Common use of Data Security and Privacy Clause in Contracts

Data Security and Privacy. (a) Each Group Member is, and at all times, has been, in compliance in all material respects with (i) all applicable Data Protection Laws, including, to the extent applicable, but not limited to the GDPR and those relating to cross-border transfers; (ii) all applicable contractual obligations of each Loan Party and its Subsidiaries concerning data privacy and security relating to Personal Data in the possession or control of any Group Member or maintained by third parties on behalf of such Group Member and having access to such information under contracts (or portions thereof) to which a Group Member is a party; and (iii) all applicable data transfer agreements and data processing agreements, including the EU standard contractual clauses, to which a Group Member is a party (collectively, “Privacy Agreements”): (b) Each Group Member is, and has been, in compliance in all material respects with all applicable prior and current written internal and public-facing privacy policies and notices of the Group Members regarding the collection, retention, use, processing, disclosure and distribution of Personal Data by the Group Members or their respective agents (collectively, the “Privacy Policies”), and the Privacy Policies have been maintained to be consistent in all material respects with the actual practices of each Group Member. The Privacy Policies contemplate the Group Members’ current uses of the Personal Data, and to the extent required under applicable Data Protection Laws, each Group Member has sought and obtained the appropriate consent from the applicable data subject for such uses. The Privacy Policies have made all material disclosures to users, customers, employees, or other individuals required by Data Protection Laws. (c) Each Group Member has implemented and maintains a commercially reasonable security program (“Security Program”) that (i) complies in all material respects with all applicable Data Protection Laws, applicable Privacy Policies, and applicable Privacy Agreements, and (ii) includes commercially reasonable administrative, technical, organization, and physical security procedures and measures designed to preserve the security and integrity of all Personal Data and any other sensitive or confidential information or data related to each Group Member (collectively, “Company Sensitive Information”) in such Group Member’s possession or control and to protect such Company Sensitive Information against unauthorized or unlawful processing, access, acquisition, use, theft, interruption, modification, disclosure, loss, destruction or damage. (d) Except as disclosed on Schedule 4.23(d), there has been (i) no actual, suspected or alleged (in writing) incidents of unauthorized access, use, intrusion, disclosure or breach of the security of any information technology systems owned or controlled by a Group Member or any of their contractors and used by such contractors on behalf of a Group Member, and (ii) no actual, suspected or alleged (in writing) incidents of unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration, or use of any Company Sensitive Information, in each case that could reasonably be expected to cause a Material Adverse Effect. (e) Each Group Member has a valid and legal right (whether contractually, by applicable law or otherwise) to access or use all Personal Data that is accessed and used by or on behalf of a Group Member in connection with the sale, use and/or operation of their products, services and businesses. (f) Except as would not reasonably be expected to have a Material Adverse Effect, there is no pending or to the knowledge of any Loan Party, threatened in writing, complaints, claims, demands, inquiries, proceedings, or other notices, including any notices of any investigation or other legal proceedings, regarding a Group Member, initiated by (i) any Governmental Authority, including the United States Federal Trade Commission, a state attorney general, data protection authority or similar state official, or a supervisory authority; (ii) any counterparty to, or subject of, a Privacy Agreement; or (iii) any self-regulatory authority or entity, alleging that any activity of a Group Member: (1) is in violation of any applicable Data Protection Laws, (2) is in violation of any Privacy Agreements, (3) is in violation of any Privacy Policies or (4) is otherwise in violation of any person’s privacy, personal or confidentiality rights.

Data Security and Privacy. (a) Each Group Member Credit Party and its Subsidiaries is, and at all timesrelevant times since January 31, 2022, has been, in compliance in all material respects with (i) all applicable Data Protection Laws, including, to the extent applicable, including but not limited to the GDPR GDPR, where applicable and those any other applicable laws relating to cross-border transferstransfers of Personal Data; (ii) all applicable contractual obligations of each Loan Party and its Subsidiaries concerning data privacy and data security relating to Personal Data in the possession or control of any Group Member a Credit Party or a Subsidiary or maintained by third parties party processors on behalf of such Group Member Credit Party or Subsidiary and having access to such information under contracts (or portions thereof) to which a Group Member Credit Party or a Subsidiary is a party; and (iii) all applicable data transfer agreements and data processing agreements, including the EU standard contractual clauses, to which a Group Member Credit Party or a Subsidiary is a party (collectively, “Privacy Agreements”):). (b) Each Group Member Credit Party and its Subsidiaries is, and at all relevant times since January 31, 2022, has been, in compliance in all material respects with all applicable prior and current written internal and public-facing binding privacy policies and notices of the Group Members Credit Parties and its Subsidiaries regarding the collection, retention, use, processing, disclosure and distribution of Personal Data by the Group Members Credit Parties or their respective agents Subsidiaries (collectively, the “Privacy Policies”), and the Privacy Policies have been maintained to be consistent in all material respects with the actual practices of each Group MemberCredit Party and its Subsidiaries. The Privacy Policies contemplate the Group MembersCredit Parties’ and its Subsidiaries’ current uses of the Personal Data, and to the extent required under applicable Data Protection Laws, each Group Member has sought and obtained the appropriate consent from the applicable data subject for such uses. The Privacy Policies have made all material disclosures to users, customers, employees, or other individuals required by Data Protection Laws. (c) Each Group Member Credit Party and its Subsidiaries has implemented in place, maintains, and maintains complies with, a commercially reasonable comprehensive written information security program (“Security Program”) that (i) complies in all material respects with all applicable Data Protection Laws, applicable Privacy Policies, and applicable Privacy Agreements, and (ii) includes and incorporates commercially reasonable administrative, technical, organization, and physical security procedures and measures designed to preserve the security and integrity of all any Personal Data and any other data marked or reasonably understood to be sensitive or confidential information or data related to each Group Member Credit Party and its Subsidiaries (collectively, “Company Sensitive Information”) in such Group Member’s the Credit Parties’ or its Subsidiaries’ possession or control and to protect such Company Sensitive Information against unauthorized or unlawful processing, access, acquisition, use, theft, interruption, modification, disclosure, loss, destruction or damage. (d) Except as disclosed on Schedule 4.23(d)Since January 31, 2022, to the knowledge of the Credit Parties, there has been (i) no actual, suspected or alleged (in writing) material incidents of unauthorized access, use, intrusion, disclosure or breach of the security of any information technology systems owned or controlled by a Group Member Credit Party or a Subsidiary or any of their contractors and used by such contractors on behalf of a Group Membercontractors, and (ii) no actual, suspected or alleged (in writing) material incidents of unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration, or use of any Company Sensitive Information, in each case that could reasonably be expected to cause a Material Adverse Effect. (e) Each Group Member Credit Party and each of its Subsidiaries has a valid and legal right (whether contractually, by applicable law Applicable Law or otherwise) to access or use all Personal Data that is accessed and used by or on behalf of a Group Member Credit Party or a Subsidiary in connection with the sale, use and/or operation of their products, services and businesses. (f) Except as would not reasonably be expected to have a Material Adverse EffectNeither any Credit Party nor any Subsidiary has received any, there is no pending or nor to the knowledge of the Credit Parties are there any Loan Partymaterial pending, threatened in writing, written complaints, claims, demands, inquiries, proceedings, or other noticesnotices that could reasonably be expected to result in an investigation or other legal proceeding, including any notices of any investigation or other legal proceedings, regarding a Group MemberCredit Party or a Subsidiary, initiated by (i) any Person; (ii) any Governmental Authority, including the United States Federal Trade Commission, a state attorney general, data protection authority or similar state official, or a supervisory authority; (ii) any counterparty to, or subject of, a Privacy Agreement; or (iii) any self-regulatory authority or entity, alleging that any activity of a Group MemberCredit Party or a Subsidiary: (1) is in violation of any applicable Data Protection Laws, (2) is in violation of any Privacy Agreements, (3) is in violation of any Privacy Policies or Policies, (4) is otherwise in violation of any person’s privacy, personal or confidentiality rights, or (5) otherwise constitutes an unfair, deceptive, abusive or misleading trade practice, in each case in any material respect.

Data Security and Privacy. (a) Each Group Member Loan Party and its Subsidiaries is, and at all times, has been, in compliance in all material respects with (i) all applicable Data Protection Laws, including, to the extent applicable, but not limited to the GDPR and those relating to cross-border transfers; (ii) all applicable contractual obligations of each Loan Party and its Subsidiaries concerning data privacy and security relating to Personal Data in the possession or control of any Group Member a Loan Party or a Subsidiary or maintained by third parties on behalf of such Group Member Loan Party or Subsidiary and having access to such information under contracts (or portions thereof) to which a Group Member Loan Party or a Subsidiary is a party; and (iii) all applicable data transfer agreements and data processing agreements, including the EU standard contractual clauses, to which a Group Member Loan Party or a Subsidiary is a party (collectively, “Privacy Agreements”): (b) Each Group Member Loan Party and its Subsidiaries is, and has been, in compliance in all material respects with all applicable prior and current written internal and public-facing privacy policies and notices of the Group Members Loan Parties and its Subsidiaries regarding the collection, retention, use, processing, disclosure and distribution of Personal Data by the Group Members Loan Parties or their Subsidiaries or their respective agents (collectively, the “Privacy Policies”), and the Privacy Policies have been maintained to be consistent in all material respects with the actual practices of each Group MemberLoan Party and its Subsidiaries. The Privacy Policies contemplate the Group MembersLoan Parties’ and their Subsidiaries’ current uses of the Personal Data, and to the extent required under applicable Data Protection Laws, each Group Member Loan Party and its Subsidiaries has sought and obtained the appropriate consent from the applicable data subject for such uses. The Privacy Policies have made all material disclosures to users, customers, employees, or other individuals required by Data Protection Laws. (c) Each Group Member Loan Party and its Subsidiaries has implemented and maintains a commercially reasonable security program (“Security Program”) that (i) complies in all material respects with all applicable Data Protection Laws, applicable Privacy Policies, and applicable Privacy Agreements, and (ii) includes commercially reasonable administrative, technical, organization, and physical security procedures and measures designed to preserve the security and integrity of all Personal Data and any other sensitive or confidential information or data related to each Group Member Loan Party and its Subsidiaries (collectively, “Company Sensitive Information”) in such Group MemberLoan Party’s or its Subsidiaries’ possession or control and to protect such Company Sensitive Information against unauthorized or unlawful processing, access, acquisition, use, theft, interruption, modification, disclosure, loss, destruction or damage. (d) Except as disclosed on Schedule 4.23(d), there There has been (i) no actual, suspected or alleged (in writing) incidents of unauthorized access, use, intrusion, disclosure or breach of the security of any information technology systems owned or controlled by a Group Member Loan Party or a Subsidiary or any of their contractors and used by such contractors on behalf of a Group MemberLoan Party or a Subsidiary, and (ii) no actual, suspected or alleged (in writing) incidents of unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration, or use of any Company Sensitive Information, in each case that could reasonably be expected to cause a Material Adverse EffectChange. (e) Each Group Member Loan Party and its Subsidiaries has a valid and legal right (whether contractually, by applicable law or otherwise) to access or use all Personal Data that is accessed and used by or on behalf of a Group Member Loan Party or a Subsidiary in connection with the sale, use and/or operation of their products, services and businesses. (f) Except as would not reasonably be expected to have a Material Adverse EffectChange, there is no pending or to the knowledge of any Loan Party, threatened in writing, complaints, claims, demands, inquiries, proceedings, or other notices, including any notices of any investigation or other legal proceedings, regarding a Group MemberLoan Party or a Subsidiary, initiated by (i) any Governmental Authority, including the United States Federal Trade Commission, a state attorney general, data protection authority or similar state official, or a supervisory authority; (ii) any counterparty to, or subject of, a Privacy Agreement; or (iii) any self-regulatory authority or entity, alleging that any activity of a Group MemberLoan Party or a Subsidiary: (1) is in violation of any applicable Data Protection Laws, (2) is in violation of any Privacy Agreements, (3) is in violation of any Privacy Policies or (4) is otherwise in violation of any person’s privacy, personal or confidentiality rights.

Data Security and Privacy. (a) Each Group Member isTo the Seller’s Knowledge, and at all timesno breach or violation of any such security policy or privacy policy, including under any customer contracts, has been, in compliance in all material respects with (i) all applicable Data Protection Laws, includingoccurred or, to the extent applicablebest of the Seller’s Knowledge, but not limited is threatened, and there has been no unauthorized or illegal use, disclosure or access to any of the GDPR data or information in any of the Company’s electronic or other database containing (in whole or in part) Personal Data maintained by or for any of the Group Companies (the “Company Databases”). Each Group Company has collected, maintained and those relating to cross-border transfers; (ii) used the data in the Company Databases at all times materially in accordance with the Group Companies’ and – where applicable – their customers’ security policies and privacy policies and with all applicable contractual obligations of each Loan Party and its Subsidiaries concerning data privacy and security relating Legal Requirements pertaining to privacy, User Data, or Personal Data in the possession or control of any Group Member or maintained by third parties on behalf of such Group Member and having access to such information under contracts (or portions thereof) to which a Group Member is a party; and (iii) all applicable data transfer agreements and data processing agreementsData. CERTAIN CONFIDENTIAL INFORMATION CONTAINED IN THIS DOCUMENT, including the EU standard contractual clausesMARKED BY BRACKETS, to which a Group Member is a party (collectivelyHAS BEEN OMITTED AND FILED SEPARATELY WITH THE SECURITIES AND EXCHANGE COMMISSION PURSUANT TO RULE 406 OF THE SECURITIES ACT OF 1933, “Privacy Agreements”):AS AMENDED. (b) Each Group Member isCompany has implemented reasonable steps consistent with the type of activities conducted by it which are known in the information systems industry (and which are generally known as best practices) to protect, physically and has beenelectronically, in compliance in all material respects with all applicable prior their information assets and current written internal and public-facing privacy policies and notices data from unauthorized disclosure, use or modification. To the Sellers’ Knowledge, there have been no breaches of security affecting any of the Group Members regarding the collection, retention, use, processing, disclosure and distribution of Personal Data by the Group Members Companies’ or their respective agents (collectively, the “Privacy Policies”), and the Privacy Policies have been maintained to be consistent in all material respects with the actual practices of each Group Membercustomers’ information assets or data. The Privacy Policies contemplate the Group Members’ current uses of the Personal Data, and to the extent required under applicable Data Protection Laws, each Group Member has sought and obtained the appropriate consent from the applicable data subject for such uses. The Privacy Policies have made all material disclosures to users, customers, employees, or other individuals required by Data Protection Laws. (c) Each Group Member Company has implemented conducted its businesses and maintains a commercially reasonable security program (“Security Program”) that has collected, maintained and used its own and its customers’ data at all times materially in accordance with (i) complies in all material respects with all applicable Data Protection Lawsaccepted industry practice relating to their own and their customers’ industries, applicable Privacy Policies, and applicable Privacy Agreements, as the case may be); and (ii) includes commercially reasonable administrative, technical, organization, and physical security procedures and measures designed to preserve the security and integrity of all Personal Data and any other sensitive or confidential information or data related to each Group Member (collectively, “Company Sensitive Information”) in such Group Member’s possession or control and to protect such Company Sensitive Information against unauthorized or unlawful processing, access, acquisition, use, theft, interruption, modification, disclosure, loss, destruction or damage. (d) Except as disclosed on Schedule 4.23(d), there has been (i) no actual, suspected or alleged (in writing) incidents of unauthorized access, use, intrusion, disclosure or breach of the security of any information technology systems owned or controlled by a Group Member or any of their contractors and used by such contractors on behalf of a Group Member, and (ii) no actual, suspected or alleged (in writing) incidents of unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration, or use of any Company Sensitive Information, in each case that could reasonably be expected to cause a Material Adverse Effect. (e) Each Group Member has a valid and legal right (whether contractually, by applicable law or otherwise) to access or use all Personal Data that is accessed and used by or on behalf of a Group Member in connection with the sale, use and/or operation of their products, services and businesses. (f) Except as would not reasonably be expected to have a Material Adverse Effect, there is no pending or to the knowledge of any Loan Party, threatened in writing, complaints, claims, demands, inquiries, proceedings, or other noticesLegal Requirements, including any notices of any investigation or other legal proceedingsbut not limited to those relating to privacy (including applicable industry-specific secrecy rules, regarding a Group Member, initiated by (i) any Governmental Authority, including the United States Federal Trade Commission, a state attorney general, data protection authority or similar state official, or a supervisory authority; (ii) any counterparty to, or subject of, a Privacy Agreement; or (iii) any self-regulatory authority or entity, alleging that any activity of a Group Member: (1) is in violation of any applicable Data Protection Laws, (2) is in violation of any Privacy Agreements, (3) is in violation of any Privacy Policies or (4) is otherwise in violation of any person’s privacy, personal or confidentiality rightssuch as banking secrecy).

Data Security and Privacy. (a) Each Group Member is, and at The Company has complied with all times, has been, in compliance in all material respects with applicable: (i) all applicable Data Protection Security and Privacy Laws, including, to the extent applicable, but not limited to the GDPR and those relating to cross-border transfers; (ii) all applicable contractual obligations of each Loan Party and its Subsidiaries concerning data privacy and security relating to Personal Data in the possession or control of any Group Member or maintained by third parties on behalf of such Group Member and having access to such information under contracts (or portions thereof) to which a Group Member is a partyPrivacy Policies; and (iii) the terms of all applicable data transfer agreements and data processing agreements, including the EU standard contractual clauses, Contracts to which the Company is bound relating to the Processing of Personal Information or Business Data (the “Data Protection Requirements”), except as would not have, individually or in the aggregate, a Group Member Material Adverse Effect. The Company has obtained written agreements from all third parties that Process Personal Information or Business Data for or on behalf of the Company (each, a “Third Party Processor”) that satisfy the requirements of applicable Data Protection Requirements, and to the Knowledge of the Company, no such Third Party Processor is a party (collectively, “Privacy Agreements”):in material breach of any such agreement. (b) Each Group Member isThe Company has developed, implemented, and has beenmaintained, all necessary and appropriate policies, procedures and training programs to maintain and protect the Company’s Personal Information and Business Data in compliance with Data Security and Privacy Laws. The Company has all necessary authority, rights, consents and authorizations to Process any Personal Information maintained by or for the Company to the extent required in all material respects connection with all applicable prior and current written internal and public-facing privacy policies and notices the operation of the Group Members regarding the collectionBusiness as currently conducted. The Company does not sell, retentionrent or otherwise make available to any Person any Personal Information, use, processing, disclosure and distribution of Personal Data by the Group Members or their respective agents (collectively, the “Privacy Policies”), and the Privacy Policies have been maintained to be consistent except in a manner that complies in all material respects with the actual practices of each Group Member. The Privacy Policies contemplate the Group Members’ current uses of the Personal Data, and to the extent required under applicable Data Protection Laws, each Group Member has sought and obtained the appropriate consent from the applicable data subject for such uses. The Privacy Policies have made all material disclosures to users, customers, employees, or other individuals required by Data Protection LawsRequirements. (c) Each Group Member The Company has implemented and maintains a commercially reasonable security program (“Security Program”) that not, nor to the Knowledge of the Company has any Third Party Processor, (i) complies been subject to any Order or any Action with respect to the Processing of Personal Information maintained by or for Company, (ii) received written notice of any commenced or threatened Action with respect to the Processing of Personal Information maintained by or for Company; or (iii) received any written complaint from any Person, alleging a violation of any Data Protection Requirement with respect to the Processing of Personal Information maintained by or for Company or in connection with any privacy or data protection practices of the Company. The consummation of the transaction contemplated hereunder will comply in all material respects with all applicable the Data Protection Laws, applicable Privacy Policies, and applicable Privacy Agreements, and (ii) includes commercially reasonable administrative, technical, organization, and physical security procedures and measures designed to preserve the security and integrity of all Personal Data and any other sensitive or confidential information or data related to each Group Member (collectively, “Company Sensitive Information”) in such Group Member’s possession or control and to protect such Company Sensitive Information against unauthorized or unlawful processing, access, acquisition, use, theft, interruption, modification, disclosure, loss, destruction or damageRequirements. (d) Except as disclosed on Schedule 4.23(d)The Company has implemented and maintained reasonable physical, there has been (i) no actualtechnical, suspected or alleged (in writing) incidents of unauthorized accessorganizational and administrative security measures, useprocedures and policies designed to maintain and protect the confidentiality, intrusion, disclosure or breach integrity and security of the security of any information technology systems owned or controlled by a Group Member or any of their contractors IT Systems and used by such contractors on behalf of a Group Member, and (ii) no actual, suspected or alleged (in writing) incidents of unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration, or use of any Company Sensitive Information, in each case that could reasonably be expected to cause a Material Adverse Effect. (e) Each Group Member has a valid and legal right (whether contractually, by applicable law or otherwise) to access or use all Personal Information and Business Data that is accessed and used by or on behalf of a Group Member in connection with the saleBusiness against any Security Incident (defined below). The Company has implemented appropriate backup and disaster recovery technology, use and/or operation plans and procedures consistent with reasonable industry practices. The Company has not discovered or been notified of their productsany breach or outage of, services and businesses. or unauthorized access to, its IT Systems, or of any unauthorized Processing of Personal Information or Business Data Processed by or for the Company (f) Except as would not reasonably be expected to have a Material Adverse Effect“Security Incident”), there is no pending nor are any incidents under internal review or investigation relating to the knowledge same. The Company has not, nor to the Knowledge of the Company has any Loan PartyThird Party Processor, threatened made or been required to make any notification to any Person in writing, complaints, claims, demands, inquiries, proceedings, or other notices, including connection with any notices of any investigation or other legal proceedings, regarding a Group Member, initiated by (i) any Governmental Authority, including the United States Federal Trade Commission, a state attorney general, data protection authority or similar state official, or a supervisory authority; (ii) any counterparty to, or subject of, a Privacy Agreement; or (iii) any self-regulatory authority or entity, alleging that any activity of a Group Member: (1) is in violation of Security Incident under any applicable Data Protection LawsRequirement. The Company has undertaken appropriate security audits, (2) is in violation of inventories, reviews, risk analyses and/or other security assessments and remediated any Privacy Agreements, (3) is in violation of any Privacy Policies critical or (4) is otherwise in violation of any person’s privacy, personal or confidentiality rightshigh-risk deficiencies identified thereby.

Data Security and Privacy. (a) Each Group Member is, and at all times, has been, in compliance in all material respects with (i) all applicable Data Protection Laws, including, to the extent applicable, but not limited to the GDPR and those relating to cross-border transfers; (ii) all applicable contractual obligations of each Loan Party and its Subsidiaries concerning data privacy and security relating to Personal Data in the possession or control of any Group Member or maintained by third parties on behalf of such Group Member and having access to such information under contracts (or portions thereof) to which a Group Member is a party; and (iii) all applicable data transfer agreements and data processing agreements, ny-2508035 including the EU standard contractual clauses, to which a Group Member is a party (collectively, “Privacy Agreements”): (b) Each Group Member is, and has been, in compliance in all material respects with all applicable prior and current written internal and public-facing privacy policies and notices of the Group Members regarding the collection, retention, use, processing, disclosure and distribution of Personal Data by the Group Members or their respective agents (collectively, the “Privacy Policies”), and the Privacy Policies have been maintained to be consistent in all material respects with the actual practices of each Group Member. The Privacy Policies contemplate the Group Members’ current uses of the Personal Data, and to the extent required under applicable Data Protection Laws, each Group Member has sought and obtained the appropriate consent from the applicable data subject for such uses. The Privacy Policies have made all material disclosures to users, customers, employees, or other individuals required by Data Protection Laws. (c) Each Group Member has implemented and maintains a commercially reasonable security program (“Security Program”) that (i) complies in all material respects with all applicable Data Protection Laws, applicable Privacy Policies, and applicable Privacy Agreements, and (ii) includes commercially reasonable administrative, technical, organization, and physical security procedures and measures designed to preserve the security and integrity of all Personal Data and any other sensitive or confidential information or data related to each Group Member (collectively, “Company Sensitive Information”) in such Group Member’s possession or control and to protect such Company Sensitive Information against unauthorized or unlawful processing, access, acquisition, use, theft, interruption, modification, disclosure, loss, destruction or damage. (d) Except as disclosed on Schedule 4.23(d), there has been (i) no actual, suspected or alleged (in writing) incidents of unauthorized access, use, intrusion, disclosure or breach of the security of any information technology systems owned or controlled by a Group Member or any of their contractors and used by such contractors on behalf of a Group Member, and (ii) no actual, suspected or alleged (in writing) incidents of unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration, or use of any Company Sensitive Information, in each case that could reasonably be expected to cause a Material Adverse Effect. (e) Each Group Member has a valid and legal right (whether contractually, by applicable law or otherwise) to access or use all Personal Data that is accessed and used by or on behalf of a Group Member in connection with the sale, use and/or operation of their products, services and businesses. (f) Except as would not reasonably be expected to have a Material Adverse Effect, there is no pending or to the knowledge of any Loan Party, threatened in writing, complaints, claims, demands, inquiries, proceedings, or other notices, including any notices of any investigation or other legal proceedings, regarding a Group Member, initiated by (i) any Governmental Authority, including the United States Federal Trade Commission, a state attorney general, data protection authority or similar state official, or a supervisory authority; (ii) any counterparty to, or subject of, a Privacy Agreement; or (iii) any self-regulatory authority or entity, alleging that any activity of a Group Member: (1) is in violation of any applicable Data Protection Laws, (2) is in violation of any Privacy Agreements, (3) is in violation of any Privacy Policies or (4) is otherwise in violation of any person’s privacy, personal or confidentiality rights.

Data Security and Privacy. (a) Each Group Member isThe Company’s information security and privacy program is designed to comply with and, and at all timestimes within the six (6) years prior to Closing, has been, been in compliance in all material respects with, (i) applicable Legal Requirements relating to the rights of any natural Person with respect to Personal Information, including the Processing of Personal Information, data security, breach notification, and all applicable industry standards related to the same (including industry standards with which payment card companies require merchants to comply, including the Payment Card Industry Data Security Standards) (collectively, “Privacy Laws”), (ii) any privacy choices, including opt-in or opt-out preferences and rights’ requests, of natural Persons relating to the Processing of Personal Information, (iii) any obligations contained in or resulting from the Company’s internal and external data privacy, data security, incident response, or similar policies, notices, protocols, or standards with respect to the Processing or security of Personal Information (clauses (ii) and (iii) together, the “Company Privacy Commitments”), and (iv) any Company Contract that is applicable to such Personal Information (each, a “Company Data Agreement”). None of the Company Privacy Commitments conflict in any material respect with any Company Data Agreement. To the extent required under any Privacy Law, the Company has provided adequate notice, obtained valid consents, offered opt-outs, maintained accurate records of the communications preferences of users of Company products, processes, and services (including any of the Company Products) and other natural Persons whose Personal Information is Processed by or on behalf of the Company, and taken all other reasonable actions in connection with the Processing of Personal Information. Neither the execution, delivery, and performance of this Agreement nor the consummation of the Transactions will cause, constitute, or result in a breach or violation of any Privacy Law, Company Privacy Commitments, Company Data Agreements, or standard terms of service entered into by users of any Company products, processes, and services (including any of the Company Products). The Company has made available to Buyer in the Virtual Data Room accurate and complete copies of all current and prior privacy policies used by the Company within the six (6) years prior to the Closing. (b) Each Company Contract between the Company and any Person that Processes Personal Information for or on behalf of the Company (a “Third-Party Processor”) complies in all material respects with all Privacy Laws, Company Privacy Commitments, and Company Data Agreements. Without limiting the generality of the foregoing, the Company has contractually obligated each Third-Party Processor to (i) take appropriate steps to protect and secure from unauthorized disclosure such Personal Information, (ii) restrict use of such Personal Information to those authorized to use such Personal Information or who require the use of such Personal Information in order to perform the applicable services for the Company, (iii) prohibit such Third-Party Processor from further transferring the Company’s data without the prior written consent of the Company, and (iv) afford to the Company or any of the Company’s Representatives reasonable access to the places of business and systems of such Third-Party Processor to audit compliance with such contractual obligations, and in each case, to the Knowledge of Non-ESOP Sellers, no such Third-Party Processor is in breach of any of such Third-Party Processor’s contractual obligations to the Company. (c) The Company has implemented and maintains reasonable written security procedures and practices appropriate to protect Personal Information and employs a system of written internal controls sufficient to provide reasonable assurance that the Company complies in all material respects with all Privacy Laws, Company Privacy Commitments, and Company Data Agreements. No Proceedings are pending or, to the Knowledge of Non-ESOP Sellers, threatened with respect to the Company’s Processing of Personal Information. (d) The conduct and operation of the businesses of the Company, including the operations of Company products, processes, and services (including any of the Company Products) and their distribution to and use by any natural Persons, complies in all material respects with the applicable provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural Persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The conduct and operation of the businesses of the Company complies in all material respects with the applicable provisions of the California Consumer Privacy Act of 2018, as amended. The Company has not sold, rented, released, disclosed, disseminated, made available, transferred, or otherwise communicated orally, in writing, or by electronic or other means, any Personal Information to another Person for monetary or other valuable consideration. The Company has at all times within the six (6) years prior to Closing, complied in all material respects with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). The Company has entered into business associate agreements with (i) all applicable Data Protection Laws“Covered Entities” and “Business Associates” (as such terms are defined in 45 C.F.R. § 160.103) who provide the Company with, includingor for whom the Company receives, to the extent applicablecreates, but not limited to the GDPR maintains, transmits, or processes Protected Health Information (as defined under HIPAA), and those relating to cross-border transfers; (ii) with all applicable contractual obligations Persons acting as “Business Associates” or “Subcontractors” of each Loan Party and its Subsidiaries concerning data privacy and security relating to Personal Data the Company (as such terms are defined in the possession or control of any Group Member or maintained by third parties on behalf of such Group Member and having access to such information under contracts (or portions thereof) to which a Group Member is a party; and (iii) all applicable data transfer agreements and data processing agreements, including the EU standard contractual clauses, to which a Group Member is a party (collectively, “Privacy Agreements”): (b) Each Group Member 45 C.F.R. § 160.103). The Company is, and has at all times been, in compliance in all material respects with all applicable prior and current written internal and public-facing privacy policies and notices of the Group Members regarding the collection, retention, use, processing, disclosure and distribution of Personal Data by the Group Members business associate agreements to which it is a party or their respective agents (collectively, the “Privacy Policies”), and the Privacy Policies have been maintained to be consistent in all material respects with the actual practices of each Group Memberis otherwise bound. The Privacy Policies contemplate Company has performed a security risk assessment that meets the Group Members’ current uses of the Personal Data, HIPAA security rule standards set forth in 45 C.F.R. § 164.306 and to the extent required under applicable Data Protection Laws, each Group Member has sought § 164.308(a)(1)(ii)(A) and obtained the appropriate consent from the applicable data subject for timely addressed and remediated all threats and deficiencies identified in such uses. The Privacy Policies have made all material disclosures to users, customers, employees, or other individuals required by Data Protection Lawssecurity risk assessment. (ce) Each Group Member The Company has implemented and maintains a commercially reasonable maintained at all times within the six (6) years prior to Closing, appropriate technical, physical, and organizational measures, security program (“Security Program”) that (i) complies systems, and technologies in compliance in all material respects with all applicable Data Protection Lawsdata security requirements under all Privacy Laws and Company Privacy Commitments and that are designed to protect computers, applicable Privacy Policiesnetworks, software, and applicable Privacy Agreements, systems used by the Company and (ii) includes commercially reasonable administrative, technical, organization, and physical security procedures and measures designed to preserve Personal Information Processed by the security and integrity of all Personal Data and any other sensitive or confidential information or data related to each Group Member (collectively, “Company Sensitive Information”) in such Group Member’s possession or control and to protect such Company Sensitive Information against unauthorized or unlawful processing, access, acquisition, usefrom loss, theft, interruption, modification, disclosure, loss, destruction or damage. (d) Except as disclosed on Schedule 4.23(d), there has been (i) no actual, suspected or alleged (in writing) incidents of unauthorized access, use, intrusiondisclosure, disclosure or breach of the modification. No breach, security incident, or violation of any data security policy in relation to any information technology systems owned or controlled by a Group Member or any of their contractors and used by such contractors on behalf of a Group Member, and (ii) no actual, suspected or alleged (in writing) incidents of unauthorized acquisition, destruction, damage, disclosure, loss, corruption, alteration, or use of any Company Sensitive Information, in each case that could reasonably be expected to cause a Material Adverse Effect. (e) Each Group Member has a valid and legal right (whether contractually, by applicable law or otherwise) to access or use all Personal Data that is accessed and used data Processed by or on behalf of the Company, including a Group Member “Breach” of “Unsecured Protected Health Information” (as such terms are defined in connection 45 C.F.R. § 164.402), has occurred, and there has been no unauthorized or illegal Processing of any such information or data. The Company has made available to Buyer in the Virtual Data Room accurate and complete copies of all prior reports, studies, and other analyses, in the Company’s possession or control, whether conducted by third Persons or by the Company, of the measures the Company takes or has taken to protect computers, networks, Software, and systems used by the Company. None of such reports, studies, or other analyses has revealed any material failure of such security and other measures to be consistent with customary industry practices, the saleCompany’s obligations to other Persons, use and/or operation or applicable Legal Requirements. To the Knowledge of their productsthe Non-ESOP Sellers, services and businessesno circumstance has arisen in which: (i) any Privacy Law would require the Company to notify a Governmental Authority or Person of a data security breach or security incident or (ii) applicable guidance or codes of practice promulgated under any Privacy Law would recommend the Company to notify a Governmental Authority or other Person of a data security breach or security incident. The Company has ensured that all Third-Party Processors are under written obligations of confidentiality with respect to such data. (f) Except as would not reasonably be expected to have a Material Adverse Effect, there There is no Proceeding pending or or, to the knowledge Knowledge of any Loan PartyNon-ESOP Sellers, threatened in writing, complaints, claims, demands, inquiries, proceedings, or other notices, including any notices of any investigation or other legal proceedings, regarding a Group Member, initiated by against the Company: (i) alleging or confirming non-compliance with any Governmental AuthorityPrivacy Laws, including the United States Federal Trade Commission, a state attorney general, data protection authority or similar state officialCompany Privacy Commitments, or a supervisory authority; Company Data Agreements, (ii) any counterparty torequiring or requesting the Company to amend, rectify, cease Processing, de-combine, permanently anonymize, block, or subject ofdelete any Personal Information, a Privacy Agreement; or (iii) initiating, announcing, permitting or mandating investigations, audits, the requisition of information from, or the entering of the premises of, the Company by any self-regulatory authority Governmental Authorities, or entity(iv) claiming compensation from the Company with respect to the Processing of Personal Information. Within the six (6) years prior to the Closing, alleging that the Company has not been involved in any activity of Proceedings involving a Group Member: (1) is in violation of any applicable Data Protection Laws, (2) is in violation breach or alleged breach of any Privacy Agreements, (3) is in violation of any Law or Company Privacy Policies or (4) is otherwise in violation of any person’s privacy, personal or confidentiality rightsCommitments.