Common use of Data Privacy and Security Clause in Contracts

Data Privacy and Security. (a) To the Company’s knowledge, each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledge, there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To Each Group Company does not knowingly collect or process Personal Data contrary to law, to each Group Company’s knowledge. The Company has safeguards in place that are sufficient to protect Personal Data and confidential information in the Company’s knowledge, possession or control from unauthorized access by third Persons and to ensure that the operation of the businesses of each Group Company has implemented adequate written policies relating (including with respect to the Processing of Personal Data as and to the extent required by applicable Law (“employee matters) are in compliance with all Privacy and Data Security Policies”)Requirements in all material respects. (b) To the Company’s knowledgeThere are no pending Proceedings, nor has there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened been any Proceedings against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; Entity or (iiiiv) any regulatory or self-regulatory entity) , in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any applicable Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingLaws. (c) To the Company’s knowledge, since Since the Lookback Date: , (i) there has been no person has alleged material unauthorized access, use, acquisition or given written notice disclosure of unauthorized access toPersonal Data, or use, disclosure, or Processing of Personal Data confidential business information in the possession or control of any Group Company or or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or third party service provider on behalf of a any Group Company; , and (ii) to the Company’s knowledge, there have been no person has alleged or given written notice of unauthorized intrusions into or breaches Security Breaches of security into any Group Company systems networks, communication equipment or other technology necessary for the operations of the Group Companies’ business. The Group Companies have not experienced any material successful unauthorized access to, use or modification of, or interference with Company IT Systems; Systems since the Lookback Date and (iii) none of the Group Companies has notified is aware of any written or, to the knowledge of the Company, oral notices or been required to notify complaints from any Person regarding such a Security Breach or incident. None of the Group Companies has received any written complaints, claims, demands, inquiries or other notices, including a notice of investigation, from any Person (including any Governmental Entity or self-regulatory authority) regarding any of the Group Companies’ Processing of Personal Data or compliance with applicable Privacy and Security Requirements. Since the Lookback Date, none of the Group Companies have provided or have been obligated to provide notice under any Privacy and Security Requirements to regarding any Security Breach or unauthorized access to or use of any (A) loss, theft Company IT System or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All The Group Companies have a sufficient number of license seats for all Software included in the Company IT Systems are: Systems. (ie) free from any material defect, bug, virus or programming, design or documentation error The Group Companies are and (ii) have been in sufficiently good working condition to effectively perform compliance in all material information technology operations necessary for the operation of the Business (except for ordinary wear respects with all applicable Privacy and tear). To the Company’s knowledge, Security Requirements since the Lookback Date. (f) The Group Companies have implemented reasonable physical, there have not been any material failurestechnical and administrative safeguards to protect the privacy, breakdowns or continued substandard performance operation, confidentiality, integrity and security of any all Company IT Systems that have caused a material failure and Personal Data in their possession or disruption control from unauthorized access by any Person, including each of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessGroup Companies’ employees and contractors.

Data Privacy and Security. (ai) To The Company and each of its Subsidiaries complies, and during the past three years has complied, in all material respects, with all Privacy and Information Security Requirements. Neither the Company nor any of its Subsidiaries have been notified in writing of, or is the subject of, any complaint or proceeding or to the Company’s knowledge, each Group Company has implemented adequate written policies relating any, regulatory investigation related to the Processing of Personal Data as by any Governmental Entity or payment card association, regarding any actual or possible violations of any Privacy and Information Security Requirement by or with respect to the extent required by applicable Law (“Privacy and Data Security Policies”)Company or any of its Subsidiaries. (bii) The Company and each of its Subsidiaries employs commercially reasonable organizational, administrative, physical and technical safeguards that comply in all material respects with all Privacy and Information Security Requirements to protect Company Data within its custody or control and requires the same of all vendors under contract with the Company that Process Company Data on its behalf. The Company and each of its Subsidiaries have provided all requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to notification to Governmental Entities), necessary for the Processing (including international and onward transfer) of all Personal Data in connection with the conduct of the business as currently conducted and in connection with the consummation of the transactions contemplated hereunder. (iii) To the knowledge of the Company, neither the Company nor any of its Subsidiaries has suffered a security breach with respect to any of the Company Data and to the Company’s knowledge, there is (and since has been no unauthorized or illegal use of or access to any Company Data. Neither the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person Subsidiaries has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified notified, or been required to notify notify, any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, information security breach involving Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses”, “worms”, “time bombs” or “back doors”) that have not been removed or fully remedied. Neither the Company nor any of its Subsidiaries have experienced within the past three years any material failuresdisruption to, breakdowns or continued substandard performance material interruption in, the conduct of its business that affected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the part of any Company IT Systems that have caused a material failure computer software or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessSystems.

Data Privacy and Security. (a) To The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the Company’s knowledge“Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, each Group 2018, no Person has brought, or threatened in writing to bring, any Action against the Company has implemented adequate written policies relating or any of its Subsidiaries in relation to the Processing any actual or alleged Security Incident or violation or breach of Personal Data as and to the extent required by applicable Law (“any Privacy and Data Security Policies”)Requirement. (b) To Since January 1, 2018, the Company’s knowledge, there is (Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since the Lookback Date there has been) no material Proceeding pending orJanuary 1, 2018, have not been subject to the Company’s knowledgea Governmental Order of, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commissionhave received a notice from, any state attorney general a Governmental Authority regarding actual or similar state official; (ii) any other Governmental Entity, foreign alleged non-compliance with or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy Requirement. The Company and Data Security Policies norits Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingright to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company’s knowledge, since the Lookback Date: (i) there have been no person has alleged unauthorized or given written notice of unauthorized access toillegal Processing, or useother breach, disclosureviolation or default (or event that, with or Processing without the giving of Personal Data in the possession notice or control lapse of time, would constitute a breach, violation or default) of any Group Privacy Requirements by any third-party data suppliers, vendors or other partners that Process any Company PII or any of its contractors with regard to any Personal Data obtained from or other Personally Identifiable Information on behalf of a Group Company; (ii) no person has alleged the Company or given written notice of unauthorized intrusions its Subsidiaries. No circumstances have arisen in which the Privacy Requirements would require or breaches of security into any recommend the Company IT Systems; and (iii) none of the Group Companies has notified or been required its Subsidiaries to notify any Person Governmental Authority of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectSecurity Incident. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business The consummation of each Group Company as currently conducted. All Company IT Systems are: (i) free from transactions contemplated by this Agreement will not breach any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessPrivacy Requirement.

Data Privacy and Security. (a) To the The Company’s knowledgeand its Subsidiaries’ data, each Group Company has implemented adequate written policies relating to the Processing privacy and security practices and processing of Personal Data as comply in all material respects with the Privacy Laws. Neither the execution, delivery and to the extent required by applicable Law (“performance of this Agreement will cause, constitute, or result in a breach or violation of any Privacy and Data Security Policies”)Laws. (b) To The Company and its Subsidiaries have established and maintain appropriate technical, physical and organizational measures in compliance in all material respects with all data security requirements under the Company’s knowledge, there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingLaws. (c) To Neither the Company’s knowledgeCompany nor any of its Subsidiaries have received or experienced any Legal Proceeding, since Order, warrant, regulatory opinion, audit result or written notice from a Governmental Entity or any other Person in the Lookback Datelast three (3) years: (i) no person has alleged alleging or given written confirming material non-compliance with a relevant requirement of Privacy Laws; or (ii) giving notice of unauthorized access toany Governmental Entity’s investigation, requisition of information from, or useintention to enter the premises of, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors Subsidiaries with regard respect to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice confirmed material non-compliance with a relevant requirement of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectPrivacy Laws. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate During the business of each Group Company as currently conducted. All Company IT Systems are: last three (3) years, (i) free from no material security incident, including, but not limited to, malware, ransomware, virus, compromise of credentials, denial-of-service attack, unauthorized intrusion, violation of any material defectdata security policy, bugbreach, virus or programmingunauthorized access in relation to ICT Infrastructure, design Confidential Information, Intellectual Property or documentation error Personal Data in the Company’s or any of its Subsidiaries’ possession, custody or control has occurred and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary no data breach has occurred for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of which the Company IT Systems or any of its Subsidiaries has been required under Privacy Laws to notify a Governmental Entity or any other than routine failures or disruptions that have been remediated in the ordinary course of businessPerson.

Data Privacy and Security. (a) To Except as set forth on Section 3.22(a) of the Company’s knowledgeCompany Disclosure Schedules, each Group Company has implemented adequate written internal and external policies relating to the Processing of Personal Data as and to the extent required by applicable Privacy Law (“Privacy and Data Security Policies”). Except as set forth on Section 3.22(a) of the Company Disclosure Schedules, for the past three years, each Group Company has at all times complied with all applicable Privacy Laws, the Privacy and Data Security Policies, and contractual obligations entered into by a Group Company relating to the Processing of Personal Data and any other applicable industry standards or requirements binding upon such Group Company (collectively, the “Privacy Requirements”). (b) To the Company’s knowledgeThe Company has not received notice of any pending Proceedings, nor has there is (and since the Lookback Date there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; or (iiiiv) any regulatory state, federal, or self-regulatory entity) international data protection authority, in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingRequirements. (c) To Except as set forth on Section 3.22(c) of the Company’s knowledgeCompany Disclosure Schedules, since for the Lookback Date: past three years, (i) there has been no person has alleged material unauthorized access, use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group Company or and/or any of its contractors with regard to the service providers of any Personal Data obtained from or on behalf of a Group Company; Company and (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of Systems under the Group Companies has notified or been required to notify any Person control of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectGroup Company. (d) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Each Group Company IT Systems are: has taken commercially reasonable steps to protect (i) free from any material defectthe operation, bugconfidentiality, virus or programming, design or documentation error integrity and security of the Company IT systems and (ii) personal data in sufficiently good working condition the Group Company’s possession or control, or otherwise processed by the Group Company, from unauthorized, accidental or unlawful use, disclosure and modification. (e) Each Group Company is, and at all times has been, in compliance with all legal requirements that are applicable to effectively perform all material information technology operations necessary for each Group Company’s business as presently conduct pertaining to sales, marketing, and electronic communications, including, without limitation, the operation U.S. CAN-SPAM Act, the U.S. Telephone Consumer Protection Act (TCPA), and the Fair Credit Reporting Act (FCRA). (f) Each Group Company has reasonable procedures in place to ensure that the third parties with which such Group Company shares or transfers Personal Data are required to protect the confidentiality of the Business (except for ordinary wear and tear)shared or transferred Personal Data in compliance with all applicable Privacy Requirements. To Each Group Company has contractual arrangements with such third parties that comply with all applicable Privacy Requirements to the Companyextent applicable to the third party’s knowledgeservices, since the Lookback Dateuse, there have not been any material failures, breakdowns or continued substandard performance processing of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessPersonal Data.

Data Privacy and Security. (a) To The Company and its Subsidiaries and, to the Knowledge of the Company, its Data Partners, comply and, within the last five years, have complied in all material respects with all Privacy Laws, Company Privacy Policies and Contracts relating to the processing, privacy and security of Personal Information (collectively, the “Company Privacy Commitments”), including compliance with respect to (i) Personal Information of Company’s website visitors, customers or representatives of Company customers, the Company’s knowledgeor its Subsidiaries’ own employees, each Group or any other individual whose Personal Information is processed by the Company has or its Subsidiaries; and (ii) the sending of solicited or unsolicited electronic or telephonic communications, including via email, text message or phone call. The Company and its Subsidiaries have implemented adequate written policies relating to and maintained processes for identifying and redacting any Personal Information contained in the Processing of Personal Data as and to Spaces created by the extent required by applicable Law (“Privacy and Data Security Policies”)Company Platform. (b) To Neither the Company’s knowledgeexecution, there is (delivery and since performance of this Agreement by the Lookback Date there has been) no material Proceeding pending or, to Company nor the Company’s knowledge, threatened against or involving any Group consummation by the Company initiated by any Person (including of the transactions contemplated hereby will (i) the United States Federal Trade Commission, trigger or require any state attorney general notices to or similar state officialconsents from any Person; (ii) violate any other Governmental Entity, foreign or domesticCompany Privacy Commitments; or (iii) give rise to any regulatory right of termination or self-regulatory entityother right to impair or limit the Company’s or its Subsidiaries’ right to own and process any Personal Information used in or necessary for the operation of the business of the Company or its Subsidiaries. Since July 21, 2021, the Company and its Subsidiaries (A) alleging that any Processing have, in all material respects, implemented and maintain complete, accurate and up to date records of responses to requests from individuals requesting access, rectification or deletion of Personal Data Information or other exercise of rights under Company Privacy Commitments and (B) have responded to all requests from individuals requesting access, rectification, deletion or other exercise of rights under Privacy Laws, in the time period and in accordance in all material respects with the other requirements of Company Privacy Commitments. (c) All Personal Information processed by the Company or its Subsidiaries has been collected fairly and lawfully (including through the provision of information notices and other disclosures (in the Company Privacy Policies or otherwise) and the collection of valid consent where required) and can be used legitimately in the manner used by the Company without breaching any Company Privacy Commitments. The Company and its Subsidiaries have, as of the date hereof and since July 21, 2021, posted and prominently made available on behalf its websites, mobile applications and other mechanisms through which the Company or its Subsidiaries collects Personal Information, a Company Privacy Policy in conformance in all material respects with Privacy Laws. All Company Privacy Policies published by the Company are and, since July 21, 2021, have, in all material respects, been accurate, complete and consistent with the actual practices of a Group the Company is and its Subsidiaries with respect to the processing of Personal Information. As of the date hereof, no disclosure or was representation made or contained in any Company Privacy Policy published by the Company has been intentionally inaccurate, misleading, deceptive or in violation of any Privacy Laws (including by containing any material omission). (d) The Company and its Subsidiaries have in place written Contracts with all of their customers regarding the Company’s or any its Subsidiaries’ processing of Personal Information on behalf of such customers. Such Contracts include written obligations that comply with the requirements of Privacy and Data Security Policies nor, Laws in relation to the Company’s knowledgeand its Subsidiaries’ processing and protection of Personal Information. When acting as a Data Processor on behalf of customers, is there the Company and its Subsidiaries do not process Personal Information for any purpose except on the instruction of the customer (unless required to do so by applicable Law). Neither the Company nor since its Subsidiaries have transferred or permitted the Lookback Date has there beentransfer of Personal Information originating in the European Economic Area (“EEA”) any basis or United Kingdom (“UK”) to outside the EEA or UK (as applicable), or otherwise across jurisdictional borders, except where such transfers have complied with the requirements of the Company Privacy Commitments and with reasonable safeguards in place for the foregoingsuch transfer. (ce) To Where the Company or its Subsidiaries use a Data Partner to process Personal Information or otherwise share or disclose Personal Information with such Data Partner, there is in existence a Contract. Such Contract with the Data Partner includes written obligations in relation to the processing and protection of Personal Information and has agreed to comply with those obligations in a manner sufficient for the Company’s knowledgeand its Subsidiaries’ compliance with Company Privacy Commitments, since including where applicable, obligations for any party acting as a Data Processor (as defined under the Lookback DatePrivacy Laws) to act only on the instructions of the Data Controller (as defined under the Privacy Laws) and such other terms as are required under Privacy Laws. To the Knowledge of the Company, no Data Partner has breached any such Contracts. (f) The Company and its Subsidiaries have, and have required all Data Partners to have, implemented administrative, physical and technical safeguards to protect and maintain the confidentiality, integrity, availability and security of Personal Information and any information technology systems owned by the Company or its Subsidiaries against any accidental, unlawful or unauthorized use, access, disclosure, modification, destruction, loss, or compromise or other processing (a “Security Incident”). The Company and its Subsidiaries use, and have at all times used, reliable methods designed to ensure the correct identity of the users of those with access to any information technology systems owned by the Company or its Subsidiaries, and have used reliable measures designed to protect the security and integrity of transactions executed through the IT Systems of the Company or its Subsidiaries. (g) In relation to any Security Incident and/or violation of Company Privacy Commitments, neither the Company, any Subsidiary, nor to the Knowledge of the Company, as of the date hereof, any Data Partner has: (i) no person has alleged or given written notice of unauthorized access tonotified in writing, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify in writing, any customer, consumer, employee, Governmental Authority or other Person or (ii) received any written notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any (A) lossinvestigation or enforcement action by, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure any Governmental Authority or other Processing of, Personal Data, except, in each casePerson. To the Knowledge of the Company, as of the date hereof, there are no facts or circumstances that would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license give rise to use such Company IT Systems as necessary to operate the business occurrence of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To the Company’s knowledge, each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledge, there There is (and since the Lookback Date date of incorporation of each Group Company there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; , (ii) any other Governmental Entity, foreign or domestic; domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws and Security Requirements. (b) Since January 1, 2018, (i) there has been no Security Incidents with respect to any Company IT Systems, Personal Data, or Company Products or otherwise related to the business of any Privacy and Data Security Policies norGroup Company (including, to the Company’s knowledge, is there prior to each Group Company’s ownership of its business), (nor since the Lookback Date has there beenii) any basis for the foregoing. (c) To to the Company’s knowledge, since the Lookback Date: (i) knowledge there has been no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data or any trade secrets, know-how or confidential information of or in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; , and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as is not and would not have reasonably be excepted to be, individually or in the aggregate, material to the Group Companies, taken as a Company Material Adverse Effectwhole. (dc) Each Group Company owns or has license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. The Group Companies have taken reasonable precautions to protect the confidentiality, integrity and security of the Company IT Systems and all information stored or contained therein or transmitted thereby from any loss, theft, or unauthorized disclosure, use, access, interruption or modification by any Person. All Company IT Systems are: are (i) free from any Malicious Code, material defect, bug, virus bug or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business business of the Group Companies (except for ordinary wear and tear). To the Company’s knowledgeSince January 1, since the Lookback Date2018, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures Systems, including, to the Company’s knowledge, prior to each Group Company’s ownership of its business. The Group Companies have implemented, maintained and tested adequate and commercially reasonable disaster recovery procedures and facilities for their respective businesses. (d) The Group Companies (i) engage and have engaged in, directly or disruptions that have been remediated indirectly, Data Processing only with respect to such Data as they are authorized to so engage (or to cause such Processing, as applicable) by Law and Contract, except as is not and would not reasonably be expected to be, individually or in the ordinary course aggregate, material to the Group Companies, taken as a whole, and (ii) have implemented reasonable safeguards designed to prevent unauthorized use or disclosure of businesssuch Data. The Group Companies have, with respect to all such Data that is subjected to any Processing directly or indirectly in connection with the business of the Group Companies, all rights necessary to conduct the operation of their respective businesses as then-currently conducted, in all material respects.

Data Privacy and Security. (a) To The Company and each of its Subsidiaries complies, and during the Company’s knowledgepast twelve (12) months has complied in all material respects with all Privacy and Information Security Requirements. Neither the Company nor any of its Subsidiaries have been notified in writing of, each Group Company has implemented adequate written policies relating or is the subject of, any complaint, regulatory investigation or proceeding related to the Processing of Personal Data as by any Governmental Entity or payment card association, regarding any violations of any Privacy and Information Security Requirement by or with respect to the extent required by applicable Law (“Privacy and Data Security Policies”)Company or any of its Subsidiaries. (b) To The Company and each of its Subsidiaries employs commercially reasonable organizational, administrative, physical and technical safeguards that comply with all Privacy and Information Security Requirements to protect Personal Data within its custody or control and requires the same of all vendors under contract with the Company that Process Personal Data on its behalf. The Company and each of its Subsidiaries have provided all requisite notices and obtained all required consents or otherwise identified legal basis for Personal Data, and satisfied all other requirements (including but not limited to notification to Governmental Entities), necessary for the Processing (including international and onward transfer) of all Personal Data in connection with the conduct of the Company Business as currently conducted and in connection with the consummation of the transactions contemplated hereunder, except in each case, as would not be reasonably expected to have a Material Adverse Effect with respect to the Company’s knowledge, there is . (and since c) Neither the Lookback Date there has been) no material Proceeding pending orCompany nor any of its Subsidiaries, to the Company’s knowledge, threatened against or involving has suffered a security breach with respect to any Group Company initiated by any Person (including (i) of the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies norand, to the Company’s knowledge, is there (has been no unauthorized or illegal use of or access to any Personal Data. Neither the Company nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person Subsidiaries has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified notified, or been required to notify notify, any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, information security breach involving Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses,” “worms,” “time bombs,” or “back doors”) that have not been removed or fully remedied. To the Company’s knowledge, neither it nor any of its Subsidiaries, have experienced within the past twelve (12) months any material failuresdisruption to, breakdowns or continued substandard performance material interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, ransomware event, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the part of any Company IT Systems that have caused a material failure computer Software or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessSystems.

Data Privacy and Security. (a) To The Company has administrative, technical and physical safeguards (including monitoring compliance with such safeguards) to protect the confidentiality, privacy and security of Personal Information and the systems, technology and networks that process Personal Information (the “Company Information Security”). The Company has produced to the Purchaser true, correct and complete copies of all written policies and procedures related to the Company Information Security. Each of the Company’s knowledge, employees has received appropriate training on the Company Information Security relevant to each Group such employee’s role. (b) The Company has implemented adequate written policies relating to the Processing not experienced: (i) any unauthorized processing of Personal Data as Information in the possession, custody or control of any of the Company; or (ii) any unauthorized processing by a third party of Personal Information processed for or on behalf of the Company. The Company has not knowingly acted in a manner, is not aware of any incident or by the exercise or reasonable diligence would not be aware of any incident that would trigger an obligation to notify any person or Governmental Authority under any Laws or Contract. (c) The Company is in compliance with and has complied with (i) all Laws related to Personal Information; (ii) all policies, procedures, processes, statements or notices related to Personal Information to the extent required by applicable Law such policies, procedures, processes, statements or notices are legally binding or give rise to legally-enforceable duties; and (iii) each Contract related to processing (“Privacy and Data Security PoliciesLegal Requirements”). (bd) To The Company either transmits Personal Information across jurisdictional borders in compliance in all material respects with all Privacy Legal Requirements or processes Personal Information exclusively in the same jurisdiction as each data subject to which it relates resides. (e) The Company has entered into written agreements with each third-party service provider, vendor and business partner that processes Personal Information, such as payment card processors, advertising and marketing agencies, cloud storage vendors and outsourced technology or human resource functions, (collectively, “Data Related Vendors”) containing commercially reasonable provisions for data privacy and security. The Company has taken reasonable steps to select and retain only those Data Related Vendors that are capable of maintaining the confidentiality, privacy and security of the Personal Information that they process on behalf of the Company’s knowledge. (f) No Person has commenced or threatened within the past five (5) years any Action or other written complaint, there is (and since the Lookback Date there has been) no material Proceeding pending oraudit, proceeding, claim or investigation arising from or relating to processing by, for or on behalf of the Company’s knowledge. (g) The execution, threatened against delivery and performance of this Agreement and the consummation of the transactions contemplated herein shall not cause, constitute or involving result in a breach or violation any Group Company initiated by any Person (including (i) the United States Federal Trade CommissionPrivacy Legal Requirement, any state attorney general policy, procedure, process, statement or similar state official; (ii) notice of the Company as it currently exists or as it existed at any other Governmental Entity, foreign or domestic; or (iii) time during which any regulatory or self-regulatory entity) alleging that any Processing of Personal Data Information was processed by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all applicable Privacy Requirements. To the knowledge of the Company’s knowledge, each Group since January 1, 2019, the Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2019, no Person has implemented adequate written policies relating brought, or, to the Processing knowledge of Personal Data as and the Company, threatened in writing to bring, any Action against the extent required by Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any applicable Law (“Privacy and Data Security Policies”)Requirement. (b) To the Company’s knowledgeThe Company and its Subsidiaries have, there is (and since the Lookback Date there has been) no January 1, 2019, complied in all material Proceeding pending or, respects with all applicable Privacy Requirements with respect to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by Company PII. The Company and its Subsidiaries are not and, since January 1, 2019, have not been subject to a Governmental Order of, or on behalf of have received a Group Company is written notice from, a Governmental Authority regarding actual or was in alleged non-compliance with or violation of any applicable Privacy Laws or any Privacy Requirement. The Company and Data Security Policies norits Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingright to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, each of the Company’s knowledgeand its Subsidiaries’ third-party data suppliers, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access tovendors, or use, disclosure, or Processing of Personal Data in the possession or control of and partners that Process any Group Company or any of its contractors with regard to any Personal Data obtained from or PII on behalf of the Company or its Subsidiaries are in compliance in all material respects with applicable Privacy Requirements and there has been no material unauthorized or illegal Processing, or other material breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a Group Company; (iimaterial breach, violation or default) no person has alleged by any such supplier, vendor or given written notice other partner in connection with the Processing of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none PII. To the knowledge of the Group Companies has notified Company, no circumstances have arisen in which applicable Privacy Requirements would require the Company or been required its Subsidiaries to notify any Person Governmental Authority or affected individual of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectSecurity Incident. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation The consummation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have Transactions will not been materially breach any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessapplicable Privacy Requirement.

Data Privacy and Security. (aA) To Except as would not, individually or in the Company’s knowledgeaggregate, reasonably be expected to result in a Material Adverse Effect or as otherwise disclosed in the Registration Statement, the Pricing Disclosure Package and the Final Prospectus, (A) the Company and each Group Company has implemented adequate written policies of its Designated Subsidiaries have complied and are presently in compliance in all material respects with all internal and external privacy policies, contractual obligations, industry standards, applicable laws, statutes, judgments, orders, rules and regulations of any court or arbitrator or other governmental or regulatory authority and any other legal obligations, in each case, relating to the Processing collection, use, transfer, import, export, storage, protection, disposal and disclosure by the Company or any of Personal Data as and to the extent required by applicable Law its Designated Subsidiaries of personal, personally identifiable, household, sensitive, confidential or regulated data (“Privacy and Data Security PoliciesObligations,” and such data, “Data”). ; (bB) To the Company’s knowledge, Company has not received any notification of or complaint regarding material non-compliance with any Data Security Obligation; and (C) there is (and since the Lookback Date there has been) no material Proceeding action, suit or proceeding by or before any court or governmental agency, authority or body pending or, to the knowledge of the Company’s knowledge, threatened against or involving alleging non-compliance with any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; Data Security Obligation. (ii) any other Governmental EntityThe Company and each of its Designated Subsidiaries have implemented and maintain controls, foreign policies, procedures, and technological safeguards reasonably consistent with industry standards and practices that are designed to protect against and prevent breach, destruction, loss, unauthorized distribution, use, access, disablement, misappropriation or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access tomodification, or use, disclosure, other compromise or Processing misuse of Personal Data in the possession or control of any Group Company or any of its contractors with regard relating to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for system or Data used in connection with the operation of the Business Company’s and its subsidiaries’ businesses (except for ordinary wear and tear“Breach”). To Except as would not, individually or in the Company’s knowledgeaggregate, since reasonably be expected to result in a Material Adverse Effect or as otherwise disclosed in the Lookback DateRegistration Statement, the Pricing Disclosure Package and the Final Prospectus, (a) there has been no such Breach, and (b) the Company and its Designated Subsidiaries have not been any material failures, breakdowns or continued substandard performance notified of and have no knowledge of any Company IT Systems event or condition that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions would reasonably be expected to result in, any such Breach, except for those that have been remediated in remedied without material cost or liability or the ordinary course of businessduty to notify any governmental or regulatory authority.

Data Privacy and Security. (a) To the Company’s knowledge, each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledge, there There is (and since the Lookback Date there has been) no material Proceeding not currently pending or, to the Company’s knowledge, threatened threatened, and there has not been any, Proceeding against or involving any Company Group Company Member initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory entity, privacy regulator or self-regulatory entityotherwise, or (iv) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was other Person, in violation of any Privacy Laws or any Privacy and Data Security Policies noreach case, with respect to privacy, cybersecurity, and, to the Company’s knowledge, is there are no facts upon which such a Proceeding could be based. (nor since b) There have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to the Lookback Date has Company’s knowledge, there been) any are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims. There are no data security, information security, or other technological vulnerabilities with respect to the foregoingCompany Group’s services or with respect to the Company IT Systems that would have a materially adverse impact on their operations or cause a material Security Incident. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged The Company Group Members own or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard have license to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required use pursuant to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Contract the Company IT Systems as necessary to operate their respective businesses as currently conducted and such Company IT Systems are sufficient for the business operation of each Group Company their respective businesses as currently conducted. All The Company Group Members have back-up and disaster recovery arrangements, procedures and facilities for the continued operation of its businesses in the event of a failure of the Company IT Systems that are: (i) free from , in the reasonable determination of the Company, commercially reasonable and in accordance in all material respects with standard industry practice. There has not been any material defectdisruption, bugfailure or, virus to the Company’s knowledge, unauthorized access with respect to any of the Company IT Systems that has not been remedied, replaced or programming, design or documentation error and (ii) mitigated in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear)respects. To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption none of the Company IT Systems contain any worm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other than routine failures damaging devices, malicious codes, designs, hardware component, or disruptions software routines that causes the Company Software or any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized person. (d) The Company Group Members have, and have been remediated had, in place reasonable and appropriate administrative, technical, physical and organizational measures and safeguards to (i) ensure the ordinary course integrity, security, and the continued, uninterrupted, and error-free operation of businessthe Company IT Systems, and the confidentiality of the source code of any Company Software, and (ii) to protect Business Data against loss, damage, and unauthorized access, use, modification, or other misuse.

Data Privacy and Security. (ai) To The Company and each of its Subsidiaries complies, and during the Company’s knowledgepast two years has complied, each Group in all material respects, with all Privacy and Information Security Requirements. Neither the Company has implemented adequate written policies relating nor any of its Subsidiaries have been notified in writing of, or is the subject of, any complaint, regulatory investigation or proceeding related to the Processing of Personal Data as by any third party, Governmental Entity or payment card association, regarding any material violations of any Privacy and Information Security Requirement by or with respect to the extent required by Company or any of its Subsidiaries; (ii) The Company and each of its Subsidiaries employs commercially reasonable safeguards that comply in all material respects with all applicable Law (“Privacy and Information Security Requirements to protect Company Data Security Policies”within its custody or control and requires the same of all vendors under contract with the Company that Process Company Data on its behalf. The Company and each of its Subsidiaries have provided all requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to notification to applicable Governmental Entities)., necessary for the Processing (including international and onward transfer) of all Personal Data in connection with the conduct of the business as currently conducted and in connection with the consummation of the transactions contemplated hereunder; and (biii) To Neither the Company’s knowledge, there is (and since the Lookback Date there has been) no material Proceeding pending orCompany nor any of its Subsidiaries, to the Company’s knowledge, threatened against or involving has suffered a security breach with respect to any Group of the Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies norand, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledgebeen no unauthorized or illegal use of, since the Lookback Date: (i) no person has alleged access or given written notice of unauthorized access disclosure to, or use, disclosure, or Processing of Personal Data in the possession or control unavailability of any Group Company or Data. Neither the Company nor any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person Subsidiaries has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified notified, or been required to notify notify, any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure information security breach or other Processing of, incident involving Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any material failuresmanner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses,” “worms,” “time bombs,” or “back doors”) that have not been removed or fully remedied. Neither it nor any of its Subsidiaries, breakdowns have experienced any disruption to, or continued substandard performance interruption in, the conduct of its business that effected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the part of any Company IT Systems that have caused a material failure computer software or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessSystems.

Data Privacy and Security. (a) To the Company’s knowledge, each Each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”)Requirements. Each Group Company is and has been in compliance in all material respects with all Privacy and Data Security Requirements in all relevant jurisdictions. (b) To the Company’s knowledgeNo Group Company has received notice of any pending Proceedings, nor has there is (and since the Lookback Date there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; or (iiiii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any applicable Privacy and Data Security Policies norRequirements. No Group Company has been notified in writing, or been required by Privacy and Data Security Requirements to the Company’s knowledgenotify in writing, is there (nor since the Lookback Date has there been) any basis for the foregoingPerson or entity of any personal data or information security-related incident. (c) To Since the incorporation of the Company’s knowledge, since the Lookback Date: (i) there has been no person has alleged or given written notice of loss, damage, unauthorized access toaccess, or use, disclosure, breach of security of any Company IT Systems or Processing disclosure of Personal Data or Company information in the possession possession, custody or control of any Group Company or any of otherwise held or processed on its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; and (ii) there has been no person has alleged failure, breakdown, continued substandard performance, data loss, outage, unscheduled downtime, unauthorized intrusion, or given written notice of unauthorized intrusions or breaches breach of security into or technology security or any related incident affecting any such Company IT Systems; Systems that has impacted the integrity or availability of the Company IT Systems or that have caused or could reasonably be expected to result in the substantial disruption of or interruption in or to the use of such Company IT Systems or the conduct and (iii) none operation of the business of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal DataCompanies, except, in each casethe case of clauses (i) and (ii), as would not have a Company Material Adverse Effect. (d) Each Group Company has implemented, and required that its third party vendors implement, adequate policies and commercially reasonable security (i) regarding the confidentiality, integrity, and availability of personal data, and business proprietary or sensitive information, in its possession, custody, or control, or held or processed on its behalf, and (ii) regarding the integrity and availability of the Company IT Systems. (e) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All The Company IT Systems are: are adequate in all material respects for the operation and conduct of the business of the Group Companies as currently conducted. To the knowledge of the Company, neither the Company IT Systems nor any Software that constitutes Company Owned Intellectual Property contains any viruses, worms, Trojan horses, bugs, faults or other devices, errors, contaminants or effects that (i) free from any material defect, bug, virus materially disrupt or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for materially adversely affect the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption functionality of the Company IT Systems other than routine failures Systems, except as disclosed in their documentation or disruptions that have been remediated (ii) enable or assist any Person to access without authorization any Company IT Systems. The consummation of the transaction contemplated by this Agreement will not result in the ordinary course any violation of businessany Privacy and Data Security Requirements.

Data Privacy and Security. (a) To the The Company’s knowledgedata privacy and security practices and processing of Personal Data comply, each Group and at all times have complied, with all of the Company Privacy Commitments, Privacy Laws and Company Data Agreements. The Company has implemented at all times required by Privacy Laws and Company Data Agreements: (A) had a valid legal basis (including providing adequate written policies relating to notice and obtaining any necessary consents from individuals) required for the Processing of Personal Data as conducted by or for the Company, (B) refrained from selling or sharing Personal Data with third parties for the third party’s benefit except as allowed under Applicable Law, and (C) abided by any privacy rights and choices (including privacy by default obligations under Applicable Law and data-subject opt-out preferences) of individuals relating to the extent required by applicable Law Personal Data (such obligations along with all statements and obligations contained in Company Privacy Policies, collectively, “Company Privacy and Data Security PoliciesCommitments”). (b) To . The Company has not granted any options, rights of first refusal or negotiation or other similar rights, licenses or agreements of any kind relating to any Company Data, and the Company’s knowledgeCompany is not bound by or a party to any option, there is (rights of first refusal or negotiation or other similar rights, license or agreement of any kind with respect to any of the Company Data. Neither the execution, delivery and since performance of this Agreement nor the Lookback Date there has been) no material Proceeding pending or, taking over by Acquirer of all of the Company Data and other information relating to the Company’s knowledgeend users, threatened against employees, vendors or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commissionclients, any state attorney general or similar state official; (ii) any other Governmental Entitycategory of individuals, foreign will cause, constitute or domestic; result in a breach or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or Company Privacy Commitments, any Company Data Agreements or any standard terms of service entered into by the Company with individuals the Personal Data of whom is Processed by the Company or its Processors. Copies of all current and prior Company Privacy Policies have been made available to Acquirer and such copies are true, correct and complete. (b) The Company has established and maintain appropriate technical, physical and organizational measures and security systems and technologies in compliance with all data security and other applicable requirements under Privacy Laws and Company Privacy Commitments that are designed to protect Company Data against: (i) accidental or unlawful Processing or disclosure; (ii) breaches of confidentiality; (iii) unavailability of Company Data; or (iv) other events which affect the integrity of Company Data, in each case, in a manner appropriate to the risks represented by the Processing of such data by the Company, their data processors and any other third party with whom the Company has shared such Company Data (such processors and foregoing third parties, collectively, “Processors”). The Company has taken commercially reasonable steps to ensure the compliance of their respective employees and contractors who have access to Company Data, to train such employees on all applicable aspects of any Privacy Law and Company Privacy Commitments and to ensure that all employees with the authority and/or ability to access such data are under written obligations of confidentiality with respect to such data. The Company has a process in place for identifying Personal Data Security Policies nor, in the materials they offer to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingtheir users on their websites and takes appropriate steps to ensure they are able legally to use such Personal Data as part of its commercial offering. (c) To the Company’s knowledge, since the Lookback Date: The Company has not received or experienced and there is no circumstance (iincluding any circumstance arising as a result of an audit or inspection carried out by any Governmental Entity) no person has alleged or given written notice of unauthorized access that would reasonably be expected to give rise to, any Legal Proceeding, Order, notice, communication, warrant, regulatory opinion, audit result or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company allegation from a Governmental Entity or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; other Person (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any including an end user): (A) lossalleging or confirming non-compliance with a relevant requirement of Privacy Laws or Company Privacy Commitments, theft or damage of, or (B) other unauthorized requiring or unlawful access torequesting the Company to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data, (C) permitting or mandating relevant Governmental Entities to investigate, requisition information from, or useenter the premises of, disclosure the Company or (D) claiming compensation from the Company. There are no unsatisfied requests from individuals or other Processing ofthird parties to the Company seeking to exercise any data protection or privacy rights (such as rights to access, rectify, or delete Personal Data, exceptto restrict or object to processing of Personal Data, or relating to data portability). The Company has not been involved in each case, as would not have a any Legal Proceedings involving non-compliance or alleged non-compliance with Privacy Laws or Company Material Adverse EffectPrivacy Commitments. (d) Each Group Schedule ‎2.11(d) of the Company owns or has license to use such Disclosure Letter contains the complete list of notifications and registrations made by the Company IT Systems as necessary to operate under Privacy Laws with relevant Governmental Entities in connection with the business Company’s Processing of each Group Company as currently conductedPersonal Data. All such notifications and registrations are valid, accurate, complete and fully paid up and, to the knowledge of the Company, the consummation of the Transactions will not invalidate such notification or registration or require such notification or registration to be amended. To the knowledge of the Company, other than the notifications and registrations set forth on Schedule ‎2.11(d) of the Company IT Systems are: Disclosure Letter, no other registrations or notifications are required in connection with the Processing of Personal Data by the Company. The Company does not Process the Personal Data of any natural person who is under the age of 13 or is otherwise considered a child under Applicable Law. (e) The Company has made available to Acquirer true, correct and complete copies of all Contracts permitting a Processor to Process Personal Data and such Processors have not breached any such Contracts pertaining to Personal Data Processed by such Persons on behalf of the Company. (f) The Company maintains complete, accurate and up to date records of (i) free from any material defect, bug, virus or programming, design or documentation error all Processing activities of Personal Data and their lawful bases and (ii) all data protection impact assessments, in sufficiently good working condition to effectively perform all material information technology operations necessary for each case as required by the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessapplicable Privacy Laws.

Data Privacy and Security. (a) To The Company and its Subsidiaries have at all times for the Company’s knowledgepast two (2) years complied in all material respects with, each Group and are currently in compliance in all material respects with, all applicable Privacy Laws, Privacy and Data Security Policies (as defined below) and contractual commitments relating to the Processing of Personal Data (collectively, the “Privacy Requirements”). The Company has and its Subsidiaries have implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To There is no pending, nor has there been for the Company’s knowledgepast two (2) years, there is (and since any Proceeding against the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against Company or involving any Group Company of its Subsidiaries initiated by any Person (including (i) the any Person, (ii)the United States Federal Trade Commission, any state attorney general or similar state official; , (iiiii) any other Governmental Entity, foreign or domestic; , or (iiiiv) any regulatory or self-regulatory entity) , alleging that any violation of any Privacy Requirement by the Company or its Subsidiaries with respect to any Processing of Personal Data by or on behalf of a Group the Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingof its Subsidiaries. (c) To the Company’s knowledgeThere has been no breach of security resulting in unauthorized access, since the Lookback Date: (i) no person has alleged use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group the Company or any of its Subsidiaries or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged the Company or given written notice any of its Subsidiaries, or any unauthorized intrusions or intrusions, breaches of security into any or other data security incidents with respect to the Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group The Company owns and its Subsidiaries own or has have license to use such the Company IT Systems as necessary to operate the business of each Group Business as currently conducted and the Company IT Systems operate and perform in a manner that permits the Company and its Subsidiaries to conduct the Business as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption none of the Company IT Systems contain any worm, bomb, backdoor, clock, timer or other than disabling device, code, design or routine failures that causes the Software of any portion thereof to be erased, inoperable or disruptions otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized person. (e) The Company has taken commercially reasonable organizational, physical, administrative and technical measures required by Privacy Requirements, and consistent with standards prudent in the industry in which the Company operates, designed to protect the integrity, security and operations of the Company IT Systems. The Company and its Subsidiaries have implemented commercially reasonable procedures, including implementing data backup, disaster avoidance, recovery and business continuity procedures, and have satisfied the requirements of applicable Privacy Laws in all material respects, designed to detect data security incidents and to protect Personal Data against loss and against unauthorized access, use, modification, disclosure or other misuse. (f) The consummation of any of the transactions contemplated hereby or pursuant to any Ancillary Document will not violate any applicable Privacy Requirements. (g) There have not been any Proceedings related to any unauthorized intrusions, breaches of security or other data security incidents, or any violations of any Privacy Requirements, that have been remediated in asserted against the ordinary course Company or any of businessits Subsidiaries and, to the Company’s knowledge, neither the Company nor any of its Subsidiaries has received any information relating to, or notice of any Proceedings with respect to, any alleged violations by the Company or any of its Subsidiaries of any Privacy Requirements.

Data Privacy and Security. (a) To The Company and its Subsidiaries have, in all material respects, implemented and maintain commercially reasonable data backup, system redundancy, and disaster avoidance and recovery plans and procedures, as well as commercially reasonable information security plans, procedures and arrangements designed to protect and preserve the Company’s knowledgeavailability, each Group Company has implemented adequate written policies relating integrity, security, confidentiality and operation of the IT Systems (including all information stored or contained therein or transmitted thereby) against any unauthorized use, access, interruption, modification or corruption. Since January 1, 2019, there have been no data breaches or security incidents with respect to the Processing IT Systems that resulted in any unauthorized access to or use, disclosure, modification or corruption of Personal Data as and any information stored or contained therein, or resulted in the exertion of third-party control over any of the IT Systems, except those that (i) have been remedied without any material cost or material liability to the extent required by applicable Law Company or any of its Subsidiaries or the duty to notify any other Person, and (“Privacy and Data Security Policies”)ii) did not cause a material disruption to the IT Systems or otherwise have a material impact on the operation of the business of the Company or any its Subsidiaries. (b) To Since January 1, 2019, the Company and its Subsidiaries (i) have posted a privacy policy on the Company’s knowledgewebsite regarding the collection, there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, disposal, maintenance and transmission of any Personal Information of visitors to the website, (ii) have and, to the Knowledge of the Company, all affiliates, vendors, or Processing processors, with respect to their processing of Personal Data Information on behalf of the Company and its Subsidiaries, been in compliance in all material respects with all applicable Laws and Orders concerning data protection or information privacy and security and (iii) have complied in all material respects with their posted privacy policies, and contractual requirements pertaining to data protection or information privacy and security. Since January 1, 2019, to the possession Knowledge of the Company, neither the Company nor any of its Subsidiaries (i) has been required to notify a Governmental Authority or control any other Person in relation to a security incident or any applicable Law or Order relating to data protection or information privacy and security, (ii) has received any written notice from any Governmental Authority alleging a violation of any Group applicable Laws or Orders concerning data protection or information privacy and security and (iii) to the Knowledge of the Company, there is no pending investigation by any Governmental Authority of the Company or any of its contractors with regard Subsidiaries relating to any Personal Data obtained from such Laws or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectOrders. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To the Company’s knowledge, each Each Group Company involved in the collection or Processing of Personal Data has implemented adequate and, where applicable, posted written policies privacy notices relating to the Processing of Personal Data as and to the extent required by applicable Law Privacy Laws (“Privacy and Data Security Policies”)) and is in compliance in all material respects with such Privacy and Data Security Policies. (b) To the Company’s knowledge, there is (and since the Lookback Date are no pending Proceedings, nor has there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; Entity or (iiiiv) any regulatory entity or self-regulatory entity) , in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company (A) is in violation of any applicable Privacy Laws or was (B) is in violation of any Privacy Laws or any Privacy and Data Security Policies norPolicies. (c) Since the Lookback Date, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: knowledge (i) there has been no person has alleged unauthorized access, use, acquisition or given written notice disclosure of unauthorized access toPersonal Data, or use, disclosure, or Processing of Personal Data confidential business information in the possession or control of any Group Company or or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or third party service provider acting on behalf of a any Group Company; , and (ii) there have been no person has alleged or given written notice of unauthorized intrusions into or breaches Security Breaches of security into any Group Company systems networks, communication equipment or other technology necessary for the operations of the Group Companies’ business, except in the case of clauses (i) and (ii), as would not be have a Company Material Adverse Effect. The Group Companies have not experienced any material successful unauthorized access to, use or modification of, or interference with Company IT Systems; Systems since the Lookback Date and (iii) none of the Group Companies has notified is aware of any written or, to the Company’s knowledge, oral notices or been required to notify complaints from any Person of any (A) lossregarding such a Security Breach or incident, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, except in each case, case as would not have a Company Material Adverse Effect. Except as would not have a Company Material Adverse Effect, (A) there is no unauthorized code in any of the Company Products and none of the Group Companies has received any written complaints, claims, demands, inquiries or other notices, including a notice of investigation, from any Person (including any Governmental Entity or self-regulatory authority) or entity regarding the Company IT Systems, any of the Group Companies’ Processing of Personal Data, or the Group Companies’ compliance with applicable Privacy and Security Requirements and (B) since the Lookback Date, none of the Group Companies have provided or have been obligated to provide notice under any Privacy and Security Requirements regarding any Security Breach or unauthorized access to or use of any Company IT System or Personal Data. (d) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All The Group Companies have in place disaster recovery and security plans and procedures, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. The Group Companies have a sufficient number of license seats for all Software included in the Company IT Systems, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (e) Except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole, the Group Companies are and have been in compliance with all applicable Privacy and Security Requirements since the Lookback Date. (f) The Group Companies have implemented reasonable physical, technical and administrative safeguards designed to protect the privacy, operation, confidentiality, integrity and security of all Company IT Systems are: and Personal Data in their possession or control from unauthorized access by any Person, including each of the Group Companies’ employees and contractors, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (g) To the extent required by applicable Privacy Law, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole, the Group Companies have taken commercially reasonable measures designed to ensure all third party service providers, outsourcers, processors, or other third parties Processing Personal Data, in each case on behalf of the Group Companies, (i) free from any material defect, bug, virus or programming, design or documentation error use commercially reasonable measures designed to comply with applicable Privacy and Security Requirements; and (ii) in sufficiently good working condition use reasonable security measures with respect to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessPersonal Data.

Data Privacy and Security. (a) To the Company’s knowledgeThe Group Companies comply with, each Group Company has implemented adequate written policies relating and have at all times since January 1, 2017 complied with, all Data Protection Laws applicable to the Processing of Personal Data as and Group Companies or to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To conduct of the Company’s knowledgeBusiness, there is (and since the Lookback Date there has been) no material Proceeding pending or, except for noncompliance that would not reasonably be expected to the Company’s knowledge, threatened against or involving any Group have a Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access toXxxxx Xxxxxxxx Adverse Effect. Except as would not have, or usewould not reasonably be expected to have, disclosure, individually or Processing of Personal Data in the possession or control of any Group aggregate, a Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) Xxxxx Xxxxxxxx Adverse Effect, none of the Group Companies has notified used, disclosed, transferred, or been required to notify otherwise processed any Person Personal Data in any manner that violates any Data Protection Law or is inconsistent with the terms of any Material Contract. (Ab) lossNone of the Group Companies has received any subpoenas, theft or damage ofdemands, or (B) other unauthorized or unlawful access tonotices from any governmental Authority investigating, inquiring into, or useotherwise relating to any actual or potential violation of any Data Protection Law and, disclosure to the Knowledge of the Seller, none of the Group Companies is under investigation by any governmental Authority for any actual or other Processing ofpotential violation of any Data Protection Law. (c) No notice, Personal Datacomplaint, exceptclaim, in each caseenforcement action, as would not have a Company Material Adverse Effector litigation of any kind has been served on, or to the Knowledge of the Seller, initiated against the Group Companies under any applicable Data Protection Law. (d) Each Except as set forth on Schedule 4.19(d), each of the Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) Companies complies in sufficiently good working condition to effectively perform all material information technology operations necessary for respects with the operation terms of all published and posted policies, procedures, and notices of the Business Group Companies relating to its collection, use, or disclosure of Personal Data. (except for ordinary wear e) Each of the Group Companies has taken commercially reasonable steps, compliant in all material respects with applicable Data Protection Laws and tear)Material Contracts to protect the operation, confidentiality, integrity, and security of the Group Companies’ software, systems, and websites that are involved in the collection and/or processing of Personal Data. (f) Except as would not have, or would not reasonably be expected to have, individually or in the aggregate, a Company Xxxxx Xxxxxxxx Adverse Effect, none of the Group Companies has experienced any security breaches of Personal Data. To the Company’s knowledge, since Knowledge of the Lookback DateSeller, there have not been are no pending or expected complaints, actions, fines, or other penalties facing the Group Companies in connection with any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessdata security breaches.

Data Privacy and Security. (a) To the Company’s knowledgeExcept as would not have a Company Material Adverse Effect, each Private Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledgeExcept as would not have a Company Material Adverse Effect, there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened in writing, against or involving any Private Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; , (ii) any other Governmental Entity, foreign or domestic; domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Private Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies Requirements, nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To Since January 1, 2019, to the Company’s knowledge, since the Lookback Date: (i) there has been no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Private Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Private Group Company; , (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; , and (iii) none of the Private Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each casecase of clauses (i), (ii) and (iii), as would not have a Company Material Adverse Effect. (d) Each Except as would not have a Company Material Adverse Effect, (i) each Private Group Company owns or has license licenses to use such the Company IT Systems as necessary to operate the business of each Private Group Company as currently conducted. All , (ii) to the Company’s knowledge, all Company IT Systems are: (i) are free from any material defect, bug, virus or programming, design or documentation error and (iiiii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledgesince January 1, since the Lookback Date2019, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business. (e) To the knowledge of the Company, the consummation of this Agreement and any transfers of Personal Data necessary to give effect to the Agreement will not violate any Privacy and Security Requirement, except as would not have a Company Material Adverse Effect.

Data Privacy and Security. (a) To Section 3.21(a) of the Disclosure Schedule sets forth a complete list of all current (as of the date of this Agreement): (i) data privacy and security policies of the Company’s knowledge, each Group whether applicable internally, published by the Company has implemented adequate written policies relating or its Subsidiaries, including on a website, or otherwise made available by the Company or any of its Subsidiaries to any Person (“Company Privacy Policies”); and (ii) notifications and registrations made by the Processing of Company with relevant Governmental Entities in connection with Personal Data as and to the extent required by applicable Law (“Company Privacy and Data Security PoliciesRegistrations”). (b) To Except as set forth in Section 3.21(b) of the Disclosure Schedule, since January 1, 2017, the Company’s knowledgedata, there is (privacy and since security practices have conformed with in all material respects, and the Lookback Date there has been) no material Proceeding pending orexecution, delivery and performance of this Agreement will not cause, constitute, or result in a breach or violation of, Privacy Laws, the Company Privacy Policies, the Company Privacy Registrations and any Contract relating to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by to which the Company or on behalf of its Subsidiaries is a Group party or is otherwise bound (“Company is or was in violation of any Data Agreements”) (collectively, “Company Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingCommitments”). (c) To Except as set forth in Section 3.21(c) of the Company’s knowledgeDisclosure Schedule, since the Lookback Date: (i) no person the Company has alleged or given written notice of unauthorized access tonot received any subpoenas, demands, or useother notices from any Governmental Entity investigating, disclosureinquiring into, or Processing of Personal Data in the possession otherwise relating to any actual or control potential violation of any Group Privacy Laws, and to Seller’s Knowledge, the Company or is not under investigation by any Governmental Entity for any violation of its contractors with regard to any Personal Data obtained from or on behalf of a Group CompanyPrivacy Law; and (ii) no person Action has alleged been served on or, to Seller’s Knowledge, initiated or given written notice threatened in writing against the Company alleging violation of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectPrivacy Commitments. (d) Each Group Company owns Except as set forth on Section 3.21(d) in the Disclosure Schedule, no violation of any data security policy, breach, or unauthorized access in relation to Personal Data in the Company’s possession, custody or control or material security incident has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conductedoccurred. All Company IT Systems areNo circumstance has arisen in which: (i) free from any material defect, bug, virus Applicable Laws would require the Company to notify a Governmental Entity of a data security breach or programming, design security incident or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns applicable guidance or continued substandard performance of any Company IT Systems that have caused a material failure codes or disruption of practice promulgated under Applicable Law would recommend the Company IT Systems other than routine failures to notify a Governmental Entity of a data security breach or disruptions that have been remediated in the ordinary course of businesssecurity incident.

Data Privacy and Security. (a) To The Company Entities complied and are in compliance in all material respects with all Privacy Commitments. The Company Entities have implemented and maintained appropriate physical, technical and organizational security measures to prevent the Company’s knowledge, each Group Company has implemented adequate written policies relating to the unlawful Processing of Personal Data as Information and unauthorized access, accidental loss or destruction of or damage to the extent required by applicable Law (“Privacy and Data Security Policies”)Personal Information in their respective control. (b) To the Company’s knowledge, there No Company Entity has received any written notice from any Governmental Authority or any Person alleging that any Company Entity is (and since the Lookback Date there or has been) no material Proceeding pending orbeen in breach of any Privacy Commitment or seeking to limit its use of Personal Information and, to the Knowledge of the Company’s knowledge, threatened against no such breach has occurred within the applicable statute of limitations for a claim arising out of such a breach. No Company Entity has received a written request, complaint or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general objection to its collection or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing use of Personal Data by or on behalf of a Group Company is or was in violation of Information from any Privacy Laws Governmental Authority or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingPerson. (c) To The Company Entities have at all times made all disclosures to and obtained consents from third Persons (or otherwise have an appropriate legal basis) required by applicable Privacy Laws prior to the Processing of any Personal Information from such Persons and none of such disclosures made or contained in any Privacy Policy of a Company Entity or in any such materials has been inaccurate, misleading, or deceptive or in violation of any applicable Privacy Laws, including by omission. No action is pending and, to the Knowledge of the Company’s knowledge, since the Lookback Date: (i) no person Person has alleged threatened to commence any action concerning any claim that any Company Entity has violated any Privacy Commitment in connection with, or given written notice of unauthorized access relating to, any Personal Information or use, disclosure, or the Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into information by any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectEntity. (d) Each Group The execution, delivery and performance of this Agreement and the Transactions comply, and will comply, in all material respects, with all Privacy Commitments. Following the Closing Date, the Company owns or Entities will continue to be permitted to collect, store, use and disclose Personal Information held by the Company Entities on terms substantially similar to those in effect as of the date of this Agreement and to the same extent the Company Entities would have been able to had the Transactions not occurred. (e) No Company Entity and, to the Knowledge of the Company, no Personal Information Processor, has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from experienced any material defectunauthorized access to, bugdeletion or other misuse of, virus any Personal Information in its possession or programmingcontrol (a “Security Incident”) or made or been required to make any disclosure, design notification or documentation error take any other action under any applicable Privacy Laws in connection with any Security Incident. (f) The Company Entities have established and (ii) maintain appropriate technical, physical, administrative and organizational policies, measures and security systems and technologies consistent with industry standards and in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear)compliance with data security requirements under applicable Privacy Laws that ensure that Company Data is protected against unauthorized access, use, modification, disclosure, misuse, or accidental or unlawful Processing. To the Company’s knowledge, since the Lookback Date, there The Company Entities have not received any written complaint, proceeding, investigation (formal or informal) or claim against, any Company Entity, by any private party, data protection authority, the Federal Trade Commission, or any other Governmental Authority, foreign or domestic, with respect to the collection, use, retention, disclosure, transfer, storage, security, disposal, or other Processing of Company Data. There has been any material failures, breakdowns or continued substandard performance no unauthorized Processing of any Company IT Systems that have caused Data and no event or circumstance has occurred or arisen in which Privacy Laws would require any Company Entity to notify a material failure Governmental Authority of a data security breach, security incident or disruption violation of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessany data security policy.

Data Privacy and Security. (a) To The Company and its Subsidiaries comply, and during the Company’s knowledgepast four (4) years have complied with (i) all Privacy and Information Security Requirements, each Group Company has implemented adequate written policies (ii) their respective Privacy Notices, and (iii) their respective Contracts relating to the Processing of Personal Data (including any Personal Data transfer agreements) or cybersecurity (such as and in relation to Data Breaches). Neither the Company nor any of its Subsidiaries, nor, to the extent required Company’s Knowledge, any other Person, has received any notice, allegation, complaint, or other communication, and, to the Company’s Knowledge, there is no pending investigation or Action by applicable Law (“any Governmental Authority or payment card association, regarding, in each case of the above, any actual or possible violation of any Privacy and Data Information Security Policies”)Requirement by or with respect to the Company or its Subsidiaries. (b) To Neither the Company’s knowledgeCompany nor its Subsidiaries, there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (any of its or their respective Service Providers or others acting on their behalf, have had, or have, a Data Breach. Neither the Company nor since its Subsidiaries have notified, or, to the Lookback Date Company’s Knowledge, been required to notify, any Person of any Data Breach. The Company and its Subsidiaries employs and has there been) any basis for employed commercially reasonable physical, technical, and organizational safeguards that comply with all Privacy and Information Security Requirements to protect, or advise on the foregoingprotection of, Personal Data or other Data within its custody or control against a Data Breach and requires the same of all Service Providers that Process Data on its behalf or advise on the protection of Personal Data or other Data. (c) To the Company’s knowledgeThe Company and its Subsidiaries have provided all notices and opt-in or opt-out choices (and honored such choices), since the Lookback Date: and obtained all consents, and satisfied all other requirements (i) no person has alleged or given written notice of unauthorized access including but not limited to notification to, or useregistration with, disclosureany Governmental Authority), in each case, in compliance with Privacy and Information Security Requirements and as necessary for the Company and its Subsidiaries’ respective Processing (including international and onward transfer) of data in connection with the conduct of the business as currently conducted and in connection with the consummation of the transactions contemplated hereunder. The Company and its Subsidiaries are not subject to any contractual requirements, Privacy Notices, or Processing of Personal Data in other legal obligations that, following the possession or control of any Group Closing, would prohibit the Company or any of its contractors with regard to any Subsidiaries from receiving or using Data or Personal Data obtained from in the manner in which the Company or on behalf any of a Group Company; (ii) no person has alleged its Subsidiaries receive or given written notice of unauthorized intrusions use such Data or breaches of security into any Company IT Systems; and (iii) none of Personal Data prior to the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectClosing. (d) Each Group of the Company and its Subsidiaries owns or has license to use such Company the IT Systems as necessary to operate the its business of each Group Company as currently conducted. All The Company and its Subsidiaries have taken reasonable precautions designed to protect the confidentiality, integrity, and security of the IT Systems are: and all information stored or contained therein or transmitted thereby from any loss, theft, or unauthorized disclosure, use, access, interruption or modification by any Person. To Company’s knowledge, all IT Systems are (i) free from any Malicious Code, material defect, bug, virus bug or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business business of the Company and its Subsidiaries (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there There have not been any material failures, breakdowns breakdowns, or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the IT Systems. The Company IT Systems other than routine failures or disruptions that and its Subsidiaries have implemented, maintained and tested commercially reasonable disaster recovery procedures and facilities for the business of the Company and its Subsidiaries and all Data material to the respective businesses of the Company and its Subsidiaries has been remediated regularly backed up in the ordinary course of businessan encrypted manner and tested for restoration.

Data Privacy and Security. (a) To Except as set forth on Section 3.22(a) of the Company’s knowledgeCompany Disclosure Schedules, each Group Company has implemented adequate written internal and external policies relating to the Processing of Personal Data as and to the extent required by applicable Privacy Law (“Privacy and Data Security Policies”). Except as set forth on Section 3.22(a) of the Company Disclosure Schedules, for the past three (3) years, to the knowledge of the Company, each Group Company has at all times complied with all applicable Privacy Laws, the Privacy and Data Security Policies, and contractual obligations entered into by a Group Company relating to the Processing of Personal Data and any other applicable industry standards or requirements binding upon such Group Company (collectively, the “Privacy Requirements”). (b) To the Company’s knowledgeThe Company has not received notice of any pending Proceedings, nor has there is (and since the Lookback Date there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; or (iiiiv) any regulatory state, federal, or self-regulatory entity) international data protection authority, in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingRequirements. (c) To Except as set forth on Section 3.22(c) of the Company Disclosure Schedules, for the past three (3) years, to the knowledge of the Company’s knowledge, since the Lookback Date: (i) there has been no person has alleged material unauthorized access, use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group Company or and/or any of its contractors with regard to the service providers of any Personal Data obtained from or on behalf of a Group Company; Company and (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of Systems under the Group Companies has notified or been required to notify any Person control of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectGroup Company. (d) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Each Group Company IT Systems are: has taken commercially reasonable steps to protect (i) free from any material defectthe operation, bugconfidentiality, virus or programming, design or documentation error integrity and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption security of the Company IT Systems other than routine failures or disruptions that have been remediated and (ii) personal data in the ordinary course Group Company’s possession or control, or otherwise processed by the Group Company, from unauthorized, accidental or unlawful use, disclosure and modification. (e) To the knowledge of businessthe Company, each Group Company is, and at all times has been, in compliance with all legal requirements that are applicable to each Group Company’s business as presently conduct pertaining to sales, marketing, and electronic communications, including, without limitation, the U.S. CAN-SPAM Act, the U.S. Telephone Consumer Protection Act (TCPA), and the Fair Credit Reporting Act (FCRA). (f) Each Group Company has reasonable procedures in place to ensure that the third parties with which such Group Company shares or transfers Personal Data are required to protect the confidentiality of the shared or transferred Personal Data in compliance with all applicable Privacy Requirements. Each Group Company has contractual arrangements with such third parties that comply with all applicable Privacy Requirements to the extent applicable to the third party’s services, use, or processing of Personal Data.

Data Privacy and Security. Except as disclosed in the Commission Documents, the Company and its Subsidiaries have at all times since the Business Combination Closing complied in all material respects with all applicable Privacy Laws, Privacy and Data Security Policies (aas defined below), and contractual commitments concerning the Payment Card Industry Data Security Standards (if any) To (collectively, the Company’s knowledge“Privacy Requirements”). Except as disclosed in the Commission Documents, each Group the Company has and its Subsidiaries have implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To . Except as disclosed in the Company’s knowledgeCommission Documents, there is (and no pending, nor has there been since the Lookback Business Combination Closing Date there has been) no any material Proceeding pending or, to Actions against the Company’s knowledge, threatened against Company or involving any Group Company of its Subsidiaries initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental EntityAuthority, foreign or domestic; or (iiiiv) any regulatory or self-regulatory entity) entity alleging that any Processing of Personal Data by or on behalf of a Group the Company or any of its Subsidiaries is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to Requirements. Except as disclosed in the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledgeCommission Documents, since the Lookback Business Combination Closing Date: (i) , there has been no person has alleged material breach of security resulting in unauthorized access, use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group the Company or any of its Subsidiaries (as applicable) or, to the Company’s Knowledge, any of their respective contractors with regard to any Personal Data obtained from or on behalf of a Group Company; the Company or any of its Subsidiaries (ii) no person has alleged as applicable), or given written notice of any material unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none the systems of the Group Companies has notified Company or been required to notify any Person of any its Subsidiaries (A) lossas applicable). Except as disclosed in the Commission Documents, theft the Company or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company one of its Subsidiaries owns or has license to use such Company the IT Systems as necessary to operate the business Business of each Group the Company and its Subsidiaries as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledgeKnowledge, except as disclosed in the Commission Documents, none of the IT Systems contain any worm, bomb, backdoor, clock, timer or other disabling device, code, design or routine that causes the software of any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized Person, except as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, the Company and its Subsidiaries have taken organizational, physical, administrative and technical measures required by Privacy Requirements consistent with standards prudent in the industry in which the Company and its Subsidiaries operate to protect (i) the integrity, security and operations of their information technology systems, and (ii) the confidential data owned by the Company or any of its Subsidiaries or provided by the Company’s or any Subsidiary’s customers, and Personal Data against data security incidents or other misuse, except where the failure to take such organizational, physical, administrative or technical measures would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, the Company and its Subsidiaries have implemented reasonable procedures, satisfying the requirements of applicable Privacy Laws in all material respects, to detect data security incidents and to protect Personal Data against loss and against unauthorized access, use, modification, disclosure or other misuse, except where the failure to implement such reasonable procedures would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, in connection with each third-party service provider whose services are material to the Company or one of its Subsidiaries and involve the Processing of Personal Data on behalf of the Company or any of its Subsidiaries, the Company or one of its Subsidiaries has in accordance with Privacy Laws, since the Lookback Business Combination Closing Date, entered into valid data processing agreements with any such third party in accordance with applicable Privacy Laws, except where the failure to enter into such valid data processing agreements with any such third party would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, there have not been any material failures, breakdowns Actions related to any data security incidents or continued substandard performance any violations of any Company IT Systems Privacy Requirements that have caused a material failure been asserted in writing against the Company or disruption any of its Subsidiaries, and, to the Company’s Knowledge, none of the Company IT Systems or any of its Subsidiaries has received any written correspondence relating to, or written notice of any Actions with respect to, alleged violations by the Company or any of its Subsidiaries of, Privacy Requirements, in each case which Actions, if adjudicated adversely to the Company or any of its Subsidiaries, would, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except as disclosed in the Commission Documents, neither the Company nor any of its Subsidiaries has transferred any Personal Data from the European Union or United Kingdom to a jurisdiction outside the European Economic Area or United Kingdom, other than routine failures in accordance with Articles 45 and 46(2) of the GDPR, except as would not, individually or disruptions that have been remediated in the ordinary course of businessaggregate, reasonably be expected to have a Material Adverse Effect.

Data Privacy and Security. (a) To the Company’s knowledge, each Each Group Company has implemented adequate written commercially reasonable practices, procedures and policies relating designed to address the Processing security and privacy of Personal Data as and Processed by each such Group Company to the extent required by applicable Law (“Privacy and Data Security Policies”)) and such Privacy and Data Security Policies comply with all applicable Privacy Laws in all material respects. Each Group Company complies in all material respects with all applicable Privacy Laws and with all Privacy and Data Security Policies. (b) To the Company’s knowledgeThe Company has not received notice of any pending Proceedings, there is (and since the Lookback Date there has been) no material Proceeding pending or, nor to the Company’s knowledge, threatened knowledge has there been any material Proceedings against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, Entity foreign or domestic; or (iiiiv) any regulatory or self-regulatory entityentity that, in each case of (i) alleging to (iv), allege that any Processing of Personal Data by or on behalf of a Group Company (A) is in violation of any applicable Privacy Laws or was (B) is in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingPolicies. (c) To the Company’s knowledgeSince January 1, since the Lookback Date: 2018, (i) there has been no person has alleged or given written notice material instance of unauthorized access toaccess, use or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group Company or and, to the knowledge of the Company, any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; Company and (ii) there have been no person has alleged or given written notice of material unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each of the Group Companies has established and complied in all material respects with its information security practices, procedures, and policies, which include commercially reasonable measures such as back-ups, disaster recovery and administrative, technical, and physical safeguards designed to safeguard the security, confidentiality, integrity and availability of Company IT Systems and Personal Data in its possession, custody, or under its control, including against loss, theft, misuse or unauthorized Processing, access, use, modification or disclosure. Each Group Company owns or has a license or right to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To The Company and its Subsidiaries have at all times for the Company’s knowledgepast three (3) years complied in all material respects with all applicable Privacy Laws, each Group Privacy and Data Security Policies (as defined below) and contractual commitments relating to the Processing of Personal Data (collectively, the “Privacy Requirements”). The Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To There is no pending, nor has there been for the Company’s knowledgepast three (3) years, there is (and since any Proceeding against the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against Company or involving any Group Company of its Subsidiaries initiated by any Person (including (i) any Person, (ii) the United States Federal Trade Commission, any state attorney general or similar state official; , (iiiii) any other Governmental Entity, foreign or domestic; , or (iiiiv) any regulatory or self-regulatory entity) , alleging that any Processing of Personal Data by or on behalf of a Group the Company or any of its Subsidiaries is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingRequirements. (c) To For the Company’s knowledgepast three (3) years, since the Lookback Date: (i) there has been no person has alleged breach of security resulting in unauthorized access, use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group the Company or any of its Subsidiaries or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged the Company or given written notice any of its Subsidiaries, or any unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified Company’s or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effectits Subsidiaries’ systems. (d) Each Group The Company owns and its Subsidiaries own or has have license to use such the Company IT Systems as necessary to operate the business of each Group Business as currently conducted and the Company IT Systems operate and perform in a manner that permits the Company and its Subsidiaries to conduct the Business as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption none of the Company IT Systems contain any worm, bomb, backdoor, clock, timer or other than disabling device, code, design or routine failures that causes the Software of any portion thereof to be erased, inoperable or disruptions otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized person. (e) The Company has taken commercially reasonable organizational, physical, administrative and technical measures required by Privacy Requirements, and consistent with standards prudent in the industry in which the Company operates, designed to protect the integrity, security and operations of the Company IT Systems. The Company and its Subsidiaries have implemented commercially reasonable procedures, satisfying the requirements of applicable Privacy Laws in all material respects, designed to detect data security incidents and to protect Personal Data against loss and against unauthorized access, use, modification, disclosure or other misuse. (f) The consummation of any of the transactions contemplated hereby or pursuant to any Ancillary Document will not violate any applicable Privacy Requirements. (g) There have not been any Proceedings related to any data security incidents or any violations of any Privacy Requirements that have been remediated in asserted against the ordinary course Company or any of businessits Subsidiaries and, to the Company’s knowledge, neither the Company nor any of its Subsidiaries has received any information relating to, or notice of any Proceedings with respect to, alleged violations by the Company or any of its Subsidiaries of any Privacy Requirements.

Data Privacy and Security. (a) To The Company and its Subsidiaries have developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the Company’s knowledge“Data Protection Program”) that is in compliance in all material respects with the Privacy Requirements. Since January 1, 2019, the Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2019, no Person has claimed any compensation or damages from the Company or any of its Subsidiaries, or has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries, in each Group Company has implemented adequate written policies relating case, in relation to the Processing any actual or alleged Security Incident or otherwise for or arising as a result of Personal Data as and to the extent required by applicable Law (“any actual or alleged violation, breach or other non-compliance with or of any Privacy and Data Security Policies”)Requirement. (b) To Except as set forth in Section 5.14(b) of the Company’s knowledgeCompany Disclosure Schedule, there is (since January 1, 2019, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Company PII. The Company and its Subsidiaries are not, and since the Lookback Date there has January 1, 2019, have not been) no material Proceeding pending or, subject to the Company’s knowledgea Governmental Order of, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commissionhave received a written notice from, any state attorney general a Governmental Authority regarding, actual or similar state official; (ii) any other Governmental Entity, foreign alleged non-compliance with or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingRequirement. (c) To the Company’s knowledgeknowledge of the Company and except as set forth in Section 5.14(c) of the Company Disclosure Schedule, since the Lookback Date: (i) no person has alleged each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or other Personally Identifiable Information on behalf of a Group Company; the Company or its Subsidiaries are in compliance in all material respects with the Privacy Requirements, and (ii) there have been no person material unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements. Since January 1, 2019, no Security Incident has alleged occurred for which the Privacy Requirements would require the Company or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required its Subsidiaries to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectGovernmental Authority. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation The consummation of the Business (Transactions will not breach any Privacy Requirement, except for ordinary wear and tear). To as would not reasonably be expected to be, individually or in the Company’s knowledgeaggregate, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of to the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessand its Subsidiaries, taken as a whole.

Data Privacy and Security. (a) To The Company and its Subsidiaries and, to the Knowledge of the Company, its Data Partners, comply and, within the last five years, have complied in all material respects with all Privacy Laws, Company Privacy Policies and Contracts relating to the processing, privacy and security of Personal Information (collectively, the “Company Privacy Commitments”), including compliance with respect to (i) Personal Information of Company’s website visitors, customers or representatives of Company customers, the Company’s knowledgeor its Subsidiaries’ own employees, each Group or any other individual whose Personal Information is processed by the Company has or its Subsidiaries; and (ii) the sending of solicited or unsolicited electronic or telephonic communications, including via email, text message or phone call. The Company and its Subsidiaries have implemented adequate written policies relating to and maintained processes for identifying and redacting any Personal Information contained in the Processing of Personal Data as and to Spaces created by the extent required by applicable Law (“Privacy and Data Security Policies”)Company Platform. (b) To Neither the Company’s knowledgeexecution, there is (delivery and since performance of this Agreement by the Lookback Date there has been) no material Proceeding pending or, to Company nor the Company’s knowledge, threatened against or involving any Group consummation by the Company initiated by any Person (including of the transactions contemplated hereby will (i) the United States Federal Trade Commission, trigger or require any state attorney general notices to or similar state officialconsents from any Person; (ii) violate any other Governmental Entity, foreign or domesticCompany Privacy Commitments; or (iii) give rise to any regulatory right of termination or self-regulatory entityother right to impair or limit the Company’s or its Subsidiaries’ right to own and process any Personal Information used in or necessary for the operation of the business of the Company or its Subsidiaries. Since July 21, 2021, the Company and its Subsidiaries (A) alleging that any Processing have, in all material respects, implemented and maintain complete, accurate and up to date records of responses to requests from individuals requesting access, rectification or deletion of Personal Data Information or other exercise of rights under Company Privacy Commitments and (B) have responded to all requests from individuals requesting access, rectification, deletion or other exercise of rights under Privacy Laws, in the time period and in accordance in all material respects with the other requirements of Company Privacy Commitments. (c) All Personal Information processed by the Company or its Subsidiaries has been collected fairly and lawfully (including through the provision of information notices and other disclosures (in the Company Privacy Policies or otherwise) and the collection of valid consent where required) and can be used legitimately in the manner used by the Company without breaching any Company Privacy Commitments. The Company and its Subsidiaries have, as of the date hereof and since July 21, 2021, posted and prominently made available on behalf its websites, mobile applications and other mechanisms through which the Company or its Subsidiaries collects Personal Information, a Company Privacy Policy in conformance in all material respects with Privacy Laws. All Company Privacy Policies published by the Company are and, since July 21, 2021, have, in all material respects, been accurate, complete and consistent with the actual practices of a Group the Company is and its Subsidiaries with respect to the processing of Personal Information. As of the date hereof, no disclosure or was representation made or contained in any Company Privacy Policy published by the Company has been intentionally inaccurate, misleading, deceptive or in violation of any Privacy Laws (including by containing any material omission). (d) The Company and its Subsidiaries have in place written Contracts with all of their customers regarding the Company’s or any its Subsidiaries’ processing of Personal Information on behalf of such customers. Such Contracts include written obligations that comply with the requirements of Privacy and Data Security Policies nor, Laws in relation to the Company’s knowledgeand its Subsidiaries’ processing and protection of Personal Information. When acting as a Data Processor on behalf of customers, is there the Company and its Subsidiaries do not process Personal Information for any purpose except on the instruction of the customer (unless required to do so by applicable Law). Neither the Company nor since its Subsidiaries have transferred or permitted the Lookback Date has there beentransfer of Personal Information originating in the European Economic Area (“EEA”) any basis or United Kingdom (“UK”) to outside the EEA or UK (as applicable), or otherwise across jurisdictional borders, except where such transfers have complied with the requirements of the Company Privacy Commitments and with reasonable safeguards in place for the foregoingsuch transfer. (ce) To Where the Company or its Subsidiaries use a Data Partner to process Personal Information or otherwise share or disclose Personal Information with such Data Partner, there is in existence a Contract. Such Contract with the Data Partner includes written obligations in relation to the processing and protection of Personal Information and has agreed to comply with those obligations in a manner sufficient for the Company’s knowledgeand its Subsidiaries’ compliance with Company Privacy Commitments, since including where applicable, obligations for any party acting as a Data Processor (as defined under the Lookback Date: Privacy Laws) to act only on the instructions of the Data Controller (as defined under the Privacy Laws) and such other terms as are required under Privacy Laws. To the Knowledge of the Company, no Data Partner has breached any such Contracts. (f) The Company and its Subsidiaries have, and have required all Data Partners to have, implemented administrative, physical and technical safeguards to protect and maintain the confidentiality, integrity, availability and security of Personal Information and any information technology systems owned by the Company or its Subsidiaries against any accidental, unlawful or unauthorized use, access, disclosure, modification, destruction, loss, or compromise or other processing (a “Security Incident”). The Company and its Subsidiaries use, and have at all times used, reliable methods designed to ensure the correct identity of the users of those with access to any information technology systems owned by the Company or its Subsidiaries, and have used reliable measures designed to protect the security and integrity of transactions executed through the IT Systems of the Company or its Subsidiaries. (g) In relation to any Security Incident and/or violation of Company Privacy Commitments, neither the Company, any Subsidiary, nor to the Knowledge of the Company, as of the date hereof, any Data Partner has: (i) no person has alleged or given written notice of unauthorized access tonotified in writing, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify in writing, any customer, consumer, employee, Governmental Authority or other Person or (ii) received any written notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any (A) lossinvestigation or enforcement action by, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure any Governmental Authority or other Processing of, Personal Data, except, in each casePerson. To the Knowledge of the Company, as of the date hereof, there are no facts or circumstances that would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license give rise to use such Company IT Systems as necessary to operate the business occurrence of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To the Company’s knowledge, each Group The Company has implemented adequate and maintains commercially reasonable written policies relating to (i) the Processing of Personal Data as and to the extent required by applicable Privacy Law (“Privacy and Data Security Policies”)) and (ii) other Data Security Requirements. The conduct of the Business is (and has in the past three (3) years been) in material compliance with all Data Security Requirements. (b) To Since December 31, 2020, the Company’s knowledgeCompany has not received written notice of any pending Proceedings, nor has there is (and since been any Proceedings against the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; or (iiiii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) in each case, alleging that any Processing of Personal Data by or on behalf of a Group the Company is or was in violation of any Privacy Laws or any Privacy and applicable Data Security Policies norRequirements. (c) Since December 31, 2020, to the Company’s knowledgeKnowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) there has been no person has alleged or given written notice of unauthorized access toactual, suspected, or alleged unauthorized or unlawful access, use, disclosureloss, disclosure or other Processing of Personal Data or trade secrets in the possession or control of any Group the Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; and (ii) there have been no person has actual, suspected, or alleged or given written notice of unauthorized intrusions or breaches of security into any the Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group The Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group the Company as currently conducted. All The Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error are sufficient and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear Business, including as to capacity, scalability, and tear)ability to process current and anticipated peak volumes in a timely manner. To the Company’s knowledgeSince December 31, since the Lookback Date2020, there have not been any material no failures, breakdowns or continued substandard performance of or other adverse events affecting any Company IT Systems that have caused a any material failure disruption or disruption interruption in the use of any Company IT Systems or the conduct of the Business. The Company has taken reasonable precautions to protect the confidentiality, integrity and security of the Company IT Systems and Personal Data stored or contained therein or transmitted or Processed thereby from any theft, corruption, loss or unauthorized use, access, interruption or modification or other than routine failures Processing by any Person. The Company maintains commercially reasonable security plans, procedures and facilities, and acts in material compliance therewith. The Company has purchased a sufficient number of license seats (and scope of rights) for all third-party Software that is used or disruptions that have been remediated held for use in the ordinary course conduct of businessthe Business, and the Company has complied in all material respects with the terms and conditions of the agreements corresponding to such Software, including with respect to the use of such Software in the conduct of the Business.

Data Privacy and Security. (a) To Each member of the Company’s knowledge, each Company Group Company involved in the collection or Processing of Personal Information has implemented adequate posted written policies privacy notices relating to the Processing of Personal Data as and to the extent required by applicable Law Information (“Privacy and Data Security Policies”)) and is and has since the Lookback Date (or since such Privacy and Data Security Policy was posted, whichever is later) been in compliance with such Privacy and Data Security Policies in all material respects. (b) To There are no pending Actions, nor has there been any Actions against any member of the Company’s knowledge, there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Company Group Company initiated by any Person (including (i) any Person, (ii) the United States Federal Trade Commission, any state attorney general or similar state official; , (iiiii) any other Governmental EntityAuthority, foreign or domestic; or (iiiiv) any regulatory entity or self-regulatory entity) , in each case, alleging that any Processing of Personal Data Information by or on behalf of a member of the Company Group Company is or was in violation of any applicable Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingLaws. (c) To the Company’s knowledge, since Since the Lookback Date: (i) , to the Knowledge of the Company, there has been no person has alleged material unauthorized access, use, acquisition or given written notice disclosure of unauthorized access toPersonal Information, or use, disclosure, or Processing of Personal Data confidential business information in the possession or control of any Group member of the Company Group, and, to the Knowledge of the Company, any third party service provider of the Company and there have been no material unauthorized intrusions into or Security Breaches of any member of the Company Group’s systems networks, communication equipment or other technology necessary for the operations of the Company Group’s business. There is no unauthorized code in any of its contractors with regard the Company Products. Since the Lookback Date, no member of the Company Group has provided or has been obligated to provide notice under any Personal Data obtained from Privacy and Security Requirements regarding any Security Breach or on behalf unauthorized access to or use of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified Assets or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectInformation. (d) Each The Company Group is and has been in material compliance with all applicable Privacy and Security Requirements since the Lookback Date. (e) The Company owns or Group has license implemented and maintains adequate physical, technical and administrative safeguards designed to use such protect the privacy, operation, confidentiality, integrity and security of all Company IT Systems Assets and Personal Information in its possession or control from unauthorized access by any Person, including each member of the Company Group’s employees and contractors, except as necessary is not and would not reasonably be expected to operate be, individually or in the business aggregate, material to the Company Group, taken as a whole. The Company Group has implemented reasonable procedures, satisfying the requirements of applicable Privacy and Security Requirements, to detect data security incidents and to protect Personal Information against loss and against unauthorized access, use, modification, disclosure, or other misuse. (f) The members of the Company Group have taken commercially reasonable measures designed to ensure all material third party service providers, outsourcers, processors, or other third parties Processing Personal Information, in each Group case on behalf of the Company as currently conducted. All Group, (i) use commercially reasonable measures designed to comply with applicable Privacy and Security Requirements, and (ii) use reasonable security measures with respect to Personal Information. (g) Each member of the Company IT Systems areGroup: (i) free from any material defectconducts periodic vulnerability testing and risk assessments, bugand has procedures for identifying security incidents related to, virus or programmingtheir respective systems and products (collectively, design or documentation error and “Information Security Reviews”); (ii) has procedures reasonably designed to correct any material exceptions or vulnerabilities identified in sufficiently good working condition to effectively perform such Information Security Reviews; (iii) has made available true and accurate copies of all material third-party Information Security Reviews conducted in the past two (2) years; and (iv) has procedures surrounding the timely installation of software security patches and other fixes to identified technical information technology operations necessary for the operation of the Business (except for ordinary wear and tear)security vulnerabilities. To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption Each member of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessGroup provides its employees with regular training on privacy and data security matters.

Data Privacy and Security. (a) To the Company’s knowledge, each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledge, there There is (and since the Lookback Date January 1, 2019 there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; , (ii) any other Governmental Entity, foreign or domestic; domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies norRequirements. Except as otherwise set on Section 3.20(a) of the Company Disclosure Schedules, the Group Companies and the conduct of their business are in material compliance with all Data Security Requirements. (b) Since January 1, 2019, (i) to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) been no person has alleged or given written notice of unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or and the Group Companies have not been notified by any of its contractors with regard to any unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data obtained from or on behalf of a Group Company; , (ii) to the Company’s knowledge, there have been no person has alleged Security Incidents or given written notice of other unauthorized intrusions or breaches of security into any Company IT Systems; , and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as that would not have require notification to a Company Material Adverse EffectPerson or Governmental Entity pursuant to Data Security Requirements. (dc) The Company IT Systems are sufficient in all material respects for the operation of the business as currently conducted by the Group Company. Each Group Company owns or has a license or other right to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All To the Company’s knowledge, all Company IT Systems are: are (i) free from any material defectMalicious Code, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business as currently conducted (except for ordinary wear and tear). To the Company’s knowledgeSince January 1, since the Lookback Date2019, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or material disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To the Company’s knowledge, each Each applicable Group Company involved in the collection of Personal Data subject to applicable Law has implemented adequate and, where applicable, posted written policies privacy notices relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledge, there is (and since the Lookback Date are no pending Proceedings, nor has there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; Entity or (iiiiv) any regulatory or self-regulatory entity) , in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company (A) is in violation of any applicable Privacy Laws or was (B) is in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingPolicies. (c) To the Company’s knowledge, since Since the Lookback Date: , (i) there has been no person has alleged unauthorized access, use, acquisition or given written notice disclosure of unauthorized access toPersonal Data, or use, disclosure, or Processing of Personal Data confidential business information in the possession or control of any Group Company or or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or third party service provider on behalf of a any Group Company; , and (ii) there have been no person has alleged or given written notice of unauthorized intrusions into or breaches Security Breaches of security into any Group Company IT Systems; and (iii) none systems networks, communication equipment or other technology necessary for the operations of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal DataCompanies’ business, except, in each casethe case of clauses (i) and (ii), as would not have a Company Material Adverse Effect. The Group Companies have not experienced any material successful unauthorized access to, use or modification of, or interference with Company IT Systems since the Lookback Date and none of the Group Companies is aware of any written or, to the knowledge of the Company, oral notices or complaints from any Person regarding such a Security Breach or incident, except in each case as would not have a Company Material Adverse Effect. Except as would not have a Company Material Adverse Effect, (A) none of the Group Companies has received any written complaints, claims, demands, inquiries or other notices, including a notice of investigation, from any Person (including any Governmental Entity or self-regulatory authority) regarding any of the Group Companies’ Processing of Personal Data or compliance with applicable Privacy and Security Requirements, and (B) since the Lookback Date, none of the Group Companies have provided or have been obligated to provide notice under any Privacy and Security Requirements regarding any Security Breach or unauthorized access to or use of any Company IT System or Personal Data. (d) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All The Group Companies have in place disaster recovery and security plans and procedures, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. The Group Companies have a sufficient number of license seats for all Software included in the Company IT Systems, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (e) Except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole, the Group Companies are and have been in compliance with all applicable Privacy and Security Requirements since the Lookback Date. (f) The Group Companies have implemented reasonable physical, technical and administrative safeguards designed to protect the privacy, operation, confidentiality, integrity and security of all Company IT Systems are: and Personal Data in their possession or control from unauthorized access by any Person, including each of the Group Companies’ employees and contractors, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (g) To the extent required by applicable Law, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole, the Group Companies have taken commercially reasonable measures designed to ensure all third party service providers, outsourcers, processors, or other third parties Processing Personal Data, in each case on behalf of the Group Companies, (i) free from any material defect, bug, virus or programming, design or documentation error use commercially reasonable measures designed to comply with applicable Privacy and Security Requirements; and (ii) in sufficiently good working condition use reasonable security measures with respect to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessPersonal Data.

Data Privacy and Security. (a) To the Company’s knowledge, each Group Company has implemented adequate written policies relating to the Processing of Personal Data as The Business and Sellers (to the extent required by Related to the Business) comply with, and have for the three (3) years prior to the date hereof complied with, in all material respects, all Data Protection Laws, internal or publicly posted policies, procedures, agreements, and notices, and in connection with the collection, access, processing, use, storage, disclosure, transmission, or transfer (including cross-border transfer) of Personal Information, the requirements of any Material Contract and/or applicable Law (“Privacy and industry standards, including the Payment Card Industry Data Security PoliciesStandard (collectively the “Data Protection Requirements”). None of the Sellers has used, disclosed, transferred, or otherwise processed any Personal Information that is Related to the Business in any manner that violates any Data Protection Requirement. (b) To In each case to the Company’s knowledgeextent Related to the Business, there is (and since none of the Lookback Date there Sellers has been) no material Proceeding pending orreceived any subpoenas, demands, or other notices from any Governmental Entity investigating, inquiring into, or otherwise relating to any actual or potential violation of any Data Protection Law and, to the Company’s knowledgeKnowledge of the Sellers, threatened against or involving any Group Company initiated none of the Sellers is under investigation by any Person (including (i) the United States Federal Trade Commission, Governmental Entity for any state attorney general actual or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in potential violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingProtection Law. (c) To the Company’s knowledgeNo notice, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access tocomplaint, claim, enforcement action, or use, disclosurelitigation of any kind that is Related to the Business has been served on, or Processing of Personal initiated against the Sellers or the Business under any applicable Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectProtection Requirement. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: The Sellers have established and maintain physical, technical, and administrative security measures and policies, compliant with applicable Data Protection Requirements, that (i) free from any material defectprotect the operation, bugconfidentiality, virus or programmingavailability, design or documentation error integrity, and security of the Sellers’ and the Business’s software, systems, and websites that are involved in the collection and processing of Personal Information and/or business data for the Business, and (ii) in sufficiently good working condition identify internal and organizational risks to effectively perform all material information technology operations necessary for the operation confidentiality, integrity, security, and availability of Personal Information of the Business and/or business data and data systems of the Business. (except for ordinary wear and tear). e) To the Company’s knowledgeKnowledge of Sellers, since none of the Lookback DateBusiness or the Sellers has experienced any security breaches or incidents, there have not been unauthorized access, use, modification, or disclosure, or other adverse events or incidents related to Personal Information of the Business and/or business data and data systems of the Business that would require notification of individuals, other affected parties, law enforcement, or any material failuresGovernmental Entity. (f) Each Seller with respect to the Business has made all required registrations and notifications in accordance with all applicable Data Protection Requirements, breakdowns or continued substandard and all such registrations and notifications are current, complete, and accurate in all respects. (g) The execution, delivery, and performance of this Agreement shall not cause, constitute, or result in a breach or violation of any Company IT Systems that have caused a material failure Data Protection Requirement or disruption other standard terms of service entered into by the users of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessBusiness’s service(s).

Data Privacy and Security. (a) To The Company Entities and, to the Knowledge of the Company’s knowledge, all vendors, processors, or other third parties Processing Personal Information on behalf of the Company Entities and/or with whom the Company Entities otherwise share Personal Information (“Data Partners”), are and since January 1, 2017, have been, in compliance in all material respects with (i) all applicable Privacy and Information Security Requirements, (ii) public-facing data privacy and security policies or notices governing the use of Personal Information by the Company Entities (each Group a “Company has implemented adequate written policies Privacy Policy”) and (iii) all Contractual obligations relating to the Processing of Personal Data as and to the extent required by applicable Law Information (each a “Privacy and Data Security PoliciesContractual Obligation”). (b) To . Neither the execution, delivery or performance of this Agreement by the Company’s knowledge, there is (and since General Partner or Seller nor the Lookback Date there has been) no material Proceeding pending or, to consummation by the Company’s knowledge, threatened against General Partner or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none Seller of the Group Companies has notified or been required to notify any Person of any transactions contemplated hereby will (A) lossviolate, theft or damage oftrigger or require any notices to (or consents from) any Person under, any Company Privacy Policy or Privacy Contractual Obligation or (B) otherwise give rise to any right of termination of other unauthorized or unlawful access rights to, impair or use, disclosure limit the right of Purchaser (or other Processing of, any relevant Affiliate of Purchaser) to Process any Personal Data, except, Information used in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear)business of the Company Entities, other than any such violations, triggers, requirements, impairments or limitations that, individually or in the aggregate, would not reasonably be expected to be material to the Company Entities taken as a whole. To the extent that any Personal Information is comprised of “Personal Information” as defined under the CCPA, all Personal Information is an asset that will be transferred as part of this transaction, as contemplated by section 1798.140(t)(2)(D) of the CCPA. (b) The Company Entities have and to the Knowledge of the Company’s knowledge, since all Data Partners have, implemented and maintain commercially reasonable administrative, organizational, physical and technical safeguards to (i) protect and maintain the Lookback Dateconfidentiality and security of Personal Information against any unlawful, there accidental or unauthorized control, use, access, disclosure, interruption, modification, destruction, compromise of corruption (a “Security Incident”); (ii) identify and address internal and external risks to the privacy and security of Personal Information in the Company Entities’ possession or control; and (iii) provide notification without undue delay to the Company, and/or third parties where applicable, in the case of a Security Incident. (c) Since January 1, 2019, the Company Entities have not suffered a material Security Incident with respect to any Personal Information and the Company is not aware of any unremediated vulnerabilities that could lead to such a Security Incident. There have not been any material failuresActions, breakdowns whether formal or continued substandard performance informal, with respect to the Company Entities regarding the Processing of Personal Information by any Company IT Systems that have caused a material failure Person or disruption Governmental Entity in connection with the businesses of the Company IT Systems other than routine failures Entities or disruptions compliance with any Company Privacy Policy or Privacy Contractual Obligation and, to the Knowledge of the Company, there are no facts are circumstances that have been remediated can give rise to any such Actions. For the avoidance of doubt, “Action” as used in the ordinary course of businessthis Section 4.23(c) does not include individual rights requests made under Privacy and Information Security Requirements or Company Privacy Policies.

Data Privacy and Security. (a) To the Company’s knowledgeSince March 31, 2019, each Group Company has implemented adequate been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between such Group Company and other Persons relating to Personal Data and (ii) applicable written policies policies, public statements and other public representations relating to the Processing of Personal Data as and to the extent Data, inclusive of all disclosures required by applicable Law Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement and the Ancillary Documents to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Group Companies, taken as a whole. (b) To Since March 31, 2019, the Company’s knowledgePrivacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, there are accurate and complete and are not misleading or deceptive (including by omission). The practices of each Group Company with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data. (c) There is (and since in the Lookback Date prior three years there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; , (ii) any other Governmental Entity, foreign or domestic; domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) Commitments. To the Company’s knowledge, since there are no facts, circumstances or conditions that would reasonably be expected to form the Lookback Date: basis for any Proceeding for any potential violation of any Privacy Commitments. (d) In the prior three years, (i) there has been no person has alleged or given written notice of unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; Company (“Security Incident”), (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; , and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each casecase of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each Group Company has implemented commercially reasonable administrative, physical and technical safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data. (de) Each Group Company owns or has a license or other right to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: are (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business Group Companies’ businesses (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. To In the Company’s knowledge, since the Lookback Dateprior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To The Company’s data privacy and security practices and processing of Personal Data comply, and at all times have complied with all of the Company Privacy Commitments, Privacy Laws and Company Data Agreements. The Company has at all times, to the extent applicable to the Company’s knowledge, each Group Company has implemented : (A) had a valid legal basis (including providing adequate written policies relating to notice and obtaining any necessary consents from individuals) required for the Processing of Personal Data as conducted by or for the Company, (B) refrained from selling or sharing Personal Data with third parties for the third party’s benefit except as permitted under Applicable Law and by any Person with the applicable rights in such Personal Data, and (C) abided by any privacy rights and choices (including privacy by default obligations under Applicable Law and data-subject opt-out preferences) of individuals relating to the extent required by applicable Law Personal Data (such obligations along with all statements and obligations contained in Company Privacy Policies, collectively, “Company Privacy and Data Security PoliciesCommitments”). (b) To . The Company has not granted any options, rights of first refusal or negotiation or other similar rights of any kind relating to any Company Data, and the Company’s knowledgeCompany is not bound by or a party to any option, there is (rights of first refusal or negotiation or other similar rights, license or agreement of any kind with respect to any of the Company Data. Neither the execution, delivery and since performance of this Agreement, nor the Lookback Date there has been) no material Proceeding pending or, continued use by the Company of all of the Company Data and other information relating to the Company’s knowledgeend users, threatened against employees, vendors or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commissionclients, any state attorney general or similar state official; (ii) any other Governmental Entitycategory of individuals in a manner consistent with the Company’s past practice, foreign will cause, constitute or domestic; result in a breach or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or Company Privacy Commitments, any Company Data Agreements or any standard terms of service entered into by the Company with individuals the Personal Data of whom is Processed by each of the Company and its Processors. Copies of all current and prior Company Privacy Policies have been made available to Acquirer and such copies are true, correct and complete. (b) The Company has established and maintains appropriate and reasonable technical, physical and organizational measures and security systems and technologies in compliance with all data security and other applicable requirements under Privacy Laws, Company Data Agreements, and Company Privacy Commitments that are designed to protect Company Data against: (i) accidental or unlawful Processing or disclosure; (ii) breaches of confidentiality; (iii) unavailability of Company Data; or (iv) other events which affect the integrity of Company Data, in each case, in a manner appropriate to the risks represented by the Processing of such data by the Company, its data processors and any other third party with whom Company has shared such Company Data (such processors and foregoing third parties, collectively, “Processors”). The Company and Processors have taken commercially reasonable steps to ensure the compliance of their respective employees and contractors who have access to Company Data, to train such employees on all applicable aspects of any Privacy Law and Company Privacy Commitments and to ensure that all employees with the authority and/or ability to access such data are under written obligations of confidentiality with respect to such data. The Company has processes in place to identify Personal Data Security Policies nor, in the materials it offers to the Company’s knowledge, its users on its websites and takes appropriate and reasonable steps to ensure it is there (nor since the Lookback Date has there been) any basis for the foregoingable legally to use such Personal Data as part of its commercial offering. (c) To The Company has not received or experienced and, to the knowledge of the Company’s knowledge, since the Lookback Date: there is no circumstance (iincluding any circumstance arising as a result of an audit or inspection carried out by any Governmental Entity) no person has alleged or given written notice of unauthorized access that would reasonably be expected to give rise to, any Legal Proceeding, Order, notice, communication, warrant, regulatory opinion, audit result or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company allegation from a Governmental Entity or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; other Person (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any including an end user): (A) lossalleging or confirming non-compliance with a relevant requirement of Privacy Laws, theft Company Data Agreement or damage ofCompany Privacy Commitments, or (B) other unauthorized requiring or unlawful access torequesting the Company to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data, (C) permitting or mandating relevant Governmental Entities to investigate, requisition information from, or useenter the premises of, disclosure the Company or (D) claiming compensation from the Company. There are no unsatisfied requests from individuals or other Processing ofthird parties to the Company seeking to exercise any data protection or privacy rights (such as rights to access, rectify, or delete Personal Data, exceptto restrict or object to processing of Personal Data, or relating to data portability). The Company has not been involved in each case, as would not have a any Legal Proceedings involving non-compliance or alleged non-compliance with Privacy Laws or Company Material Adverse EffectPrivacy Commitments. (d) Each Group Schedule 2.11(d) of the Company owns or has license to use such Disclosure Letter contains the complete list of notifications and registrations made by the Company IT Systems as necessary to operate under Privacy Laws with relevant Governmental Entities in connection with the business Company’s Processing of each Group Company as currently conductedPersonal Data. All such notifications and registrations are valid, accurate, complete and fully paid up and, to the knowledge of the Company, the consummation of the Transactions will not invalidate such notification or registration or require such notification or registration to be amended. Other than the notifications and registrations set forth on Schedule 2.11(d) of the Company IT Systems are: Disclosure Letter, no other registrations or notifications are required in connection with the Processing of Personal Data by Company. The Company does not Process the Personal Data of any natural Person under the age of 13 or is otherwise considered a child under Applicable Law, and has complied with all Privacy Laws (including providing adequate notice and obtaining any necessary parental or other individual consent) for the Processing of Personal Data of any natural person under the age of 18. (e) Where the Company uses a Processor to Process Personal Data, the Processor has provided guarantees, warranties or covenants in relation to Processing of Personal Data, confidentiality, integrity, availability, security measures and agreed to compliance with those obligations that are sufficient for the Company’s compliance with Privacy Laws and Company Privacy Commitments (including for the evaluation of the Processor, including its technical and organizational measures), and there is in existence a written Contract between the Company and each such Processor that complies with the requirements of all Privacy Laws and Company Privacy Commitments. The Company has made available to Acquirer true, correct and complete copies of all such Contracts and, to the knowledge of the Company, such Processors have not breached any such Contracts pertaining to Personal Data Processed by such Persons on behalf of Company. (f) The Company has not transferred or permitted the transfer of Personal Data originating in the EEA outside the EEA, except where such transfers have complied with the requirements of Privacy Laws and Company Privacy Commitments. (g) The Company has complied with Privacy Laws in relation to conducting direct marketing, including electronic marketing, telemarketing, organic growth marketing, and text message marketing. (h) The Company maintains complete, accurate and up to date records of (i) free from any material defect, bug, virus or programming, design or documentation error all Processing activities of Personal Data and their lawful bases and (ii) all data protection impact assessments, in sufficiently good working condition to effectively perform all material information technology operations necessary for each case as required by the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessapplicable Privacy Laws.

Data Privacy and Security. (a) To the Company’s knowledge, each The Company has not received any written notice of any pending or threatened Proceeding against or involving any Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledge, there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledgeKnowledge, threatened against or involving any Group Company Company’s Affiliates initiated by any Person (Person, including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a any Group Company or its Affiliates is or was in violation of any Privacy Laws or any Privacy and Data Security Policies norRequirements. (b) The Group Companies take, to in the reasonable determination of the Company’s knowledgemanagement team, is there commercially reasonable measures designed to protect and maintain (nor since i) the Lookback Date has there beenownership and confidentiality of their material proprietary Company Intellectual Property and (ii) any basis the security, confidentiality, continuous operation and integrity of their Company IT Systems (and all confidential data and Protected Data stored therein or transmitted thereby). The Group Companies have back-up and disaster recovery arrangements for the foregoingcontinued operation of their business in the event of a failure of its Company IT Systems that are, in the reasonable determination of the Company’s management team, commercially reasonable and in accordance with standard industry practice. (c) To the Company’s knowledgeKnowledge, since there have been no unauthorized intrusions or breaches of security that has resulted in unauthorized use of, or access to, the Lookback Date: Company IT Systems or Protected Data that, pursuant to any applicable Law, would require the Company or a Subsidiary to notify customers or employees of such breach or intrusion. (d) Except as would not, individually or in the aggregate, have, or be reasonably expected to result in, a Company Material Adverse Effect, (i) no person there has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal not been any Data Breach with respect to any Protected Data in the possession or control of any Group Company or its Affiliates, or any of its contractors with regard to any Personal Protected Data obtained from or on behalf of a any Group Company; Company or its Affiliates, (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; Systems or Protected Data, and (iii) none of the Group Companies has nor their Affiliates have been notified or been required to notify any Person of any (Aa) loss, theft or damage of, or (Bb) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectData Breach. (de) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business The Company’s and its Subsidiaries’ collection, use, disclosure, storage and transfer of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) Personal Data complies in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation respects with all Privacy Requirements. The execution, delivery and performance of the Business (except for ordinary wear and tear). To transactions contemplated by this Agreement do not materially violate the Company’s knowledgeprivacy policy as it currently exists or, since to the Lookback Date, there have not been extent any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption previous privacy policy of the Company IT Systems other than routine failures remains applicable to Personal Data maintained by the Company or disruptions that have been remediated in the ordinary course of businessits Subsidiaries, as such previous privacy policy existed before.

Data Privacy and Security. (a) To the Company’s knowledge, each Group The Company has implemented adequate not received any written policies relating to the Processing notice of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledge, there is (and since the Lookback Date there has been) no material any Proceeding pending ornor, to the Company’s knowledgeKnowledge, threatened is any Proceeding threatened, against or involving any Group Company or its Affiliates initiated by any Person (Person, including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a any Group Company or its Affiliates is or was in violation of any Privacy Laws Requirements. (b) The Group Companies take commercially reasonable measures designed to protect and maintain (i) the ownership and confidentiality of their material proprietary Company Intellectual Property and (ii) the security, confidentiality, continuous operation and integrity of their Company IT Systems (and all confidential data and Protected Data stored therein or any Privacy transmitted thereby). The Group Companies have back-up and Data Security Policies nordisaster recovery arrangements for the continued operation of their business in the event of a failure of its Company IT Systems that are, to in the reasonable determination of the Company’s knowledgemanagement team, is there (nor since the Lookback Date has there been) any basis for the foregoingcommercially reasonable and in accordance with standard industry practice. (c) To There have been no unauthorized intrusions or breaches of security that has resulted in unauthorized use of, or access to, the Company’s knowledgeCompany IT Systems or Protected Data that, since pursuant to any applicable Law, would require the Lookback Date: Company or a Subsidiary to notify customers or employees of such breach or intrusion. (d) Except as would not, individually or in the aggregate, have, or be reasonably expected to result in, a Company Material Adverse Effect, (i) no person there has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal not been any Data Breach with respect to any Protected Data in the possession or control of any Group Company or its Affiliates, or any of its contractors with regard to any Personal Protected Data obtained from or on behalf of a any Group Company; Company or its Affiliates, (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; Systems or Protected Data, and (iii) none of the Group Companies has nor their Affiliates have been notified or been required to notify any Person of any (Aa) loss, theft or damage of, or (Bb) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectData Breach. (de) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business The Company’s and its Subsidiaries’ collection, use, disclosure, storage and transfer of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) Personal Data complies in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation respects with all Privacy Requirements. The execution, delivery and performance of the Business (except for ordinary wear and tear). To transactions contemplated by this Agreement do not materially violate the Company’s knowledgeprivacy policy as it currently exists or, since to the Lookback Date, there have not been extent any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption previous privacy policy of the Company IT Systems other than routine failures remains applicable to Personal Data maintained by the Company or disruptions that have been remediated in the ordinary course of businessits Subsidiaries, as such previous privacy policy existed before.

Data Privacy and Security. (ai) To The Company, each of its subsidiaries and each Licensed Entity complies, and during the past three years has complied, in all material respects, with all Privacy and Information Security Requirements. None of the Company, any of its subsidiaries, nor any Licensed Entity has been notified in writing of, or is the subject of, any complaint or proceeding or to the Company’s knowledge, each Group Company has implemented adequate written policies relating any, regulatory investigation related to the Processing of Personal Data as by any Governmental Authority or payment card association, regarding any actual or possible violations of any Privacy and Information Security Requirement by or with respect to the extent required by applicable Law (“Privacy and Data Security Policies”)Company, any of its subsidiaries or any Licensed Entity. (bii) The Company, each of its subsidiaries and each Licensed Entity employs commercially reasonable organizational, administrative, physical and technical safeguards that comply in all material respects with all Privacy and Information Security Requirements to protect Company Data within its custody or control and requires the same of all vendors under contract with the Company that Process Company Data on its behalf. The Company, each of its subsidiaries and each Licensed Entity has provided all requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to notification to Governmental Authorities), necessary for the Processing (including international and onward transfer) of all Personal Data in connection with the conduct of the business as currently conducted and in connection with the consummation of the transactions contemplated hereunder. (iii) To the knowledge of the Company, none of the Company, any of its subsidiaries nor any Licensed Entity has suffered a security breach with respect to any of the Company Data and to the Company’s knowledge, there is (and since the Lookback Date there has been) been no material Proceeding pending or, unauthorized or illegal use of or access to any Company Data. None of the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to subsidiaries nor any Personal Data obtained from or on behalf of a Group Company; (ii) no person Licensed Entity has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified notified, or been required to notify notify, any Person person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, information security breach involving Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort or otherwise impede in any manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses”, “worms”, “time bombs” or “back doors”) that have not been removed or fully remedied. None of the Company, any of its subsidiaries nor any Licensed Entity has experienced any material failuresdisruption to, breakdowns or continued substandard performance material interruption in, the conduct of its business that affected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the part of any Company IT Systems that have caused a material failure computer software or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessSystems.

Data Privacy and Security. (a) To The Company and each of its Subsidiaries and, to the Knowledge of the Company, all vendors, partners or other third parties that Process Personal Information on behalf of, or that otherwise share Personal Information with, the Company or any of its Subsidiaries (in the case of such vendors, partners, and other third parties, relating to the Company or any of its Subsidiaries) (“Company Data Partners”), are, and have at all times during the past three (3) years been, in compliance in all material respects with all applicable (i) Privacy Laws, (ii) the Company’s knowledgeand its Subsidiaries’ policies, representations, and notices, (iii) the requirements of any industry standard or self-regulatory organization by which the Company or any of its Subsidiaries is bound, and (iv) contractual commitments by which the Company or any of its Subsidiaries is bound, in each Group Company has implemented adequate written policies case of (ii) – (iv), relating to privacy, data protection, security, or the Processing of Personal Company Data (collectively, (i) – (iv), “Company Privacy Obligations”). The Company and each of its Subsidiaries has at all applicable times during the past three (3) years provided all material notices and obtained all material authorizations, consents, and rights required under Company Privacy Obligations to Process Company Data as and to Processed by or for the extent required by applicable Law (“Privacy and Data Security Policies”)Company or any of its Subsidiaries. (b) To The Company and each of its Subsidiaries has implemented and maintained reasonable and appropriate physical, technical, and organizational measures designed to protect the Company’s knowledge, there is (Company IT Assets and since the Lookback Date there Company Data. There has been) been no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commissionmaterial security incident, any state attorney general breach, or successful ransomware, denial of access attack, denial of service attack, hacking, or similar state official; event with respect to any Company IT Asset, nor (ii) any other Governmental Entitymaterial unauthorized, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies noraccidental, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or usedestruction, disclosure loss, alteration disclosure, or other Processing of, Personal Data, exceptCompany Data (each, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business case of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation ), a “Company Security Incident”). None of the Business (except for ordinary wear and tear)Company or any of its Subsidiaries, nor, to the Knowledge of the Company, the Company Data Partners, has made, or been required to make, any disclosure or notification to any Person under any Company Privacy Obligation in connection with any Company Security Incident. None of the Company or any of its Subsidiaries has received any notification from any Governmental Authority or other Person of any material Action relating to the data privacy, data security, data protection, or the Processing of Company Data, or alleging any violation of any Company Privacy Obligation. To the Knowledge of the Company’s knowledge, since the Lookback Date, there have not has never been any material failuresaudit, breakdowns investigation or continued substandard performance enforcement action (including any fines or other sanctions) by any Governmental Authority or other Person relating to any Company Security Incident or violation of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessPrivacy Obligation.

Data Privacy and Security. (a) To the Company’s knowledge, each Each Group Company involved in the collection or Processing of Personal Data has implemented adequate and, where applicable, posted written policies privacy notices relating to the Processing of Personal Data as and to the extent required by applicable Law Privacy Laws (“Privacy and Data Security Policies”)) and is, and since the Lookback Date, has been, in compliance in all material respects with such Privacy and Data Security Policies. (b) To the Company’s knowledge, there is (and since the Lookback Date are no pending Proceedings, nor has there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; Entity or (iiiiv) any regulatory entity or self-regulatory entity) , in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies norRequirements. The Group Companies do not engage in the sale, as such term is defined by applicable law, of Personal Data. (c) Since the Lookback Date, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: knowledge (i) there has been no person has alleged unauthorized access, use, acquisition or given written notice disclosure of unauthorized access toPersonal Data, or use, disclosure, or Processing of Personal Data confidential business information in the possession or control of any Group Company or or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or third-party service provider acting on behalf of a any Group Company; , and (ii) there have been no person has alleged or given written notice of unauthorized intrusions into or breaches Security Breaches of security into any Company IT Systems; and (iii) none Systems or other technology necessary for the operations of the Group Companies has notified or been required to notify any Person Companies’ business, except in the case of any clauses (Ai) loss, theft or damage of, or and (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each caseii), as would not have a Company Material Adverse Effect. The Group Companies have not experienced any material successful unauthorized access to, use or modification of, or interference with Company IT Systems since the Lookback Date and none of the Group Companies is aware of any written or, to the Company’s knowledge, oral notices or complaints from any Person regarding such a Security Breach or incident, except in each case as would not have a Company Material Adverse Effect. Except as would not have a Company Material Adverse Effect, (A) there is no unauthorized code in any of the Company Products and none of the Group Companies has received any written complaints, claims, demands, inquiries or other notices, including a notice of investigation, from any Person (including any Governmental Entity or self-regulatory authority) or entity regarding the Company IT Systems, any of the Group Companies’ Processing of Personal Data, or the Group Companies’ compliance with applicable Privacy and Security Requirements and (B) since the Lookback Date, none of the Group Companies have provided or have been obligated to provide notice under any Privacy and Security Requirements regarding any Security Breach or unauthorized access to or use of any Company IT System or Personal Data. (d) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All The Group Companies have in place disaster recovery and security plans and procedures, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. The Group Companies have a sufficient number of license seats for all Software included in the Company IT Systems, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (e) Except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole, the Group Companies are and have been in compliance with all applicable Privacy and Security Requirements since the Lookback Date. (f) The Group Companies have implemented reasonable physical, technical and administrative safeguards designed to protect the privacy, operation, confidentiality, integrity and security of all Company IT Systems are: and Personal Data in their possession or control from unauthorized access by any Person, including each of the Group Companies’ employees and contractors, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (g) To the extent required by applicable Privacy Law, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole, the Group Companies have taken commercially reasonable measures designed to ensure all third-party service providers, outsourcers, processors, or other third parties Processing Personal Data, in each case on behalf of the Group Companies, (i) free from any material defect, bug, virus or programming, design or documentation error use commercially reasonable measures designed to comply with applicable Privacy and Security Requirements; and (ii) in sufficiently good working condition use reasonable security measures with respect to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessPersonal Data.

Data Privacy and Security. (a) To the Company’s knowledge, each Each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”)Requirements. (b) To the Company’s knowledge, there There is (and since the Lookback Date January 1, 2018 there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; , (ii) any other Governmental Entity, foreign or domestic; domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies Requirements, nor, to the Company’s knowledge, is there (nor since the Lookback Date January 1, 2018 has there been) any a reasonable basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: January 1, 2018, (i) there has been no person material Security Incidents with respect to any Company IT Systems, Personal Data, or Company Products, (ii) there has alleged or given written notice of been no unauthorized access to, or use, disclosure, or Processing of Personal Data or any trade secrets, know-how or material confidential information of or in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; , and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as is not and would not have reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a Company Material Adverse Effectwhole. (d) Each Group Company owns or has license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All The Group Companies have taken reasonable precautions to protect the confidentiality, integrity and security of the Company IT Systems are: and all information stored or contained therein or transmitted thereby from any loss, theft, or unauthorized disclosure, use, access, interruption or modification by any Person. To Company’s knowledge, all Company IT Systems are (i) free from any Malicious Code, material defect, bug, virus bug or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledgeSince January 1, since the Lookback Date2018, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures Systems. The Group Companies have implemented, maintained and tested adequate and commercially reasonable disaster recovery procedures and facilities for the Business and all Data material to the respective businesses of the Group Companies has been regularly backed-up in an encrypted manner and tested for restoration. (e) The Group Companies (i) engage and have engaged in, directly or disruptions that have been remediated indirectly, Data Processing only with respect to such Data as they are authorized to so engage (or to cause such Processing, as applicable) by Law and, as applicable, Contract, except as is not and would not reasonably be expected to be, individually or in the ordinary aggregate, material to the Group Companies, taken as a whole, and (ii) have implemented reasonable safeguards designed to prevent unauthorized use or disclosure of such Data. The Group Companies have, with respect to all such Data that is subjected to any Processing directly or indirectly by the Group Companies in the course of businessoperating the Business, all rights necessary to conduct the operation of the Business as then-currently conducted, in all material respects.

Data Privacy and Security. (a) To The Company and its Subsidiaries have developed, implemented and maintained a written Data Protection Program that is materially in compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any Security Incident. No Person has brought, or to the knowledge of the Company’s knowledge, each Group otherwise threatened, any Action against the Company has implemented adequate written policies relating or any of its Subsidiaries in relation to the Processing any actual or alleged Security Incident or violation or breach of Personal Data as and to the extent required by applicable Law (“any Privacy and Data Security Policies”)Requirement. (b) To The Company and its Subsidiaries have at all times complied with all Privacy Requirements with respect to the Company’s knowledgeProcessing of Personally Identifiable Information and other data, there and have taken commercially reasonable steps designed to ensure that such Personally Identifiable Information and other data is (protected against loss and since the Lookback Date against unauthorized access, use, modification, disclosure or other misuse, to which there has been) been no material Proceeding pending orunauthorized access to or other misuse. Neither the Company nor any of its Subsidiaries have been subject to an Order of, to the Company’s knowledgeor have received a notice from, threatened against a Governmental Authority regarding actual or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general alleged non-compliance with or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy Requirement. The Company and Data Security Policies norits Subsidiaries have taken commercially reasonable steps designed to ensure that all such employees, representatives, consultants, contractors and agents with the right to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingaccess such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To Each of the Company’s knowledgeand its Subsidiaries’ third-party data suppliers, since the Lookback Date: (i) no person has alleged vendors, and partners that Process any Company PII or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or other Personally Identifiable Information on behalf of the Company and its Subsidiaries are in compliance in all material respects with the Privacy Requirements and there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a Group Company; (iibreach, violation or default) no person has alleged by any such supplier, vendor or given written notice other partner of unauthorized intrusions any Privacy Requirements. No circumstances have arisen in which the Privacy Requirements would require or breaches of security into any recommend the Company IT Systems; and (iii) none of the Group Companies has notified or been required its Subsidiaries to notify any Person Governmental Authority of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectSecurity Incident. (d) Each Group The Company owns and its Subsidiaries have not used any data derived or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free aggregated from any material defect, bug, virus Personally Identifiable Information received from or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance otherwise Processed on behalf of any Company IT Systems Person in any way that have caused would constitute a material failure breach, violation or disruption default of any Contract to which the Company IT Systems or its Subsidiaries, as the case may be, is bound. (e) The consummation of transactions contemplated by this Agreement and the other than routine failures Transaction Documents will not breach or disruptions that have been remediated in the ordinary course otherwise cause any violation of businessany Privacy Requirement.

Data Privacy and Security. (a) To the Company’s knowledgeSince January 1, 2021, each member of the Company Group complies and at all times has complied with (i) the written privacy policies and external representations of the Company has implemented adequate written policies relating to regarding the Processing of Personal Information, (ii) written contractual obligations governing the treatment and Processing of Personal Information by the Company Group, (iii) applicable industry standards legally binding on the Company Group (including, as applicable, the Payment Card Industry Data Security Standard), (iv) registration requirements with any applicable Governmental Entity for the Processing of Personal Information by the Company Group and (v) all Privacy Laws (collectively, the “Company Data Privacy Requirements”), in each case with respect to clauses (i) through (v), except where noncompliance would not reasonably be expected to be material to the Company Group, taken as a whole. Except as would not reasonably be expected to be material to the Company Group, taken as a whole: (i) each member of the Company Group has at all times presented a privacy policy or other privacy-related notices (such as notice of financial incentives) to individuals and obtained prior express consent prior to the collection of any Personal Information, in each case, to the extent required of the Company Group by Company Data Privacy Requirements, and (ii) such privacy policies, notices, and consents are: (a) sufficient under applicable Law Company Data Privacy Requirements to permit the Processing of Personal Information by each member of the Company Group as currently Processed by or for each member of the Company Group and (“Privacy b) have at all times been materially accurate, consistent and Data Security Policies”complete, and not materially misleading or deceptive (including by any material omission). (b) To The execution, delivery, and performance of this Agreement and the Company’s knowledge, there is (transactions contemplated by this Agreement do not and since the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including will not: (i) the United States Federal Trade Commission, conflict with or result in a violation or breach of any state attorney general Company Data Privacy Requirements or similar state official; (ii) require the consent of or provision of notice to any Person concerning such Person’s Personal Information, in each case except for any such conflicts, violations, consents, prohibitions, or other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, occurrences which would not reasonably be expected to be material to the Company’s knowledgeCompany Group, is there (nor since the Lookback Date has there been) any basis for the foregoingtaken as a whole. (c) To the Company’s knowledgeSince January 1, since the Lookback Date: (i) 2021, there has been no person has alleged or given written notice of unauthorized access toaccidental, unlawful, or use, disclosure, or unauthorized Processing of Personal Data Information in the possession or control of any the Company Group (“Company or any PII Security Incident”), except as would not reasonably be expected to be material to the Company Group, taken as a whole. Each member of its contractors with regard the Company Group has taken commercially reasonable steps and implemented and maintained commercially reasonable measures designed to any Personal Data obtained from or on behalf of a Group Company; (i) monitor, detect, prevent, mitigate, and remediate Company PII Security Incidents, (ii) no person has alleged identify and address internal and external material risks to the privacy and security of Personal Information in its possession or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; control, and (iii) none protect such Personal Information and the software, systems, applications, and websites owned and operated by the Company Group that are involved in the Processing of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, Information. Except as would not have reasonably be expected to be material to the Company Group, taken as a whole: (i) the Company Material Adverse Effectrequires all third parties that Process Personal Information on its behalf to enter into written contracts to provide security and privacy protections for Personal Information consistent with Privacy Laws, and (ii) to the Knowledge of Company, such third parties are not in breach of such Contracts with respect to such Personal Information. (d) Each Group Since January 1, 2021, no member of the Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems areGroup: (i) free from has been the subject of any material defectinquiry, buginvestigation, virus or programmingenforcement action by any Governmental Entity with respect to such member’s compliance with any Privacy Law or its Processing of Personal Information, design or documentation error and (ii) in sufficiently good working condition is the subject of any Proceeding alleging or investigating a Company PII Security Incident, or violation of any Company Data Privacy Requirement or relating to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledgeProcessing of Personal Information, since or (iii) received a written claim by or before any Governmental Entity alleging a violation of Company Data Privacy Requirement or relating to the Lookback DateCompany’s Processing of Personal Information, there have in each case with respect to clauses (i) through (iii), except as would not been any reasonably be expected to be material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of to the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessGroup, taken as a whole.

Data Privacy and Security. (a) To Except as would not be reasonably be expected to be material to the Company, taken as a whole, the Company and each Company Subsidiary are, and since the Company’s knowledgedate of incorporation has been, in compliance with all applicable Privacy and Security Requirements. The transactions contemplated by this Agreement will not result in any liabilities in connection with any Privacy and Security Requirements, except where any such liability would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. (b) The Company and each Group Company Subsidiary has implemented adequate written policies relating to the Processing of Personal Data Data, privacy, data protection, cybersecurity, data security and the security of the Company’s and each Company Subsidiaries’ information technology systems, as and to the extent required by applicable Privacy Law (“Privacy and Data Security Policies”). (bc) To Since the Company’s knowledgeincorporation and each Company Subsidiary’s organization, there has been no Proceeding, there is (and since the Lookback Date there has been) no material Proceeding pending or, to and there is no Proceeding threatened in writing against the Company’s knowledge, threatened against Company or involving any Group Company Subsidiary initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; , or (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that, in each case, alleged that any Processing of Personal Data by or on behalf of a Group the Company or any Company Subsidiary is or was in violation of any Privacy Laws and Security Requirements or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingPolicies. (cd) To the Company’s knowledge, since the Lookback Date: Company’s date of incorporation, (i) there have been no person has alleged Security Incidents that have adversely affected the business or given written notice operations of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; Company Subsidiary, and (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into neither the Company nor any Company IT Systems; and (iii) none of the Group Companies Subsidiary has notified notified, or has been required to notify notify, any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure disclosure, or other Processing of, of Personal Data, except, in each case, except with respect to (i) and (ii) as would not have be reasonably be expected to be material to the Company or any Subsidiary, taken as a whole. The Company Material Adverse Effectand each Company Subsidiary takes reasonable action to protect the security of the software, databases, systems, networks, Internet sites and confidential information under their control from any unauthorized use, interruption, access or modification and comply with all Privacy and Security Requirements with regard to the transmission and storage of such information. The Company and each Company Subsidiary maintains reasonable disaster recovery, data breach and security plans, procedures and facilities consistent in all material respects with industry standards and practices. (de) Each Group The Company owns or has license a valid right to use such the Company IT Systems as necessary to operate the business of the Company and each Group Company Subsidiary as currently conducted. All To the knowledge of the Company, the Company IT Systems owned by the Company are: : (i) free from any material defect, bug, virus or programming, design or documentation error and error; and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear)) as currently conducted in all material respects. The Company has taken commercially reasonable steps designed to protect the confidentiality, integrity and security of the Company IT Systems and all material information stored or contained therein or transmitted thereby from any theft, corruption, loss or unauthorized use, access, interruption or modification by any Person. To the Company’s knowledge, since the Lookback DateCompany’s date of incorporation, there have not been any material failures, breakdowns failures or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessSystems.

Data Privacy and Security. (a) To the Company’s knowledge, each Group The Company has implemented adequate delivered accurate and complete copies of all written policies relating and procedures maintained by Holdings or the Company currently in effect or in effect at any time since August 22, 2013 that relate to the Processing of Personal Data as privacy and personal data protection, including any such policies that relate to the extent required by applicable Law personal data from or about any representatives, customers, suppliers, service providers, or any other Persons (“Company Privacy and Data Security Policies”). (b) To Each of Holdings and the Company’s knowledgeCompany has complied in all material respects with, there is not in violation of, and has not received any notice or other communication (and since the Lookback Date there has been) no material Proceeding pending in writing or, to the Company’s knowledge, threatened against or involving in any Group Company initiated by other manner) of any Person (including (i) the United States Federal Trade Commissionviolation with respect to, any state attorney general laws, contracts, Company Privacy Policies or similar state official; (ii) any other Governmental Entitycommitments, foreign obligations, or domestic; representations concerning privacy and personal data protection (“Company Privacy Obligations”). The consummation of the contemplated transactions will not violate any Company Privacy Obligation, or require Holdings or the Company to provide any notice to, or seek any consent or waiver from, any representative, customer, vendor, supplier, service provider, or other person under any Company Privacy Policy. To the Company’s knowledge, no Company Privacy Obligations will impose any restrictions upon the Purchaser’s ability to use, possess, disclose, or transfer any personal data in the manner Holdings or the Company has used, possessed, disclosed, or transferred any personal data before the Closing. Neither Holdings nor the Company has received any notice or other communication (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies norwriting or, to the Company’s knowledge, in any other manner) of any claims or alleged claims that Holdings or the Company has violated any Company Privacy Obligations and, to the Company’s knowledge, no Governmental Authority is there (nor since investigating to determine whether Holdings or the Lookback Date Company has there been) violated any basis for Company Privacy Obligations. Holdings and the foregoingCompany have collected, received, generated, used, processed, imported, exported, transferred, disclosed and disposed of all personally identifiable information in material compliance with all applicable Laws relating to data privacy. (c) To Holdings and the Company’s knowledgeCompany have stored, since the Lookback Date: maintained, and transmitted all personally identifiable information, including, but not limited to, credit card related information, in compliance with (i) no person has alleged or given written notice of unauthorized access toall data protection Laws, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; and (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) lossall contractual obligations, theft or damage ofincluding, or (B) other unauthorized or unlawful access but not limited to, obligations imposed upon Holdings or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a the Company Material Adverse Effectunder any agreement to process credit card transactions. (d) Each Group Holdings and the Company owns have taken commercially reasonable measures to protect all personally identifiable information against loss, or has license to use such unauthorized access, use, modification, or acquisition. In the context of credit card related information, Holdings and the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) are in sufficiently good working condition to effectively perform compliance in all material information technology operations necessary for respects with the operation most recent Payment Card Industry (“PCI”) Data Security Standard (“DSS”). Holdings and the Company have completed an on-site report on compliance (“ROC”) from a qualified security assessor (“QSA”), or have completed a self-assessment questionnaire (“SAQ”) within the 12 months immediately preceding the date of this Agreement. The ROC and/or SAQ did not identify any areas of non-compliance with the Business PCI DSS. The Company is not aware of any facts or circumstances that would prevent a ROC or SAQ from currently being completed that indicates that there are no areas of non-compliance with the PCI DSS. 25 (except for ordinary wear e) Holdings and tear)the Company have taken commercially reasonable measures to detect and respond to security incidents involving any attempted or successful unauthorized access, use, disclosure, modification, or destruction of personally identifiable information. To the Company’s knowledge, since no personally identifiable information, including, but not limited to, credit card related information, has been lost, stolen, hacked, violated or otherwise lawfully removed from the Lookback Datepossession of Holdings or the Company, there have or has been revealed, acquired, accessed, or used by or disclosed to any person not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of authorized by the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessCompany.

Data Privacy and Security. (a) To Since January 1, 2019, the Company’s knowledgeCompany and its Subsidiaries have at all times materially complied, and are currently in material compliance, in all respects with all Privacy Requirements and all requirements contained in any Contract to which the Company or any of its Subsidiaries is bound, in each Group Company has implemented adequate written policies case, relating to (i) the Processing privacy of the users of the products, services and websites of their business and/or (ii) the collection, use, storage, processing and disclosure of any Personal Data and other confidential data or information collected or stored by or on behalf of their business. No claims or Actions have been asserted or threatened against the Company or any of its Subsidiaries by any Person in relation to any actual or alleged Security Incident or otherwise for or arising as and to the extent required by a result of any actual or alleged violation, breach of such Person’s privacy, personal or confidentiality rights under any applicable Law (“laws, rules, policies, procedures or Contracts, or other non-compliance with or of any Privacy and Data Security Policies”)Requirement in each instance. (b) To the Company’s knowledgeThe Company and its Subsidiaries are not, there is (and since the Lookback Date there January 1, 2019 have not been, subject to a Governmental Order of, or since January 1, 2019 have received a notice from, and has been) no material Proceeding pending ornot been required to notify, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other a Governmental Entity, foreign Authority regarding actual or domestic; alleged non-compliance with or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy Requirement. The Company and Data Security Policies norits Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingright to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To Each of the Company’s knowledgeand its Subsidiaries’ current and former third-party data suppliers, since the Lookback Date: (i) no person has alleged vendors, and partners that Process or given written notice of unauthorized have access to, to any Company PII or use, disclosure, or Processing of other Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries are in material compliance with the Privacy Requirements and there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a Group Company; (iibreach, violation or default) no person has alleged by any such supplier, vendor or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person other partner of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectPrivacy Requirements. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation The consummation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have transactions contemplated by this Agreement will not been breach any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessPrivacy Requirements.

Data Privacy and Security. (a) To Each of the Company’s knowledgeLeading Group Companies is and during the last five (5) years has been in compliance in all material respects with all applicable cybersecurity, each data security and personal information protection Laws and contractual obligations binding upon such Leading Group Company has implemented adequate written policies relating to the Processing receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security, disposal, destruction, disclosure or transfer of Personal Data as personal data, including any applicable Laws relating to transferring personal information and to other data outside of the extent required by applicable Law (“Privacy and Data Security Policies”)PRC. (b) To As of the Company’s knowledgedate of this Agreement, the Company has not received notice of any pending Action, nor has there is (and since the Lookback Date there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Action against or involving any Leading Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general general, Ministry of Industry and Information Technology of the PRC (including its local counterparts) or similar state official; (ii) official or any other Governmental EntityAuthority (whether in the United States, foreign Cayman Islands or domesticPRC); or (iii) any regulatory or self-regulatory entity) other Governmental Authority, in each case, alleging that any Processing processing of Personal Data personal data by or on behalf of a member of the Leading Group Company Companies is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingrequirements under Section 3.33(a). (c) To During the Company’s knowledge, since the Lookback Date: last five (5) years (i) there has been no person has alleged or given written notice material unauthorized processing of unauthorized access to, or use, disclosure, or Processing of Personal Data personal data in the possession or control of any Leading Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; service providers thereto, (ii) there have been no person has alleged or given written notice of material unauthorized intrusions or breaches of security into any of the IT systems under the control of any Leading Group Company IT Systems; and (iii) none of no Leading Group Company has experienced any security risk or incident that triggers the Group Companies breach notification obligation under the applicable cybersecurity, data security and personal information protection Laws or has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effectactually made such breach notification. (d) Each Leading Group Company owns or has license a binding Contract in place to use such Company the IT Systems systems as necessary to operate its business as currently conducted in all material respects. (e) Each Leading Group Company has implemented and established data safeguards against the destruction, loss, damage, corruption, alteration, loss of integrity, commingling or unauthorized access, acquisition, use, disclosure or other processing of personal data that are consistent with industry standards and the requirements of applicable Law in all material respects. Each Leading Group Company maintains backups of all data used to conduct the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation such member of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused Leading Group Companies at a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessreasonable frequency.

Data Privacy and Security. (a) To the Company’s knowledge, each Each Group Company is, and has implemented adequate written policies relating to been since June 1, 2018 in compliance in all material respects with HIPAA and within a reasonable time thereafter through the Processing of Personal Data as and to the extent required by present was materially complaint with all applicable Law Privacy Laws (“Privacy and Data Security PoliciesCompliance Dates”). (b) To The Group Companies have complied with and are in material compliance with all applicable Privacy Obligations. The Group Companies have adopted and published privacy notices and policies that accurately describe their privacy practices, and they have complied and are in compliance with those notices and policies. The Group Companies have contractually obligated all third parties Processing Personal Data on their behalf to comply with applicable Privacy Obligations. The execution, delivery, performance and consummation of the Company’s knowledgetransaction contemplated hereunder (including the Processing of Personal Data in connection therewith) comply with the Group Companies’ applicable privacy notices and policies and with all applicable Privacy Obligations. (c) The Group Companies have implemented and maintain a written information security program comprising reasonable administrative, there is physical, and technical safeguards that are designed to protect against unauthorized access to or use of or loss of access to the Group Companies’ internal computer systems (the “Company Systems”) or the Group Companies’ Sensitive Data, and consistent with the Group Companies’ Privacy Obligations, and any written contractual commitment made by the Group Companies related to privacy or information security. (d) Each Group Company has completed a security “risk analysis” (as required by 45 C.F.R. § 164.308(a)(1)(ii)(A)) in compliance with HIPAA at least once every 12 months since the Lookback Date requirement to perform such a security risk analysis first became applicable to it. (e) The Company has not received notice of any claims, investigations, or pending Proceedings, nor has there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company Company, initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; or (iiiii) any other Governmental Entity, foreign in each case, alleging violations of Laws or domestic; other Privacy Obligations with respect to Personal Data possessed by any Group Company. (f) There have not been any incidents of, or third party claims, since June 1, 2018, alleging, (i) Security Breaches, (ii) unauthorized access to or use of or loss of access to as a result of any actions by an unauthorized party any of the Company Systems or other technology necessary for the operations of the business, or (iii) any regulatory unauthorized access or self-regulatory entity) alleging that acquisition of any Processing of Personal Sensitive Data maintained by the Group Companies or by any third party service provider on behalf of a any Group Company. No Group Company is has notified in writing, or was been required by applicable Law, Governmental Entity or other Privacy Obligation to notify in violation writing, any Person or Governmental Entity of any Privacy Security Breach. No Group Company has received any notice of any claims, investigations (including investigations by a Governmental Entity), or alleged violations of Laws or other Privacy Obligations with respect to Personal Data possessed by any Privacy Group Company. No Group Company has had a “breach” as defined by HIPAA of unsecured protected health information (as defined under HIPAA) and Data Security Policies nor, to the Company’s knowledge, is there extent that any Group Company has had a “breach” as defined by HIPAA of unsecured protected health information (nor since the Lookback Date as defined under HIPAA) such Group Company has there been) any basis for the foregoingreported each such breach as required by applicable contracts and Law to all applicable Persons and Governmental Entities. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (dg) Each Group Company owns or has license to use current and valid Business Associate Agreements with each business associate of the applicable entity that is a Business Associate (as such Company IT Systems as necessary to operate the business of each terms are defined by HIPAA). Since June 1, 2018, no Group Company as currently conductedhas received written notice of a “breach” under the Privacy Laws or a material breach of contractual obligations by any Business Associate. All Company IT Systems are: (i) free from Since June 1, 2018, no Business Associate has breached in any material defect, bug, virus respect any Business Associate Agreement or programming, design other data privacy or documentation error security contractual obligations between a Business Associate and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the a Group Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To the Company’s knowledgeEach Group Company has since January 1, each 2017 (i) complied in all material respects with all applicable Privacy Laws and published interpretations by Governmental Entities and supervisory authorities of such Privacy Laws. Each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”)) and has complied in all material respects with all Privacy and Data Security Policies, including (A) all privacy policies and similar disclosures published on each web site or mobile app of the Group Company or otherwise communicated in writing to users of any such web site or mobile app and other third parties, (B) any notice to or consent from the provider or data subject of Personal Data, and (C) any contractual commitment made by the Group Company with respect to such Personal Data. (b) To the There is no pending, nor has there been any material Proceedings against any Group Company’s knowledge, there is (and since the Lookback Date there has been) no material Proceeding pending orand, to the Company’s knowledge, threatened against there are no facts or involving circumstances which could reasonably serve as the basis for any Group Company such material Proceedings, initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; or (iiiiv) any supervisory authority of any member state of the European Union or the United Kingdom, or any regulatory or self-regulatory entity) entity alleging that any Processing of Personal Data by or on behalf of a Group Company (A) is in violation of any applicable Privacy Laws or was (B) is in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingPolicies. (c) To the Company’s knowledge, since the Lookback Date: (i) Since January 1, 2018, to the knowledge of the Company, there has been no person has alleged material personal data breaches (as defined in the GDPR), unauthorized access, use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group Company or and any of its contractors or service providers with regard to any Personal Data obtained from or on behalf of a Group Company; Company and (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Group Company IT Systems; and (iii) none systems. Each Group Company maintains a commercially reasonable data breach response plan that is designed to ensure material compliance with Privacy Laws in the event of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effectpersonal data breach. (d) Each Except as set forth on Section 3.21(d) of the Company Disclosure Schedules, each Group Company owns or has license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All The Company IT Systems are: (i) free from any material defectare sufficient to operate the Business and the Company owns or has valid and enforceable rights to use the Company IT Systems. The Company has commercially reasonable backup and disaster recovery plans, bug, virus or programming, design or documentation error procedures and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary facilities for the operation business of the Business (except for ordinary wear Group Companies, and tear)has taken and implemented commercially reasonable technical, organizational and security measures to safeguard the Company IT Systems and all data and information processed on the Company IT Systems. To the knowledge of the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns no unauthorized intrusions or continued substandard performance breaches of any Company IT Systems that have caused a material failure or disruption the security of the Company IT Systems or infections by viruses or other than routine failures harmful code. The Company IT Systems operate in a reasonable manner sufficient for the needs of the business of the Group Companies as currently conducted, and there has not been any material known malfunction with the Company IT Systems that has not been remedied or disruptions that have been remediated replaced in all material respects, or any material unplanned downtime or material service interruption. (e) Each Group Company has (a) taken commercially reasonable organizational, physical, administrative and technical measures required by Privacy Laws and consistent with commercially reasonable industry standards in the ordinary course industry in which the Group Company operates, any existing contractual commitment made by the Group Company that is applicable to Personal Data and the Group Company's information security program to protect (i) the integrity, security and operations of businessthe Group Company's information technology systems, and (ii) the data owned by the Group Company and Personal Data against data security incidents or other misuse. The Group Company has (a) implemented commercially reasonable procedures, satisfying the requirements of applicable Privacy Laws, to detect data security incidents; and (b) implemented and monitored compliance with commercially reasonable measures with respect to technical and physical security, to protect Personal Data against loss and against unauthorized access, use, modification, disclosure or other misuse.

Data Privacy and Security. DOCPROPERTY "CUS_DocIDChunk0" (a) To Except as disclosed in the Company’s knowledgeCommission Documents, each Group the Company has and its Subsidiaries have implemented adequate written internal and external policies relating to the Processing of Personal Data as and to the extent required by applicable Privacy Law (“Privacy and Data Security Policies”). Except as disclosed in the Commission Documents, for the past three (3) years, each of the Company and its Subsidiaries has at all times complied in all material respects with all applicable Privacy Laws, the Privacy and Data Security Policies, and contractual obligations entered into by the Company or any of its Subsidiaries relating to the Processing of Personal Data and any other applicable industry standards or requirements binding upon the Company or any of its Subsidiaries (collectively, the “Privacy Requirements”). (b) To Except as disclosed in the Company’s knowledgeCommission Documents, the Company has not received notice of any pending Proceedings, nor has there is (and since been any material Proceedings against the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against Company or involving any Group Company of its Subsidiaries initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; or (iiiiv) any regulatory state, federal, or self-regulatory entity) international data protection authority, in each case, alleging that any Processing of Personal Data by or on behalf of a Group the Company or any of its Subsidiaries is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingRequirements. (c) To Except as disclosed in the Company’s knowledgeCommission Documents, since for the Lookback Date: past three (3) years, (i) there has been no person has alleged material unauthorized access, use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group the Company or any of its contractors with regard to Subsidiaries and/or any Personal Data obtained from of the service providers of the Company or on behalf any of a Group Company; its Subsidiaries and (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none Systems under the control of the Group Companies has notified Company or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effectits Subsidiaries. (d) Each Group of the Company and its Subsidiaries owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group the Company and its Subsidiaries as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) conducted in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation respects. (e) Each of the Business (except for ordinary wear Company and tear). To its Subsidiaries is, and at all times has been, in material compliance with all legal requirements that are applicable to each of the Company’s knowledgeand its Subsidiaries’ business as presently conduct pertaining to sales, since marketing, and electronic communications, including, without limitation, the Lookback DateU.S. CAN-SPAM Act, there have not been any material failuresthe U.S. Telephone Consumer Protection Act (TCPA), breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption and the Fair Credit Reporting Act (FCRA). (f) Each of the Company IT Systems other than routine failures and its Subsidiaries has reasonable procedures in place to ensure that the third parties with which the Company and its Subsidiaries shares or disruptions transfers Personal Data are required to protect the confidentiality of the shared or transferred Personal Data in compliance with all applicable Privacy Requirements. Each of the Company and its Subsidiaries has contractual arrangements with such third parties that have been remediated in comply with all applicable Privacy Requirements to the ordinary course extent applicable to the third party’s services, use, or processing of businessPersonal Data.

Data Privacy and Security. (a) To The Company and its Subsidiaries complies, and during the past three (3) years has complied, and to the Knowledge of the Company each Data Processor complies and during the past three (3) years has complied, with all Privacy and Security Requirements and all Data Requirements. The Company’s knowledgeand its Subsidiaries’ processing of Personal Information or Personal Data and Company Data is and, each Group during the past three (3) years, has been in compliance with, applicable Data Requirements. Neither the Company nor any of its Subsidiaries permits the processing of Personal Information or Personal Data outside, and has implemented adequate written policies relating not transferred Personal Information or Personal Data to a country or territory outside, of the Processing United States, the European Economic Area or the United Kingdom in material breach of the Data Protection Laws. For the avoidance of doubt, all disclosures or transfers of Personal Data as and have complied with all applicable requirements set out in the Data Protection Laws. From the date which is three (3) years prior to the extent required by applicable Law (“date hereof through the Closing Date, neither the Company, its Subsidiaries nor the Knowledge of the Company, any other Person has received notice of any complaint, investigation, correspondence, communication or other inquiry from any Governmental Authority or data subject regarding any actual, alleged or possible violation of, or failure to comply with, any Data Requirements or any Privacy and Security Requirement by the Company, its Subsidiaries or, any Data Processor. There is not currently pending and there has not been within the last three (3) years any third-party claim against any member of the Company nor its Subsidiaries alleging any violation of, or failure to comply with, any Privacy and Security Policies”)Requirement. If Seller participates in such cross-border data transfers, Seller has entered into a written contract with each Data Processor that is used by Seller and, where Seller acts as a processor, a written contract has been executed with any data controller, in each case that complies with the requirements of the Data Protection Laws. Neither Seller nor any of its Data Processors is in violation of any restrictions on the transfer of data across national borders that are contained in any contracts or agreements to which Seller is bound. (b) To The Company and each of its Subsidiaries has provided and complied with all requisite notices and obtained all required consents, and satisfied all other requirements necessary for the processing of Company Data and Personal Information or Personal Data by the Company and/or its Subsidiaries as currently conducted. Neither the Company’s knowledge, there is (and since the Lookback Date there has been) no material Proceeding pending orits Subsidiaries, nor, to the Knowledge of the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entityof its Data Processors, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws restrictions on the transfer of data across national borders that are contained in any Data Agreement. During the past three (3) years, there has been no Security Incident, nor any material: (i) loss or theft of data, accidental or unlawful destruction, alteration, security breach, personal data breach or accidental or unauthorized access, disclosure or use relating to data (including Company Data) in the possession, custody or control of the Company or its Subsidiaries, or (ii) unintended or improper disclosure of any Privacy and such data (including Company Data Security Policies norin the possession, custody or control of the Company, its Subsidiaries, or a contractor or agent in its provision of material services to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing). (c) To The transactions to be consummated hereunder as of the Company’s knowledge, since the Lookback Date: (i) no person has alleged Closing Date will not cause or given written notice of unauthorized access to, constitute a breach or use, disclosure, or Processing of Personal Data in the possession or control violation of any Group Data Requirements, privacy notice or any other Privacy and Security Requirement by the Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse EffectSubsidiaries. (d) Each Group Company owns or has license The Company, its Subsidiaries, and, to use such Company IT Systems as necessary the Knowledge of the Company, its Data Processors each adhere to operate the business of each Group Company as currently conducted. All Company IT Systems are: a privacy and information security program that (i) free from any material defectconsists of appropriate organizational, bugadministrative, virus physical and technical safeguards designed to safeguard the Company Systems, Company Data and the processing of Personal Information or programmingPersonal Data against the unauthorized or unlawful processing of, design or documentation error accidental loss or damage and (ii) meets relevant industry standards, all applicable requirements of the Privacy and Security Requirements, and all applicable requirements of applicable Law. Except as set forth on Schedule 3.25(d), the Company and its Subsidiaries have employed industry standard encryption on Personal Information or Personal Data at rest and in sufficiently good working condition transit, and on all Company Systems, including on portable devices containing or transmitting confidential information or Personal Information or Personal Data. (e) Within the past three (3) years, (i) no actual or suspected Security Incident has occurred (including any loss of confidentiality, integrity or availability) with respect to effectively any Company Systems, nor the Company Systems of its Subsidiaries, or confidential information or Personal Information or Personal Data thereon, and no Person has, or is suspected to have obtained, used, accessed, disclosed, or otherwise processed any Personal Information or Personal Data or confidential information or Company Systems or the Company Systems of its Subsidiaries, including for any illegal, wrongful or unauthorized purpose; (ii) neither the Company nor any of its Subsidiaries have experienced any interruption or disruption to its IT systems or to the business conducted by the Company and/or its Subsidiaries in connection with any event affecting Company Systems, and (iii) no claims have been asserted or, to the Knowledge of the Company, threatened in writing against the Company or its Subsidiaries relating to data security, privacy, or the storage, transfer, use or processing of Company Data or Personal Information or Personal Data under any Data Agreements. (f) The Company Systems are sufficient for the Company’s and its Subsidiaries’ current operations (including as to capacity, scalability and ability to process current volumes in a timely manner) and operate and perform in all material information technology operations necessary for respects as required in connection with, the operation of the Business business of the Company and/or its Subsidiaries as presently conducted. During the past three (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date3) years, there has been no material breach, intrusion, or unauthorized use of or access to any Company Systems, and the Company Systems have had no material errors or defects that have not been any reasonably mitigated in all material failuresrespects, breakdowns and contain no code designed to disrupt, disable, harm, distort or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.otherwise

Data Privacy and Security. (a) To The Company Group has at all times complied in all material respects with all applicable Privacy and Data Security Obligations. Neither (i) the Company’s knowledgeexecution, each Group Company has implemented adequate written policies relating delivery or performance of this Agreement or any other agreements referred to in this Agreement, nor (ii) the Processing consummation of Personal any of the Transactions, will result in violation of any applicable Privacy and Data as and Security Obligations or any Privacy Policy. (b) Without limiting the foregoing: (i) to the extent required by applicable Law (“any Privacy and Data Security Obligations (A) the Company Group has maintained and posted Privacy Policies providing adequate notice of its privacy, data protection and data security practices regarding the Processing of information, including Personal Information, and (B) the Company Group has at all times posted such Privacy Policies in a clear and conspicuous location on the Company’s external websites and on internal Company websites (as relevant); (ii) true, correct and complete copies of all Privacy Policies (including all available prior and superseded versions thereof) have been provided to Parent; and (iii) no member of the Company Group has made any false or misleading statements in its Privacy Policy or marketing materials. No member of the Company Group has received any written complaint or inquiry, nor is any Proceeding pending or threatened in writing against the Company Group, alleging any breach by the Company Group of any applicable Privacy and Data Security Obligations. (c) The Company Group has at all times implemented and maintained in place appropriate (i) technical and organizational measures; (ii) administrative security programs, policies, procedures; and (iii) such other measures, in each case, that protect Company IT Systems and Personal Information in the possession or under the control of the Company Group against reasonably anticipated threats and hazards to their security and the unauthorized use or disclosure thereof, and include comprehensive plans, policies, procedures and administrative, technical and physical safeguards to protect the Company IT Systems and Personal Information and other material data in the possession or under the control of the Company Group from destruction, loss, alteration, damage, unauthorized access or disclosure or illegal or unauthorized Processing (“Security Policies”). The Company Group has at all times been in compliance with all applicable Security Policies. (bd) To Except as set forth in Section 2.13(d) of the Company’s knowledgeDisclosure Schedule, during the last three (3) years, there has not been (i) any material breach, unauthorized access or other actual or suspected non-compliance related to Privacy and Data Security Obligations, (ii) any information security or privacy breach event that has resulted in or would require notification to any Governmental Authority or other Person by or on behalf of the Company Group under any Privacy and Data Security Obligations, or (iii) any use, access or disclosure by any Person of any Company IT Systems or any Personal Information in the possession or under the control of the Company Group for any illegal or unauthorized purpose. (e) No member of the Company Group has received notice of any claims, and there is (and since the Lookback Date there has been) no material Proceeding pending or, to the Knowledge of the Company’s knowledge, being threatened or reasonably likely to be brought against or involving any the Company Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of either a Group Company is or was in material violation of any Privacy Laws Person’s rights under, or non-compliance, breach or compromise of, any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingObligations. (cf) To The Company Group has at all times established legal basis, made all required disclosures to, and obtained all consents from, users, customers, employees, contractors, governmental bodies and other applicable third parties required by all applicable Privacy and Data Security Obligations and as necessary for their respective Processing of Personal Information in connection with the Company’s knowledgeconduct of their business as it has been conducted and currently planned to be conducted, since and has filed any and all required registrations with the Lookback Dateapplicable data protection authority. (g) Except as set forth in Section 2.13(g) of the Disclosure Schedule, the Company and all other members of the Company Group have entered into written agreements, where required, with all third parties, including subcontractors, third-party vendors, suppliers and customers, that satisfy the requirements of the Privacy and Data Security Obligations, including by correctly identifying the roles and responsibilities of the parties to such agreements and incorporating any contractual provisions mandated by applicable Privacy Laws. (h) Without limiting the foregoing, the Company Group has taken steps to limit access to Personal Information to: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard their respective personnel and to any Personal Data obtained from subcontractors and third-party vendors providing services to or on behalf of a the Company Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, exceptas applicable), in each case, as would not case to those who have a need to know such Personal Information in the execution of their duties to the Company Material Adverse Effect. Group (das applicable) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) such other Persons permitted to access such Personal Information in sufficiently good working condition accordance with the Privacy Policies, and contractual obligations to effectively perform all material information technology operations necessary for which the operation of the Business (except for ordinary wear and tear)Company Group is bound. To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance In respect of any Company IT Systems that have caused a material failure international transfers of Personal Information subject to the GDPR or disruption of the UK GDPR, the Company IT Systems other than routine failures Group has valid data transfer safeguards in place that comply with the GDPR or disruptions that have been remediated in the ordinary course of businessUK GDPR (as relevant).

Data Privacy and Security. Except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole: (a) To the Company’s knowledge, each Each Group Company has implemented adequate (i) written policies relating to the Processing of Personal Data as and to the extent required by applicable Law and (ii) reasonable data security safeguards designed to protect the security and integrity of its Company IT Systems and any Personal Data or other Business Data, including implementing reasonable procedures designed to prevent unauthorized access and the introduction of Disabling Devices (collectively, the “Privacy and Data Security Policies”). Each Group Company currently and since the Reference Date has complied in all material respects with (A) all applicable Privacy Laws and (B) any applicable Privacy and Data Security Policies (collectively, the “Privacy and Data Security Requirements”). No Group Company has inserted and, to the knowledge of the Company, no other Person has inserted or alleged to have inserted any Disabling Device in any of the Company IT Systems or Company Product. (b) To the Company’s knowledgeThe Company has not received notice of any pending Proceedings, nor has there is (and since the Lookback Date there has been) no been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; , (ii) the Office of the Privacy Commissioner of Canada, or (iii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company (A) is in violation of any applicable Privacy Laws or was (B) is in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingRequirements. (c) To Since the Company’s knowledgeReference Date, since the Lookback Date: (i) there has been no person has alleged or given written notice of unauthorized access to, or use, disclosure, to or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; and (ii) to the Company’s knowledge, there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into Security Incidents with respect to any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.

Data Privacy and Security. (a) To The Company and its Subsidiaries have at all times for the Company’s knowledgepast three (3) years complied in all material respects with all applicable Privacy Laws, each Group Privacy and Data Security Policies (as defined below) and contractual commitments relating to the Processing of Personal Data (collectively, the “Privacy Requirements”). The Company has implemented adequate written policies relating to the Processing of Personal Data Data, as and to the extent required by applicable Law Laws (“Privacy and Data Security Policies”). (b) To For the Company’s knowledgepast three (3) years, there is (and since the Lookback Date there has been) no material Proceeding pending ornot been any and, to the Company’s knowledge, threatened knowledge there is no pending Proceeding against the Company or involving any Group Company of its Subsidiaries initiated by any Person (including (i) any Person, (ii) the United States Federal Trade Commission, any state attorney general or similar state official; , (iiiii) any other Governmental Entity, foreign or domestic; , or (iiiiv) any regulatory or self-regulatory entity) , alleging that any Processing of Personal Data by or on behalf of a Group the Company or any of its Subsidiaries is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingRequirements. (c) To the Company’s knowledge, since during the Lookback Date: past three (i3) years, there has been no person has alleged breach of security resulting in unauthorized access, use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group the Company or any of its Subsidiaries or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged the Company or given written notice any of its Subsidiaries, or any unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified Company’s or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effectits Subsidiaries’ systems. (d) Each Group The Company owns and its Subsidiaries own or has have a license to use such the Company IT Systems as necessary to operate the business of each Group Company Business as currently conducted. All , and the Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error operate and (ii) perform in sufficiently good working condition a manner that permits the Company and its Subsidiaries to effectively perform all material information technology operations necessary for the operation of conduct the Business (except for ordinary wear and tear)as currently conducted. To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption none of the Company IT Systems contain any worm, bomb, backdoor, clock, timer or other than disabling device, code, design or routine failures that causes the Software of any portion thereof to be erased, inoperable or disruptions that otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized person. (e) The Company has taken commercially reasonable organizational, physical, administrative and technical measures required by the Privacy Requirements, and consistent with industry standards, designed to protect the integrity, security and operations of the Company IT Systems. The Company and its Subsidiaries have been remediated implemented commercially reasonable procedures, satisfying the requirements of applicable Privacy Laws in all material respects, designed to detect data security incidents and to protect Personal Data against loss and against unauthorized access, use, modification, disclosure or other misuse. (f) The consummation of any of the transactions contemplated by this Agreement or any of the Ancillary Documents will not violate any applicable Privacy Requirements, except as would not reasonably be expected to be, individually or in the ordinary course aggregate, material to the Company and its Subsidiaries, taken as a whole, or as would not reasonably be expected to have, individually or in the aggregate, a material adverse effect on the ability of businessthe Company and Pubco to consummate the Mergers.

Data Privacy and Security. (a) To Except as disclosed in the Company’s knowledgeCommission Documents, each Group the Company has and its Subsidiaries have implemented adequate written internal and external policies relating to the Processing of Personal Data as and to the extent required by to comply in all material respects with applicable Privacy Law (“Privacy and Data Security Policies”). Except as disclosed in the Commission Documents, for the past three (3) years, each of the Company and its Subsidiaries has at all times complied in all material respects with all applicable Privacy Laws, the Privacy and Data Security Policies, and contractual obligations entered into by the Company or any of its Subsidiaries relating to the Processing of Personal Data and any other applicable industry standards or requirements binding upon the Company or any of its Subsidiaries (collectively, the “Privacy Requirements”). (b) To Except as disclosed in the Company’s knowledgeCommission Documents, the Company has not received notice of any pending Proceedings, nor has there is (and since been any Proceedings against the Lookback Date there has been) no material Proceeding pending or, to the Company’s knowledge, threatened against Company or involving any Group Company of its Subsidiaries initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; or (iiiiv) any regulatory state, federal, or self-regulatory entity) international data protection authority, in each case, alleging that any Processing of Personal Data by or on behalf of a Group the Company or any of its Subsidiaries is or was in violation of any Privacy Laws Requirements, except in each case of clauses (i) through (iv), as would not, individually or any Privacy and Data Security Policies norin the aggregate, reasonably be expected to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoinghave a Material Adverse Effect. (c) To Except as disclosed in the Company’s knowledgeCommission Documents, since for the Lookback Date: past three (3) years, (i) there has been no person has alleged material unauthorized access, use or given written notice of unauthorized access to, or use, disclosure, or Processing disclosure of Personal Data in the possession or control of any Group the Company or any of its contractors with regard to Subsidiaries and/or any Personal Data obtained from of the service providers of the Company or on behalf any of a Group Company; its Subsidiaries and (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none Systems under the control of the Group Companies has notified Company or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effectits Subsidiaries. (d) Each Group of the Company and its Subsidiaries owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group the Company and its Subsidiaries as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) conducted in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation respects. (e) Each of the Business (except for ordinary wear Company and tear). To its Subsidiaries is, and at all times since January 1, 2021 has been, in material compliance with all legal requirements that are applicable to each of the Company’s knowledgeand its Subsidiaries’ business as presently conduct pertaining to sales, since marketing, and electronic communications, including, without limitation, the Lookback DateU.S. CAN-SPAM Act, there have not been any material failuresthe U.S. Telephone Consumer Protection Act (TCPA), breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption and the Fair Credit Reporting Act (FCRA). (f) Each of the Company IT Systems other than routine failures and its Subsidiaries has reasonable procedures in place to ensure that the third parties with which the Company and its Subsidiaries shares or disruptions transfers Personal Data are required to protect the confidentiality of the shared or transferred Personal Data in material compliance with all applicable Privacy Requirements. Each of the Company and its Subsidiaries has contractual arrangements with such third parties that have been remediated comply in all material respects with all applicable Privacy Requirements to the ordinary course extent applicable to the third party’s services, use, or processing of businessPersonal Data.

Data Privacy and Security. (a) To Except as set forth on Section 3.22(a) of the Company Disclosure Schedule, the Company and each of its Subsidiaries have implemented and followed in all material respects commercially reasonable physical, technical, organizational, and administrative security measures, policies, and procedures that are designed to: (i) mitigate potential security risks with respect to the Company’s knowledgeservices; (ii) comply with the Data Privacy Requirements, each Group Company has implemented adequate written policies (iii) identify security breach risks relating to the Processing of Personal Data as Company’s information technology systems, (iv) prevent security breaches, (v) identify, document, and remediate actual or suspected security breaches relating to the extent required Company’s information technology systems and the Company’s services, and (vi) at least annually, train all employees, consultants, agents, and contractors of the Company and each of its Subsidiaries applicable to their service to the Company, in (A) their responsibilities relating to compliance with Data Privacy Requirements, and (B) recognizing and minimizing security breach risks relating to the Company’s information technology systems, the Company’s services, and any customer data held by applicable Law (“Privacy the Company and Data Security Policies”)each of its Subsidiaries. (b) To No complaint, claim, enforcement action, or litigation that alleges any non-compliance by the Company’s knowledge, there is (and since the Lookback Date there Company or any of its Subsidiaries with any applicable Data Privacy Requirement has been) no material Proceeding pending been served on or, to the Knowledge of the Company’s knowledge, threatened initiated against the Company or involving any Group of its Subsidiaries and the Company initiated by and each of its Subsidiaries have not received any Person (including (i) the United States Federal Trade Commissionsubpoenas, demands, or other written notices from any state attorney general Governmental Entity investigating, inquiring into, or similar state official; (ii) otherwise relating to any other Governmental Entity, foreign actual or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in alleged violation of any Data Privacy Laws or any Privacy and Data Security Policies norRequirement and, to the Knowledge of the Company’s knowledge, is there (nor since the Lookback Date has there been) Company and each of its Subsidiaries are not under investigation by any basis Governmental Entity for the foregoingany actual or potential violation of any Data Privacy Requirement. (c) To The Company and each of its Subsidiaries have not experienced any security breaches within the Company’s knowledge, since the Lookback Date: past three (i3) no person has alleged years that would require law enforcement or given written notice of unauthorized access toGovernmental Entity notification, or use, disclosure, or Processing of Personal any remedial action under any applicable Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of business.Privacy

Data Privacy and Security. (a) To the Company’s knowledge, each Group Company has implemented adequate written policies relating Except as would not be material to the Processing of Personal Data as Business, the Company and the Company Subsidiaries, and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To Knowledge of the Company’s knowledge, there is (all vendors, processors, or other third parties Processing Personal Data for or on behalf of the Company and since the Lookback Date there has been) no material Proceeding pending orCompany Subsidiaries, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including are and have been at all times in compliance with (i) the United States Federal Trade Commissionterms and conditions of any and all of their own privacy policies and other external-facing policies or notices governing the use of Personal Data (each a “Company Privacy Policy”); and (ii) Privacy and Information Security Requirements ((i) and (ii) the “Company Privacy Commitments”). Except as would not be material to the Business, neither the execution, delivery or performance of this Agreement by the Company nor the consummation by the Company of the transactions contemplated hereby will (i) trigger or require any state attorney general notices to or similar state officialconsents from any Person; (ii) violate any other Governmental Entity, foreign or domesticCompany Privacy Commitments; or (iii) give rise to any regulatory right of termination or self-regulatory entity) alleging that any Processing of Personal Data by other right to impair or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to limit the Company’s knowledge, is there (nor since or the Lookback Date has there been) any basis for the foregoing. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard Subsidiaries’ right to own and/or Process any Personal Data obtained from used in or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business business of the Company or the Company Subsidiaries. (except b) Except as would not be material to the Business, (i) the Company and the Company Subsidiaries have at all times posted and prominently made available on its websites, mobile applications, intranet, internal regulations, other mediums made accessible to individuals and other mechanisms through which the Company or the Company Subsidiaries collect Personal Data, a Company Privacy Policy in conformance with Privacy and Information Security Requirements and have satisfied all other requirements necessary for ordinary wear their Processing of all Personal Data, (ii) all Company Privacy Policies are and tearhave at all times been accurate, not misleading or deceptive (including by omission). To , consistent and complete with the actual practices of the Company and the Company Subsidiaries with respect to the processing of Personal Data, and (iii) the Company and the Company Subsidiaries have in place written Contracts with (A) all third parties who Process, store or otherwise handle Personal Data on behalf of the Company and the Company Subsidiaries, or that otherwise receive Personal Data from the Company and the Company Subsidiaries, and (B) all of their customers regarding the Company’s knowledgeor the Company Subsidiaries’ Processing of Personal Data on behalf of such customers, since in each case, sufficient for the Lookback DateCompany’s and the Company Subsidiaries’ compliance with Company Privacy Commitments and that obligate the other Persons to comply with all applicable Privacy and Information Security Requirements. (c) The Company and the Company Subsidiaries have used commercially reasonable efforts to implement administrative, there physical and technical safeguards to (i) protect and maintain the confidentiality, integrity and security of Personal Data against any unauthorized use, access, disclosure, interruption, modification, destruction, comprise or corruption (a “Security Incident”); (ii) identify and address internal and external risks to the privacy and security of Personal Data in their possession or control; and (iii) provide immediate notification to the Company and/or the Company Subsidiaries in the case of Security Incident. (d) Neither the Company nor the Company Subsidiaries have suffered a Security Incident with respect to any of the Personal Data Processed by or, to the Knowledge of the Company, on behalf of, the Company or the Company Subsidiaries. Except as would not be material to the Business, neither the Company nor the Company Subsidiaries have (i) been legally or contractually required to provide any material failuresnotices to any Person in connection with an unauthorized disclosure of Personal Data with respect to the operation of the business, breakdowns or continued substandard performance has done so even if not legally or contractually so required; or (ii) received any written complaints or notices to, or been subject to audits, proceedings, investigations or claims asserted with respect to, by any Person or Governmental Authority, (A) the Company’s or the Company Subsidiaries’ Processing of any Company IT Systems that have caused a material failure or disruption Personal Data in connection with the businesses of the Company IT Systems other than routine failures and the Company Subsidiaries or disruptions (B) compliance with any Company Privacy Commitments and, to the Knowledge of the Company, there are no facts or circumstances in existence that have been remediated in the ordinary course of businesscan give rise to any such complaints, notices, audits, proceedings, investigations or claims.

Data Privacy and Security. (a) To the Company’s knowledge, each Each applicable Group Company involved in the collection of Personal Data subject to applicable Law has implemented adequate and, where applicable, posted written policies privacy notices relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”), except as would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (b) To Except as set forth in Section 3.20(b) of the Company’s knowledgeCompany Disclosure Schedules, there is (and since the Lookback Date there has been) no have not been any material Proceeding pending orProceedings, nor to the Company’s knowledgeknowledge are there any pending Proceedings, threatened against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; Entity or (iiiiv) any regulatory or self-regulatory entity) , in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company (A) is in violation of any applicable Privacy Laws or was (B) is in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingPolicies. (c) To Except as set forth in Section 3.20(c)(i) of the Company’s knowledgeCompany Disclosure Schedules, since the Lookback Date: , (i) there has been no person has alleged or given written notice Security Breach of unauthorized access toPersonal Data, or use, disclosure, or Processing of Personal Data confidential business information in the possession or control of any Group Company or or, to the Company’s knowledge, any of its contractors with regard to any Personal Data obtained from or third party service provider on behalf of a any Group Company; , and (ii) there have been no person has alleged or given written notice of unauthorized intrusions into or breaches Security Breaches of security into any Group Company IT Systems; and (iii) none systems networks, communication equipment or other technology necessary for the operations of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal DataCompanies’ business, except, in each casethe case of clauses (i) and (ii), as would not have a Company Material Adverse Effect. Except as set forth in Section 3.20(c)(ii) of the Company Disclosure Schedules, the Group Companies have not experienced any material successful unauthorized access to, use or modification of, or interference with Company IT Systems since the Lookback Date and none of the Group Companies is aware of any written or, to the knowledge of the Company, oral notices or complaints from any Person regarding such a Security Breach or incident, except in each case as would not have a Company Material Adverse Effect. Except as set forth in Section 3.20(c)(iii) of the Company Disclosure Schedules, (A) none of the Group Companies has received any written complaints, claims, demands, inquiries or other notices, including a notice of investigation, from any Person (including any Governmental Entity or self-regulatory authority) regarding any of the Group Companies’ Processing of Personal Data or compliance with applicable Privacy and Security Requirements, and (B) since the Lookback Date, none of the Group Companies have provided or have been obligated to provide notice under any Privacy and Security Requirements regarding any Security Breach or unauthorized access to or use of any Company IT System or Personal Data. (d) Each Group Company owns or has a license to use such the material Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All The Group Companies have in place disaster recovery and security plans and procedures, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. The Group Companies have a sufficient number of license seats for all Software included in the Company IT Systems, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (e) Except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole, the Group Companies are and have been in compliance with all applicable Privacy and Security Requirements since the Lookback Date. (f) The Group Companies have implemented reasonable physical, technical and administrative safeguards designed to protect the privacy, operation, confidentiality, integrity and security of all Company IT Systems are: and Personal Data in their possession or control from unauthorized access by any Person, including each of the Group Companies’ employees and contractors, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. (g) The Group Companies have used commercially reasonable efforts to ensure that all third party service providers Processing Personal Data, in each case on behalf of the Group Companies, to (i) free to maintain confidentiality of and use Personal Data only for the provision of services to the Group Companies, (ii) comply with applicable Privacy and Security Requirements; and (iii) use reasonable physical, technical and administrative safeguards to secure Personal Data from loss, theft, unauthorized access, use, modification, disclosure or other misuse. (h) The Group Companies own or have a valid and sufficient basis, license or other right, permission, or consent to collect and use all data used in or necessary for the conduct of their business as currently conducted consistent with Privacy and Security Requirements, except as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Group Companies, taken as a whole. Except as set forth in Section 3.20(h) of the Company Disclosure Schedules, to the Group Companies’ knowledge, (i) none of the Group Companies has been or is in material breach of any material defectContract, bug, virus or programming, design or documentation error and (ii) the consummation of the transactions contemplated herein will not result in sufficiently good working condition the loss or impairment of the Group Companies’ basis or rights to effectively perform use any data and will not result in the breach of, or create on behalf of any party, the right to terminate or modify any Contract to which any of the Group Companies is a party and pursuant to which any of the Group Companies is authorized or licensed to use any third-party data. (i) The Group Companies have, on each website and online service operated by the Group Companies, posted a privacy policy conforming in all material information technology operations necessary for respects with all applicable Privacy Laws. Each such privacy policy accurately discloses how the operation of the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Group Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessProcesses Personal Data.

Data Privacy and Security. (a) To the Company’s knowledgeThere is not, each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). (b) To the Company’s knowledge, there is (and since the Lookback Date there has never been) no material , any Proceeding pending or, to the Company’s knowledge, threatened threatened, against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, Commission or any state attorney general or similar state official; , (ii) any other Governmental Entity, foreign or domestic; domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Protected Data by or on behalf of a any Group Company is or was in violation of any Privacy Laws Requirements, nor are there or have there been valid grounds for any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingsuch Proceeding. (cb) To Except as set forth on Section 3.20(b) of the Company’s knowledgeCompany Disclosure Schedules, since the Lookback Date: (i) no person there has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal not been any Data in the possession or control of Breach involving any Group Company Company, or any of its contractors with regard to any Personal Protected Data obtained from or on behalf of a any Group Company; , (ii) there have been no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; , and (iii) none of the Group Companies has have been notified or been required to notify any Person of any (A) of the foregoing or any loss, theft or damage ofof Protected Data. (c) Each Group Company (i) has published and is in compliance with its public-facing privacy policies and its internal privacy policies and guidelines, (ii) has implemented and maintains commercially reasonable administrative, technical and physical measures, policies, procedures, and rules to ensure that Personal Data is protected against Data Breaches and other loss, damage, and unauthorized access, use, modification or other misuse, including a comprehensive written information security plan that complies with all applicable Privacy Requirements, (iii) has made all required disclosures to, and obtained any necessary consents from, users, customers, employees, contractors, governmental authorities and other applicable Persons required by applicable Privacy Requirements related to data privacy, data collection, data protection and data security and has filed any required registrations with the applicable data protection authority, and (iv) maintains systems and procedures to receive and effectively respond to complaints and, to the extent required by applicable Privacy Requirements, individual rights requests, in connection with each Group Company’s Processing of Personal Data, and each has complied with all such complaints and individual rights requests. To the Company’s knowledge, at all times (A) each Group Company has complied in all material respects with applicable Privacy Requirements, and (B) each Group Company has had valid and legal rights to Process all Protected Data that is Processed by or on behalf of such Group Company in connection with the use and/or operation of its products, services and business (including Company Products), and neither the execution, delivery or performance of this Agreement nor any of the other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, agreements contemplated by this Agreement will violate in each case, as would not have a Company Material Adverse Effectany material respects any applicable Privacy Requirements. (d) Each Group Company owns or has a license or other right to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. All To the Company’s knowledge, all Company IT Systems are: (i) are free from any material defect, bug, virus or programming, design or documentation error and do not contain any disabling software, code or instructions, spyware, Trojan horses, worms, viruses or other software routines that permit or cause unauthorized access to, or disruption, impairment, disablement, or destruction of, any software, data or other information (“Malicious Code”), (ii) are in sufficiently good working condition to effectively perform all material information technology operations necessary for the operation of the Business business of the Group Companies (except for ordinary wear and tear), and (iii) include safeguards consistent with industry standards and are designed to protect the security, confidentiality, availability, and integrity of the Group Companies’ Protected Data and includes appropriate backup, disaster recovery, and software and hardware support arrangements. To Each Group Company has taken reasonable precautions to (x) protect the Company’s knowledgeconfidentiality, since integrity and security of the Lookback DateCompany IT Systems and all information and data stored or contained therein or transmitted thereby from any theft, there corruption, loss or unauthorized use, access, interruption or modification by any Person and (x) ensure that all Company IT Systems and Company Products are (A) fully functional and operate and run in a reasonable and efficient business manner in all material respects, and (B) free from any bug, virus, malware, programming, design or documentation error, corruption, material defect, or Malicious Code. There have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been fully remediated in the ordinary course of business.

Data Privacy and Security. (a) To the Company’s knowledge, each Each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”). No Group Company has violated any applicable Privacy Requirements in any material respect, and each Group Company and the operation of the Business (including the Processing of Personal Data) complies, and has completed, in all material respects with all Privacy Requirements. The transactions contemplated by this Agreement and the consummation thereof will not violate any applicable Privacy Requirement. (b) To the Company’s knowledge, there is (and since the Lookback Date there has been) no There have not been any material Proceeding pending or, to the Company’s knowledge, threatened Proceedings against or involving any Group Company initiated by any Person (including (i) any Person, (ii) the United States Federal Trade Commission, any state attorney general or similar state official; official or (iiiii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) in each case, alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any applicable Privacy Laws Requirements or with respect to any Security Incident, and no Group Company has received written notice of any pending or threatened Proceedings, or provided (or been required to provide) notice to any Person, with respect to any of the foregoing or any Privacy Processing of Personal Data. Each Group Company has, with respect to all third party Company Data and all other material Company Data, all rights necessary to operate the business of such Group Company as currently conducted. All Company Data Security Policies nor, will continue to be available for Processing by and on behalf of the Group Companies following the Closing on terms and conditions identical to those under which the Company Data was available for Processing by and on behalf of the Group Companies immediately prior to the Company’s knowledgeClosing, without payment of any additional amounts or consideration. No Group Company has received any written communication from any Person from whom it acquires, purchases, is there provided, or engages in any other business relationship with respect to, Company Data to the effect that, and no Group Company has any reason to believe that, any such Person will stop or decrease the rate of, or materially alter the terms of, the business it conducts with (nor since or the Lookback Date has there beenCompany Data it provides for) the Group Companies. There are no suppliers of Company Data that are subjected to any basis for Processing in connection with the foregoingBusiness or any Company IT System with respect to which practical alternative sources of supply are not generally available on comparable terms (including price) and conditions in the marketplace. (c) To the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access to, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conductedconducted in all material respects. All The Company IT Systems are: (i) free from any , in all material defectrespects, bug, virus or programming, design or documentation error sufficient and (ii) in sufficiently good working condition (subject to effectively perform all material information technology operations necessary ordinary course maintenance and upgrades) for the operation of the Business (except for ordinary wear as currently operated. The Group Companies maintain commercially reasonable security, disaster recovery and tear)business continuity plans, procedures and facilities, and act in compliance therewith. To the knowledge of the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused are free from Malicious Code. The Group Company at all times (x) when such encryption would be reasonably required to meet industry security standards encrypts Personal Data in transit and at rest on all Company IT Systems, and (y) encrypts sensitive Personal Data (e.g., bank account information and social security numbers) in transit and at rest on all Company IT Systems. Since December 31, 2019, (i) no Group Company has been subject to or experienced a material failure or disruption Security Incident, and (ii) none of the Company IT Systems has had any material failures, breakdowns, continued substandard performance, or other than routine failures adverse events that has not been remedied or disruptions that have been remediated replaced in the ordinary course of businessall material respects.

Data Privacy and Security. (a) To the Company’s knowledgeEach Group Company is presently in compliance with, each and has at all times been in compliance with, in all material respects, all applicable Privacy and Security Requirements. Each Group Company has implemented adequate written policies relating to the Processing of Personal Data as and to the extent required by applicable Law (“Privacy and Data Security Policies”)Requirements. (b) To the Company’s knowledgeThere is no pending, and since April 1, 2020, there is (and since the Lookback Date there has been) no material Proceeding pending not been any Proceedings asserted or, to the Company’s knowledge, threatened against or involving any Group Company initiated by any Person (including (i) any Person; (ii) the United States Federal Trade Commission, any state attorney general or similar state official; (iiiii) any other Governmental Entity, foreign or domestic; or (iiiiv) any regulatory or self-regulatory entity) entity alleging that any Processing of Personal Data by breach or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies nor, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoingRequirement. (c) To the Company’s knowledge, since the Lookback Date: April 1, 2020 (i) there has been no person has alleged or given written notice of unauthorized access to, or use, disclosure, or other Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; , (ii) there have been no person has alleged or given written notice of unauthorized intrusions use, access, intrusions, interruptions, modifications, corruptions or breaches (including any ransomware attacks) of security into into, or other cyber or security incidents with respect to, any Company IT Systems; and System, (iii) none of the no Group Companies Company has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has a license to use such the Company IT Systems as necessary to operate the business of each Group Company as currently conducted. The Group Companies have taken commercially reasonable precautions, to protect the confidentiality, integrity and security of the material Company IT Systems (and all information and transactions stored or contained therein or transmitted thereby). All Company IT Systems are: are (i) to the Company’s knowledge, free from any “Trojan horse”, “virus”, “ransomware”, or other malicious code, material defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively operate and perform in all material information technology operations respects in accordance with their documentation and functional specifications and otherwise in the manner necessary for the operation of the Business business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback DateApril 1, 2020, there have not been any material failures, failures or breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption Systems. (e) The consummation of the Transactions shall not breach or otherwise cause any violation of any Privacy and Security Requirements, or result in any Group Company IT Systems other than routine failures being prohibited from receiving or disruptions that have been remediated using any Personal Data in the ordinary course of businessmanner currently received or used by such Group Company in all material respects.

Data Privacy and Security. (a) To the Company’s knowledge, each Group Company has implemented adequate written policies relating Except as disclosed to the Processing of Personal Data as and Purchaser in writing (including email) prior to the extent required by date hereof or in the Company Public Documents, the Company Entities currently comply and have complied at all times with applicable Law Company Privacy Policies and the Privacy Requirements in all material respects. The Company Entities have established and maintained a commercially reasonable Information Security Program, and there have been no material violations of the Information Security Program. The Company Entities have (“i) assessed and tested the Information Security Program on a no less than annual basis, (ii) remediated all critical, high and medium risks and vulnerabilities, and (iii) the Information Security Program has proven sufficient and compliant with Privacy and Data Security Policies”)Requirements in all material respects. (b) To the Company’s knowledge, there is (and since the Lookback Date there has been) no material Proceeding pending or, Except as disclosed to the Company’s knowledgePurchaser in writing (email included) prior to the date hereof or would not reasonably be expected to be material, threatened against or involving any Group Company initiated by any Person (including (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of a Group Company is or was in violation of any Privacy Laws or any Privacy and Data Security Policies norEntities and, to the Company’s knowledge, is there (nor since the Lookback Date has there been) any basis for the foregoing. (c) To Knowledge of the Company’s knowledge, since the Lookback Date: (i) no person has alleged or given written notice of unauthorized access totheir Data Processors have not suffered a Security Incident, or use, disclosure, or Processing of Personal Data in the possession or control of any Group Company or any of its contractors with regard to any Personal Data obtained from or on behalf of a Group Company; (ii) no person has alleged or given written notice of unauthorized intrusions or breaches of security into any Company IT Systems; and (iii) none of the Group Companies has notified or have not been required to notify any Person or Governmental Authority of any (A) lossSecurity Incident, theft and have not been adversely affected by any Malicious Code, ransomware or damage ofmalware attacks, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing denial-of, Personal Data, except, in each case, as would not have a Company Material Adverse Effect. (d) Each Group Company owns or has license to use such Company -service attacks on any IT Systems as necessary to operate the business of each Group Company as currently conducted. All Company IT Systems are: (i) free from any material defect, bug, virus or programming, design or documentation error and Systems; (ii) in sufficiently good working condition to effectively perform all material information technology operations necessary for neither the operation of Company Entities nor any third party acting at the Business (except for ordinary wear and tear). To the Company’s knowledge, since the Lookback Date, there have not been any material failures, breakdowns direction or continued substandard performance of any Company IT Systems that have caused a material failure or disruption authorization of the Company Entities have paid any perpetrator of any actual or threatened Security Incident or cyber attack, including, but not limited to a ransomware attack or a denial-of-service attack; (iii) the Company Entities have not received a written notice (including any enforcement notice), letter, or complaint from a Governmental Authority or any Person alleging noncompliance or potential noncompliance with any Privacy Requirements or Company Privacy Policies and has not been subject to any actions, suits, demands, orders or proceedings relating to noncompliance or potential noncompliance with Privacy Requirements or the Company Entities’ Processing of Personal Data; and (iv) the Company Entities are not in breach or default of any Contracts relating to the IT Systems other than routine failures or disruptions that have been remediated in the ordinary course of businessto Company Data and does not transfer Personal Data internationally except where such transfers comply with Privacy Requirements and Company Privacy Policies.