Common use of Data Privacy and Security Clause in Contracts

Data Privacy and Security. Each of Ultimate Parent and its Subsidiaries is, and has for the past three (3) years has been in compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect.

Data Privacy and Security. Each of Ultimate Parent and its Subsidiaries is, and has for the past three (3) years has been in compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,, to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect.

Data Privacy and Security. (i) Each Acquired Company’s data, privacy and security practices conform, and at all times have conformed, to all of Ultimate the Company Privacy Commitments, Privacy Laws and Company Data Agreements. Each Acquired Company has at all times (A) had the legal basis (including providing adequate notice and obtaining any necessary consents from individuals) required for the Processing of Personal Data as conducted by or for the Acquired Companies, (B) refrained from selling or sharing Personal Data with third parties for the third party’s benefit except as allowed under Applicable Law and (C) abided by any privacy choices (including opt-in and opt-out preferences, as required) of individuals relating to Personal Data (such obligations along with those contained in Company Privacy Policies, collectively, “Company Privacy Commitments”). Copies of all current and prior Company Privacy Policies have been Made Available to Parent and such copies are true, correct and complete. (ii) The Acquired Companies have established and maintained adequate technical, physical and organizational measures and security systems and technologies in compliance with data security requirements under Privacy Laws, Company Data Agreement and Company Privacy Commitments that are designed to protect Company Data against accidental or unlawful Processing, in a manner appropriate to the risks represented by the Processing of such data by each Acquired Company and its Subsidiaries isData Processors. The Acquired Companies and their Data Processors have taken commercially reasonable steps to train vendors, employees and contractors who Process Company Data on applicable material aspects of Privacy Law and Company Privacy Commitments and to ensure that all such vendors, employees and contractors with the authority and/or ability to Process Company Data are under written obligations of confidentiality with respect to Company Data. (iii) No Acquired Company has received or experienced and there is no circumstance (including any circumstance arising as a result of an audit or inspection carried out by any Governmental Body) that would give rise to any Action, Order, notice, communication, warrant, regulatory opinion, audit result or allegation from a Governmental Body or any other Person (including an end user): (A) alleging or confirming non-compliance with a relevant requirement of Privacy Laws or Company Privacy Commitments, (B) requiring or requesting any Acquired Company to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data; (C) permitting or mandating relevant Governmental Bodies to investigate, requisition information from, or enter the premises or any Acquired Company; or (D) claiming compensation from any Acquired Company. Each Acquired Company has responded to, and has for continues to promptly respond to, requests from individuals or other third parties, and there are no unsatisfied requests from individuals or other third parties to the past three Acquired Companies seeking to exercise any data protection or privacy rights (3such as rights to access, rectify, or delete Personal Data, to restrict or object to processing of Personal Data, or relating to data portability.) years No Acquired Company has been involved in any Actions, involving non-compliance or alleged non-compliance with Privacy Laws or Company Privacy Commitments. (iv) Schedule 3.11(s)(iv) of the Disclosure Schedule contains the complete list of notifications and registrations made by each Acquired Company under Privacy Laws with relevant Governmental Bodies in all material respects connection with all applicable Data Protection Requirements (other than the Disclosed Matters)Acquired Companies’ Processing of Personal Data. Each of Ultimate Parent All such notifications and its Subsidiaries,registrations are valid, accurate, complete and fully paid-up and, to the knowledge of Ultimate Parent and the Company, the consummation of the Transactions will not invalidate such Subsidiaries, has at all times, notification or registration or require such notification to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other be amended. Other than the Disclosed Matters). Neither Ultimate Parent nor any notifications and registrations set forth on Schedule 3.11(s)(iv) of its Subsidiaries sellsthe Disclosure Schedule, rents no other registrations or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) notifications are adequate for, and operate and perform in all material respects as required in connection with the operation Processing of Personal Data by the Acquired Companies. The Acquired Companies do not Process the Personal Data of any natural Person considered a child or minor under Applicable Law. The Acquired Companies do not target advertisements to any natural person considered a child or minor under Applicable Law. (v) Where any Acquired Company has used a Data Processor to Process Personal Data in the last three years, the processor has provided guarantees, warranties or covenants in relation to Processing of Personal Data, confidentiality, security measures and agreed to compliance with those obligations that are sufficient for such Acquired Company’s compliance with Privacy Laws and Company Privacy Commitments, and there is in existence a written Contract between such Acquired Company and each such Data Processor that complies with the requirements of all Privacy Laws and Company Privacy Commitments. The Company has Made Available to Parent true, correct and complete copies of all such Contracts. To the knowledge of the businesses of each of Ultimate Parent and its Subsidiaries as currently conductedCompany, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries such Data Processors have implemented and maintain appropriate physical, technical and administrative safeguards not breached any such Contracts pertaining to protect Personal Information processed Data Processed by or such Persons on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security Acquired Companies. (vi) No Acquired Company has transferred or permitted the transfer of IT Systems used Personal Data originating in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to sameEEA outside the EEA, except for those that where such transfers have been remedied without material cost or liability or complied with the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any requirements of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse EffectPrivacy Laws and Company Privacy Commitments.

Data Privacy and Security. Each (i) The Company and each of Ultimate Parent and its Subsidiaries issubsidiaries complies, and has for during the past three (3) years has complied, in all material respects, with all Privacy and Information Security Requirements. Neither the Company nor any of its subsidiaries has been notified in compliance writing of, or is the subject of, any complaint or proceeding or to the Company’s knowledge, any, regulatory investigation related to Processing of Personal Data by any Governmental Authority or payment card association, regarding any actual or possible violations of any Privacy and Information Security Requirement by or with respect to the Company or any of its subsidiaries. (ii) The Company and each of its subsidiaries employs commercially reasonable organizational, administrative, physical and technical safeguards that comply in all material respects with all applicable Privacy and Information Security Requirements to protect Company Data Protection Requirements within its custody or control and requires the same of all vendors under contract with the Company that Process Company Data on its behalf. The Company and each of its subsidiaries has provided all requisite notices and obtained all required consents, and satisfied all other requirements (other than including but not limited to notification to Governmental Authorities), necessary for the Disclosed Matters). Each Processing (including international and onward transfer) of Ultimate Parent all Personal Data in connection with the conduct of the business as currently conducted and its Subsidiaries,to in connection with the consummation of the transactions contemplated hereunder. (iii) To the knowledge of Ultimate Parent and such Subsidiariesthe Company, has at all times, to neither the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent Company nor any of its Subsidiaries sells, rents or otherwise makes available subsidiaries has suffered a material security breach with respect to any Person of the Company Data and to the Company’s knowledge, there has been no unauthorized or illegal use of or access to any Personal Information, except Company Data which would result in a manner that complies in all material respects with the applicable Data Protection RequirementsMaterial Adverse Effect. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects Except as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in Section 3.1(t)(iii) of the Disclosed Matters. Neither Ultimate Parent Company Disclosure Letter, neither the Company nor any of its Subsidiaries subsidiaries has received notified, or been required to notify, any written notice of (i) any actual or potential violation person of any Data Protection Requirementinformation security breach involving Personal Data. To the Company’s knowledge, the Company Systems have had no material errors or defects that have not been fully remedied and contain no code designed to disrupt, disable, harm, distort or otherwise impede in any material manner the legitimate operation of such Company Systems (including what are sometimes referred to as “viruses”, “worms”, “time bombs” or “back doors”) that have not been removed or fully remedied. Neither the Company nor any of its subsidiaries has experienced any material disruption to, or (ii) material interruption in, the conduct of its business that affected the business for more than one calendar week, and attributable to a defect, bug, breakdown, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the part of any commenced computer software or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse EffectCompany Systems.

Data Privacy and Security. Each of Ultimate Parent (a) The Company and its Subsidiaries ishave developed, implemented and has for maintained a written data protection, data privacy and cybersecurity program (the past three (3“Data Protection Program”) years has been that is in compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters)Privacy Requirements. Each of Ultimate Parent Since January 1, 2019, the Company and its Subsidiaries,to Subsidiaries have not experienced any material Security Incident. Since January 1, 2019, no Person has claimed any compensation or damages from the knowledge Company or any of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitationor has brought, adopting Privacy Policies that have been published or threatened in writing to bring, any website, mobile application Action against the Company or other electronic platform that accurately describe the privacy practices any of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, in relation to any actual or alleged Security Incident or otherwise for or arising as a result of any actual or alleged violation, breach or other than non-compliance with or of any Privacy Requirement. (b) Except as set forth in Section 5.14(b) of the Disclosed Matters). Neither Ultimate Parent nor any of Company Disclosure Schedule, since January 1, 2019, the Company and its Subsidiaries sellshave at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Company PII. The Company and its Subsidiaries are not, rents and since January 1, 2019, have not been, subject to a Governmental Order of, or otherwise makes available to have received a written notice from, a Governmental Authority regarding, actual or alleged non-compliance with or violation of any Person Privacy Requirement. (c) To the knowledge of the Company and except as set forth in Section 5.14(c) of the Company Disclosure Schedule, (i) each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Personal Information, except Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries are in a manner that complies compliance in all material respects with the applicable Data Protection Privacy Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3ii) years, there have been no breachesmaterial unauthorized or illegal Processing, violationsor other breach, outages violation or unauthorized uses default (or event that, with or without the giving of notice or accesses to samelapse of time, except would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements. Since January 1, 2019, no Security Incident has occurred for those that have been remedied without material cost which the Privacy Requirements would require the Company or liability or the duty its Subsidiaries to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority. (d) The consummation of the Transactions will not breach any Privacy Requirement, except as would not reasonably be expected to havebe, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a Material Adverse Effectwhole.

Data Privacy and Security. Each of Ultimate Parent (a) Seller complies and its Subsidiaries issince January 1, and 2021, has for the past three (3) years has been in compliance complied in all material respects with with, all: (i) applicable Privacy Laws; (ii) Seller’s published policies and contractual obligations; and (iii) all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,required industry standards including, to the knowledge extent applicable, the Payment Card Industry Data Security Standard and all other applicable requirements of Ultimate Parent the payment card brands, in each case as related to (A) the privacy of all individuals including all users of any web properties, applications, products and/or services of Seller, all Seller employees and such Subsidiariesall other individuals about whom Seller collects or processes Personal Information, has at all times(B) the collection, use, storage, retention, disclosure, transfer, disposal, or any other processing of any Personal Information collected or used by Seller; and (C) the recording or any interception of any communications (collectively, the “Privacy Requirements”). (b) Seller displays a privacy policy on each website owned, controlled or operated by Seller to the extent required by applicable Data Protection RequirementsPrivacy Laws, provided adequate notice and each such privacy policy incorporates all disclosures to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing required by the Privacy Laws. None of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have such privacy policy has been inaccurate, misleading or deceptive deceptive, or in violation of the Privacy Laws. (including by omissionc) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any Seller regularly conducts vulnerability testing or audits of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets systems and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate forproducts, and operate uses commercially reasonable efforts to remediate or document exceptions for any material vulnerabilities identified in such tests and perform in all material respects as required in audits. Seller uses commercially reasonable efforts to timely install software security patches and other fixes to identified technical information security vulnerabilities. (d) In connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect third-party processing Personal Information processed by or on behalf of Ultimate Parent and its SubsidiariesSeller, any other material confidential information and the integrity and security of IT Systems used in connection ▇▇▇▇▇▇ has entered into written data processing agreements with their businessesterms as required by applicable Privacy Laws. (e) Since January 1, and during the past three (3) years2021, there have not been any Actions against Seller related to any data security incidents, ransomware incidents, or any violations of any Privacy Requirements, and there are no breachesfacts or circumstances which would reasonably be expected to serve as the basis for any such allegations or claims. Since January 1, violations2021, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries Seller has not received any written or, to the Knowledge of Seller, oral, correspondence relating to, or notice of (i) any actual Actions or potential violation alleged violations of any Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, the Privacy Requirements from any Person person or Governmental Authority, except as would not reasonably be expected to have, individually and there is no such ongoing Action or in the aggregate, a Material Adverse Effectallegation.

Data Privacy and Security. Each of Ultimate Parent (a) Transferor and its Subsidiaries is, and has for the past three (3) years has been in compliance comply in all material respects with all applicable Data Protection Requirements (other than Laws that govern the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosureprocessing, disclosure and protection of personally identifiable information (“PII”) (“Data Protection Laws”). The Transferred Business has in place, and operates in accordance with, reasonable procedures to comply with any Data Protection Laws applicable to the Transferred Business. As it relates to the Transferred Business, all arrangements made for the outsourcing to any third party of the processing of PII, or the international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiariesany PII, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies comply in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries Laws. (collectively, “IT Systems”b) are adequate for, and operate and perform in all material respects as required in connection with In the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past preceding three (3) years, there Transferor and its Subsidiaries, with respect to the Transferred Business, have been no breachespublicly posted a privacy policy that conforms with Data Protection Laws and fairly and accurately describes, violationsin all material respects, outages the actual practices of the Transferred Business with respect to the collection, retention, use and disclosure of PII. Transferor has delivered or unauthorized uses made available to Buyer true, complete, and correct copies of all such privacy policies in effect during the preceding three (3) years. (c) During the preceding three (3) years, neither the Transferred Business nor Transferor or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries with respect to the Transferred Business has suffered any personal data breach that would require, under Data Protection Laws, Transferor or any of its Subsidiaries with respect to the Transferred Business to notify individuals whose information was compromised in that breach or any regulatory agency. (d) During the preceding three (3) years, neither the Transferred Business nor Transferor or any of its Subsidiaries with respect to the Transferred Business has received any written notice of notices or any other communications from any Governmental Authority: (i) any actual or potential violation of alleging material non-compliance with any Data Protection Requirement, Laws; or (ii) notifying Transferor or any commenced or threatened Proceedings of its Subsidiaries with respect to Ultimate Parent the Transferred Business of any material regulatory investigation by a Governmental Authority regarding Transferor or any of its Subsidiaries’ use with respect to the Transferred Business, of PII or non-compliance with Data Protection Laws, and to the Knowledge of Transferor, there are no circumstances as of the date hereof likely to give rise to any such notices or communications. (e) Transferor and its Subsidiaries processing take all commercially reasonable steps to protect the confidentiality, integrity and security of Personal InformationPII processed by the Transferred Business against any unauthorized or improper use, from any Person access, transmittal, interruption, modification or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effectcorruption.

Data Privacy and Security. Each (a) The Company and each of Ultimate Parent and its Subsidiaries ishave, and has for the past three (3) years has been in compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to materially complied with each Privacy Legal Requirement. The Company and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sellshas adopted Privacy Policies and materially complied with such Privacy Policies. True, rents or otherwise makes correct and complete copies of all written Privacy Policies have been made available to any Person any Parent. (b) With respect to all Personal Information, except Data gathered or accessed in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment course of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of the Company or any of its Subsidiaries, the Company and each such Subsidiary have taken reasonable measures designed to protect such data against loss, theft, unauthorized access, unauthorized disclosure or unlawful Processing, or other misuse. To the Knowledge of Ultimate Parent the Company, the Company has resolved or taken commercially reasonable steps to mitigate material security vulnerabilities and risks relating to privacy, cybersecurity, or data protection. (c) Since January 1, 2021, there have not been any material Security Incidents or material breaches involving the Company, its Subsidiaries, agents, or employees or, to the Knowledge of the Company, any of its or their respective contractors relating to any Personal Data in its possession or control. There have not been any material incidents of or third-party claims alleging any failure, Security Incidents, or any unauthorized intrusions or breaches, of security with respect to the information technology systems owned or controlled by the Company or any of its Subsidiaries. (d) The Company and its Subsidiaries as currently conductedroutinely engage in due diligence of vendors and business partners, free including the adequacy of their written information security programs, before allowing them to access, receive or Process Sensitive Data, and clear of all material bugsimpose contractual obligations and duties under Privacy Legal Requirements regarding Sensitive Data. (e) Since January 1, errors2021, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent the Company and its Subsidiaries have implemented and maintain appropriate physicalnot been the subject of any audit, technical and administrative safeguards to protect Personal Information processed by investigation, enforcement action (including any fines or on behalf of Ultimate Parent and its Subsidiariesother sanctions) or other Action relating to, any other material confidential information and the integrity and security of IT Systems used in connection with their businessesactual, and during the past three (3) years, there have been no breaches, violations, outages alleged or unauthorized uses of suspected Security Incident or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirementof the Privacy Legal Requirements, the Privacy Agreements or otherwise by any Person, including the U.S. Federal Trade Commission, any similar foreign bodies, or any other Governmental Entity. (iif) To the Knowledge of the Company, neither the execution, delivery or performance of this Agreement nor the consummation of any commenced of the Transactions will violate any Privacy Legal Requirements or threatened Proceedings with respect otherwise prohibit, or require the delivery of any notice to Ultimate Parent or its Subsidiaries processing of Personal Information, obtaining consent from any Person or Governmental Authorityfor, except as would not reasonably be expected the transfer of Sensitive Data to have, individually or in the aggregate, a Material Adverse EffectMerger Sub.

Data Privacy and Security. Each of Ultimate Parent and its Subsidiaries is(a) To Seller’s Knowledge, Seller is operating, and has for the past three (3) years has been at all times operated, in material compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to . Seller has adopted and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting published Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent Seller, to any website and its Subsidiaries, other applicable electronic platforms and no such notices disclosure or disclosures representation made or contained in any such Privacy Policy have has been inaccurate, misleading misleading, or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any To Seller’s Knowledge, Seller has obtained written agreements from all Third Parties that Process Personal Information or Business Data for or on behalf of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner Seller that complies in all material respects with satisfy the applicable requirements of the Data Protection Requirements, and to Seller’s Knowledge, no such Third Party is in material breach of any such agreement. The information technology assets To the extent applicable, Seller has all necessary authority, rights, consents, and equipment authorizations to process any Personal Information or other Business Data maintained by or for Seller to the extent required in connection with the operation of each of Ultimate Parent the Business as currently and its Subsidiaries as proposed to be conducted. (collectivelyb) To Seller’s Knowledge, “the IT Systems”) Systems are adequate for, and operate for and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries Business as currently conducted and as proposed to be conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have To Seller’s Knowledge, Seller has implemented and maintain maintained all necessary and appropriate physicalcontrols, technical policies, procedures, and administrative safeguards to maintain and protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiariesthe confidentiality, any other material confidential information and the integrity and security of the IT Systems Systems, Personal Information and other Business Data used in connection with their businesses, the Business and during the past three (3) years, there have has been no breaches, violations, outages outages, or unauthorized uses Processing of the same (each, a “Security Incident”), nor any incidents under internal review or accesses investigations relating to the same. To Seller’s Knowledge, except for those that no Third Party Processing Personal Information or Business Data on behalf of Seller in connection with the Business has experienced or made or has been required to make any notifications under any Data Protection Requirements in connection with, any Security Incident. (c) No written notices have been remedied without material cost received from, and no Proceedings have been commenced or liability or the duty to notify threatened in writing against Seller by, any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential alleging a violation of any Data Protection RequirementRequirements. To Seller’s Knowledge, or the consummation of the transactions contemplated hereunder will: (i) comply in all material respects with the Data Protection Requirements, (ii) not require the consent of or provision of notice to any commenced Person concerning such Person’s Personal Information; (iii) not give rise to any right of termination or threatened Proceedings with respect other right to Ultimate Parent impair or its Subsidiaries processing limit Seller’s rights to Process any Personal Information or Business Data used in or necessary for the operation of the Business; or (iv) otherwise prohibit the transfer of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected Information to have, individually or in the aggregate, a Material Adverse EffectBuyer.

Data Privacy and Security. Each (a) The Company and each of Ultimate Parent its Subsidiaries has implemented commercially reasonable administrative and technical safeguards designed to protect the integrity, security and confidentiality of Personal Information stored in the IT Systems. Except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect, since January 1, 2022: (i) there have been no failures, breakdowns or other adverse events materially affecting any such IT Systems that have caused a material disruption or interruption to the conduct of the business of the Company or any of its Subsidiaries as presently conducted, and (ii) there have not been any incidents of unauthorized access or other security breaches of the IT Systems. (b) The Company and each Subsidiary has implemented and maintained commercially reasonable and appropriate technical and organizational safeguards designed to protect Personal Information and other confidential data in its possession or under its control against loss, theft, misuse or unauthorized access, use, modification, alteration, destruction or disclosure and the Company and its Subsidiaries ishave taken commercially reasonable steps to require that any third party with access to Personal Information collected by or on behalf of the Company or any Subsidiary has implemented and maintained the same. To the Company’s Knowledge, and any third party that has for provided Personal Information to the past three (3) years Company or any Subsidiary has been done so in compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent Laws, including providing any notice and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent obtaining any consent required by applicable Data Protection Requirements, provided adequate notice to Laws. (c) The Company and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiarieseach Subsidiary is, and no such notices or disclosures made or contained has been, in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects compliance with the applicable Data Protection Requirements, except for any noncompliance that would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectivelyExcept as would not, “IT Systems”) are adequate forindividually or in the aggregate, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries reasonably be expected to have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) yearsa Company Material Adverse Effect, there have been no breaches, violations, outages or outages, security incidents, unauthorized uses uses, transfer, destruction, disclosures, losses, thefts, ▇▇▇▇▇▇ demands, alterations of or accesses access to samePersonal Information maintained by, except for those to the Knowledge of the Company, or on behalf of the Company or any Subsidiary that have been remedied without material cost would require notification of individuals, law enforcement or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed MattersGovernmental Authority under any applicable Data Protection Law. Neither Ultimate Parent the Company nor any of its Subsidiaries Subsidiary has received any written notice of any claim or investigation or any other written communication (iincluding from any Governmental Authority) that alleges that the Company or any actual or potential violation of Subsidiary is not in compliance with any Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental AuthorityLaws, except as would not reasonably be expected to havebe material to the Company, individually or in the aggregate, taken as a Material Adverse Effectwhole.

Data Privacy and Security. Each of Ultimate Parent (a) The Company and its Subsidiaries ishave developed, implemented and has for maintained a written data protection, data privacy and cybersecurity program (the past three (3“Data Protection Program”) years has been that is in compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters)Privacy Requirements. Each of Ultimate Parent and its Subsidiaries,to To the knowledge of Ultimate Parent and such Subsidiariesthe Company, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent Company and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, not experienced any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those Security Incident that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirement, was material or (ii) any commenced otherwise in respect of which the Privacy Requirements would require or threatened Proceedings with respect to Ultimate Parent recommend the Company or its Subsidiaries processing of Personal Information, from notify any Person or Governmental Authority, except as would not reasonably be expected to havebe, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a Material Adverse Effectwhole. Since January 1, 2018, no Person has claimed any compensation or damages from the Company or any of its Subsidiaries, or has brought or, to the knowledge of the Company, threatened in writing to bring any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or otherwise for or arising as a result of any actual or alleged violation, breach or other non-compliance with or of any Privacy Requirement in each instance that would reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. (b) The Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data, including (i) providing adequate notice and obtaining any necessary consents from customers required for the Processing of the Company PII as conducted by or on behalf of the Company or any of its Subsidiaries and (ii) abiding by any privacy choices (including opt-outs, do-not-calls or similar choices) of end users relating to Personally Identifiable Information. The Company and its Subsidiaries are not, and since January 1, 2018, have not been, subject to a Governmental Order of, or have received a written notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII, in each case in all material respects. (c) To the knowledge of the Company, each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company or its Subsidiaries are in compliance in all material respects with the Privacy Requirements and there have been no unauthorized or illegal Processing, or other breach, violation or default (or event that, with or without the giving of notice or lapse of time, would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements. (d) To the knowledge of the Company, the consummation of the transactions contemplated by this Agreement will not breach any Privacy Requirements in any material respect.

Data Privacy and Security. (i) Each of Ultimate Parent Acquired Company’s data, privacy and its Subsidiaries issecurity practices conform, and has for the past three (3) years has been in compliance at all times have conformed, in all material respects with to all applicable of the Company Privacy Commitments, Privacy Laws and Company Data Protection Requirements (other than the Disclosed Matters)Agreements. Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, Acquired Company has at all times: (A) had the legal basis (including providing adequate notice and obtaining any necessary consents from individuals) required for the Processing of Personal Data as conducted by or for the Acquired Companies; (B) refrained from selling or sharing Personal Data with third parties for the third party’s benefit except as allowed under Applicable Law; and (C) abided by any privacy choices, (including opt-in and opt-out preferences, as required), of individuals relating to Personal Data (such obligations along with those contained in Company Privacy Policies, collectively, “Company Privacy Commitments”). Neither the execution, delivery and performance of this Agreement nor the taking over by Parent of all of the Company Databases, Company Data and other information relating to each Acquired Company’s end users, customers, contractors, vendors, contingent workers, job applicants or employees, will cause, constitute or result in a breach or violation of any Privacy Laws, Company Privacy Commitments, Company Data Agreements or, to the extent not included in the foregoing, any standard terms of services entered into by any Acquired Company with individuals whose Personal Data is processed by each of the Acquired Companies and their Data Processors. Copies of all current and prior Company Privacy Policies have been Made Available to Parent and such copies are true, correct and complete. (ii) The Acquired Companies have established and maintain appropriate technical, physical and organizational measures and security systems and technologies in compliance with all data security requirements under Privacy Laws, Company Data Agreements and Company Privacy Commitments that are designed to protect Company Data against accidental or unlawful Processing in a manner appropriate to the risks represented by the Processing of such data by each Acquired Company and its Data Processors. The Acquired Companies have and have contractually required their Data Processors to take commercially reasonable steps to train respective employees and contractors who have access to Company Data on all applicable aspects of any Privacy Law, obligations under Company Data Agreements and Company Privacy Commitments, and all employees, vendors and contractors with the authority and/or ability to access such data are under written obligations of confidentiality with respect to such data. (iii) No Acquired Company has received and there is no circumstance (including any circumstance arising as a result of an audit or inspection carried out by applicable any Governmental Body), that would give rise to, any Action, Order, notice, communication, warrant, regulatory opinion, audit result or allegation from a Governmental Body or any other Person (including an end user): (A) alleging or confirming non-compliance with a requirement of Privacy Laws, Company Data Protection RequirementsAgreements or Company Privacy Commitments; (B) requiring or requesting any Acquired Company to amend, provided adequate notice rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data; (C) permitting or mandating Governmental Bodies to investigate, requisition information from, or enter the premises of, any Acquired Company; or (D) claiming compensation from any Acquired Company. Each Acquired Company has responded to, and obtained continues to promptly respond to, requests from individuals or other third parties, and there are no unsatisfied requests from individuals or other third parties to the Acquired Companies seeking to exercise any necessary consents and authorizations from data subjects for any past and present collectionprotection or privacy rights (such as rights to access, userectify, disclosureor delete Personal Data, international transfer and other to restrict or object to processing of Personal Information Data, or relating to data portability). No Acquired Company has been involved in any Actions involving non-compliance or alleged non-compliance with Privacy Laws, Company Data Agreements or Company Privacy Commitments. (iv) Schedule 3.11(u)(iv) of the Disclosure Schedule contains the complete list of notifications and registrations made by or for Ultimate Parent each Acquired Company under Privacy Laws with relevant Governmental Bodies in connection with the Acquired Companies’ Processing of Personal Data. All such notifications and its Subsidiariesregistrations are valid, including without limitationaccurate, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent complete and its Subsidiariesfully paid up, and no the consummation of the Transactions will not invalidate such notices notification or disclosures made registration or contained in any Privacy Policy have been inaccurate, misleading require such notification or deceptive (including by omission) (in each case, other registration to be amended. Other than the Disclosed Matters). Neither Ultimate Parent nor any notifications and registrations set forth on Schedule 3.11(u)(iv) of its Subsidiaries sellsthe Disclosure Schedule, rents no other registrations or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) notifications are adequate for, and operate and perform in all material respects as required in connection with the operation Processing of Personal Data by the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptantsAcquired Companies. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect The Acquired Companies do not Process the Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation Data of any natural Person considered a child or minor under Applicable Law. The Acquired Companies do not target advertisements to any natural person considered a child or minor under Applicable Law. The Acquired Companies do not sell Personal Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effectthird parties.

Data Privacy and Security. Each of Ultimate Parent (a) The Company Entities and its Subsidiaries is, and has for the past three (3) years has been Affiliated Professional Entities are in compliance in all material respects with all applicable Data Protection Requirements (other than Information Privacy and Security Laws, contractual obligations and the Disclosed Matters). Each of Ultimate Parent Company Entities’ and its Subsidiaries,Affiliated Professional Entities’ externally published written privacy policies, in each case relating to the knowledge of Ultimate Parent and such Subsidiariescollection, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collectionstorage, use, disclosure, international disclosure and transfer and other processing of Personal Information collected or maintained by the Company Entities and Affiliated Professional Entities, respectively. The execution, delivery and performance of this Agreement and the other Transaction Documents will not conflict in any material respect with any applicable Information Privacy and Security Law. When acting as a Business Associate (as defined by HIPAA), the Company Entities have in effect agreements with each of their customers that are Covered Entities (as defined by HIPAA) or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform are Business Associates that accurately describe satisfy all of the privacy practices requirements of Ultimate Parent and its SubsidiariesHIPAA, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than agreements permit the Disclosed Matters). Neither Ultimate Parent nor any Company Entities to operate the business of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) Company Entities as they are adequate forpresently conducted, and operate the Company Entities are not in material breach of any such agreements. (b) The Company Entities and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries Affiliated Professional Entities have implemented and maintain appropriate commercially reasonable physical, technical technical, and administrative safeguards in place to protect Personal Information processed collected by them from and against unauthorized access, use or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Mattersdisclosure. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except Except as would not reasonably be expected to havenot, individually or in the aggregate, have a Material Adverse EffectEffect on the Company Entities or Affiliated Professional Entities, the Company Entities and Affiliated Professional Entities have implemented reasonable backup and disaster recovery technology consistent with reasonable industry practices. The Company Entities and Affiliated Professional Entities have undertaken all material and necessary surveys, audits, inventories, reviews, analyses or assessments (including any material and necessary risk assessments and risk analyses) of all areas of their business and operations required by HIPAA and all other applicable Information Privacy and Security Laws. (c) Since January 1, 2023, except as set forth in ‎Section 3.22(c) of the Seller Disclosure Schedule, there have not been any material unauthorized uses or disclosures, security incidents or breaches involving the Company Entities, the Affiliated Professional Entities, or their employees, or to the Knowledge of the Company, any of their agents or contractors relating to any Personal Information maintained by or on behalf of the Company Entities or Affiliated Professional Entities in their possession or control (a “Security Incident”), nor have the Company Entities or Affiliated Professional Entities notified or been required by any applicable Information Privacy and Security Law to notify a Governmental Authority or affected individual in connection with any Security Incident. (d) Since January 1, 2023, the Company Entities and Affiliated Professional Entities have not received any written, or to the Knowledge of the Company, oral complaint or notice of investigation, including but not limited to inquiries or other communications from the Department of Health and Human Services Office for Civil Rights, any Person, entity or Governmental Authority regarding the Company Entities’ or the Affiliated Professional Entities’ compliance with applicable Information Privacy and Security Laws.

Data Privacy and Security. Each of Ultimate Parent (a) The Company and its Subsidiaries ishave developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2017, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2017, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2017, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and has for partners that Process any Company PII or other Personally Identifiable Information on behalf of the past three (3) years has been Company or its Subsidiaries are in compliance in all material respects with all applicable Data Protection the Privacy Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breachesunauthorized or illegal Processing, violationsor other breach, outages violation or unauthorized uses default (or event that, with or without the giving of notice or accesses to samelapse of time, except for those that would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements. No circumstances have been remedied without material cost arisen in which the Privacy Requirements would require or liability recommend the Company or the duty its Subsidiaries to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation Governmental Authority of any Data Protection Security Incident. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect.

Data Privacy and Security. Each of Ultimate Parent (a) Since January 1, 2019, the Company and its Subsidiaries ishave at all times materially complied, and has for the past three (3) years has been are currently in compliance material compliance, in all material respects with all applicable Data Protection Privacy Requirements and all requirements contained in any Contract to which the Company or any of its Subsidiaries is bound, in each case, relating to (other than i) the Disclosed Matters). Each privacy of Ultimate Parent the users of the products, services and its Subsidiaries,to websites of their business and/or (ii) the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosurestorage, international transfer processing and disclosure of any Personal Data and other processing of Personal Information by confidential data or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application information collected or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed stored by or on behalf of Ultimate Parent their business. No claims or Actions have been asserted or threatened against the Company or any of its Subsidiaries by any Person in relation to any actual or alleged Security Incident or otherwise for or arising as a result of any actual or alleged violation, breach of such Person’s privacy, personal or confidentiality rights under any applicable laws, rules, policies, procedures or Contracts, or other non-compliance with or of any Privacy Requirement in each instance. (b) The Company and its Subsidiaries are not, and since January 1, 2019 have not been, subject to a Governmental Order of, or since January 1, 2019 have received a notice from, and has not been required to notify, any Person or a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) Each of the Company’s and its Subsidiaries’ current and former third-party data suppliers, any other material confidential information and the integrity and security of IT Systems used in connection with their businessesvendors, and during partners that Process or have access to any Company PII or other Personal Data on behalf of the past three (3) years, Company or its Subsidiaries are in material compliance with the Privacy Requirements and there have been no breachesunauthorized or illegal Processing, violationsor other breach, outages violation or unauthorized uses default (or event that, with or without the giving of notice or accesses to samelapse of time, except for those that have been remedied without material cost would constitute a breach, violation or liability default) by any such supplier, vendor or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation partner of any Data Protection Requirement, or Privacy Requirements. (iid) The consummation of the transactions contemplated by this Agreement will not breach any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse EffectPrivacy Requirements.

Data Privacy and Security. Each (a) Except as set forth on Section 3.22(a) of Ultimate Parent the Company Disclosure Schedule, the Company and its Subsidiaries is, and has for the past three (3) years has been in compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate followed in all material respects commercially reasonable physical, technical technical, organizational, and administrative safeguards security measures, policies, and procedures that are designed to: (i) mitigate potential security risks with respect to protect Personal Information processed the Company’s services; (ii) comply with the Data Privacy Requirements, (iii) identify security breach risks relating to the Company’s information technology systems, (iv) prevent security breaches, (v) identify, document, and remediate actual or suspected security breaches relating to the Company’s information technology systems and the Company’s services, and (vi) at least annually, train all employees, consultants, agents, and contractors of the Company and each of its Subsidiaries applicable to their service to the Company, in (A) their responsibilities relating to compliance with Data Privacy Requirements, and (B) recognizing and minimizing security breach risks relating to the Company’s information technology systems, the Company’s services, and any customer data held by or on behalf the Company and each of Ultimate Parent and its Subsidiaries. (b) No complaint, claim, enforcement action, or litigation that alleges any other material confidential information and non-compliance by the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages Company or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries with any applicable Data Privacy Requirement has been served on or, to the Knowledge of the Company, initiated against the Company or any of its Subsidiaries and the Company and each of its Subsidiaries have not received any subpoenas, demands, or other written notice notices from any Governmental Entity investigating, inquiring into, or otherwise relating to any actual or alleged violation of (i) any Data Privacy Requirement and, to the Knowledge of the Company, the Company and each of its Subsidiaries are not under investigation by any Governmental Entity for any actual or potential violation of any Data Protection Privacy Requirement. (c) The Company and each of its Subsidiaries have not experienced any security breaches within the past three (3) years that would require law enforcement or Governmental Entity notification, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from remedial action under any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect.applicable Data Privacy

Data Privacy and Security. Each (a) The data, privacy and security practices of Ultimate Parent Acquired Companies’ and its Subsidiaries istheir Subsidiaries’ and their Processing of Personal Data (if any) have complied, and has for the past three (3) years has been in compliance do comply, in all material respects with all applicable Privacy Commitments. To the Knowledge of the Seller, the execution, delivery and performance of this Agreement and the transactions contemplated herein will not cause, constitute or result in a material breach or violation of any applicable Privacy Commitments of the Acquired Companies and their Subsidiaries and, following the Closing Date, the Acquired Companies and their Subsidiaries will continue to be permitted to Process all Personal Data Protection Requirements (other than held by the Disclosed Matters). Each Acquired Companies or their Subsidiaries on terms substantially similar to those in effect as of Ultimate Parent the date of this Agreement and its Subsidiaries,to the knowledge same extent the Acquired Companies and their Subsidiaries would have been able to had the Transactions not occurred. (b) The Acquired Companies and their Subsidiaries maintain reasonable technical, physical and organizational measures and safeguards to prevent the unlawful Processing of Ultimate Parent Personal Data and such Subsidiariesunauthorized access, has accidental loss or destruction of or damage to Personal Data in their respective possession or control, which measures are in material compliance with all applicable data security requirements under the Privacy Laws). (c) The Acquired Companies and their Subsidiaries have at all timestimes presented a privacy policy which complies, in all material respects, with Privacy Laws to data subjects prior to the collection of any Personal Data, and, to the extent required by applicable Data Protection RequirementsKnowledge of Seller, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices privacy policy is or disclosures made or contained in any Privacy Policy have has been inaccurate, misleading or deceptive deceptive. (including by omissiond) (in each caseThe Acquired Companies or their Subsidiaries do not sell, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents rent or otherwise makes make available to any Person any Personal InformationData, except in a manner that complies in all material respects with the applicable Data Protection RequirementsPrivacy Commitments. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with To the operation Knowledge of the businesses Seller, none of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent Acquired Companies nor any of its their respective Subsidiaries have transferred or permitted the transfer of Personal Data originating in the EEA or UK outside the EEA or UK, except where such transfers have materially complied with the requirements of Privacy Laws and the Acquired Companies’ or their Subsidiaries’ Privacy Policies. (e) Neither the Acquired Companies nor any of their Subsidiaries has received any written notice of any Legal Proceeding, Order, regulatory opinion, audit result or other allegation from a Governmental Entity or any other Person in the last six (6) years: (i) any actual alleging or potential violation confirming non-compliance with a relevant requirement of any Data Protection Requirement, Privacy Commitments by any Acquired Company or any of its Subsidiaries; or (ii) giving notice of any commenced Governmental Entity’s investigation, requisition of information from, or threatened Proceedings intention to enter the premises of, the Acquired Companies or any of their Subsidiaries in connection with respect to Ultimate Parent or its Subsidiaries processing any of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effectforegoing.

Data Privacy and Security. Each of Ultimate Parent and its Subsidiaries is, ‌ (a) The Company is in compliance and has for the past three (3) years has been in compliance in all material respects complied with all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal InformationLaws, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards where such failure to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to havecomply, individually or in the aggregate, has not had and would not reasonably be expected to have a Company Material Adverse Effect. (b) The Company has in place policies and procedures for the proper collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information that comply with Privacy Laws.‌ (c) There is no currently pending or, to the Company’s knowledge, threatened, and there has not been any, Action against the Company or its Subsidiaries initiated by (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; (iii) any regulatory entity, privacy regulator or otherwise, or (iv) any other Person, in each case, with respect to privacy, cybersecurity, or Personal Information. (d) There have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to the Company’s knowledge, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims. There are no data security, information security, or other technological vulnerabilities with respect to the Company’s or its Subsidiaries’ services or with respect to the Company IT Systems that would have a materially adverse impact on their operations or cause a material Security Incident. To the Company’s knowledge, no circumstance has arisen in which Privacy Laws would require the Company to notify a Person or Governmental Entity of a data security breach or Security Incident.‌ (e) The Company and its Subsidiaries own, or have license to use, pursuant to a Contract of the Company or its Subsidiaries, respectively, the Company IT Systems as necessary to operate their respective businesses as currently conducted and such Company IT Systems are sufficient for the operation of their respective businesses as currently conducted. The Company and its Subsidiaries have back-up and disaster recovery arrangements, procedures and facilities for the continued operation of its businesses in the event of a failure of the Company IT Systems that are, in the reasonable determination of the Company, commercially reasonable and in accordance in all material respects with standard industry practice. There has not been any material disruption, failure or, to the Company’s knowledge, unauthorized access with respect to any of the Company IT Systems that has not been remedied, replaced or mitigated in all material respects. To the Company’s knowledge, none of the Company IT Systems contain any worm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other damaging devices, malicious codes, designs, hardware component, or software routines that causes the Company Software or any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized person. (f) The Company and its Subsidiaries have, and have had, in place commercially reasonable and appropriate administrative, technical, physical and organizational measures and safeguards, in compliance with all data security requirements under Privacy Laws, to (i) ensure the integrity, security, and the continued, uninterrupted, and error-free operation of the Company IT Systems, and the confidentiality of the source code of any Company Software,

Data Privacy and Security. Each of Ultimate Parent and its Subsidiaries is(a) The Company has at all times since May 1, and has for 2017 (and, to the past three (3Seller’s Knowledge, prior to May 1, 2017) years has been in compliance complied in all material respects with all applicable Data Protection Requirements (other than Security Requirements, Privacy Policies, and Privacy Agreements relating to data protection and the Disclosed Matters). Each collection, use or transfer of Ultimate Parent Personal Information, and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all timesno written claims have been asserted or, to the extent required Knowledge of the Company, threatened against the Company by applicable any Person alleging a violation of Data Protection Requirements, Security Requirements concerning such Person’s Personal Information. (b) The Company has provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing copies of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting all written website Privacy Policies that have been published and material Privacy Agreements to any websiteBuyer, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies which comply in all material respects with the applicable all Data Protection Security Requirements. The information technology assets and equipment Company has agreements in place with vendors, business partners, affiliates or other Persons that provide services to the Company that involve the collection, protection, storage, processing, use or disclosure of each of Ultimate Parent and its Subsidiaries (collectivelyPersonal Information, “IT Systems”) are adequate forwhich comply with all applicable Data Security Requirements, Privacy Policies, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conductedPrivacy Agreements. (c) The Company has implemented commercially reasonable, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards that comply with applicable Data Security Requirements, Privacy Policies, and Privacy Agreements and that provide reasonable protection to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed MattersCompany’s possession or control from unintended loss or destruction, unauthorized modification and unauthorized access. Neither Ultimate Parent nor any of its Subsidiaries Since May 1, 2017 (and, to the Seller’s Knowledge, prior to May 1, 2017), the Company has received any no written notice of (i) any actual claims, charges or potential complaints against the Company by any Governmental Authority, data protection authority, or Person alleging a violation of any Data Protection RequirementSecurity Requirements. Since May 1, 2017 (and, to the Seller’s Knowledge, prior to May 1, 2017), neither the Company, nor, to Sellers’ Knowledge, any Person acting on behalf of the Company providing services related to Personal Information has been subject to any data breach of Company Personal Information or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing other security incident that has resulted in unauthorized access of Personal Information, from any Person or Governmental Authorityunauthorized acquisition, except as would destruction, damage, disclosure, loss, corruption, alteration, or use of Personal Information. (d) The Company (i) maintains commercially reasonable backup and data recovery, disaster recovery, and business continuity plans, procedures, and facilities; (ii) acts in compliance therewith; and (iii) tests such plans and procedures on a regular basis, and such plans and procedures meet the Data Security Requirements in all material respects upon such testing, or have been appropriately remediated and proven effective in all material respects upon testing after the applicable remediation. The consummation of this Agreement will not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effectviolate Data Security Requirements.

Data Privacy and Security. Each of Ultimate Parent (a) The Company and its Subsidiaries ishave developed, implemented and maintained a written Data Protection Program that is materially in compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any Security Incident. No Person has brought, or to the knowledge of the Company, otherwise threatened, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) The Company and its Subsidiaries have at all times complied with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data, and has for the past three (3) years have taken commercially reasonable steps designed to ensure that such Personally Identifiable Information and other data is protected against loss and against unauthorized access, use, modification, disclosure or other misuse, to which there has been no unauthorized access to or other misuse. Neither the Company nor any of its Subsidiaries have been subject to an Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps designed to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) Each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and partners that Process any Company PII or other Personally Identifiable Information on behalf of the Company and its Subsidiaries are in compliance in all material respects with all applicable Data Protection the Privacy Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that there have been published to any websiteno unauthorized or illegal Processing, mobile application or other electronic platform that accurately describe breach, violation or default (or event that, with or without the privacy practices giving of Ultimate Parent and its Subsidiariesnotice or lapse of time, and no would constitute a breach, violation or default) by any such notices supplier, vendor or disclosures made or contained in other partner of any Privacy Policy Requirements. No circumstances have been inaccurate, misleading arisen in which the Privacy Requirements would require or deceptive (including by omission) (in each case, other than recommend the Disclosed Matters). Neither Ultimate Parent nor any of Company or its Subsidiaries sells, rents or otherwise makes available to notify any Person Governmental Authority of any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. Security Incident. (d) The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent Company and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal not used any data derived or aggregated from any Personally Identifiable Information processed by received from or otherwise Processed on behalf of Ultimate Parent and any Person in any way that would constitute a breach, violation or default of any Contract to which the Company or its Subsidiaries, any other material confidential information as the case may be, is bound. (e) The consummation of transactions contemplated by this Agreement and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breaches, violations, outages other Transaction Documents will not breach or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify otherwise cause any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Privacy Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect.

Data Privacy and Security. Each of Ultimate Parent (a) The Company and its Subsidiaries ishave materially complied with all applicable Laws relating to patient, medical or individual health information, including HIPAA, as amended from time to time. The Company and each of its Subsidiaries has entered into, where materially required, and has for the past three (3) years has been are in compliance in all material respects with the terms of all applicable Data Protection Requirements (other than Business Associate Agreements at 45 C.F.R 164.504(e), which the Disclosed Matters)Company or its Subsidiaries is a party or otherwise bound. Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent The Company and its Subsidiaries, where required, have (i) created and maintained written policies and procedures to protect the privacy of Protected Health Information in its possession or control, (ii) provided training to all applicable employees, and (iii) materially implemented security procedures, including without limitationphysical, adopting Privacy Policies technical and administrative safeguards, to protect all Protected Health Information stored or transmitted in electronic form. Since [**], the Company has not received written notice from the Office for Civil Rights for HHS or any other Healthcare Regulatory Authority alleging a failure to comply with HIPAA or any other Law applicable to the protection of Protected Health Information. To the Knowledge of the Company, there has been no “breach” of unsecured Protected Health Information, as defined by HIPAA, with respect to information maintained or transmitted to the Company or its Subsidiaries that have been published would require notice to any websiteHealthcare Regulatory Authority. (b) Since [**], mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent Company and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy Subsidiaries have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies at all times complied in all material respects with all applicable Information Privacy and Security Laws, all of the applicable Data Protection RequirementsCompany Privacy Policies, and all their contractual obligations to any Person regarding privacy data security, or the Processing of Personal Data. The information technology assets and equipment As of each of Ultimate Parent the date hereof, the Company and its Subsidiaries (collectivelyhave made available all legally required Privacy Policies, “IT Systems”) are adequate fornotices, and operate disclosures, and perform obtained all legally required consents in relation to the Processing of Personal Data. The Company and its Subsidiaries have at all times complied with all data subject rights requests they have received under applicable Information Privacy and Security Laws, and no such requests are outstanding. (c) As of the date hereof, the Company has made available to the Buyer a true, correct and complete copy of each Data Processing Contract. Each Data Processing Contract complies with applicable Information Privacy and Security Laws. The Company has taken reasonable measures to ensure that all counterparties have complied with their contractual obligations. (d) The Company and its Subsidiaries have not received any notice of any claims, audits, investigations (including investigations by regulatory authorities or any data protection authorities), or allegations of violations of Information Privacy and Security Laws by the Company or its Subsidiaries or with respect to Personal Data Processed by, or under the control of, the Company or its Subsidiaries, and, to the Knowledge of the Company, there are no facts or circumstances that could reasonably form the basis for any such claims, audits, investigations, or allegations. The Company, its Subsidiaries, or to the Knowledge of the Company, any of their respective customers, have not received any written complaints or claims from any Person with respect to the Processing of Personal Data by the Company or its Subsidiaries. (e) The Company and its Subsidiaries have established and are in compliance in all material respects as required in connection with a written information security program designed to comply with all applicable Information Privacy and Security Laws that: (i) includes reasonable and appropriate administrative, technical and physical safeguards designed to safeguard the operation security, confidentiality, and integrity of Company Data; (ii) protects against unauthorized access to the Internal Systems and Company Data (including on the systems of third parties with access to such Internal Systems or Company Data); and (iii) provides for the back-up and recovery of the businesses Company Data Processed using Internal Systems without material disruption or interruption to the conduct of each of Ultimate Parent the Company’s and its Subsidiaries’ respective businesses. The Company and its Subsidiaries as currently conductedhas complied in all respects with such information security program. Since [**], free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and neither the Company nor its Subsidiaries, nor, to the Knowledge of the Company, any other material confidential information and the integrity and security of IT Systems used in connection with third party acting on their businessesbehalf, and during the past three (3) yearshas suffered or incurred a Data Security Incident. Since [**], there have been no breaches, violations, outages breach or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation of any Data Protection Requirementsecurity program described above has occurred or, to the Knowledge of the Company, is threatened, and there has been no unauthorized or (ii) illegal use or acquisition of or access to any commenced Internal System or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental AuthorityCompany Data, except as would not reasonably be expected to havebe material to the Company and its Subsidiaries, individually or in the aggregate, taken as a Material Adverse Effectwhole.

Data Privacy and Security. 4.12.1 Each of Ultimate Parent and its Subsidiaries isSeller is in material compliance, and has for the past three (3) years has been in compliance in all material respects with all applicable Data Protection Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiariessince January 1, 2022, has at all timestimes been in material compliance, to the extent required by with all applicable Privacy and Data Protection Security Requirements. Sellers have at all times obtained all rights, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for licenses necessary to Process Personal Data in the manner it has been Processed, is now Processed and as proposed to be Processed in the Business by any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that Person on their behalf. 4.12.2 Sellers have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiariesat all times maintained, and no such notices or disclosures made or contained in any Privacy Policy have been inaccuratepresently maintain, misleading or deceptive (including by omission) (reasonable backup, security and disaster recovery plans, in each case, other using commercially reasonable efforts no less than industry-standard and in compliance with applicable Privacy and Data Security Requirements for the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “Business-Utilized IT Systems”) are adequate for. Since January 1, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted2022, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) yearsSellers’ Knowledge, there have been (i) no breaches, violations, outages unauthorized access to or unauthorized uses use of any Business-Utilized IT Systems and (ii) no unauthorized intrusions or accesses breaches of security with respect to same, except for those that have been remedied without material cost or liability or the duty to notify any other Person or as otherwise set forth in the Disclosed Matters. Business-Utilized IT Systems. 4.12.3 Neither Ultimate Parent nor any of its Subsidiaries Seller has received any subpoenas, demands, or other written notice of (i) notices from any Governmental Body investigating, inquiring into, or otherwise relating to any actual or potential violation of any Privacy and Data Protection RequirementSecurity Requirements, and neither Seller is under investigation by any Governmental Body for any actual or potential violation of any Privacy and Data Security Requirements. No Person (including any Governmental Body) has commenced any Action nor has any written notice or enforcement Action of any kind been served on, or initiated against, either Seller under any applicable Privacy and Data Security Requirements or with respect to loss, damage or unauthorized access, use or modification of any Personal Data by or on behalf of either Seller and, to Sellers’ Knowledge, there are no facts or circumstances that could form the basis for any such claim. Since January 1, 2022, there have been no, and there are currently no pending or, to Sellers’ Knowledge, threatened, fines or other penalties facing either Seller in connection with any disclosure of Personal Data with respect to the operation of the Business or a violation of any applicable Privacy and Data Security Requirements. 4.12.4 To the extent Sellers use Personal Data as part of developing, training, operating or maintaining internal or third-party Artificial Intelligence Tools, a record is maintained of what data is being used and has been used for these purposes. Sellers use and have used commercially reasonable efforts (including, at a minimum, by conducting regular audits) to ensure (i) Sellers have sufficient rights in all data Processed by Sellers’ Artificial Intelligence Tools and (ii) Sellers’ Artificial Intelligence Tools operate as intended, in compliance with all applicable Laws and are not reasonably likely to harm or disparage Sellers or the reputation or goodwill of Sellers. Sellers’ use of Artificial Intelligence Tools does not and, since January 1, 2022, has not, resulted in the unauthorized disclosure to, or access by, any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing third party of Personal Information, from Data in possession of Sellers. 4.12.5 The consummation of the transactions contemplated by this Agreement as well as any Person subsequent use of Personal Data in a substantially similar manner to how such Personal Data is used by Sellers in connection with the Business immediately prior to the Closing will not breach or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effectotherwise cause any violation of any Privacy and Data Security Requirements.

Data Privacy and Security. Each of Ultimate Parent (a) The Company and its Subsidiaries ishave developed, implemented and maintained a written data protection, data privacy and cybersecurity program (the “Data Protection Program”) that is in material compliance with all Privacy Requirements. The Company and its Subsidiaries have not experienced any material Security Incident. Since January 1, 2018, no Person has brought, or threatened in writing to bring, any Action against the Company or any of its Subsidiaries in relation to any actual or alleged Security Incident or violation or breach of any Privacy Requirement. (b) Since January 1, 2018, the Company and its Subsidiaries have at all times complied in all material respects with all Privacy Requirements with respect to the Processing of Personally Identifiable Information and other data. The Company and its Subsidiaries are not and since January 1, 2018, have not been subject to a Governmental Order of, or have received a notice from, a Governmental Authority regarding actual or alleged non-compliance with or violation of any Privacy Requirement. The Company and its Subsidiaries have taken commercially reasonable steps to ensure the reliability of their employees, representatives, consultants, contractors and agents that have access to Company PII, to train such individuals on all applicable Privacy Requirements and to ensure that all such employees, representatives, consultants, contractors and agents with the right to access such Company PII are under written obligations of confidentiality with respect to such Company PII. (c) To the knowledge of the Company, each of the Company’s and its Subsidiaries’ third-party data suppliers, vendors, and has for partners that Process any Company PII or other Personally Identifiable Information on behalf of the past three (3) years has been Company or its Subsidiaries are in compliance in all material respects with all applicable Data Protection the Privacy Requirements (other than the Disclosed Matters). Each of Ultimate Parent and its Subsidiaries,to the knowledge of Ultimate Parent and such Subsidiaries, has at all times, to the extent required by applicable Data Protection Requirements, provided adequate notice to and obtained any necessary consents and authorizations from data subjects for any past and present collection, use, disclosure, international transfer and other processing of Personal Information by or for Ultimate Parent and its Subsidiaries, including without limitation, adopting Privacy Policies that have been published to any website, mobile application or other electronic platform that accurately describe the privacy practices of Ultimate Parent and its Subsidiaries, and no such notices or disclosures made or contained in any Privacy Policy have been inaccurate, misleading or deceptive (including by omission) (in each case, other than the Disclosed Matters). Neither Ultimate Parent nor any of its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Information, except in a manner that complies in all material respects with the applicable Data Protection Requirements. The information technology assets and equipment of each of Ultimate Parent and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the businesses of each of Ultimate Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Each of Ultimate Parent and its Subsidiaries have implemented and maintain appropriate physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Ultimate Parent and its Subsidiaries, any other material confidential information and the integrity and security of IT Systems used in connection with their businesses, and during the past three (3) years, there have been no breachesunauthorized or illegal Processing, violationsor other breach, outages violation or unauthorized uses default (or event that, with or without the giving of notice or accesses to samelapse of time, except for those that would constitute a breach, violation or default) by any such supplier, vendor or other partner of any Privacy Requirements. No circumstances have been remedied without material cost arisen in which the Privacy Requirements would require or liability recommend the Company or the duty its Subsidiaries to notify any other Person or as otherwise set forth in the Disclosed Matters. Neither Ultimate Parent nor any of its Subsidiaries has received any written notice of (i) any actual or potential violation Governmental Authority of any Data Protection Security Incident. (d) The consummation of transactions contemplated by this Agreement will not breach any Privacy Requirement, or (ii) any commenced or threatened Proceedings with respect to Ultimate Parent or its Subsidiaries processing of Personal Information, from any Person or Governmental Authority, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect.