Common use of Privacy and Cybersecurity Clause in Contracts

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains and for the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not be expected to be material to the Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in compliance with, and for the past three (3) years has been in compliance with, (i) all applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems (collectively, “Privacy Obligations”). There are no Actions by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws or Privacy Obligations. (b) In the past three (3) years (i) to the knowledge of the Company, there have been no material breaches of the security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or on behalf of the Company or any of its Subsidiaries, and (ii) there have been no disruptions in any IT Systems that materially adversely affected the Company’s or its Subsidiaries’ businesses or operations. The Company and its Subsidiaries take commercially reasonable measures designed to protect confidential or sensitive information (including Personal Information) in their possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable administrative, technical and physical safeguards. Neither the Company nor any Subsidiary of the Company has (A) experienced any incident in which such information was accessed, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security or (B) received any written notice or complaint from any Person (including any Governmental Authority) nor has any such notice or complaint been threatened against the Company of any of its Subsidiaries with respect to any breach of the security of Personal Information.

Privacy and Cybersecurity. (a) The Company and its Subsidiaries maintain and are in compliance in all material respects with, and during the five (5) years preceding the date of this Agreement have maintained and been in compliance in all material respects with, (i) all applicable Laws relating to the privacy and/or security of personal information, (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies, and (iii) the Company’s and its Subsidiaries’ contractual obligations concerning cybersecurity, data security and the security of the Company’s and each of its Subsidiaries maintains Subsidiaries’ information technology systems, in each case of (i)-(iii) above, other than any non-compliance that, individually or in the aggregate, has not been and for the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not reasonably be expected to be material to the Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in compliance with, and for the past three (3) years has been in compliance with, (i) all applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems (collectively, “Privacy Obligations”). There are no Actions by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened in writing against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws third Person’s privacy or Privacy Obligationspersonal information rights. (b) In During the past three five (35) years preceding the date of this Agreement (i) to the knowledge of the Company, there have been been, no material breaches of the security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or on behalf information technology systems of the Company or any of and its Subsidiaries, and (ii) there have been no disruptions in any IT Systems information technology systems that materially adversely affected the Company’s or and its Subsidiaries’ businesses business or operations. The Company and its Subsidiaries take commercially reasonable and legally compliant measures designed to protect confidential confidential, sensitive or sensitive personally identifiable information (including Personal Information) in their its possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable administrative, technical and physical safeguards. Neither To the knowledge of the Company, neither the Company nor any Subsidiary of the Company has (A) experienced any incident in which such information was stolen or improperly accessed, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security security, or (B) received any written notice or complaint from any Person (including with respect to any Governmental Authority) of the foregoing, nor has any such notice or complaint been threatened in writing against the Company of or any of its Subsidiaries with respect to any breach of the security of Personal InformationCompany’s Subsidiaries.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains and for the past three (3) years has maintained Acquired Companies have one or more privacy policies consistent concerning the collection, use, and disclosure of Personal Information in connection with applicable Privacy Lawsthe operation of the business of the Acquired Companies and have been in compliance in all material respects with such privacy policies. Seller has made available to Purchaser prior to the date hereof copies of all privacy policies that have been used by the Acquired Companies since December 31, 2016. Since December 31, 2016, the Acquired Companies have continuously posted their respective privacy policies in a clear and conspicuous location on all websites and any mobile applications owned or operated by the Acquired Companies and have made such privacy policies available on all other forms used to collect Personal Information. (b) Except as would not not, individually or in the aggregate, reasonably be expected likely to be material to the have a Company and its Subsidiaries, taken as a wholeMaterial Adverse Effect, the Company and each of its Subsidiaries Acquired Companies are in compliance with, and for the past three with applicable Payment Card Industry Data Security Standards. (3c) years has been in compliance with, (i) all applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems (collectively, “Privacy Obligations”). There are no Actions by any No Person (including any Governmental Authority) pending has commenced any Action relating to which the Company or any of the Company’s Subsidiaries is a named party orAcquired Companies’ information privacy or data security practices, including with respect to the knowledge collection, use, disclosure, transfer, storage, or disposal of the Company, threatened against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws or Privacy Obligations. (b) In the past three (3) years (i) to the knowledge of the Company, there have been no material breaches of the security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used Personal Information maintained by or on behalf of the Acquired Companies or, to the Knowledge of Seller, threatened any such Action, or made any formal investigation or inquiry relating to such practices. (d) The execution, delivery, and performance of this Agreement and the consummation of the contemplated transactions, including any transfer of Personal Information resulting from such transactions, will not violate any applicable Law, the privacy policies of the Acquired Companies as they currently exist or as they existed at any time during which the use of Personal Information was consented to by the applicable Person or any Personal Information was collected or obtained by or on behalf of the applicable Acquired Company, or other privacy and data security requirements imposed on the Acquired Company or any party acting on its behalf under any Contracts. Upon the Closing, the Acquired Companies will continue to have the right to use such Personal Information on identical terms and conditions as the Acquired Companies used it immediately prior to the Closing. (e) Except for disclosures of its SubsidiariesPersonal Information permitted by applicable Law and in accordance with all applicable Contracts, no Acquired Company sells, rents, or otherwise makes available any Personal Information to third Persons for compensation of any form. (f) The Acquired Companies have established, implemented, and comply with, and require all third party Persons that hold, process, receive, or have access to Personal Information for or on behalf of any Acquired Company to establish, implement, and comply with, policies, programs, and procedures that are in compliance with Laws that are applicable to the business of the Acquired Companies, NIST Special Publication 800-53 (iiversion 1.0) there have been no disruptions in any IT Systems that materially adversely affected and the Company’s or its Subsidiaries’ businesses or operations. The Company NIST Cybersecurity Framework (version 1.0), including administrative, technical and its Subsidiaries take commercially reasonable measures designed physical safeguards, to protect confidential or sensitive information (including the confidentiality, availability, and integrity of Personal Information) Information in their possession its possession, custody, or control against unauthorized access, use, modification, disclosure disclosure, or other misuse. Since December 31, including through commercially reasonable administrative2016, technical the Acquired Companies have conducted, or have had conducted on their behalf, annual IT security risk assessments and physical safeguards. Neither remediated material risks and vulnerabilities identified in such assessments. (g) To the Company nor any Subsidiary Knowledge of Seller, the Company has (A) Acquired Companies have not, since December 31, 2016, experienced any incident in which such information was accessedloss, useddamage, modifiedor unauthorized access, disclosed without authorization disclosure, use, or otherwise misused, including in connection with a breach of security of Personal Information or (B) received any written notice IT Systems in the Acquired Companies’ possession, custody, or complaint from any Person (including any Governmental Authority) nor has control, or otherwise held or processed on its behalf that affected a material portion of customers of the Acquired Companies and, to the Knowledge of Seller, no circumstances exist, as of the date hereof, that are reasonably likely to give rise to any such notice unauthorized access, disclosure, use, or complaint been threatened against the Company of any of its Subsidiaries with respect to any breach of the security of Personal Informationbreach.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains and for the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not reasonably be expected to be material to the business of Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in compliance with, and for during the past three (3) years has preceding the date of this Agreement have been in compliance with, (i) all applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), including requirements thereunder to maintain privacy policies and notices regarding Personal Information, and (ii) all of the Company’s and its Subsidiaries’ internal and publicly facing privacy policies and notices regarding Personal Information, and (iii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protectionobligations concerning cybersecurity, data security or and the collection, storage, handling, disclosure, transfer, use or security of the Company’s and each of its Subsidiaries’ information technology systems and processing of Personal Information or Information. Except as would not reasonably be expected to be material to the IT Systems (collectivelybusiness of Company and its Subsidiaries, “the Company and its Subsidiaries have implemented and maintained policies, procedures and systems as are required by Privacy Obligations”)Laws for receiving and appropriately responding to requests from individuals concerning their Personal Information. There are no Actions by any Person (including any Governmental Authority) pending ), to which the Company or any of the Company’s Subsidiaries is a named party orparty, pending or to the knowledge of the Company threatened against the Company or its Subsidiaries alleging a violation of any (i) Privacy Laws, or (ii) contractual commitments (including any applicable privacy policies) of the Company or any of the Company’s Subsidiaries with respect to any Personal Information. (b) To the knowledge of the Company, during the three (3) years preceding the date of this Agreement, (i) there have been no actual or reasonably suspected instances of data breaches, security incidents, or misuse of or unauthorized use of, access to, intrusions into, disruptions of, or data loss involving Company Systems which would, individually or in the aggregate, reasonably be expected to result in a Company Material Adverse Effect (a “Data Breach”), (ii) the Company and its Subsidiaries have implemented commercially reasonable measures designed to protect Personal Information in their possession or control against a Data Breach, and (iii) neither the Company nor any Subsidiary of the Company has received any written notice or complaint from any Person with respect to any such Data Breach, nor has any such notice or complaint been threatened in writing against the Company or any of the Company’s Subsidiaries. Neither the Company nor any of its Subsidiaries alleging have provided or been required to provide any written notification to any Person in connection with a violation or breach Data Breach. Neither the Company nor any of its Subsidiaries has paid (i) any perpetrator of any Privacy Laws data breach incident or Privacy Obligationscyber-attack or (ii) any third party with actual or alleged information about any data breach incident or cyber-attack. (bc) In the past three (3) years (i) to the knowledge of the CompanyAll current third-party services providers, there have been no material breaches of the security of the IT Systems controlled by the Company outsourcers, processors or its Subsidiaries other third parties who currently process, store or otherwise handle any other IT Systems used by Personal Information for or on behalf of the Company or any of its SubsidiariesSubsidiaries have contractually agreed to (i) comply with applicable Privacy Laws, and (ii) there have been no disruptions in maintain the confidentiality of Personal Information processed on behalf of the Company or any IT Systems that materially adversely affected the Company’s or its Subsidiaries’ businesses or operations. The Company and of its Subsidiaries take commercially and, (iii) maintain reasonable measures designed and appropriate technical, physical and administrative safeguards to protect confidential and secure such Personal Information from loss, theft, misuse or sensitive information (including Personal Information) in their possession or control against unauthorized access, use, modification, disclosure alteration, destruction or other misusedisclosure. To the knowledge of the Company, including through commercially reasonable administrativesuch third parties have not (A) suffered any Data Breach involving the Company’s or any of its Subsidiaries’ Personal Information, technical (B) breached any obligations relating to the Company’s or any of its Subsidiaries’ Personal Information or (C) violated any Privacy Laws in relation to the Company’s or any of its Subsidiaries’ Personal Information. To the knowledge of the Company, no third party who has provided any Personal Information to the Company and physical safeguards. Neither its Subsidiaries has done so in violation of applicable Privacy Laws. (d) As of the date of this Agreement, neither the Company nor any of its Subsidiaries is subject to any contractual requirements or other legal obligations that, following the Closing, would prohibit Acquiror, the Company, or any of the Company’s Subsidiaries from receiving, accessing, storing or using any Personal Information in the manner in which the Company or the respective Subsidiary received, accessed, stored and used such Personal Information prior to the date of this Agreement. The execution, delivery and performance of this Agreement by the Company does not violate its obligations under applicable Privacy Laws, the Company’s privacy policies and applicable contractual obligations of the Company has (A) experienced any incident in which such information was accessed, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security or (B) received any written notice or complaint from any Person (including any Governmental Authority) nor has any such notice or complaint been threatened against the Company of any of its Subsidiaries with respect to any breach of the security regarding its collection, use or disclosure of Personal Information.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains maintain and for the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not be expected to be material to the Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in compliance with, and for during the past last three (3) years has have maintained and been in compliance with, (i) all applicable Laws relating to privacythe privacy and/or security of personal information, data protectionin each of the countries in which the Company or its Subsidiaries maintain or transfer data, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies policies, and (iii) the Company’s and its Subsidiaries’ contractual commitments relating to privacy, data protectionobligations concerning cybersecurity, data security or and the collection, storage, handling, disclosure, transfer, use or processing security of Personal Information or the IT Systems (collectively, “Privacy Obligations”)Company’s and each of its Subsidiaries’ information technology systems. There are no Actions by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s Subsidiaries is a named party orparty, or as to the knowledge of the Company, threatened against which the Company or any of its Subsidiaries has received a threat in writing, alleging a violation or breach of any Privacy Laws third Person’s privacy or Privacy Obligationspersonal information rights. (b) In Except as set forth in Section 4.22(b) of the past Company Disclosure Letter, during the last three (3) years (i) to the knowledge of the Company, there have been been, no material breaches of the security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or on behalf information technology systems of the Company or any of and its Subsidiaries, and (ii) there have been no disruptions in any IT Systems information technology systems that materially adversely affected the Company’s or and its Subsidiaries’ businesses business or operations. The Company and its Subsidiaries take commercially reasonable and legally compliant measures designed to protect confidential confidential, sensitive or sensitive personally identifiable information (including Personal Information) in their its possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable administrative, technical and physical safeguardssafeguards applicable in each of the countries in which the Company or its Subsidiaries maintain or transfer data. Neither To the knowledge of the Company, neither the Company nor any Subsidiary of the Company has (A) experienced any incident in which such information was stolen or improperly accessed, used, modified, disclosed without authorization or otherwise misused, including in connection with a material breach of security security, or (B) received any written notice or complaint from any Person (including with respect to any Governmental Authority) of the foregoing, nor has any such notice or complaint been threatened in writing against the Company of or any of the Company’s Subsidiaries, save as would not materially adversely affect the Company’s and its Subsidiaries with respect to any breach of the security of Personal InformationSubsidiaries’ business or operations.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains maintain and for the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not be expected to be material to the Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in compliance with, and for the past three (3) years has since December 31, 2021 have maintained and been in compliance with, (i) all applicable Laws relating to privacy, data protection, data the privacy and/or security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”)Information, and (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies or notices, and (iii) the Company’s and its Subsidiaries’ contractual commitments relating to privacy, data protection, data obligations concerning the privacy and/or security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or and the IT Systems Assets (clauses (i) through (iii) collectively, “Company Privacy Obligations”), in each case of clauses (i) through (iii) above, other than any non-compliance that, individually or in the aggregate, has not been and would not reasonably be expected to be material to the Company and its Subsidiaries. There are no Actions actions by any Person (including any Governmental AuthorityEntity) pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened in writing against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws or Company Privacy Obligations. (b) In the past three (3) years (i) to the knowledge of the Company, there have been no material breaches of the security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or on behalf of the Company or any of its Subsidiaries, and (ii) there have been no disruptions in any IT Systems that materially adversely affected the Company’s or its Subsidiaries’ businesses or operations. The Company and its Subsidiaries take have implemented and at all times maintained commercially reasonable measures and legally compliant administrative, technical and physical safeguards designed to protect the IT Assets and all confidential or and sensitive information (including trade secrets) and Personal Information) Information in their the Company or any Subsidiary’s possession or control against unauthorized access, use, loss, modification, disclosure or other misusemisuse (“Security Incident”). Other than as disclosed on Schedule 4.15(b) of the Company Disclosure Letter, including through commercially reasonable administrative, technical and physical safeguards. Neither neither the Company nor any Subsidiary of the Company has (Ai) experienced any incident in which such information was accessedmaterial Security Incident, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security or (Bii) received any written notice or complaint from any Person (including with respect to any Governmental Authority) of the foregoing, nor has any such notice or complaint been threatened in writing against the Company of or any of its Subsidiaries with respect to any breach of the security of Personal InformationCompany’s Subsidiaries.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains are in compliance, in all material respects, with, and for during the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not be expected to be material to preceding the Company and its Subsidiaries, taken as a whole, the Company and each date of its Subsidiaries are in compliance with, and for the past three (3) years has this Agreement have been in compliance compliance, in all material respects, with, (i) all applicable Laws relating to governing privacy, data security, and data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ written and published privacy policies policies, and (iii) the Company’s and its Subsidiaries’ contractual commitments relating to obligations governing privacy, data protection, cybersecurity, data security or and the collectionsecurity of the Company’s and each of its Subsidiaries’ information technology systems, storagein each case of (i)-(iii) above. To the knowledge of the Company, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems (collectively, “Privacy Obligations”). There there are no Actions Legal Proceedings by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s Subsidiaries is a named party orand which allege a violation of any applicable Law relating to privacy, to data security, and data protection, or any third Person’s privacy or personal information rights. To the knowledge of the Company, threatened against the Company has not received a threat in writing alleging the Company or any of its Subsidiaries alleging a violation violated any applicable Law relating to privacy, data security, and data protection, or breach of any Privacy Laws third Person’s privacy or Privacy Obligationspersonal information rights. (b) In The Company IT Systems operate and perform, in a reasonable manner, as required for the past three (3) years (i) to conduct of the businesses of the Company and its Subsidiaries as presently conducted. To the knowledge of the Company, during the three (3) years preceding the date of this Agreement, (i) there have been no material breaches of the or security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or on behalf incidents materially impacting confidentiality, integrity and availability of the Company or any of its Subsidiaries, IT Systems; and (ii) there have been no disruptions or malfunctions in any Company IT Systems that materially adversely affected the Company’s or and its Subsidiaries’ businesses business or operations. The Company and its Subsidiaries take have implemented commercially reasonable measures security, such as administrative, technical and physical safeguards designed to (i) protect confidential or sensitive the confidentiality, integrity and availability of personal information (including Personal Information) in their possession possession, custody, or control control, including against unauthorized access, use, modification, disclosure or other misuse, including through and (ii) maintain the integrity and availability of the Company IT Systems. (c) To the knowledge of the Company, the Company IT Systems and Company Software do not contain any “time bombs,” “Trojan horses,” “back doors,” “trap doors,” worms, viruses, spyware, keylogger software, or other faults or malicious code or damaging devices. Company uses commercially reasonable administrativesecurity measures designed to detect and remove all such items. (d) To the knowledge of the Company, technical and physical safeguards. Neither during the three (3) years preceding the date of this Agreement, neither the Company nor any Subsidiary of the Company has (A) experienced any material breach or security incident in which such information was accessedmaterially impacted the confidentiality, usedintegrity, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security or (B) received any written notice or complaint from any Person (including any Governmental Authority) nor has any such notice or complaint been threatened against the Company availability of any of the Company or its Subsidiaries with respect to any breach of the security of Personal InformationSubsidiaries’ personal information in their possession, custody or control.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains are in compliance in all material respects with, and since the Company’s inception have been in compliance in all material respects with, (i) all applicable Laws relating to the privacy and/or collection, retention, protection and use of information relating to or reasonably capable of being associated with an individual, device or household (“Personal Information”) collected, used, or held for use in connection with the past three business of the Company or its Subsidiaries, (3ii) years the Company’s and its Subsidiaries’ published privacy, cybersecurity and data security policies, as applicable, and (iii) the Company’s and its Subsidiaries’ contractual obligations concerning cybersecurity, data security and the security of the information technology systems used by the Company and its Subsidiaries (the foregoing clauses (i)‑(iii), “Privacy and Cybersecurity Requirements”), other than any non-compliance that, individually or in the aggregate, has maintained privacy policies consistent with applicable Privacy Laws. Except as not been and would not reasonably be expected to be material to the Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in compliance with, and for the past three (3) years has been in compliance with, (i) all applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems (collectively, “Privacy Obligations”). There are no not, and have not been, any Actions by any Person (including Person, or any investigations by any Governmental Authority) , pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge Knowledge of the Company, threatened against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws and Cybersecurity Requirements. The Company and its Subsidiaries take appropriate measures to protect Personal Information against unauthorized access, use, modification, or Privacy Obligationsother misuse, including through administrative, technical and physical safeguards. (b) In Except as set forth on Section 5.22(b) of the past three (3) years Company Disclosure Letter, since the Company’s inception, (i) to the knowledge of the Company, there have been no material security breaches of the security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or on behalf unauthorized processing of the Company IT Systems or any of its SubsidiariesPersonal Information, and (ii) there have has been no disruptions in failure, breakdown, performance reduction, disruption, or other adverse event affecting any Company IT Systems that materially adversely affected the Company’s or and its Subsidiaries’ businesses business or operations. The Company and its Subsidiaries take have aligned their cybersecurity practices with relevant industry standards, carried out external and internal penetration tests and vulnerability assessments of the Company IT Systems and their business environment to identify any cybersecurity threats on no less than an annual basis, and have remediated any and all material vulnerabilities identified through such tests and assessments. The Company IT Systems are in good working order and do not contain any defect, and operate and perform as necessary to conduct the business of the Company and its Subsidiaries. Neither the Company, its Subsidiaries, nor any third party acting at the direction or authorization of the Company or its Subsidiaries have paid any perpetrator of any actual or threatened security breach or cyber attack, including a ransomware attack or a denial-of-service attack. (c) Except as set forth on Section 5.22(c) of the Company Disclosure Letter, the Company and its Subsidiaries have established and maintained, and use commercially reasonable efforts to ensure that all third Persons controlling Company IT Systems or processing Personal Information in connection with a product or service of the Company or its Subsidiaries have established and maintained, commercially reasonable and legally compliant measures designed to protect confidential or sensitive information (including the Company IT Systems and all Trade Secrets and Personal Information) Information in their possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable written internal and external policies and procedures (that comply with the Privacy and Cybersecurity Requirements and are at least as stringent as one or more relevant industry standards) and organizational, administrative, technical and physical safeguards. Neither the Company nor any Subsidiary of the Company, nor, to the Knowledge of the Company, any third Person controlling any Company IT System or processing Personal Information on their behalf, has (Ai) experienced any incident in which such information was stolen or improperly accessed, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security or (Bii) received any written notice or complaint (or to the Knowledge of the Company, oral notice or complaint) from any Person (including with respect to any Governmental Authority) of the foregoing, nor has any such notice or complaint been threatened in writing or, to the Knowledge of the Company, orally against the Company of or any of the Company’s Subsidiaries. Except as set forth on Section 5.22(c) of the Company Disclosure Letter, where the Company or its Subsidiaries with respect have any third Person controlling Company IT System or processing Personal Information on their behalf, such third Person has provided guarantees, warranties or covenants in relation to any breach of the security processing of Personal Information, confidentiality and security measures and has agreed to comply with those obligations in a manner sufficient for the Company’s and its Subsidiaries’ compliance with the Privacy and Cybersecurity Requirements. (d) The consummation of the transactions contemplated hereby shall not breach or otherwise cause any violation in any material respect of any Privacy and Cybersecurity Requirements.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains and for the past three (3) years has maintained privacy policies consistent their officers, employees are and, since December 31, 2018, have been in compliance in all material respects with applicable all Data Privacy Lawsand Security Requirements. Except as would not be expected to be material to the The Company and its Subsidiaries, taken as a whole, the Company Subsidiaries have in place reasonable policies and each of its Subsidiaries are in compliance with, and procedures designed for the past three (3) years has been in compliance with, (i) all applicable Laws relating to privacy, data protection, data security or the proper collection, storageprocessing, handlingtransfer, disclosure, transfersharing, storing, security and use or processing of Personal Information (“Privacy Laws”)Data, and (ii) the Company’s that comply in all material respects with Data Privacy and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems (collectively, “Privacy Obligations”). There are no Actions by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws or Privacy ObligationsSecurity Requirements. (b) In the past three (3) years (i) to the knowledge of the Company, there have been no material breaches of the security of the IT Systems controlled by the The Company or and its Subsidiaries have taken commercially reasonable steps to train their employees on privacy and data security matters, and to ensure that such employees are under written obligations of confidentiality with respect to such Personal Data. All Persons authorized to collect, process, transfer, disclose, share, store or any other IT Systems used by or use Personal Data on behalf of the Company or any of its SubsidiariesSubsidiaries have not, and to the Company’s knowledge: (i) materially breached any written contracts or (ii) materially violated any Data Privacy and Security Requirements. (c) Except as set forth on Section 4.22 of the Company Disclosure Letter, there have been no disruptions in material Security Incidents since December 31, 2018. Except as set forth on Section 4.22 of the Company Disclosure Letter, none of the Company or any IT Systems that materially adversely affected of its Subsidiaries has since December 31, 2018: (i) received any written notice (or, to the Company’s knowledge, received any other notice) from any Person; (ii) been required by the Data Privacy and Security Requirements to give any notice to any Person; or its Subsidiaries’ businesses or operations(iii) been subject to any Proceeding, in each case with respect to any Security Incident. The Company and its Subsidiaries take have implemented and maintain commercially reasonable measures designed security, disaster recovery and business continuity plans, procedures and facilities consistent with applicable industry standards. (d) The Company and its Subsidiaries have subscribed to protect confidential a cyber-insurance policy which materially complies with all contractual and statutory requirements to which the Company and its Subsidiaries are subject to in this respect. (e) The Company and its Subsidiaries have not been and are not currently: (a) to the Company’s knowledge, under audit or sensitive information investigation by any authority regarding collection, processing, transfer, disclosure, sharing, storing, protection and use of Personal Data, except for those carried out in the ordinary course of business; or (including b) received in writing (or, to the Company’s knowledge, received in any other form) from any third party a notification, claim, demand, audit or action in relation to Personal Information) in their possession or control against unauthorized access, use, modification, disclosure or other misuseData, including through commercially reasonable administrativea notification, technical and physical safeguards. Neither claim, demand, or action alleging that the Company nor any Subsidiary of the Company has (A) experienced any incident in which such information was accessed, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security or (B) received any written notice or complaint from any Person (including any Governmental Authority) nor has any such notice or complaint been threatened against the Company of any of its Subsidiaries with respect have collected, processed, transferred, disclosed, shared, stored or used Personal Data in violation of applicable Data Privacy and Security Requirements. (f) The performance of this Agreement will not materially violate any Data Privacy and Security Requirements. Upon execution of this Agreement, the Company and its Subsidiaries shall continue to, in all material respects, have the right to use and process any breach Personal Data collected, processed or used by it before the signature date of this Agreement in order to be able to conduct the security ordinary course of Personal Informationtheir business.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains are in compliance in all material respects with, and for during the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not be expected to be material to the Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in compliance with, and for the past three (3) years has have been in compliance in all material respects with, (i) all applicable Laws relating to the privacy, data protectionsecurity, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”)Information, and (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies and (iii) the Company’s and its Subsidiaries’ contractual commitments relating to obligations concerning data privacy, data protectioncybersecurity, data security or and the collection, storage, handling, disclosure, transfer, use or processing security of Personal Information or the Company’s and each of its Subsidiaries’ IT Systems (collectively, “Privacy Obligations”)Systems. There are is no Actions Action by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s its Subsidiaries is a named party or, to the knowledge of the Company’s knowledge, threatened against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws or Privacy ObligationsContracts relating to the privacy, security, or processing of Personal Information, cybersecurity, or a security incident impacting the confidentiality, integrity, and availability of the Company’s or its Subsidiaries’ information technology systems. (b) In During the past three (3) years years, (i) to the knowledge of the Company, there have been no material data breaches of or security incidents impacting the security confidentiality, integrity and availability of the IT Systems controlled by of the Company or and its Subsidiaries or any other IT Systems used by or on behalf of the Company or any of its Subsidiariesdata and information thereon, and (ii) there have been no disruptions in any IT Systems that materially and adversely affected the Company’s or and its Subsidiaries’ businesses business or operations. The Company and its Subsidiaries take have implemented and maintained commercially reasonable safeguards consistent with Data Security Requirements and that are designed to protect the confidentiality, integrity and availability of the IT Systems of the Company and its Subsidiaries and the data and information thereon, including measures designed to protect confidential Company Owned Intellectual Property and confidential, sensitive or sensitive information (including Personal Information) Information in their its possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable administrative, technical and physical safeguards. Neither the Company nor any Subsidiary of the Company its Subsidiaries has (A) experienced received or provided any incident in which such information was accessedwritten notice, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security or (B) received any written notice or complaint from any Person (including with respect to any Governmental Authority) nor violations of Law or Contract with respect to Personal Information or a security incident impacting the confidentiality, integrity, and availability of the Company IT Systems or the data or information thereon, nor, to the Company’s knowledge, has any such notice or complaint been threatened against the Company of or any of its Subsidiaries with respect to any breach of the security of Personal InformationCompany’s Subsidiaries.

Privacy and Cybersecurity. (a) The Except as set forth in Section 5.17(a) of the Company Disclosure Letter, (i) since December 31, 2019, the Company and each of its the Company Subsidiaries maintains and for the past three (3) years has maintained privacy policies consistent have been in compliance in all material respects with all applicable Privacy Laws. Except Obligations, including all applicable contractual obligations and all policies of the Company and the Company Subsidiaries relating to privacy, data protection and the collection and use of Personal Data processed by the Company and the Company Subsidiaries, (ii) the Company and the Company Subsidiaries maintain commercially reasonable policies, procedures and security measures with respect to the physical and electronic security and privacy of Personal Data, (iii) to the Knowledge of the Company, there has been no material unauthorized access to, exfiltration, disclosure or theft of any Personal Data processed by the Company or any of the Company Subsidiaries nor any breach, disruption or misuse of IT Systems, that would interfere with the operations of the Company and the Company Subsidiaries, and (iv) as of the date hereof, the Company and the Company Subsidiaries have not received any written notice or claim since December 31, 2019 alleging a violation of any Privacy Law, contractual obligations relating to privacy or Personal Data or any policy of the Company or any of the Company Subsidiaries relating to privacy or Personal Data in each case that, individually or in the aggregate, would not be expected to be material to the Company and its the Company Subsidiaries, taken as a whole. (b) As of the date hereof, no written complaint, claim or enforcement action relating to an improper use or disclosure of, or a breach in the Company and each of its Subsidiaries are in compliance withsecurity of, and for the past three any confidential or sensitive information, payment card data, personally identifiable information (3) years including Personal Data), or other protected information relating to individuals has been made or threatened in compliance withwriting since December 31, (i) all applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems (collectively, “Privacy Obligations”). There are no Actions by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened 2019 against the Company or any Company Subsidiary whether by a data subject or a Governmental Entity in each case that, individually or in the aggregate, would be material to the Company and the Company Subsidiaries, taken as a whole. As of its Subsidiaries alleging a violation the date hereof, there has been no material: (i) unauthorized disclosure by the Company or any Company Subsidiary of any sensitive information, payment card data, personally identifiable information (including Personal Data) or other information relating to individuals in the possession, custody or control of the Company or any Company Subsidiary, or (ii) to the Knowledge of the Company, breach of the Company’s security procedures resulting in unauthorized disclosure of such information to a third Person. Solely with respect to the Company and the Company Subsidiaries, neither the execution and delivery of this Agreement nor the consummation of the Closing will, pursuant to any Privacy Laws relevant contract between the Company or any Company Subsidiary and a third party, result in a material breach or violation of, or constitute a material default under, any Privacy Obligations. (bc) In All material Personal Data processing with respect to customers, employees, suppliers and business partners of the past three Company and the Company Subsidiaries is comprehensively mapped and included in a register of processing activities which is compliant in all material respects with Article 30 GDPR (3to the extent applicable). A data protection officer is appointed in respect of the Company and the Company Subsidiaries where one is required to be appointed by applicable Law and where the Company and Company Subsidiaries have determined that a data protection officer is not mandatory, an analysis of why the appointment is not mandatory is made. The Company and the Company Subsidiaries have in place a data protection governance structure and accountability program which are intended to ensure compliance with applicable Law and Privacy Obligations. All notices and consents required by applicable Privacy Laws to ensure that Personal Data held by the Company and the Company Subsidiaries may be used to conduct the business in the same manner following the Closing as currently conducted, have been given and obtained in all material respects in accordance with applicable Privacy Laws. All marketing activities conducted with respect to the Company, any Company Subsidiary or the business of the Company and the Company Subsidiaries are and have been since December 31, 2019 compliant in all material respects with Privacy Obligations. (d) years Since December 31, 2019, to the Company’s Knowledge, all third parties to whom the Company and the Company Subsidiaries or any of its Affiliates disclose Personal Data relating to the business of the Company and the Company Subsidiaries, the Company, any Company Subsidiary or any of their respective business relations: (i) have had legitimate grounds to process such Personal Data and the Company and the Company Subsidiaries and/or its Affiliates has imposed limitations on such third parties’ use to ensure that their use remains within the scope of those grounds, and such use remains within the scope of these grounds; or (ii) process the disclosed Personal Data on the Company’s or its Affiliates’ behalf under data processing agreements which contain all mandatory provisions that meet the applicable Privacy Obligations and are subject to information security requirements that meet the applicable Privacy Obligations. (e) Except as set forth in Section 5.17(e) of the Company Disclosure Letter, all exports of Personal Data related to the knowledge business of the Company and its Subsidiaries, the Company, any of its Subsidiaries or any of their respective business relations outside the country in which the Personal Data was collected comply with Privacy Obligations in all material respects and in each case, where required, export agreements or arrangements that are compliant in all material respects with the Privacy Obligations have been entered into and all associated authorizations, registrations and notification requirements have been completed in all material respects. All valid requests from data subjects in respect of their statutory rights (e.g., access, deletion, portability and rectification) have been complied with in material compliance with Privacy Obligations. Any Security Breach relating to Personal Data has been handled in compliance in all material respects with applicable Privacy Obligations and no such Security Breach has been reported to the relevant Governmental Entity. Since December 31, 2019, there have been no material written complaints or claims made by a data subject or sanctions or enforcement actions imposed by a Governmental Entity, in each case received by the Company or any Company Subsidiary and, to the Knowledge of the Company, there is no fact or circumstance that may lead to any of the foregoing. (f) Since December 31, 2019, the Company and the Company Subsidiaries have implemented and maintain a written information security program comprised of processes, policies and technical, physical and administrative safeguards necessary to comply in all material respects with Privacy Obligations. Such written information security program is intended to (A) identify and address internal and external risks to the privacy, confidentiality, security, integrity and availability of the Company systems including Personal Data Processed therein against loss, theft, unauthorized or unlawful Processing, or other misuse and (B) maintain notification procedures in compliance in all material respects with applicable Privacy Obligations in the event of a Security Breach. The Company is and, since December 31, 2019, has been in compliance with its written information security program. (g) To the Company’s Knowledge, the IT Systems are free of any and all material “back door,” “time bomb,” “Trojan horse,” “worm,” “drop dead device,” “virus” or other software routines or hardware components that permit unauthorized access or the unauthorized disablement or erasure of, or unintended or unauthorized behavior by, such Systems (or all parts thereof) or data or other software of users. Since December 31, 2019, the Company and the Company Subsidiaries have implemented commercially reasonable safeguards intended to protect the IT Systems against the introduction of material malware into the IT Systems from software and technology platforms licensed from third parties. (h) Since December 31, 2019, the Company and the Company Subsidiaries have implemented and maintain reasonable safeguards, including using virus checking software, penetration testing, consistent with reasonable industry standards applicable to the industry, intended to monitor all Company systems with respect to introduction of any malicious software (e.g., ransomware). (i) Except as set forth in Section 5.17(i) of the Company Disclosure Letter, the Company and the Company Subsidiaries have back-ups, disaster recovery business continuity and emergency mode operation procedures in place to ensure the availability of Company information. (j) Since December 31, 2019, the Company and the Company Subsidiaries have used commercially reasonable efforts to cause all third-party service providers, vendors, suppliers, subcontractors or other third parties Processing Personal Data, in each case on behalf of the Company and the Company Subsidiaries, to (i) comply with applicable Privacy Obligations in all material respects, (ii) maintain reasonable and appropriate technical, physical and administrative safeguards to protect the privacy, confidentiality, integrity and security of all Personal Data, and (iii) take reasonable steps to protect Personal Data from loss, theft, unauthorized or unlawful Processing or other misuse. To the Knowledge of the Company, since December 31, 2019, none of the Company’s and the Company Subsidiaries’ material third-party service providers, vendors, suppliers, subcontractors, or other third parties Processing the Company and the Company Subsidiaries Personal Data, have (A) suffered any Security Breach that resulted in any unauthorized access to or use of any Personal Data, (B) breached any obligations relating to Personal Data or (C) violated any Privacy Obligations, in each case of clauses (A)-(C), that, individually or in the aggregate, would be material to the Company and the Company Subsidiaries, taken as a whole. (k) The information technology equipment and systems owned, used, or held for use by the Company are reasonably sufficient for the Company’s immediate needs; provided, however, that the foregoing representation and warranty shall not constitute a representation or warranty with respect to any actual or alleged infringement, misappropriation, or other violation of third-party Intellectual Property Rights. Since December 31, 2019, to the Knowledge of the Company, there have has been no material breaches of the security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or on behalf of the Company or any of its Subsidiaries, and (ii) there have been no disruptions in any IT Systems that materially adversely affected the Company’s or its Subsidiaries’ businesses or operations. The Company and its Subsidiaries take commercially reasonable measures designed to protect confidential or sensitive information (including Personal Information) in their possession or control against unauthorized access, use, modificationintrusion or breach of security, disclosure or material failure, breakdown, performance failure or other misuse, including through commercially reasonable administrative, technical and physical safeguards. Neither adverse event affecting any systems that has caused or would reasonably be expected to cause any substantial disruption to the use of such systems or the Company nor any Subsidiary of the Company has (A) experienced any incident in which such information was accessedmaterial loss or harm to Company, usedits personnel, modified, disclosed without authorization property or otherwise misused, including in connection with a breach of security or (B) received any written notice or complaint from any Person (including any Governmental Authority) nor has any such notice or complaint been threatened against the Company of any of its Subsidiaries with respect to any breach of the security of Personal Informationother assets.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains and for the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not be expected to be material to set forth on Section 4.22(a) of the Company and its Subsidiaries, taken as a wholeDisclosure Letter, the Company and each of its Subsidiaries are in compliance with, and for during the past three (3) years has have been in compliance with, (i) all applicable Laws relating to privacythe privacy and/or security of personal information, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies policies, and (iii) the Company’s and its Subsidiaries’ contractual commitments relating to privacy, data protectionobligations concerning cybersecurity, data security or and the collection, storage, handling, disclosure, transfer, use or processing security of Personal Information or the IT Systems information technology systems used by the Company and its Subsidiaries (collectivelythe foregoing (i)-(iii), “Privacy Obligationsand Cybersecurity Requirements”), other than any non-compliance that, individually or in the aggregate, has not been and would not reasonably be expected to be material to the Company and its Subsidiaries. There are no not, and have not been in the past three (3) years been, any Actions by any Person (including Person, or any investigations by any Governmental Authority) , pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened in writing against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws or Privacy Obligationsand Cybersecurity Requirements. (b) In Except as set forth on Section 4.22(b) of the Company Disclosure Letter, during the past three (3) years (i) to the knowledge of the Companyyears, there have been been, no material breaches of the security of the Company IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or Systems. (c) Except as set forth on behalf Section 4.22(c) of the Company or any of its SubsidiariesDisclosure Letter, and (ii) there have been no disruptions in failure, breakdown, performance reduction, disruption, or other adverse event affecting any Company IT Systems that materially adversely affected the Company’s or and its Subsidiaries’ businesses business or operations. . (d) The Company and its Subsidiaries take have materially aligned their cybersecurity practices with relevant industry standards, including by carrying out regular external and internal penetration tests and vulnerability assessments of the Company IT Systems and their business environment to identify any cybersecurity threats and remediating any and all material identified vulnerabilities (including identifying the root causes thereof). (e) The Company and its Subsidiaries have established and maintained, and use reasonable efforts to ensure that all third Persons controlling Company IT Systems or processing personal information in connection with a product or service of the Company or its Subsidiaries have established and maintained, commercially reasonable and legally compliant measures designed intended to protect confidential or sensitive the Company IT Systems and Trade Secrets and personally identifiable information (including Personal Information) in their possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable written internal and external policies and procedures, and organizational, administrative, technical and physical safeguards. Neither the Company nor any Subsidiary of the Company, nor, to the knowledge of the Company, any third Person controlling any Company has IT System or processing personal information on their behalf, has, within the past three (3) years, (A) experienced any material incident in which such any Trade Secrets or personally identifiable information in the Company’s or any of its Subsidiaries’ possession or control or processed on their behalf was stolen or improperly accessed, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security security, or (B) received any written notice or complaint from any Person (including with respect to any Governmental Authority) of the foregoing, nor has any such notice or complaint been threatened in writing against the Company or any of the Company’s Subsidiaries. (f) To the knowledge of the Company, the consummation of the transactions contemplated hereby shall not breach or otherwise cause any violation in any material respect of any Privacy and Cybersecurity Requirements, or result in the Company or any of its Subsidiaries with respect to being prohibited from receiving or using any breach of personal information in the security of Personal Informationmanner currently received or used.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains and for the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not be expected to be material to the Company and its Subsidiaries, taken as a whole, the The Company and each of its Subsidiaries are in compliance in all material respects with, and for the past three (3) years has been in compliance with, (i) all applicable Laws relating related to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems Systems, as applicable, and (iii) the Company’s and its Subsidiaries’ contractual commitments concerning privacy, data protection, data security, the collection, storage, handling, disclosure, transfer or use of Personal Information and the security of the Company’s and each of its Subsidiaries’ respective IT Systems, in each case of (i)-(iii) above (collectively, “Privacy Obligations”). There are no Actions by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws or Privacy Obligations. (b) In the past three (3) years (i) to the knowledge of the Company, there have been no material breaches of the security of the IT Systems controlled by the Company or its Subsidiaries or any other IT Systems used by or on behalf of the Company or any of its Subsidiaries, Subsidiaries and (ii) there have been no disruptions in any IT Systems that materially adversely affected the Company’s or its Subsidiaries’ businesses or operations. The Company and its Subsidiaries take commercially reasonable measures designed to protect confidential or sensitive information (including Personal Information) in their possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable administrative, technical and physical safeguards. Neither the Company nor any Subsidiary None of the Company or any of its Subsidiaries has (A) experienced any incident in which such information was accessed, used, modified, stolen, disclosed without authorization or otherwise misused, including in connection with a breach of security or (B) received any written notice or complaint from any Person (including any Governmental Authority) nor with respect to any of the foregoing nor, to the knowledge of the Company, has any such notice or complaint been threatened against the Company of or any of its Subsidiaries with respect to any breach of the security of Personal Information.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains and for the past three (3) years has maintained and published privacy policies consistent with applicable Privacy Laws. Except as would not be expected to be material to the Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in compliance with, and for the past three (3) years has been in compliance with, (i) all applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and (ii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information or the IT Systems (collectively, “Privacy Obligations”). There are no Actions by any Person (including any Governmental Authority) pending to which the Company or any of the Company’s Subsidiaries is a named party or, to the knowledge of the Company, threatened against the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws Laws, Privacy Obligations or Privacy Obligationsany third Person’s privacy or Personal Information rights. (b) In the past three (3) years years, (i) to the knowledge of the Company, there have been no material breaches of the security of the IT Systems controlled by or, to the knowledge of the Company, used by the Company or its Subsidiaries or any other IT Systems used by or on behalf of the Company or any of its Subsidiaries, and (ii) there have been no disruptions in any IT Systems that materially adversely affected the Company’s or its Subsidiaries’ businesses or operations. The Company and its Subsidiaries take commercially reasonable measures designed to protect confidential confidential, sensitive or sensitive personally identifiable information (including Personal Information) in their its possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable administrative, technical and physical safeguards. Neither the Company nor any Subsidiary of the Company has (A) to the knowledge of the Company, experienced any incident in which such information was stolen or improperly accessed, used, modified, disclosed without authorization or otherwise misused, including in connection with a breach of security or (B) received any written notice or complaint from any Person (including any Governmental Authority) nor has any such notice or complaint been threatened in writing against the Company of or any of its Subsidiaries Subsidiaries, with respect to any breach of the security of Personal Information.

Privacy and Cybersecurity. (a) The Company and each of its Subsidiaries maintains and for the past three (3) years has maintained privacy policies consistent with applicable Privacy Laws. Except as would not reasonably be expected to be material to the business of Company and its Subsidiaries, taken as a whole, the Company and each of its Subsidiaries are in material compliance with, and for during the past three (3) years has preceding the date of this Agreement have been in material compliance with, (i) all applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), including requirements thereunder to maintain privacy policies and notices regarding Personal Information, (ii) all of the Company’s and its Subsidiaries’ publicly facing privacy policies and notices regarding Personal Information, and (iiiii) the Company’s and its Subsidiaries’ privacy policies and contractual commitments relating to privacy, data protectionobligations concerning cybersecurity, data security or and the security of the Company’s and each of its Subsidiaries’ information technology systems, including with respect to the receipt, collection, compilation, use, storage, handlingprocessing, sharing, safeguarding, security, disposal, destruction, disclosure, transfer, use or processing transfer (including cross-borders) of Personal Information. Except as would not reasonably be expected to be material to the business of Company and its Subsidiaries, the Company has implemented and maintained policies, procedures and systems as are required by Privacy Laws for receiving and appropriately responding to requests from individuals concerning their Personal Information. None of the Company’s public facing privacy policies regarding Personal Information contain any material misrepresentation or omission likely to mislead any Person acting reasonably under the IT Systems (collectively, “Privacy Obligations”)circumstances to whom such policies are directed. There are no Actions by any Person (including any Governmental Authority) pending ), to which the Company or any of the Company’s Subsidiaries is a named party orparty, pending or to the knowledge of the Company threatened against the Company or its Subsidiaries alleging a violation of (i) any Privacy Laws, including with respect to any third Person’s privacy or Personal Information, (ii) applicable privacy policies, or (iii) contractual commitments of the Company or any of the Company’s Subsidiaries with respect to any Personal Information. (b) To the knowledge of the Company, threatened against during the Company or any of its Subsidiaries alleging a violation or breach of any Privacy Laws or Privacy Obligations. (b) In the past three (3) years preceding the date of this Agreement, (i) to the knowledge of the Company, there have been no material breaches instances of data breaches, security incidents, or misuse of or unauthorized use of, access to, intrusions into, disruptions of, or data loss involving Company Systems which would, individually or in the security of the IT Systems controlled by the aggregate, reasonably be expected to result in a Company or its Subsidiaries or any other IT Systems used by or on behalf of the Company or any of its SubsidiariesMaterial Adverse Effect, and that have not been remediated, (ii) there have been no disruptions in any IT Systems that materially adversely affected the Company’s or its Subsidiaries’ businesses or operations. The Company and its Subsidiaries take have implemented commercially reasonable measures designed to protect confidential or sensitive information (including Personal Information) Information in their possession or control against loss, theft, unauthorized access, use, modification, disclosure alteration, destruction, disclosure, or other misuse, including through commercially reasonable administrative, technical technical, and physical safeguards. Neither , and (iii) neither the Company nor any Subsidiary of the Company has (A) experienced any material incident in which such information was accessedinvolving loss, usedtheft, modified, disclosed without authorization misuse of or otherwise misusedunauthorized access to or disclosure of any Personal Information, including in connection with a breach of security security, or (B) received any written notice or complaint from any Person (including with respect to any Governmental Authority) such incident, nor has any such notice or complaint been threatened in writing against the Company or any of the Company’s Subsidiaries. Neither the Company nor any of its Subsidiaries with respect have provided or been required to provide any written notification to any Person in connection with any unlawful, unauthorized or unintended disclosure of Personal Information. The Company has not paid (i) any perpetrator of any data breach incident or cyber-attack or (ii) any third party with actual or alleged information about any data breach incident or cyber-attack. (c) To the extent required by applicable Privacy Laws, except to the extent it would, individually or in the aggregate, not reasonably be expected to result in a Company Material Adverse Effect, all third-party services providers, outsourcers, processors or other third parties who process, store or otherwise handle any Personal Information for or on behalf of the security Company or any of its Subsidiaries have contractually agreed to comply with applicable Privacy Laws and maintain the confidentiality of Personal Information processed on behalf of the Company or any of its Subsidiaries, and to protect and secure such Personal Information from loss, theft, misuse or unauthorized access, use, modification, alteration, destruction or disclosure. To the knowledge of the Company, no (i) third party who has provided any Personal Information to the Company and its Subsidiaries has done so in violation of applicable Privacy Laws, including requirements thereunder requiring providing any notice and obtaining any consent required and (ii) Person acting for or on behalf of the Company and any of its Subsidiaries has violated any of the requirements or obligations described in Section 4.22(a). (d) The Company is not subject to any contractual requirements or other legal obligations that, following the Closing, would prohibit Purchaser or Company from receiving, accessing, storing or using any Personal Information in the manner in which the Company received, accessed, stored and used such Personal Information prior to the Closing. The execution, delivery and performance of this Agreement by the Company does not violate its obligations under applicable Privacy Laws, the Company’s privacy policies and applicable contractual obligations of the Company regarding its collection, use or disclosure of Personal Information.