Common use of Data Privacy and Security Clause in Contracts

Data Privacy and Security. (a) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respects, and since the Lookback Date, have complied in all material respects, with applicable Privacy Laws, contractual obligations and industry standards (including PCI DSS) relating to the collection, use and other Processing of Personal Data, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Data. (b) Except as would not reasonably be expected to be material to the Business, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have received any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) Except as would not reasonably be expected to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintain, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Business.

Data Privacy and Security. (a) The Acquired Companies andSince January 1, 2018, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo and its Subsidiaries of any Personal Data are and have been in compliance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the Businessphysical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, Parent and Tempranillo and its Subsidiaries (other than the Acquired Companies) comply are in all material respectscompliance with such policies and procedures, except as have not had, and since would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the Lookback Datedate of this Agreement, have complied in all material respectsno written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, with applicable Privacy Lawsnor to Tempranillo’s Knowledge, contractual obligations and industry standards (including PCI DSS) threatened, relating to the collectionany such obligation, use policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and other Processing of Personal Datawould not reasonably be expected to have, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Dataa Tempranillo Material Adverse Effect. (bc) Except as would not reasonably be expected to be material to the Business, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have received any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nora Tempranillo Material Adverse Effect, to the Knowledge of SellerTempranillo’s Knowledge, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by date of this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Parent or Tempranillo and its Subsidiaries in connection with the Business as Parent conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and its Subsidiaries have immediately prior to the Closing. (diii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to be material have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the BusinessIT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries. (d) To the Acquired Companies andKnowledge of Tempranillo, with respect to the Business, Parent Tempranillo and its Subsidiaries (other than the Acquired Companies), have executed current and valid Business Associate Agreements with each (i) are not in breach or default of any Contracts relating customer that, to the IT Systems Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements the corresponding regulations) and (ii) maintain, “subcontractor” (as defined by HIPAA and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent corresponding regulations). Tempranillo and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacysuch Business Associate Agreements and, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any such Business and Associate Agreement with Tempranillo or any of its Subsidiaries. (ive) except as would not reasonably be expected to be material to To the Business, (A) the Acquired Companies or, with respect to the Business, Parent and extent Tempranillo or any of its Subsidiaries (other than the Acquired Companies) are not experiencing andhas de-identified user data, since the Lookback Date, have not experienced a Security Incident and (B) Parent Tempranillo and its Subsidiaries have not made, or been required obtained all rights necessary to make under applicable undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for Requirements. To the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent extent Tempranillo and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plansused de-identified data, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent Tempranillo and its Subsidiaries (other than the Acquired Companies) have mitigated obtained all material findings (including, rights necessary for the avoidance use of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) such de-identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Businessdata.

Data Privacy and Security. (a) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respectsExcept as has not had, and since the Lookback Date, have complied in all material respects, with applicable Privacy Laws, contractual obligations and industry standards (including PCI DSS) relating to the collection, use and other Processing of Personal Data, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Data. (b) Except as would not reasonably be expected to be material have, individually or in the aggregate, a Company Material Adverse Effect: (a) The Company and its Subsidiaries are, and since the Lookback Date have been, in compliance with all applicable Privacy Commitments. To the Knowledge of the Company, all Personal Information collected, processed, transferred, disclosed, shared, stored, protected or used by the Company or its Subsidiaries, or shared with a third party, in connection with the operation of their respective businesses is, and since the Lookback Date has been, collected, processed, transferred, disclosed, shared, stored, protected and used by the Company, its Subsidiaries or third parties acting on their behalf in accordance with all applicable Privacy Commitments. No disclosures made in any written privacy policies, notices, or statements published by the Company or its Subsidiaries have been inaccurate, misleading or deceptive. The Company has not sold, licensed or rented any Personal Information to a third party for monetary or other valuable consideration. To the Knowledge of the Company, the Company and its Subsidiaries are not, and since the Lookback Date have not been, (i) under audit or investigation by any Governmental Authority regarding the Company’s compliance with applicable Privacy Commitments or (ii) subject to any third-party notification, claim, demand, audit or action in relation to the BusinessCompany’s collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information. (b) The Company and its Subsidiaries (i) have implemented and maintain commercially reasonable technical, physical, and organizational measures intended to protect against and identify anticipated threats or hazards to, the security, confidentiality, integrity and availability of Personal Information, Company Information and Systems, including a commercially reasonable incident response plan and backup procedures, and (ii) have commercially reasonable procedures in place designed to remediate (A) Information Security Incidents and (B) audit or security assessment findings deemed to be a material, critical or high risk to the effectiveness of any System. The Company and its Subsidiaries have fully remediated any and all material, critical or high-risk security vulnerabilities associated with Systems for which the Company or its Subsidiaries have or should reasonably have become aware. To the Knowledge of the Company, there are no vulnerabilities existing in Systems that would reasonably be expected to cause an Information Security Incident. (c) To the Knowledge of the Company, since the Lookback Date, (i) neither Parent nor any of the Company and its Subsidiaries (including have not experienced any Information Security Incident involving the Acquired Companies) have received any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent Company or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order third parties that process Company Information on behalf of the Company or Arbitration Decision pending, nor, to its Subsidiaries. To the Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) Except as would not reasonably be expected to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintain, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing andCompany, since the Lookback Date, have not experienced a Security Incident and (B) Parent and no circumstance has arisen in which applicable Privacy Laws would require the Company or its Subsidiaries have not made, to notify a person or been required to make under Governmental Authority of a “breach of security” (or similar term such as “security breach”) as defined by applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Business.

Data Privacy and Security. (a) The Acquired Companies andThere is not currently pending or, to Acquirer’s knowledge, threatened, and there has not since January 1, 2020 been any, Proceeding against any Acquirer Group Member initiated by (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; (iii) any regulatory entity, privacy regulator or otherwise, or (iv) any other Person, in each case, with respect to the Businessprivacy, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respectscybersecurity, and since the Lookback Dateand, have complied in all material respectsto Acquirer’s knowledge, with applicable Privacy Laws, contractual obligations and industry standards (including PCI DSS) relating to the collection, use and other Processing of Personal Data, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Datathere are no facts upon which such a Proceeding could be based. (b) Except as would set forth on Section 5.13 of the Acquirer’s Disclosure Schedules, there have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to Acquirer’s knowledge, there are no facts or circumstances which could reasonably be expected to be material to serve as the Businessbasis for any such allegations or claims. There are no data security, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have received any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection other technological vulnerabilities with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance Acquirer Group’s services or with any applicable Privacy Requirements in respect of information security, cybersecurity to the Acquirer IT Systems that would have a materially adverse impact on their operations or the Processing of Personal Data in connection with the Businesscause a material Security Incident. (c) The executionAcquirer Group Members own or have license to use pursuant to an Acquirer Material Contract the Acquirer IT Systems as necessary to operate their respective businesses as currently conducted and such Acquirer IT Systems are sufficient for the operation of their respective businesses as currently conducted. The Acquirer Group Members have back-up and disaster recovery arrangements, delivery or performance procedures and facilities for the continued operation of this Agreement its businesses in the event of a failure of the Acquirer IT Systems that are, in the reasonable determination of Acquirer, commercially reasonable and the transactions contemplated by this Agreement will in accordance in all material respects with standard industry practice. Since January 1, 2020, there has not violate any applicable Privacy Requirements in been any material disruption, failure or, to Acquirer’s knowledge, unauthorized access with respect andto any of the Acquirer IT Systems that has not been remedied, except as would not reasonably be expected replaced or mitigated in all material respects. To Acquirer’s knowledge, none of the Acquirer IT Systems contain any worm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other damaging devices, malicious codes, designs, hardware component, or software routines that causes the Acquirer Software or any portion thereof to be material to the Businesserased, following the consummation inoperable or otherwise incapable of the transactions contemplated by this Agreementbeing used, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection either automatically, with the Business as Parent and its Subsidiaries have immediately prior to the Closingpassage of time or upon command by any unauthorized person. (d) Except as would not reasonably be expected The Acquirer Group Members have, and since January 1, 2020 have had, in place reasonable and appropriate administrative, technical, physical and organizational measures and safeguards to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default ensure the integrity, security, and the continued, uninterrupted, and error-free operation of the Acquirer IT Systems, and the confidentiality of the source code of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements Acquirer Software, and (ii) maintainto protect Business Data against loss, damage, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processorsmisuse. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Business.

Data Privacy and Security. (a) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respects, Seller complies and since the Lookback DateJanuary 1, have 2021, has complied in all material respectsrespects with, with all: (i) applicable Privacy Laws, ; (ii) Seller’s published policies and contractual obligations obligations; and (iii) all required industry standards including, to the extent applicable, the Payment Card Industry Data Security Standard and all other applicable requirements of the payment card brands, in each case as related to (A) the privacy of all individuals including PCI DSSall users of any web properties, applications, products and/or services of Seller, all Seller employees and all other individuals about whom Seller collects or processes Personal Information, (B) relating to the collection, use use, storage, retention, disclosure, transfer, disposal, or any other processing of any Personal Information collected or used by Seller; and other Processing (C) the recording or any interception of Personal Data, information security or cybersecurity and each of the Privacy Policies any communications (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Data. (b) Except Seller displays a privacy policy on each website owned, controlled or operated by Seller to the extent required by Privacy Laws, and each such privacy policy incorporates all disclosures to data subjects required by the Privacy Laws. None of the disclosures made or contained in any such privacy policy has been inaccurate, misleading or deceptive, or in violation of the Privacy Laws. (c) Seller regularly conducts vulnerability testing or audits of its systems and products, and uses commercially reasonable efforts to remediate or document exceptions for any material vulnerabilities identified in such tests and audits. Seller uses commercially reasonable efforts to timely install software security patches and other fixes to identified technical information security vulnerabilities. (d) In connection with each third-party processing Personal Information on behalf of Seller, Xxxxxx has entered into written data processing agreements with terms as required by applicable Privacy Laws. (e) Since January 1, 2021, there have not been any Actions against Seller related to any data security incidents, ransomware incidents, or any violations of any Privacy Requirements, and there are no facts or circumstances which would not reasonably be expected to be material to serve as the Businessbasis for any such allegations or claims. Since January 1, since the Lookback Date2021, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have Seller has not received any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, noror, to the Knowledge of Seller, threatenedoral, alleging noncompliance with any applicable Privacy Requirements in respect of information securitycorrespondence relating to, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) Except as would not reasonably be expected to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default notice of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintain, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned Actions or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material alleged violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by from any person or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the BusinessGovernmental Authority, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by there is no such ongoing Action or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Businessallegation.

Data Privacy and Security. (a) The Acquired Companies andExcept as would not, with respect in the aggregate reasonably be expected to the Businesshave a Material Adverse Change: Borrower, Parent each Subsidiary and its Subsidiaries Managed Practice are and have at all times been operating in compliance with: (other than the Acquired Companiesi) comply in all material respectsapplicable laws, rules and since the Lookback Date, have complied in all material respects, with applicable Privacy Laws, contractual obligations and industry standards (including PCI DSS) regulations relating to the collectionprocessing of data, use data privacy, data security, data breach notification, and other Processing the cross-border transfer of Personal DataInformation (“Data Protection Laws”); (ii) their own privacy policies; and (iii) terms of any agreements to which Borrower, information security or cybersecurity each Subsidiary and each Managed Practice are bound relating to the processing of the Privacy Policies Personal Information (collectively, the “Privacy Data Protection Requirements”). Except as would not, in the aggregate reasonably be expected to have a Material Adverse Change: to the extent applicable, Borrower, each Subsidiary and Managed Practice have all necessary authority, rights, consents and authorizations to collect, use, maintain, disclose, process or transmit any Personal Information maintained by or for Borrower, each Subsidiary and Managed Practice to the extent required in connection with the operation of Borrower’s, each Subsidiary and Managed Practice’s business as currently conducted and as proposed to be conducted. Except as would not, in the aggregate reasonably be expected to have a Material Adverse Change: each of Borrower, each Subsidiary and Managed Practice has adopted and published privacy notices and policies that accurately describe the privacy practices of Borrower, each Subsidiary and Managed Practice (as applicable), to any website, mobile application or other electronic platform and complied with those notices and policies (collectively, with Borrower’s, each Subsidiary’s and Managed Practice’s internal privacy policies, the “Privacy Policies”). The execution, delivery and performance of this Agreement by Borrower, each Subsidiary and Managed Practice complies with all Data Protection Requirements and Borrower’s, each Subsidiary and Managed Practice’s Privacy Policies in each case in all material respects. Except as would not, in the aggregate reasonably be expected to have a Material Adverse Change: neither Borrower, any Subsidiary or Managed Practice nor, to the knowledge of Borrower, any third party to the extent acting on behalf of Borrower, any Subsidiary or Managed Practice, has experienced any incidences in which Personal Information was or may have been stolen or improperly accessed, including any breach of security or other loss, unauthorized access, use or disclosure of Personal Information in the possession, custody or control of Borrower, any Subsidiary or Managed Practice or any third party to the extent acting on behalf of Borrower, any Subsidiary or Managed Practice. Except as would not, in the aggregate reasonably be expected to have a Material Adverse Change: neither Borrower, any Subsidiary or Managed Practice, nor, to the knowledge of Borrower, any third party to the extent acting on behalf of Borrower, any Subsidiary or Managed Practice, has received any: (i) complaint alleging noncompliance with respect toData Protection Laws; (ii) claim for compensation for loss or unauthorized collection, where processing or disclosure of Personal Information; or (iii) notification of an application for rectification, erasure or destruction of Personal Information that is outstanding beyond the applicable time period required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal DataData Protection Laws for such action. (b) Except The information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases of Borrower, each Subsidiary and Managed Practice (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as would not reasonably be expected to be material to the Business, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have received any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data required in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) Except as would not reasonably be expected to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintain, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent business of Borrower, each Subsidiary and its Subsidiaries Managed Practice as currently conducted and as proposed to ensure that data stored thereon or Processed therebybe conducted, including Business Data that is Processed by any service providerfree and clear of all material bugs, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (eacherrors, a “Sub-Processor”)defects, is protected against loss Trojan horses, time bombs, malware and against unauthorized accessother corruptants. Borrower, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent each Subsidiary and its Subsidiaries (other than the Acquired Companies) Managed Practice have implemented and maintained a commercially reasonable vendor management program controls, policies, procedures, and safeguards to ensure Sub-Processors are maintain and protect their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including Personal Information) used in material compliance connection with reasonable privacytheir businesses, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material violations of the Information Security Program with respect to the Business cost or liability. Borrower, each Subsidiary and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent Managed Practice have implemented backup and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency disaster recovery technology consistent with such standards, taking into account the volume and sensitivity of data (including Personal applicable Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the BusinessProtection Laws.

Data Privacy and Security. (a) The Acquired Companies and, with respect to the Business, Parent A2iA and its Subsidiaries comply, and at all times during the past three (other than the Acquired Companies3) comply years have complied, in all material respects, and since the Lookback Date, have complied in all material respects, respects with applicable Privacy Laws, contractual obligations and industry standards (including PCI DSS) its internal privacy policies relating to the use, collection, use storage, disclosure and other Processing transfer of any Personal Data, information security Information collected by A2iA or cybersecurity and each its Subsidiaries or by third parties acting on behalf of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices or having authorized access to the Persons subject records of the Personal Data. (b) Except as would not reasonably be expected to be material to the Business, since the Lookback Date, (i) neither Parent A2iA or its Subsidiaries. Neither A2iA nor any of its Subsidiaries (including the Acquired Companies) have has received any complaints, claims, warnings written complaint (b) A2iA’s or other written notification from its Subsidiaries’ operation of any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data websites used in connection with the Businessbusiness of A2iA and its Subsidiaries, (ii) no Actionthe content thereof, enforcement and all data processed, collected, stored or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data disseminated in connection therewith, comply in all material respects with all Applicable Laws, and do not violate any Person’s right of privacy or publicity. A2iA and its Subsidiaries have posted privacy policies governing A2iA’s and its Subsidiaries’ use of data, and disclaimers of liability, on its websites, and A2iA and its Subsidiaries have complied with such applicable privacy policies in all material respects. A2iA and its Subsidiaries have taken reasonable steps in accordance with normal industry practices to secure its websites and data from unauthorized access or use thereof by any Person. To the Business and (iii) none of Parent Sellers’ Knowledge, no website security measure implemented by A2iA or any of its Subsidiaries have has been subject to penetrated, and no website maintained by A2iA or any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with has been the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) Except as would not reasonably be expected to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default target of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintaindefacement, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure denial-of-service assault or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused attack by Sub-Processorshackers. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Business.

Data Privacy and Security. (a) The Acquired Companies andExcept for those matters that, with respect to individually or in the Business, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respects, and since the Lookback Dateaggregate, have complied in all material respects, with applicable Privacy Laws, contractual obligations not been and industry standards (including PCI DSS) relating to the collection, use and other Processing of Personal Data, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Data. (b) Except as would not reasonably be expected to be material to the North American Business or the Transferred Group Members, taken as a whole, Parent and the Parent Subsidiaries are and at all times since January 1, 2018 have been in compliance in all material respects with (i) all Privacy Laws and (ii) all Privacy and Data Security Policies and written contractual requirements pertaining to the processing of Personally Identifiable Information (collectively, the “Parent Privacy Commitments”). (b) Parent and the Parent Subsidiaries have, with respect to the North American Business, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (implemented and maintained industry standard security measures, plans, procedures, controls, and programs, including the Acquired Companies) have received any complaintsa written information security program and a data protection management system to prevent data breaches, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, and (ii) no Actionestablished and implemented Privacy and Data Security Policies and other organizational, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information physical, administrative and technical measures regarding privacy, cyber security and data security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or and performance of this Agreement and the transactions contemplated by this Agreement will not violate cause a material breach of any Privacy Laws applicable to the North American Business or Parent Privacy Requirements Commitments, in any material each case with respect andto the North American Business only. Copies of all current Privacy and Data Security Policies applicable to the North American Business have been made available to Purchaser and such copies are true and complete. (d) Except for those matters that, except as individually or in the aggregate, have not been and would not reasonably be expected to be material to the BusinessNorth American Business or the Transferred Group Members, following taken as a whole, to the consummation Knowledge of the transactions contemplated by this AgreementParent, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) Except as would not reasonably be expected to be material to the Businesssince January 1, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies)2018, (i) are not in breach neither Parent nor the Parent Subsidiaries have suffered any accidental or default unlawful destruction, loss, alteration or unauthorized disclosure or access to or misuse of any Contracts relating to Personally Identifiable Information, including Personally Identifiable Information processed by a third party on Parent’s or the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements Parent Subsidiaries’ behalf and (ii) maintainno Action by any Governmental Entity or Person has been asserted or, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the BusinessKnowledge of Parent, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of threatened against Parent or its the Parent Subsidiaries with respect to the Business (each, alleging a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure violation of any Person’s privacy or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access Personally Identifiable Information or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not madedata rights, or been required to make under applicable Parent Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-ProcessorsCommitments. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Business.

Data Privacy and Security. (a) The Acquired Companies andExcept as would not, with respect individually or in the aggregate, reasonably be expected to the Businesshave a Paramount Material Adverse Effect, Parent since January 1, 2021: (a) Paramount and its Subsidiaries and, to the knowledge of Paramount, all vendors, processors or other third parties Processing Personal Information for or on behalf of Paramount or any Subsidiaries of Paramount or otherwise sharing Personal Information with Paramount or any Subsidiaries of Paramount (other than the Acquired Companieseach a “Paramount Data Partner”) comply in all material respects, and since the Lookback Date, have complied in with (i) all material respects, with applicable Privacy LawsLaws and (ii) all published privacy and data security policies, contractual obligations notices and industry standards (including PCI DSS) relating statements to the collection, use which Paramount and other Processing of Personal Data, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Dataits Subsidiaries are subject. (b) Except as would not not, individually or in the aggregate, reasonably be expected to be material to the Businesshave a Paramount Material Adverse Effect, since the Lookback DateJanuary 1, 2021, Paramount and its Subsidiaries have, and have required any Paramount Data Partner to have, adopted and implemented at least commercially reasonable industry standard physical, technical, organizational, and administrative security measures and policies to (i) neither Parent nor any protect all Personal Information stored or processed by or on behalf of Paramount and its Subsidiaries (including the Acquired Companies) have received against any complaintsaccidental, claimsunlawful or unauthorized access, warnings use, loss, disclosure, alteration, destruction, compromise or other written notification from any Person Processing (including any Governmental Bodya “Security Incident”) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, and (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or identify and address internal and external risks to the Processing privacy and security of Personal Data Information processed by or on behalf of Paramount and its Subsidiaries. Except as would not, individually or in connection with the Business and aggregate, reasonably be expected to have a Paramount Material Adverse Effect, since January 1, 2021, Paramount, Subsidiaries of Paramount (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, norand, to the Knowledge knowledge of SellerParamount, threatened, alleging noncompliance Paramount Data Partners with any applicable Privacy Requirements in respect to Personal Information of information security, cybersecurity or the Processing of Personal Data in connection with the BusinessParamount and its Subsidiaries) have not experienced a Security Incident. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except Except as would not not, individually or in the aggregate, reasonably be expected to be material have a Paramount Material Adverse Effect, since January 1, 2021, in relation to the Businessany Security Incident, following the consummation none of Paramount or any of the transactions contemplated by this Agreement, Subsidiaries of Paramount has been the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) Except as would not reasonably be expected to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default subject of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintainformal complaint, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned claim or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, investigation or been required to make under applicable Privacy Laws, disclosure of notify any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-ProcessorsPerson. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Business.

Data Privacy and Security. (a) The Acquired Companies andThere is not currently pending or, to Acquiror’s knowledge, threatened, and there has not since January 1, 2019 been any, Proceeding against any Acquiror Group Member initiated by (i) the United States Federal Trade Commission, any state attorney general or similar state official; (ii) any other Governmental Entity, foreign or domestic; (iii) any regulatory entity, privacy regulator or otherwise, or (iv) any other Person, in each case, with respect to the Businessprivacy, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respectscybersecurity, and since the Lookback Dateand, have complied in all material respectsto Acquiror’s knowledge, with applicable Privacy Laws, contractual obligations and industry standards (including PCI DSS) relating to the collection, use and other Processing of Personal Data, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject of the Personal Datathere are no facts upon which such a Proceeding could be based. (b) Except as would set forth on Section 5.13 of the Acquiror’s Disclousre Schedules, there have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to Acquiror’s knowledge, there are no facts or circumstances which could reasonably be expected to be material to serve as the Businessbasis for any such allegations or claims. There are no data security, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have received any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection other technological vulnerabilities with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance Acquiror Group’s services or with any applicable Privacy Requirements in respect of information security, cybersecurity to the Acquiror IT Systems that would have a materially adverse impact on their operations or the Processing of Personal Data in connection with the Businesscause a material Security Incident. (c) The executionAcquiror Group Members own or have license to use pursuant to an Acquiror Material Contract the Acquiror IT Systems as necessary to operate their respective businesses as currently conducted and such Acquiror IT Systems are sufficient for the operation of their respective businesses as currently conducted. The Acquiror Group Members have back-up and disaster recovery arrangements, delivery or performance procedures and facilities for the continued operation of this Agreement its businesses in the event of a failure of the Acquiror IT Systems that are, in the reasonable determination of Acquiror, commercially reasonable and the transactions contemplated by this Agreement will in accordance in all material respects with standard industry practice. Since January 1, 2019, there has not violate any applicable Privacy Requirements in been any material disruption, failure or, to Acquiror’s knowledge, unauthorized access with respect andto any of the Acquiror IT Systems that has not been remedied, except as would not reasonably be expected replaced or mitigated in all material respects. To Acquiror’s knowledge, none of the Acquiror IT Systems contain any worm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other damaging devices, malicious codes, designs, hardware component, or software routines that causes the Acquiror Software or any portion thereof to be material to the Businesserased, following the consummation inoperable or otherwise incapable of the transactions contemplated by this Agreementbeing used, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection either automatically, with the Business as Parent and its Subsidiaries have immediately prior to the Closingpassage of time or upon command by any unauthorized person. (d) Except as would not reasonably be expected The Acquiror Group Members have, and since January 1, 2019 have had, in place reasonable and appropriate administrative, technical, physical and organizational measures and safeguards to be material to the Business, the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default ensure the integrity, security, and the continued, uninterrupted, and error-free operation of the Acquiror IT Systems, and the confidentiality of the source code of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements Acquiror Software, and (ii) maintainto protect Business Data against loss, damage, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processorsmisuse. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the Business.

Data Privacy and Security. (a) The Acquired Companies andExcept as would not have a Company Material Adverse Effect, each member of the Company Group is, and at all times since January 1, 2021 has been, in compliance with all applicable privacy and information security obligations to which it is subject, including with respect to the BusinessCompany Group’s collection, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respectsmaintenance, transmission, accessing, transfer, storage, use, disclosure, disposal, and since the Lookback Dateother processing (collectively, have complied in all material respects“Processing”) of Personal Information, with under applicable Privacy LawsLaws (including, contractual obligations as applicable, Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”)), Contracts, industry standards (including PCI DSS) relating to including, as applicable, the collectionPayment Card Industry Data Security Standard), privacy policies or online terms of use and other Processing of Personal Data, information security or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Data Protection Requirements”). Except as would not have a Company Material Adverse Effect, including neither the Company nor any Company Subsidiary has received any written or, to the Knowledge of the Company, other notices or complaints from any person or Governmental Authority alleging, or been subject to any audits or investigations concerning, any failure to comply with respect any Data Protection Requirements. Except as would not have a Company Material Adverse Effect, there has been no unauthorized access to, where required or use or disclosure of, any Personal Information collected, maintained, processed or stored by Lawthe Company or any Company Subsidiary. Except as would not have a Company Material Adverse Effect, obtaining all valid the Company and informed consents from and offering opt out and giving all required notices the Company Subsidiaries have not, nor to the Persons subject Knowledge of the Personal Company has any third party Processing Business Data, notified or been required under Data Protection Requirements to notify any Governmental Authority or any other person of a data security breach, Security Incident or violation of any data security policy or Data Protection Requirement pertaining to the business of the Company or any Company Subsidiary. (b) Except as would not have a Company Material Adverse Effect, the Systems are adequate for, reasonably be expected maintained and in sufficiently good working condition and performance for the conduct of the business of the Company and each Company Subsidiary as currently conducted and as currently contemplated to be material to the Business, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have received any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreement, the Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the Closing. (d) conducted. Except as would not reasonably be expected to be material to the Businesshave a Company Material Adverse Effect, the Acquired Companies andCompany and each Company Subsidiary has implemented and maintained all necessary and appropriate controls, policies, procedures, and safeguards to maintain and protect the confidentiality, integrity and security of the Systems, Personal Information and other Business Data used in connection with respect to their businesses, and there has been no failure, malfunction, breakdown, performance reduction or other adverse event affecting any Systems, nor any unauthorized access to, or use, intrusion, or breach of security of, any Systems, or any other loss, or unauthorized Processing of any Business Data, including Personal Information, in the Businesspossession or control of the Company or any Company Subsidiary (each, Parent and its Subsidiaries (other than the Acquired Companiesas “Security Incident”), (i) are not in breach nor any incidents under internal review or default of any Contracts investigations relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintain, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except same. Except as would not reasonably be expected to be material to have a Company Material Adverse Effect, the BusinessCompany and each Company Subsidiary maintains commercially reasonable backup and data recovery, (A) the Acquired Companies ordisaster recovery, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity business continuity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plansprocedures, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing is and has been in accordance compliance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account all of the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect Company Group’s policies related to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except foregoing. Except as would not reasonably be expected to be material to the Businesshave a Company Material Adverse Effect, the IT Systems currently used by are free from any disabling codes or on behalf of the Acquired Companies orinstructions, with respect to the Businessspyware, Parent and its Subsidiaries (Trojan horses, worms, viruses or other than the Acquired Companies) are in good working conditionSoftware routines that could permit or cause unauthorized access to, do not contain any Contaminants and operate and perform as necessary to conduct the Businessor disruption, impairment, disablement, or destruction of, Software, data or other materials.

Data Privacy and Security. (a) The Acquired Companies and, with respect to the Business, Parent TPCO and each of its Subsidiaries (other than the Acquired Companies) comply in all material respectscomplies, and since the Lookback Date, have has complied in all material respects, with applicable all Privacy Lawsand Information Security Requirements. Neither TPCO nor any of its Subsidiaries have been notified in writing of, contractual obligations and industry standards (including PCI DSS) relating or is the subject of, any complaint, regulatory investigation or proceeding related to the collection, use and other Processing of Personal DataData by any Governmental Entity or payment card association, information security regarding any violations of any Privacy and Information Security Requirement by or cybersecurity and each of the Privacy Policies (collectively, the “Privacy Requirements”), including with respect to, where required by Law, obtaining all valid and informed consents from and offering opt out and giving all required notices to the Persons subject TPCO or any of the Personal Dataits Subsidiaries. (b) Except as would not reasonably be expected to be material to the Business, since the Lookback Date, (i) neither Parent nor any TPCO and each of its Subsidiaries employs commercially reasonable organizational, administrative, physical and technical safeguards that comply with all Privacy and Information Security Requirements to protect Personal Data within its custody or control and requires the same of all vendors under contract with TPCO that Process Personal Data on its behalf. TPCO and each of its Subsidiaries have provided all requisite notices and obtained all required consents or otherwise identified legal basis for Personal Data, and satisfied all other requirements (including but not limited to notification to Governmental Entities), necessary for the Acquired Companies) have received any complaints, claims, warnings or other written notification from any Person Processing (including any Governmental Bodyinternational and onward transfer) in respect of information security, cybersecurity or the Processing of all Personal Data in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect conduct of information security, cybersecurity or the Processing of Personal Data TPCO Business as currently conducted and in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to the Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the transactions contemplated by this Agreementhereunder, the Acquired Companies will except in each case, as would not be reasonably expected to have substantially the same right a Material Adverse Effect with respect to Process any Personal Data currently Processed by Parent or its Subsidiaries in connection with the Business as Parent and its Subsidiaries have immediately prior to the ClosingTPCO. (dc) Except as would not reasonably be expected Neither TPCO nor any of its Subsidiaries, to be material to the BusinessTPCO's knowledge, the Acquired Companies and, has suffered a security breach with respect to any of the BusinessPersonal Data and, Parent and to TPCO's knowledge, there has been no unauthorized or illegal use of or access to any Personal Data. Neither TPCO nor any of its Subsidiaries (other than the Acquired Companies), (i) are not in breach or default of any Contracts relating to the IT Systems and do not transfer Business Data internationally except where such transfers comply with Privacy Requirements and (ii) maintain, and have maintained, cyber liability insurance with reasonable coverage limits. (i) The Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, since the Lookback Date, have not experienced a Security Incident and (B) Parent and its Subsidiaries have not madehas notified, or been required to make under applicable Privacy Lawsnotify, disclosure any Person of any Security Incident information security breach involving Personal Data. To TPCO's knowledge, TPCO Systems have had no material errors or defects, and/or if TPCO Systems have had any material errors or defects, such have been fully remedied and contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any Person manner the legitimate operation of such TPCO Systems (including what are sometimes referred to as "viruses," "worms," "time bombs," or "back doors" or any Governmental Body)other form of malware) that have not been removed or fully remedied. To TPCO's knowledge, in each case neither it nor any of (A) and (B)its Subsidiaries, includinghave experienced any material disruption to, or material interruption in, the conduct of its business that effected the business for the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other more than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all material respects with Privacy Requirements and have assessed and tested material components of such plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the volume and sensitivity of data (including Personal Data and Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements in all material respects, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Businessone calendar week, and (iii) except as would not reasonably be expected attributable to be material to a defect, bug, breakdown, ransomware event, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the Business, part of any computer Software or the IT Systems currently used by or on behalf of the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary to conduct the BusinessTPCO Systems.