, reasonably be expected to be material to the Company and its Subsidiaries take Spinco Business or the Spinco Group, taken as a whole. In To the two Knowledge of Remainco, neither the execution, delivery or performance of any of the Transaction Documents, nor the consummation of the Contemplated Transactions, violate any Privacy Laws or Spinco Company Privacy Policies, except as, individually or in the aggregate, would not reasonably be expected to (A) be material to the Spinco Business or the Spinco Group, taken as a whole or (B) prevent or materially delay, materially interfere with or materially impair (1) the consummation by the members of the Remainco Group of the Contemplated Transactions or (2) years preceding the Effective Datecompliance by any member of the Remainco Group with the Transaction Documents. When any member of the Spinco Group uses a Data Processor to Process Personal Data, the Company and its Subsidiaries have not received any written (orrelevant Data Processor has provided guarantees, warranties or covenants in relation to the Knowledge Processing of Personal Data, confidentiality, and security measures, and has agreed to comply with those obligations in a manner sufficient for the relevant member of the Company, oral) communication from any Governmental Entity with respect to any allegation that the Company or its Subsidiaries is not in Spinco Group’s material compliance with applicable Privacy Law. (b) The members of the Remainco Group (to the extent related to the Spinco Business) have established and maintain a Spinco Information Security Program, and since the Lookback Date there have been no material violations of the Spinco Information Security Program. The Spinco Information Security Program has been assessed and tested on a no less than annual basis; all critical and high risks and vulnerabilities have been remediated; and the Spinco Information Security Program has proven sufficient and compliant with applicable Privacy Laws in all material respects. The Spinco IT Systems currently used by the members of the Remainco Group (to the extent related to the Spinco Business) are in good working condition, do not contain any Malicious Code or defect, and operate and perform as necessary to conduct the Spinco Business. All Spinco Company Data Security Requirements imposed under HIPAA or any similar state Lawwill continue to be available for Processing by the relevant member of the Spinco Group following the Closing on substantially the same terms and conditions as existed immediately before the Closing.

Data Privacy and Information Security. (a) The members of the Merger Partner Group and, to the Knowledge of Merger Partner, the Merger Partner Data Processors and other Persons with whom the Merger Partner Group has shared Personal Data, in each case since the Lookback Date, (i) The Company and its Subsidiaries have implemented and maintain information security procedures (the “Security Procedures”), which include commercially reasonable administrative, technical, and physical safeguards designed to protect the integrity, availability, and security of the Company’s and its Subsidiaries’ IT Assets (“Company IT Assets”), and the personal data and material business information stored therein against loss; theft; damage; misuse; or unauthorized use, disclosure, access or modification. These Security Procedures conform, and have in the three (3) years preceding the Effective Date conformed, in all material respects, to (A) all complied with applicable Privacy Laws Laws, Merger Partner Privacy Policies and employee codes of conduct other Contracts relating to privacy, (B) any information security and data privacy statements in the Company and its Subsidiaries’ applicable privacy policies then in effect, and (C) the Company and its Subsidiaries’ contractual commitments, in each case, concerning the collection, use, storage, processing, retention, safeguarding, disclosure, disposal, sharing and/or transfer of any personal data ((A), (B) and (C) collectively referred to as the “Data Security Requirements”). The Security Procedures are designed to protect the Company IT Assets from any “malware,” “ransomware,” “back door,” “drop dead device,” “time bomb,” “Trojan horse,” “virus” or “worm” (as such terms are commonly understood in the software industry) or any other code designed to disrupt, disable, harm or otherwise impede the operation ofprotection, or provide unauthorized access toprocessing of Merger Partner IT Systems or Merger Partner Data, a computer system or network or other device on which such code is stored or installed, either automatically, with the passage of time or upon command by any person (collectively, “Malicious Code”). To the Knowledge of the Company, in the two (2) years preceding the Effective Date, there has not been any material failure or malfunction of the Company IT Assets, the Company IT Assets are free of Malicious Code, and there have been no material unresolved, unauthorized intrusions or breaches of the security of the Company IT Assets, including with respect to any personal data or material business information in the possession, custody or control of the Company and its Subsidiaries, that would require notification by the Company and its Subsidiaries to individuals and/or Governmental Entities under any applicable Data Security Requirement. (ii) The Company IT Assets have not suffered and are adequate for not currently suffering a Security Incident and operate and perform in all material respects in accordance with their documentation and functional specifications and otherwise as required in connection with, the operation of the businesses of the Company and its Subsidiaries as of the Closing. The Company and its Subsidiaries have implemented commercially reasonable backup, anti-virus, security and disaster recovery measures and technology. (iii) The Company have not been subject to any complaints, litigation or regulatory investigations or enforcement actions from any Person or Governmental Authority and its Subsidiaries have in the two (2) years preceding the Effective Date complied in all material respects with the Data Security Requirements. In the two (2) years preceding the Effective Date, the Company and its Subsidiaries have not received any written (or, to the Knowledge of the Company, oral) complaint, nor, to the Knowledge of the Company, has notices or inquiries alleging noncompliance with any written complaint been made to any third party, from any patient or guardian thereof regarding the improper use or disclosure of such patient’s protected health information (as such term is defined under HIPAA) by any of the Company or its Subsidiariesapplicable Privacy Laws in each case, except in the case of each of clause (i) through (iii), as would not not, individually or in the aggregate aggregate, reasonably be expected to be material to the Company and its Subsidiaries take Merger Partner Business or the Merger Partner Group, taken as a whole. In To the two Knowledge of Xxxxxx Partner, neither the execution, delivery or performance of any of the Transaction Documents, nor the consummation of the Contemplated Transactions, violate any Privacy Laws or Merger Partner Privacy Policies, except as, individually or in the aggregate, would not reasonably be expected to (A) be material to the Merger Partner Business or the Merger Partner Group, taken as a whole, or (B) prevent or materially delay, materially interfere with or materially impair (1) the consummation by the members of the Merger Partner Group of any of the Contemplated Transactions or (2) years preceding the Effective Datecompliance by any member of the Merger Partner Group with the Transaction Documents. When any member of the Merger Partner Group uses a Merger Partner Data Processor to Process Personal Data, the Company and its Subsidiaries have not received any written (orrelevant Merger Partner Data Processor has provided guarantees, warranties or covenants in relation to the Knowledge Processing of the CompanyPersonal Data, oral) communication from any Governmental Entity confidentiality, and security measures, and has agreed to comply with respect to any allegation that the Company or its Subsidiaries is not those obligations in material compliance with any Data Security Requirements imposed under HIPAA or any similar state Law.a

Data Privacy and Information Security. (a) The members of the Merger Partner Group and, to the Knowledge of Merger Partner, the Merger Partner Data Processors and other Persons with whom the Merger Partner Group has shared Personal Data, in each case since the Lookback Date, (i) The Company and its Subsidiaries have implemented and maintain information security procedures (the “Security Procedures”), which include commercially reasonable administrative, technical, and physical safeguards designed to protect the integrity, availability, and security of the Company’s and its Subsidiaries’ IT Assets (“Company IT Assets”), and the personal data and material business information stored therein against loss; theft; damage; misuse; or unauthorized use, disclosure, access or modification. These Security Procedures conform, and have in the three (3) years preceding the Effective Date conformed, in all material respects, to (A) all complied with applicable Privacy Laws Laws, Merger Partner Privacy Policies and employee codes of conduct other Contracts relating to privacy, (B) any information security and data privacy statements in the Company and its Subsidiaries’ applicable privacy policies then in effect, and (C) the Company and its Subsidiaries’ contractual commitments, in each case, concerning the collection, use, storage, processing, retention, safeguarding, disclosure, disposal, sharing and/or transfer of any personal data ((A), (B) and (C) collectively referred to as the “Data Security Requirements”). The Security Procedures are designed to protect the Company IT Assets from any “malware,” “ransomware,” “back door,” “drop dead device,” “time bomb,” “Trojan horse,” “virus” or “worm” (as such terms are commonly understood in the software industry) or any other code designed to disrupt, disable, harm or otherwise impede the operation ofprotection, or provide unauthorized access toprocessing of Merger Partner IT Systems or Merger Partner Data, a computer system or network or other device on which such code is stored or installed, either automatically, with the passage of time or upon command by any person (collectively, “Malicious Code”). To the Knowledge of the Company, in the two (2) years preceding the Effective Date, there has not been any material failure or malfunction of the Company IT Assets, the Company IT Assets are free of Malicious Code, and there have been no material unresolved, unauthorized intrusions or breaches of the security of the Company IT Assets, including with respect to any personal data or material business information in the possession, custody or control of the Company and its Subsidiaries, that would require notification by the Company and its Subsidiaries to individuals and/or Governmental Entities under any applicable Data Security Requirement. (ii) The Company IT Assets have not suffered and are adequate for not currently suffering a Security Incident and operate and perform in all material respects in accordance with their documentation and functional specifications and otherwise as required in connection with, the operation of the businesses of the Company and its Subsidiaries as of the Closing. The Company and its Subsidiaries have implemented commercially reasonable backup, anti-virus, security and disaster recovery measures and technology. (iii) The Company have not been subject to any complaints, litigation or regulatory investigations or enforcement actions from any Person or Governmental Authority and its Subsidiaries have in the two (2) years preceding the Effective Date complied in all material respects with the Data Security Requirements. In the two (2) years preceding the Effective Date, the Company and its Subsidiaries have not received any written (or, to the Knowledge of the Company, oral) complaint, nor, to the Knowledge of the Company, has notices or inquiries alleging noncompliance with any written complaint been made to any third party, from any patient or guardian thereof regarding the improper use or disclosure of such patient’s protected health information (as such term is defined under HIPAA) by any of the Company or its Subsidiariesapplicable Privacy Laws in each case, except in the case of each of clause (i) through (iii), as would not not, individually or in the aggregate aggregate, reasonably be expected to be material to the Company and its Subsidiaries take Merger Partner Business or the Merger Partner Group, taken as a whole. In To the two Knowledge of Mxxxxx Partner, neither the execution, delivery or performance of any of the Transaction Documents, nor the consummation of the Contemplated Transactions, violate any Privacy Laws or Merger Partner Privacy Policies, except as, individually or in the aggregate, would not reasonably be expected to (A) be material to the Merger Partner Business or the Merger Partner Group, taken as a whole, or (B) prevent or materially delay, materially interfere with or materially impair (1) the consummation by the members of the Merger Partner Group of any of the Contemplated Transactions or (2) years preceding the Effective Datecompliance by any member of the Merger Partner Group with the Transaction Documents. When any member of the Merger Partner Group uses a Merger Partner Data Processor to Process Personal Data, the Company and its Subsidiaries have not received any written (orrelevant Merger Partner Data Processor has provided guarantees, warranties or covenants in relation to the Knowledge Processing of Personal Data, confidentiality, and security measures, and has agreed to comply with those obligations in a manner sufficient for the relevant member of the Company, oral) communication from any Governmental Entity with respect to any allegation that the Company or its Subsidiaries is not in Merger Partner Group’s material compliance with any Data Security Requirements imposed under HIPAA or any similar state applicable Privacy Law. (b) Merger Partner has established and maintains a Merger Partner Information Security Program, and since the Lookback Date there have been no material violations of the Merger Partner Information Security Program. The Merger Partner Information Security Program has been assessed and tested on a no less than annual basis; all critical and high risks and vulnerabilities have been remediated; and the Merger Partner Information Security Program has proven sufficient and compliant with applicable Privacy Laws in all material respects. The Merger Partner IT Systems currently used by the members of the Merger Partner Group are in good working condition, do not contain any Malicious Code or defect, and operate and perform as necessary to conduct the Merger Partner Business. All Merger Partner Data will continue to be available for Processing by the relevant member of the Merger Partner Group following the Closing on substantially the same terms and conditions as existed immediately before the Closing.

Data Privacy and Information Security. (a) The members of the Remainco Group (to the extent related to the Spinco Business) and, to the Knowledge of Remainco, its Data Processors and other Persons with whom the Remainco Group (to the extent related to the Spinco Business) has shared Personal Data, in each case since the Lookback Date, (i) The Company and its Subsidiaries have implemented and maintain information security procedures (the “Security Procedures”), which include commercially reasonable administrative, technical, and physical safeguards designed to protect the integrity, availability, and security of the Company’s and its Subsidiaries’ IT Assets (“Company IT Assets”), and the personal data and material business information stored therein against loss; theft; damage; misuse; or unauthorized use, disclosure, access or modification. These Security Procedures conform, and have in the three (3) years preceding the Effective Date conformed, in all material respects, to (A) all complied with applicable Privacy Laws Laws, Spinco Company Privacy Policies and employee codes of conduct other Contracts relating to privacy, (B) any information security and data privacy statements in the Company and its Subsidiaries’ applicable privacy policies then in effect, and (C) the Company and its Subsidiaries’ contractual commitments, in each case, concerning the collection, use, storage, processing, retention, safeguarding, disclosure, disposal, sharing and/or transfer of any personal data ((A), (B) and (C) collectively referred to as the “Data Security Requirements”). The Security Procedures are designed to protect the Company IT Assets from any “malware,” “ransomware,” “back door,” “drop dead device,” “time bomb,” “Trojan horse,” “virus” or “worm” (as such terms are commonly understood in the software industry) or any other code designed to disrupt, disable, harm or otherwise impede the operation ofprotection, or provide unauthorized access toprocessing of Spinco IT Systems or Spinco Company Data, a computer system or network or other device on which such code is stored or installed, either automatically, with the passage of time or upon command by any person (collectively, “Malicious Code”). To the Knowledge of the Company, in the two (2) years preceding the Effective Date, there has not been any material failure or malfunction of the Company IT Assets, the Company IT Assets are free of Malicious Code, and there have been no material unresolved, unauthorized intrusions or breaches of the security of the Company IT Assets, including with respect to any personal data or material business information in the possession, custody or control of the Company and its Subsidiaries, that would require notification by the Company and its Subsidiaries to individuals and/or Governmental Entities under any applicable Data Security Requirement. (ii) The Company IT Assets have not suffered and are adequate for not currently suffering a Security Incident and operate and perform in all material respects in accordance with their documentation and functional specifications and otherwise as required in connection with, the operation of the businesses of the Company and its Subsidiaries as of the Closing. The Company and its Subsidiaries have implemented commercially reasonable backup, anti-virus, security and disaster recovery measures and technology. (iii) The Company have not been subject to any complaints, litigation or regulatory investigations or enforcement actions from any Person or Governmental Authority and its Subsidiaries have in the two (2) years preceding the Effective Date complied in all material respects with the Data Security Requirements. In the two (2) years preceding the Effective Date, the Company and its Subsidiaries have not received any written (or, to the Knowledge of the Company, oral) complaint, nor, to the Knowledge of the Company, has notices or inquiries alleging noncompliance with any written complaint been made to any third party, from any patient or guardian thereof regarding the improper use or disclosure of such patient’s protected health information (as such term is defined under HIPAA) by any of the Company or its Subsidiariesapplicable Privacy Laws in each case, except in the case of each of clause (i) through (iii), as would not not, individually or in the aggregate aggregate, reasonably be expected to be material to the Company and its Subsidiaries take Spinco Business or the Spinco Group, taken as a whole. In To the two Knowledge of Remainco, neither the execution, delivery or performance of any of the Transaction Documents, nor the consummation of the Contemplated Transactions, violate any Privacy Laws or Spinco Company Privacy Policies, except as, individually or in the aggregate, would not reasonably be expected to (A) be material to the Spinco Business or the Spinco Group, taken as a whole or (B) prevent or materially delay, materially interfere with or materially impair (1) the consummation by the members of the Remainco Group of the Contemplated Transactions or (2) years preceding the Effective Datecompliance by any member of the Remainco Group with the Transaction Documents. When any member of the Spinco Group uses a Data Processor to Process Personal Data, the Company and its Subsidiaries have not received any written (orrelevant Data Processor has provided guarantees, warranties or covenants in relation to the Knowledge Processing of Personal Data, confidentiality, and security measures, and has agreed to comply with those obligations in a manner sufficient for the relevant member of the Company, oral) communication from any Governmental Entity with respect to any allegation that the Company or its Subsidiaries is not in Spinco Group’s material compliance with any Data Security Requirements imposed under HIPAA or any similar state applicable Privacy Law. (b) The members of the Remainco Group (to the extent related to the Spinco Business) have established and maintain a Spinco Information Security Program, and since the Lookback Date there have been no material violations of the Spinco Information Security Program. The Spinco Information Security Program has been assessed and tested on a no less than annual basis; all critical and high risks and vulnerabilities have been remediated; and the Spinco Information Security Program has proven sufficient and compliant with applicable Privacy Laws in all material respects. The Spinco IT Systems currently used by the members of the Remainco Group (to the extent related to the Spinco Business) are in good working condition, do not contain any Malicious Code or defect, and operate and perform as necessary to conduct the Spinco Business. All Spinco Company Data will continue to be available for Processing by the relevant member of the Spinco Group following the Closing on substantially the same terms and conditions as existed immediately before the Closing.