Common use of Data Privacy and Security Clause in Contracts

Data Privacy and Security. (a) Since January 1, 2018, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo and its Subsidiaries of any Personal Data are and have been in compliance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries. (d) To the Knowledge of Tempranillo, Tempranillo and its Subsidiaries have executed current and valid Business Associate Agreements with each (i) customer that, to the Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements and, to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiaries. (e) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified data.

Data Privacy and Security. (a) Since January 1The Acquired Companies and, 2018with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) comply in all material respects, and since the Lookback Date, have complied in all material respects, with applicable Privacy Laws, contractual obligations and industry standards (including PCI DSS) relating to the collection, acquisitionuse and other Processing of Personal Data, useinformation security or cybersecurity and each of the Privacy Policies (collectively, storage, transfer (including any cross-border transfersthe “Privacy Requirements”), distribution or dissemination including with respect to, where required by Tempranillo Law, obtaining all valid and its Subsidiaries informed consents from and offering opt out and giving all required notices to the Persons subject of any the Personal Data are and have been in compliance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse EffectData. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to be material to the Business, since the Lookback Date, (i) neither Parent nor any of its Subsidiaries (including the Acquired Companies) have a Tempranillo Material Adverse Effectreceived any complaints, claims, warnings or other written notification from any Person (including any Governmental Body) in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business, (ii) no Action, enforcement or investigation notices or audit requests have been served on Parent or any Subsidiary thereof in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business and (iii) none of Parent or any of its Subsidiaries have been subject to any Order or Arbitration Decision, nor is any Order or Arbitration Decision pending, nor, to Tempranillo’s Knowledgethe Knowledge of Seller, threatened, alleging noncompliance with any applicable Privacy Requirements in respect of information security, cybersecurity or the Processing of Personal Data in connection with the Business. (c) The execution, delivery or performance of this Agreement and the transactions contemplated by this Agreement will not violate any applicable Privacy Requirements in any material respect and, except as would not reasonably be expected to be material to the Business, following the consummation of the date of transactions contemplated by this Agreement, the IT Assets owned by, Acquired Companies will have substantially the same right to Process any Personal Data currently Processed by Parent or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, Business as Parent and its Subsidiaries have immediately prior to the Closing. (iid) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effectbe material to the Business, the Acquired Companies and, with respect to Tempranillo’s Knowledgethe Business, since January 1Parent and its Subsidiaries (other than the Acquired Companies), 2018, no Person has gained unauthorized access (i) are not in breach or default of any Contracts relating to the IT Assets owned by, or used Systems and controlled by, Tempranillo and its Subsidiaries. (d) To the Knowledge of Tempranillo, Tempranillo and its Subsidiaries have executed current and valid do not transfer Business Associate Agreements Data internationally except where such transfers comply with each (i) customer that, to the Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA and the corresponding regulations) Privacy Requirements and (ii) “subcontractor” maintain, and have maintained, cyber liability insurance with reasonable coverage limits. (as defined by HIPAA and i) The Acquired Companies and, with respect to the corresponding regulations). Tempranillo Business, Parent and its Subsidiaries (other than the Acquired Companies), have taken reasonable steps (including implementing and maintaining a written information security program that complies with Privacy Requirements, that when appropriately implemented and maintained would constitute reasonable security procedures and practices appropriate to the nature of Business Data and IT Systems and that is at least as stringent as applicable industry standards (“Information Security Program”), compliance with which is appropriately monitored) to protect the integrity, physical and electronic security and continuous operation of the IT Systems owned or controlled by Parent and its Subsidiaries and to ensure that data stored thereon or Processed thereby, including Business Data that is Processed by any service provider, independent contractor or vendor of Parent or its Subsidiaries with respect to the Business (each, a “Sub-Processor”), is protected against loss and against unauthorized access, acquisitions, use, modification, alteration disclosure or use, (ii) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have implemented and maintained a reasonable vendor management program to ensure Sub-Processors are in material compliance with reasonable privacy, information security and cybersecurity standards before allowing Sub-Processors to access or receive Trade Secrets or Process any Personal Data and reasonably frequently (as may be reasonably appropriate) during the period of such access or receipt or Processing, (iii) since the Lookback Date, there have been no material violations of the Information Security Program with respect to the Business Associate Agreements and (iv) except as would not reasonably be expected to be material to the Business, (A) the Acquired Companies or, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) are not experiencing and, to since the Knowledge of TempranilloLookback Date, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiaries. have not experienced a Security Incident and (eB) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo Parent and its Subsidiaries have obtained not made, or been required to make under applicable Privacy Laws, disclosure of any Security Incident to any Person (including any Governmental Body), in each case of (A) and (B), including, for the avoidance of doubt, Security Incidents caused by Sub-Processors. (f) Since the Lookback Date, (i) the Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have established and maintained information security and cybersecurity plans, procedures and facilities consistent in all rights necessary to undertake de-identification material respects with Privacy Requirements and have assessed and tested material components of such user plans, procedures and facilities, as well as their respective Information Security Program, including by performing data security risk audits, assessments and has de-identified such user data penetration testing in accordance with generally recognized industry standards periodically (including at a frequency consistent with such standards, taking into account the requirements volume and sensitivity of HIPAA data (including Personal Data and other Trade Secrets) Processed by or on behalf the Acquired Companies) and the foregoing plans, procedures and facilities and respective Information Security Program have proven sufficient and compliant with Privacy Requirements. To Requirements in all material respects, (ii) the extent Tempranillo Acquired Companies and, with respect to the Business, Parent and its Subsidiaries (other than the Acquired Companies) have mitigated all material findings (including, for the avoidance of doubt, risks, threats and deficiencies designated as “critical”, “severe” or “high” risks, threats or deficiencies) identified in any cybersecurity or information security risk audit, assessment or penetration testing carried out by or for Parent or its Subsidiaries (including the Acquired Companies) with respect to the Business, and (iii) except as would not reasonably be expected to be material to the Business, the IT Systems currently used de-identified databy or on behalf of the Acquired Companies or, Tempranillo with respect to the Business, Parent and its Subsidiaries have obtained all rights (other than the Acquired Companies) are in good working condition, do not contain any Contaminants and operate and perform as necessary for to conduct the use of such de-identified dataBusiness.

Data Privacy and Security. (a) Since January 1, 2018, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo and its Subsidiaries of any Personal Data are and have been in compliance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Tempranillo Company Material Adverse Effect: (a) The Company and its Subsidiaries are, and since the Lookback Date have been, in compliance with all applicable Privacy Commitments. To the Knowledge of the Company, all Personal Information collected, processed, transferred, disclosed, shared, stored, protected or used by the Company or its Subsidiaries, or shared with a third party, in connection with the operation of their respective businesses is, and since the Lookback Date has been, collected, processed, transferred, disclosed, shared, stored, protected and used by the Company, its Subsidiaries or third parties acting on their behalf in accordance with all applicable Privacy Commitments. No disclosures made in any written privacy policies, notices, or statements published by the Company or its Subsidiaries have been inaccurate, misleading or deceptive. The Company has not sold, licensed or rented any Personal Information to a third party for monetary or other valuable consideration. To the Knowledge of the Company, the Company and its Subsidiaries are not, and since the Lookback Date have not been, (i) under audit or investigation by any Governmental Authority regarding the Company’s compliance with applicable Privacy Commitments or (ii) subject to any third-party notification, claim, demand, audit or action in relation to the Company’s collection, processing, transfer, disclosure, sharing, storing, security and use of Personal Information. (cb) Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo The Company and its Subsidiaries (i) operate have implemented and perform as required by Tempranillo maintain commercially reasonable technical, physical, and organizational measures intended to protect against and identify anticipated threats or hazards to, the security, confidentiality, integrity and availability of Personal Information, Company Information and Systems, including a commercially reasonable incident response plan and backup procedures, and (ii) have commercially reasonable procedures in place designed to remediate (A) Information Security Incidents and (B) audit or security assessment findings deemed to be a material, critical or high risk to the effectiveness of any System. The Company and its Subsidiaries have fully remediated any and all material, critical or high-risk security vulnerabilities associated with Systems for which the Company or its Subsidiaries have or should reasonably have become aware. To the Knowledge of the Company, there are no vulnerabilities existing in connection with the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures Systems that have been fully remedied) and (iii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiariescause an Information Security Incident. (dc) To the Knowledge of Tempranillothe Company, Tempranillo since the Lookback Date, the Company and its Subsidiaries have executed current and valid Business Associate Agreements with each (i) customer that, to not experienced any Information Security Incident involving the Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements and, to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiaries. (e) To the extent Tempranillo Company or any of its Subsidiaries has de-identified user data, Tempranillo and or third parties that process Company Information on behalf of the Company or its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy RequirementsSubsidiaries. To the extent Tempranillo and Knowledge of the Company, since the Lookback Date, no circumstance has arisen in which applicable Privacy Laws would require the Company or its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use to notify a person or Governmental Authority of a “breach of security” (or similar term such de-identified dataas “security breach”) as defined by applicable Privacy Laws.

Data Privacy and Security. (a) Since There is not currently pending or, to Acquiror’s knowledge, threatened, and there has not since January 1, 20182019 been any, Proceeding against any Acquiror Group Member initiated by (i) the collectionUnited States Federal Trade Commission, acquisitionany state attorney general or similar state official; (ii) any other Governmental Entity, useforeign or domestic; (iii) any regulatory entity, storageprivacy regulator or otherwise, transfer or (including iv) any crossother Person, in each case, with respect to privacy, cybersecurity, and, to Acquiror’s knowledge, there are no facts upon which such a Proceeding could be based. (b) Except as set forth on Section 5.13 of the Acquiror’s Disclousre Schedules, there have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to Acquiror’s knowledge, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims. There are no data security, information security, or other technological vulnerabilities with respect to the Acquiror Group’s services or with respect to the Acquiror IT Systems that would have a materially adverse impact on their operations or cause a material Security Incident. (c) The Acquiror Group Members own or have license to use pursuant to an Acquiror Material Contract the Acquiror IT Systems as necessary to operate their respective businesses as currently conducted and such Acquiror IT Systems are sufficient for the operation of their respective businesses as currently conducted. The Acquiror Group Members have back-border transfers)up and disaster recovery arrangements, distribution or dissemination by Tempranillo procedures and facilities for the continued operation of its Subsidiaries businesses in the event of any Personal Data are a failure of the Acquiror IT Systems that are, in the reasonable determination of Acquiror, commercially reasonable and have been in compliance accordance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effectstandard industry practice. Since January 1, 20182019, there have has not been no any material breaches disruption, failure or, to Acquiror’s knowledge, unauthorized access with respect to any of the Acquiror IT Systems that has not been remedied, replaced or mitigated in all material violations respects. To Acquiror’s knowledge, none of the Acquiror IT Systems contain any such security measuresworm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other damaging devices, malicious codes, designs, hardware component, or software routines that causes the Acquiror Software or any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiariesperson. (d) To the Knowledge of TempranilloThe Acquiror Group Members have, Tempranillo and its Subsidiaries since January 1, 2019 have executed current had, in place reasonable and valid Business Associate Agreements with each appropriate administrative, technical, physical and organizational measures and safeguards to (i) customer thatensure the integrity, to the Knowledge of Tempranillosecurity, is a “covered entity” (as defined by HIPAA and the corresponding regulations) continued, uninterrupted, and error-free operation of the Acquiror IT Systems, and the confidentiality of the source code of any Acquiror Software, and (ii) “subcontractor” (as defined by HIPAA to protect Business Data against loss, damage, and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements andunauthorized access, to the Knowledge of Tempranillouse, no covered entity modification, or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiariesother misuse. (e) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified data.

Data Privacy and Security. (a) Since Except as would not have a Company Material Adverse Effect, each member of the Company Group is, and at all times since January 1, 20182021 has been, in compliance with all applicable privacy and information security obligations to which it is subject, including with respect to the Company Group’s collection, acquisitionmaintenance, transmission, accessing, transfer, storage, use, storagedisclosure, transfer disposal, and other processing (including any cross-border transferscollectively, “Processing”) of Personal Information, under applicable Privacy Laws (including, as applicable, Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA”)), distribution Contracts, industry standards (including, as applicable, the Payment Card Industry Data Security Standard), privacy policies or dissemination by Tempranillo and its Subsidiaries online terms of any Personal use (collectively, “Data are and have been in compliance in all material respects with the Privacy Protection Requirements, except where any instances of non-compliance have not had, and ”). Except as would not reasonably be expected to have, have a Tempranillo Company Material Adverse Effect, neither the Company nor any Company Subsidiary has received any written or, to the Knowledge of the Company, other notices or complaints from any person or Governmental Authority alleging, or been subject to any audits or investigations concerning, any failure to comply with any Data Protection Requirements. Except as would not have a Company Material Adverse Effect, there has been no unauthorized access to, or use or disclosure of, any Personal Information collected, maintained, processed or stored by the Company or any Company Subsidiary. Except as would not have a Company Material Adverse Effect, the Company and the Company Subsidiaries have not, nor to the Knowledge of the Company has any third party Processing Business Data, notified or been required under Data Protection Requirements to notify any Governmental Authority or any other person of a data security breach, Security Incident or violation of any data security policy or Data Protection Requirement pertaining to the business of the Company or any Company Subsidiary. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to have a Tempranillo Company Material Adverse Effect, to Tempranillo’s Knowledgethe Systems are adequate for, as of the date of this Agreement, the IT Assets owned by, or used reasonably maintained and controlled by, Tempranillo in sufficiently good working condition and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with performance for the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) the business of the Company and (iii) are free from bugs each Company Subsidiary as currently conducted and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Softwareas currently contemplated to be conducted. Except as would not reasonably be expected to have a Tempranillo Company Material Adverse Effect, the Company and each Company Subsidiary has implemented and maintained all necessary and appropriate controls, policies, procedures, and safeguards to Tempranillo’s Knowledgemaintain and protect the confidentiality, since January 1integrity and security of the Systems, 2018Personal Information and other Business Data used in connection with their businesses, and there has been no Person has gained failure, malfunction, breakdown, performance reduction or other adverse event affecting any Systems, nor any unauthorized access to, or use, intrusion, or breach of security of, any Systems, or any other loss, or unauthorized Processing of any Business Data, including Personal Information, in the possession or control of the Company or any Company Subsidiary (each, as “Security Incident”), nor any incidents under internal review or investigations relating to the IT Assets owned bysame. Except as would not have a Company Material Adverse Effect, the Company and each Company Subsidiary maintains commercially reasonable backup and data recovery, disaster recovery, and business continuity plans, procedures, and facilities, and is and has been in compliance with all of the Company Group’s policies related to the foregoing. Except as would not have a Company Material Adverse Effect, the Systems are free from any disabling codes or instructions, spyware, Trojan horses, worms, viruses or other Software routines that could permit or cause unauthorized access to, or used and controlled bydisruption, Tempranillo and its Subsidiariesimpairment, disablement, or destruction of, Software, data or other materials. (d) To the Knowledge of Tempranillo, Tempranillo and its Subsidiaries have executed current and valid Business Associate Agreements with each (i) customer that, to the Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements and, to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiaries. (e) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified data.

Data Privacy and Security. (a) Seller complies and since January 1, 2021, has complied in all material respects with, all: (i) applicable Privacy Laws; (ii) Seller’s published policies and contractual obligations; and (iii) all required industry standards including, to the extent applicable, the Payment Card Industry Data Security Standard and all other applicable requirements of the payment card brands, in each case as related to (A) the privacy of all individuals including all users of any web properties, applications, products and/or services of Seller, all Seller employees and all other individuals about whom Seller collects or processes Personal Information, (B) the collection, use, storage, retention, disclosure, transfer, disposal, or any other processing of any Personal Information collected or used by Seller; and (C) the recording or any interception of any communications (collectively, the “Privacy Requirements”). (b) Seller displays a privacy policy on each website owned, controlled or operated by Seller to the extent required by Privacy Laws, and each such privacy policy incorporates all disclosures to data subjects required by the Privacy Laws. None of the disclosures made or contained in any such privacy policy has been inaccurate, misleading or deceptive, or in violation of the Privacy Laws. (c) Seller regularly conducts vulnerability testing or audits of its systems and products, and uses commercially reasonable efforts to remediate or document exceptions for any material vulnerabilities identified in such tests and audits. Seller uses commercially reasonable efforts to timely install software security patches and other fixes to identified technical information security vulnerabilities. (d) In connection with each third-party processing Personal Information on behalf of Seller, Xxxxxx has entered into written data processing agreements with terms as required by applicable Privacy Laws. (e) Since January 1, 20182021, the collectionthere have not been any Actions against Seller related to any data security incidents, acquisitionransomware incidents, use, storage, transfer (including or any cross-border transfers), distribution or dissemination by Tempranillo and its Subsidiaries violations of any Personal Data are and have been in compliance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and there are no facts or circumstances which would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to serve as the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with basis for any such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effectallegations or claims. Since January 1, 20182021, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as Seller has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects and do not contain received any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries. (d) To the Knowledge of Tempranillo, Tempranillo and its Subsidiaries have executed current and valid Business Associate Agreements with each (i) customer thatwritten or, to the Knowledge of TempranilloSeller, oral, correspondence relating to, or notice of any Actions or alleged violations of the Privacy Requirements from any person or Governmental Authority, and there is a “covered entity” (as defined by HIPAA and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with no such Business Associate Agreements and, to the Knowledge of Tempranillo, no covered entity ongoing Action or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiariesallegation. (e) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified data.

Data Privacy and Security. (a) Since January 1, 2018, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo TPCO and each of its Subsidiaries of any Personal Data are complies, and have been in compliance has complied in all material respects respects, with the all Privacy and Information Security Requirements, except where . Neither TPCO nor any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policieshave been notified in writing of, proceduresor is the subject of, trainingsany complaint, regulatory investigation or proceeding related to Processing of Personal Data by any Governmental Entity or payment card association, regarding any violations of any Privacy and security measures Information Security Requirement by or with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries. (d) To the Knowledge of Tempranillo, Tempranillo and its Subsidiaries have executed current and valid Business Associate Agreements with each (i) customer that, to the Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements and, to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo TPCO or any of its Subsidiaries. (eb) To TPCO and each of its Subsidiaries employs commercially reasonable organizational, administrative, physical and technical safeguards that comply with all Privacy and Information Security Requirements to protect Personal Data within its custody or control and requires the extent Tempranillo same of all vendors under contract with TPCO that Process Personal Data on its behalf. TPCO and each of its Subsidiaries have provided all requisite notices and obtained all required consents or otherwise identified legal basis for Personal Data, and satisfied all other requirements (including but not limited to notification to Governmental Entities), necessary for the Processing (including international and onward transfer) of all Personal Data in connection with the conduct of the TPCO Business as currently conducted and in connection with the consummation of the transactions contemplated hereunder, except in each case, as would not be reasonably expected to have a Material Adverse Effect with respect to TPCO. (c) Neither TPCO nor any of its Subsidiaries, to TPCO's knowledge, has suffered a security breach with respect to any of the Personal Data and, to TPCO's knowledge, there has been no unauthorized or illegal use of or access to any Personal Data. Neither TPCO nor any of its Subsidiaries has de-identified user datanotified, Tempranillo or been required to notify, any Person of any information security breach involving Personal Data. To TPCO's knowledge, TPCO Systems have had no material errors or defects, and/or if TPCO Systems have had any material errors or defects, such have been fully remedied and its Subsidiaries have obtained all rights necessary contain no code designed to undertake de-identification disrupt, disable, harm, distort, or otherwise impede in any manner the legitimate operation of such user data and has de-identified such user data in accordance with the requirements TPCO Systems (including what are sometimes referred to as "viruses," "worms," "time bombs," or "back doors" or any other form of HIPAA and other Privacy Requirementsmalware) that have not been removed or fully remedied. To TPCO's knowledge, neither it nor any of its Subsidiaries, have experienced any material disruption to, or material interruption in, the extent Tempranillo conduct of its business that effected the business for more than one calendar week, and its Subsidiaries have used de-identified dataattributable to a defect, Tempranillo and its Subsidiaries have obtained all rights necessary for bug, breakdown, ransomware event, unauthorized access, introduction of a virus or other malicious programming, or other failure or deficiency on the use part of such de-identified dataany computer Software or the TPCO Systems.

Data Privacy and Security. (a) Since There is not currently pending or, to Acquirer’s knowledge, threatened, and there has not since January 1, 20182020 been any, Proceeding against any Acquirer Group Member initiated by (i) the collectionUnited States Federal Trade Commission, acquisitionany state attorney general or similar state official; (ii) any other Governmental Entity, useforeign or domestic; (iii) any regulatory entity, storageprivacy regulator or otherwise, transfer or (including iv) any crossother Person, in each case, with respect to privacy, cybersecurity, and, to Acquirer’s knowledge, there are no facts upon which such a Proceeding could be based. (b) Except as set forth on Section 5.13 of the Acquirer’s Disclosure Schedules, there have not been any actual, suspected, or alleged material Security Incidents or actual or alleged claims related to material Security Incidents, and, to Acquirer’s knowledge, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims. There are no data security, information security, or other technological vulnerabilities with respect to the Acquirer Group’s services or with respect to the Acquirer IT Systems that would have a materially adverse impact on their operations or cause a material Security Incident. (c) The Acquirer Group Members own or have license to use pursuant to an Acquirer Material Contract the Acquirer IT Systems as necessary to operate their respective businesses as currently conducted and such Acquirer IT Systems are sufficient for the operation of their respective businesses as currently conducted. The Acquirer Group Members have back-border transfers)up and disaster recovery arrangements, distribution or dissemination by Tempranillo procedures and facilities for the continued operation of its Subsidiaries businesses in the event of any Personal Data are a failure of the Acquirer IT Systems that are, in the reasonable determination of Acquirer, commercially reasonable and have been in compliance accordance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effectstandard industry practice. Since January 1, 20182020, there have has not been no any material breaches disruption, failure or, to Acquirer’s knowledge, unauthorized access with respect to any of the Acquirer IT Systems that has not been remedied, replaced or mitigated in all material violations respects. To Acquirer’s knowledge, none of the Acquirer IT Systems contain any such security measuresworm, bomb, backdoor, trap doors, Trojan horse, spyware, keylogger software, clock, timer or other damaging devices, malicious codes, designs, hardware component, or software routines that causes the Acquirer Software or any portion thereof to be erased, inoperable or otherwise incapable of being used, either automatically, with the passage of time or upon command by any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiariesperson. (d) To the Knowledge of TempranilloThe Acquirer Group Members have, Tempranillo and its Subsidiaries since January 1, 2020 have executed current had, in place reasonable and valid Business Associate Agreements with each appropriate administrative, technical, physical and organizational measures and safeguards to (i) customer thatensure the integrity, to the Knowledge of Tempranillosecurity, is a “covered entity” (as defined by HIPAA and the corresponding regulations) continued, uninterrupted, and error-free operation of the Acquirer IT Systems, and the confidentiality of the source code of any Acquirer Software, and (ii) “subcontractor” (as defined by HIPAA to protect Business Data against loss, damage, and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements andunauthorized access, to the Knowledge of Tempranillouse, no covered entity modification, or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiariesother misuse. (e) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified data.

Data Privacy and Security. (a) Since January 1Except as would not, 2018individually or in the aggregate, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo and its Subsidiaries of any Personal Data are and have been in compliance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, have a Tempranillo Paramount Material Adverse Effect, since January 1, 2021: (a) Paramount and its Subsidiaries and, to the knowledge of Paramount, all vendors, processors or other third parties Processing Personal Information for or on behalf of Paramount or any Subsidiaries of Paramount or otherwise sharing Personal Information with Paramount or any Subsidiaries of Paramount (each a “Paramount Data Partner”) have complied with (i) all applicable Privacy Laws and (ii) all published privacy and data security policies, notices and statements to which Paramount and its Subsidiaries are subject. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policiesExcept as would not, proceduresindividually or in the aggregate, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, have a Tempranillo Paramount Material Adverse Effect. Since , since January 1, 20182021, there Paramount and its Subsidiaries have, and have been no material breaches required any Paramount Data Partner to have, adopted and implemented at least commercially reasonable industry standard physical, technical, organizational, and administrative security measures and policies to (i) protect all Personal Information stored or material violations processed by or on behalf of Paramount and its Subsidiaries against any such accidental, unlawful or unauthorized access, use, loss, disclosure, alteration, destruction, compromise or other Processing (a “Security Incident”) and (ii) identify and address internal and external risks to the privacy and security measures, of Personal Information processed by or any unauthorized access on behalf of any Personal Data or Tempranillo’s or Paramount and its Subsidiaries’ business data by any Third Party. As of Except as would not, individually or in the date of this Agreementaggregate, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, have a Tempranillo Paramount Material Adverse Effect, since January 1, 2021, Paramount, Subsidiaries of Paramount (and, to the knowledge of Paramount, Paramount Data Partners with respect to Personal Information of Paramount and its Subsidiaries) have not experienced a Security Incident. (c) Except as would not not, individually or in the aggregate, reasonably be expected to have a Tempranillo Paramount Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 20182021, no Person has gained unauthorized access in relation to the IT Assets owned byany Security Incident, or used and controlled by, Tempranillo and its Subsidiaries. (d) To the Knowledge none of Tempranillo, Tempranillo and its Subsidiaries have executed current and valid Business Associate Agreements with each (i) customer that, to the Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements and, to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo Paramount or any of its Subsidiariesthe Subsidiaries of Paramount has been the subject of any formal complaint, claim or investigation or been required to notify any Person. (e) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified data.

Data Privacy and Security. (a) Since Except for those matters that, individually or in the aggregate, have not been and would not reasonably be expected to be material to the North American Business or the Transferred Group Members, taken as a whole, Parent and the Parent Subsidiaries are and at all times since January 1, 2018, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo and its Subsidiaries of any Personal Data are and 2018 have been in compliance in all material respects with (i) all Privacy Laws and (ii) all Privacy and Data Security Policies and written contractual requirements pertaining to the processing of Personally Identifiable Information (collectively, the “Parent Privacy RequirementsCommitments”). (b) Parent and the Parent Subsidiaries have, except where with respect to the North American Business, (i) implemented and maintained industry standard security measures, plans, procedures, controls, and programs, including a written information security program and a data protection management system to prevent data breaches, and (ii) established and implemented Privacy and Data Security Policies and other organizational, physical, administrative and technical measures regarding privacy, cyber security and data security. (c) The execution, delivery and performance of this Agreement will not cause a material breach of any instances Privacy Laws applicable to the North American Business or Parent Privacy Commitments, in each case with respect to the North American Business only. Copies of non-compliance all current Privacy and Data Security Policies applicable to the North American Business have been made available to Purchaser and such copies are true and complete. (d) Except for those matters that, individually or in the aggregate, have not had, been and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect be material to the physical and electronic security and privacy of Personal Data that are designed North American Business or the Transferred Group Members, taken as a whole, to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As Knowledge of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct of their respective businesses, (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects and do not contain any “virus”, “worm”, “spyware” or other malicious Software. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s KnowledgeParent, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries. (d) To the Knowledge of Tempranillo, Tempranillo and its Subsidiaries have executed current and valid Business Associate Agreements with each (i) customer thatneither Parent nor the Parent Subsidiaries have suffered any accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to or misuse of any Personally Identifiable Information, including Personally Identifiable Information processed by a third party on Parent’s or the Parent Subsidiaries’ behalf and (ii) no Action by any Governmental Entity or Person has been asserted or, to the Knowledge of TempranilloParent, is threatened against Parent or the Parent Subsidiaries alleging a “covered entity” (as defined by HIPAA and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo and its Subsidiaries are in material compliance with such Business Associate Agreements andviolation of any Person’s privacy or Personally Identifiable Information or data rights, to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its SubsidiariesParent Privacy Commitments. (e) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified data.

Data Privacy and Security. (a) Since January 1, 2018, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo and its Subsidiaries of any Personal Data are and have been in compliance in all material respects with the Privacy Requirements, except where any instances of non-compliance have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or Tempranillo’s or its Subsidiaries’ business data by any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not not, in the aggregate reasonably be expected to have a Tempranillo Material Adverse EffectChange: Borrower, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or used each Subsidiary and controlled by, Tempranillo Managed Practice are and its Subsidiaries have at all times been operating in compliance with: (i) operate applicable laws, rules and perform as required by Tempranillo regulations relating to the processing of data, data privacy, data security, data breach notification, and its Subsidiaries in connection with the conduct cross-border transfer of their respective businesses, Personal Information (“Data Protection Laws”); (ii) since January 1, 2018, have not malfunctioned or failed (except for malfunctions or failures that have been fully remedied) their own privacy policies; and (iii) terms of any agreements to which Borrower, each Subsidiary and Managed Practice are free from bugs and other defects and do not contain any bound relating to the processing of Personal Information (collectively, the “virusData Protection Requirements”, “worm”, “spyware” or other malicious Software). Except as would not not, in the aggregate reasonably be expected to have a Tempranillo Material Adverse EffectChange: to the extent applicable, Borrower, each Subsidiary and Managed Practice have all necessary authority, rights, consents and authorizations to collect, use, maintain, disclose, process or transmit any Personal Information maintained by or for Borrower, each Subsidiary and Managed Practice to the extent required in connection with the operation of Borrower’s, each Subsidiary and Managed Practice’s business as currently conducted and as proposed to be conducted. Except as would not, in the aggregate reasonably be expected to have a Material Adverse Change: each of Borrower, each Subsidiary and Managed Practice has adopted and published privacy notices and policies that accurately describe the privacy practices of Borrower, each Subsidiary and Managed Practice (as applicable), to Tempranilloany website, mobile application or other electronic platform and complied with those notices and policies (collectively, with Borrower’s, each Subsidiary’s Knowledgeand Managed Practice’s internal privacy policies, since January 1the “Privacy Policies”). The execution, 2018delivery and performance of this Agreement by Borrower, no Person has gained unauthorized access each Subsidiary and Managed Practice complies with all Data Protection Requirements and Borrower’s, each Subsidiary and Managed Practice’s Privacy Policies in each case in all material respects. Except as would not, in the aggregate reasonably be expected to have a Material Adverse Change: neither Borrower, any Subsidiary or Managed Practice nor, to the IT Assets owned byknowledge of Borrower, any third party to the extent acting on behalf of Borrower, any Subsidiary or used and controlled byManaged Practice, Tempranillo and its Subsidiarieshas experienced any incidences in which Personal Information was or may have been stolen or improperly accessed, including any breach of security or other loss, unauthorized access, use or disclosure of Personal Information in the possession, custody or control of Borrower, any Subsidiary or Managed Practice or any third party to the extent acting on behalf of Borrower, any Subsidiary or Managed Practice. Except as would not, in the aggregate reasonably be expected to have a Material Adverse Change: neither Borrower, any Subsidiary or Managed Practice, nor, to the knowledge of Borrower, any third party to the extent acting on behalf of Borrower, any Subsidiary or Managed Practice, has received any: (i) complaint alleging noncompliance with Data Protection Laws; (ii) claim for compensation for loss or unauthorized collection, processing or disclosure of Personal Information; or (iii) notification of an application for rectification, erasure or destruction of Personal Information that is outstanding beyond the applicable time period required by Data Protection Laws for such action. (db) To The information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases of Borrower, each Subsidiary and Managed Practice (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the Knowledge operation of Tempranillothe business of Borrower, Tempranillo each Subsidiary and its Subsidiaries Managed Practice as currently conducted and as proposed to be conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Borrower, each Subsidiary and Managed Practice have executed current implemented and valid Business Associate Agreements with each (i) customer thatmaintained commercially reasonable controls, policies, procedures, and safeguards to the Knowledge of Tempranillo, is a “covered entity” (as defined by HIPAA maintain and protect their material confidential information and the corresponding regulationsintegrity, continuous operation, redundancy and security of all IT Systems and data (including Personal Information) used in connection with their businesses, and (ii) “subcontractor” (as defined by HIPAA there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability. Borrower, each Subsidiary and the corresponding regulations). Tempranillo Managed Practice have implemented backup and its Subsidiaries are in material compliance disaster recovery technology consistent with such Business Associate Agreements and, to the Knowledge of Tempranillo, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiariesapplicable Data Protection Laws. (e) To the extent Tempranillo or any of its Subsidiaries has de-identified user data, Tempranillo and its Subsidiaries have obtained all rights necessary to undertake de-identification of such user data and has de-identified such user data in accordance with the requirements of HIPAA and other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified data.

Data Privacy and Security. (a) Since January 1, 2018, the collection, acquisition, use, storage, transfer (including any cross-border transfers), distribution or dissemination by Tempranillo A2iA and its Subsidiaries of any Personal Data are comply, and at all times during the past three (3) years have been in compliance complied, in all material respects with its internal privacy policies relating to the Privacy Requirementsuse, except where collection, storage, disclosure and transfer of any instances Personal Information collected by A2iA or its Subsidiaries or by third parties acting on behalf of non-compliance have not had, and would not reasonably be expected or having authorized access to have, a Tempranillo Material Adverse Effect.the records of A2iA or its Subsidiaries. Neither A2iA nor any of its Subsidiaries has received any written complaint (b) Tempranillo and its Subsidiaries maintain commercially reasonable policies, procedures, trainings, and security measures with respect to the physical and electronic security and privacy of Personal Data that are designed to achieve compliance with the Privacy Requirements, and Tempranillo and its Subsidiaries are in compliance with such policies and procedures, except as have not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. Since January 1, 2018, there have been no material breaches or material violations of any such security measures, or any unauthorized access of any Personal Data or TempranilloA2iA’s or its Subsidiaries’ business data by operation of any Third Party. As of the date of this Agreement, no written claim or other Proceeding is pending against Tempranillo or any of its Subsidiaries, nor to Tempranillo’s Knowledge, threatened, relating to any such obligation, policy, Applicable Law in relation to Personal Data or any breach or alleged breach thereof, except as has not had, and would not reasonably be expected to have, a Tempranillo Material Adverse Effect. (c) Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, as of the date of this Agreement, the IT Assets owned by, or websites used and controlled by, Tempranillo and its Subsidiaries (i) operate and perform as required by Tempranillo and its Subsidiaries in connection with the conduct business of their respective businessesA2iA and its Subsidiaries, (ii) since January 1the content thereof, 2018and all data processed, have not malfunctioned collected, stored or failed (except for malfunctions or failures that have been fully remedied) and (iii) are free from bugs and other defects disseminated in connection therewith, comply in all material respects with all Applicable Laws, and do not contain violate any “virus”, “worm”, “spyware” Person’s right of privacy or other malicious Softwarepublicity. Except as would not reasonably be expected to have a Tempranillo Material Adverse Effect, to Tempranillo’s Knowledge, since January 1, 2018, no Person has gained unauthorized access to the IT Assets owned by, or used and controlled by, Tempranillo and its Subsidiaries. (d) To the Knowledge of Tempranillo, Tempranillo A2iA and its Subsidiaries have executed current posted privacy policies governing A2iA’s and valid Business Associate Agreements with each (i) customer thatits Subsidiaries’ use of data, to the Knowledge and disclaimers of Tempranilloliability, is a “covered entity” (as defined by HIPAA on its websites, and the corresponding regulations) and (ii) “subcontractor” (as defined by HIPAA and the corresponding regulations). Tempranillo A2iA and its Subsidiaries are in material compliance have complied with such Business Associate Agreements and, applicable privacy policies in all material respects. A2iA and its Subsidiaries have taken reasonable steps in accordance with normal industry practices to secure its websites and data from unauthorized access or use thereof by any Person. To the Knowledge of TempranilloSellers’ Knowledge, no covered entity or subcontractor has materially breached any such Business Associate Agreement with Tempranillo or any of its Subsidiaries. (e) To the extent Tempranillo website security measure implemented by A2iA or any of its Subsidiaries has de-identified user databeen penetrated, Tempranillo and no website maintained by A2iA or any of its Subsidiaries have obtained all rights necessary to undertake dehas been the target of any defacement, unauthorized access, denial-identification of such user data and has deof-identified such user data in accordance with the requirements of HIPAA and service assault or other Privacy Requirements. To the extent Tempranillo and its Subsidiaries have used de-identified data, Tempranillo and its Subsidiaries have obtained all rights necessary for the use of such de-identified dataattack by hackers.