Privacy and Cybersecurity. (a) The Group Companies maintain and are in compliance with, and during the Lookback Period, have maintained and been in compliance with, (i) all applicable Laws relating to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security, disclosure or transfer of Personal Information, including all applicable Laws governing breach notification, and the Mexican Federal Protection Law of Personal Data (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its regulations, (ii) the Company’s and its Subsidiaries’ posted or publicly facing policies, and (iii) the Group Companies’ contractual obligations concerning cybersecurity, Personal Information and data privacy and security and the security of the Group Companies’ IT Assets (collectively, (i)-(iii), “Personal Information Laws and Policies”). There are no Actions by any Person (including any Governmental Authority) pending to which any Group Company is a named party or, to the knowledge of the Company, threatened against the Company or its Subsidiaries alleging a violation of any Personal Information Laws and Policies, and there have been no such Actions brought against any Group Company. None of the Group Companies has received any written notice from any Person relating to an alleged violation of Personal Information Laws and Policies. During the Lookback Period, each Group Company has had written Contracts in place with third parties processing Personal Information or other data for or on behalf of the Group Company in connection with the operation of the businesses of any Group Company (“Processors”), their respective customers and any other Person that shares Personal Information with any Group Company, that are materially consistent with all requirements of the Personal Information Laws and Policies. 
(b) During the Lookback Period, (i) there have been no material breaches of the security of the IT Assets used or held for use by the Group Companies in their businesses, and (ii) there have been no disruptions in any such IT Assets that materially adversely affected the Group Companies’ business or operations. The Group Companies take commercially reasonable and legally compliant measures designed to protect confidential or sensitive information and Personal Information in their possession or control against unauthorized access, use, modification, disclosure or other misuse, including through administrative, technical and physical safeguards. None of the Group Companies has (A) experienced any incident in which confidential or sensitive information or Personal Information was stolen, or accessed, used or disclosed without authorization, including in connection with a breach of security, or (B) received any written notice or complaint from any Person (including any Governmental Authority) with respect to any of the foregoing, nor has any such notice or complaint been threatened in writing against the Group Companies.
(c) With respect to all Personal Information held by or on behalf of any of the Group Companies, or otherwise under its control, the Group Companies have, at all times, taken the steps required and reasonably necessary to protect such Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse (including by the Group Companies’ officers, employees, independent contractors and consultants), including implementing and monitoring compliance with reasonable measures with respect to technical and physical security of such Personal Information. The Group Companies have taken commercially reasonable steps to provide for the back-up and recovery of data and commercially reasonable disaster recovery plans, procedures and facilities and, as applicable, have taken commercially reasonable steps to implement such plans and procedures. The Group Companies have taken all reasonable actions to protect the integrity and security of IT Assets and the information stored thereon from unauthorized use, access, or modification by third parties and from viruses and contaminants.
Appears in 3 contracts
Samples: Business Combination Agreement (HCM Acquisition Corp), Business Combination Agreement (HCM Acquisition Corp), Business Combination Agreement (HCM Acquisition Corp)
Privacy and Cybersecurity. (a) The Except as disclosed on Section 3.15(a) of the Company Disclosure Letter or as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect, each of the Group Companies, and, to the Knowledge of the Company, any Person acting for or on behalf of any of the Group Companies maintain and are have in compliance with, and during the Lookback Period, have maintained and been in compliance with, past three years materially complied with (i) all applicable Laws relating Privacy Laws, (ii) all of such Group Company’s binding and applicable policies and notices regarding the Processing of Personal Information, and (iii) all of such Group Company’s applicable contractual obligations with respect to cybersecurity and the receipt, collection, compilation, use, storage, processingProcessing, sharing, safeguarding, securitysecurity (technical, disclosure physical and administrative), disposal, destruction, disclosure, or transfer (including cross-border) of Personal InformationInformation (the items referred to in clauses (i) through (iv), including all applicable Laws governing breach notificationcollectively “Privacy and Cybersecurity Requirements”). Except as disclosed on Section 3.15(a) of the Company Disclosure Letter, and the Mexican Federal Protection Law of Personal Data (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its regulations, (ii) the Company’s and its Subsidiaries’ posted or publicly facing policies, and (iii) the Group Companies’ contractual obligations concerning cybersecurity, Personal Information and data privacy and security and the security none of the Group Companies’ IT Assets Companies have in the past three years (collectively, a) received any written notice of (i)-(iiiincluding from individuals exercising their rights under Privacy Laws), “Personal Information Laws and Policies”). 
There are no Actions by any Person or claims of (including written notice from third parties acting on its or their behalf),a violation of any Privacy and Cybersecurity Requirements, except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect; (b) been subject to any notices or requests from any Governmental AuthorityAuthority in relation to their data Processing activities, except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect; or (c) pending been subject to which any Group Company is a named party orwritten notice, threatened investigation, investigation or charge from any Governmental Authority regarding any actual or alleged violation of, or failure to comply with, any Privacy and Cybersecurity Requirements, nor, to the knowledge Knowledge of the Company, threatened against has any Person initiated or pursued any Action relating to actual or alleged non-compliance by any Group Company with respect to Privacy and Cybersecurity Requirements.
(b) Except as disclosed in Section 3.15(b) of the Company or its Subsidiaries alleging a violation of any Personal Information Laws and PoliciesDisclosure Letter, and there have been no such Actions brought against any Group Company. None each of the Group Companies has received any written notice from any Person relating implemented and maintained commercially reasonable physical, technical, organizational and administrative safeguards designed to an alleged violation of protect Personal Information Laws and Policies. During the Lookback Periodother confidential data in its possession or under its control against loss, each Group Company has had written Contracts in place with third parties processing Personal Information theft, misuse or other data for unauthorized access, transfer, use, modification or on behalf of the Group Company in connection with the operation of the businesses of any Group Company (“Processors”), their respective customers and any other Person that shares Personal Information with any Group Company, that are materially consistent with all requirements of the Personal Information Laws and Policiesdisclosure.
(bc) During Except as disclosed in Section 3.15(c) of the Lookback PeriodCompany Disclosure Letter, (i) to the Knowledge of the Company there have been no material breaches breaches, security incidents, misuse of the security of the IT Assets used or held for use by the Group Companies in their businessesunauthorized access to, and (ii) there have been no disruptions in or unauthorized use, transfer, disclosure, corruption, destruction or loss of, any such IT Assets that materially adversely affected the Group Companies’ business or operations. The Group Companies take commercially reasonable and legally compliant measures designed to protect confidential or sensitive information and Personal Information in its the possession or control against unauthorized access, use, modification, disclosure or other misuse, including through administrative, technical and physical safeguards. None of any of the Group Companies has (A) experienced any incident in which confidential or sensitive information or Personal Information was stolen, or accessedcollected, used or disclosed without authorization, including in connection with a breach of security, or (B) received any written notice or complaint from any Person (including any Governmental Authority) with respect to any of the foregoing, nor has any such notice or complaint been threatened in writing against the Group Companies.
(c) With respect to all Personal Information held Processed by or on behalf of any of the Group Companies. In the past three years, or otherwise under its control, none of the Group Companies havehave provided or been legally or contractually required to provide any notices (i) to any Person in connection with any material breaches, at all timessecurity incidents, taken the steps required and reasonably necessary misuse of or unauthorized access to, unauthorized use or transfer, or disclosure of Personal Information, or (ii) to protect such any Government Authority or any individual whose Personal Information against loss and against was affected, in connection with any breaches, security incidents, misuse of or unauthorized accessaccess to, useunauthorized use or transfer, modification, or disclosure or other misuse (including by the Group Companies’ officers, employees, independent contractors and consultants), including implementing and monitoring compliance with reasonable measures with respect to technical and physical security of such Personal Information. The Each of the Group Companies have taken commercially reasonable steps to provide for the back-up and recovery of data and has implemented commercially reasonable disaster recovery and business continuity plans, procedures and facilities and, as applicable, has taken commercially reasonable steps to implement actions consistent with such plans to safeguard the data and procedures. The Group Companies has taken all reasonable actions to protect the integrity and security of IT Assets and the information stored thereon from unauthorized use, access, Personal Information in its possession or modification by third parties and from viruses and contaminantscontrol.
Appears in 2 contracts
Samples: Business Combination Agreement (Corner Growth Acquisition Corp.), Business Combination Agreement (Corner Growth Acquisition Corp.)
Privacy and Cybersecurity. (a) The Group Companies maintain Business Entities have and will have, as of the Closing, established policies, programs and procedures with respect to the collection, retention, use, processing, modification, storage, protection, import, export, disclosure and transfer of Personal Information, including privacy policies, consistent with applicable Laws relating to privacy, data protection, data security or the collection, storage, handling, disclosure, transfer, use or processing of Personal Information (“Privacy Laws”), and for the past three (3) years have maintained and enforced such policies, programs and procedures. Except as would not be expected to be material to the business of the Business Entities, taken as a whole, the Business Entities are in compliance with, and during for the Lookback Period, have maintained and past three (3) years has been in compliance with, (i) all applicable Privacy Laws relating to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security, disclosure or transfer of Personal Information, including all applicable Laws governing breach notification, and the Mexican Federal Protection Law of Personal Data (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its regulations, (ii) the Company’s Business Entities’ privacy policies and its Subsidiaries’ posted contractual commitments relating to privacy, data protection, data security or publicly facing policiesthe collection, and (iii) the Group Companies’ contractual obligations concerning cybersecuritystorage, handling, disclosure, transfer, use or processing of Personal Information and data privacy and security and or the security of the Group Companies’ IT Assets Company Systems (collectively, (i)-(iii), “Personal Information Laws and PoliciesPrivacy Obligations”). 
There are no Actions by any Person (including any Governmental Authority) pending to which any Group Company one of the Business Entities is a named party or, to the knowledge of the Company, threatened against one of the Company or its Subsidiaries Business Entities alleging a violation or breach of any Personal Information Privacy Laws and Policies, and there have been no such Actions brought against any Group Company. None of the Group Companies has received any written notice from any Person relating to an alleged violation of Personal Information Laws and Policies. During the Lookback Period, each Group Company has had written Contracts in place with third parties processing Personal Information or other data for or on behalf of the Group Company in connection with the operation of the businesses of any Group Company (“Processors”), their respective customers and any other Person that shares Personal Information with any Group Company, that are materially consistent with all requirements of the Personal Information Laws and PoliciesPrivacy Obligations.
(b) During The Company Systems (i) are sufficient for the Lookback Periodimmediate needs of the Business Entities, including as to capacity, scalability and ability to process current and anticipated peak volumes in a timely manner and (ii) are in sufficiently good working condition to effectively perform all information technology operations and include a sufficient number of license seats for all software as necessary for the operation of the Enterprise Apps Business. To the knowledge of the Company, in the past three (3) years, (iA) there have been no material unauthorized intrusions or access or breaches of the security of the IT Assets used or held for use Company Systems controlled by the Group Companies in their businessesBusiness Entities or, to the knowledge of the Company, all other Company Systems, and (iiB) there have been no failures, breakdowns, continued substandard performance, or disruptions in any such IT Assets Company Systems that materially adversely affected the Group CompaniesBusiness Entities’ business businesses or operationsoperations in any material respect. The Group Companies take Business Entities take, and following the Distribution will take, commercially reasonable and legally compliant measures designed to protect confidential confidential, sensitive or sensitive personally identifiable information and (including Personal Information Information) in its possession or control against unauthorized access, use, modification, disclosure or other misuse, including through commercially reasonable administrative, technical and physical safeguards. 
None of the Group Companies has The Business Entities have not (A) to the knowledge of the Company, experienced any incident in which confidential such information was stolen or sensitive information or Personal Information was stolen, or improperly accessed, used or disclosed without authorization, including in connection with a breach of security, security or (B) received any written notice or complaint from any Person (including any Governmental Authority) with respect to any of the foregoing), nor has any such notice or complaint been threatened in writing against the Group Companies.
(c) With respect to all Personal Information held by or on behalf of any of the Group Companies, or otherwise under its control, the Group Companies have, at all times, taken the steps required and reasonably necessary to protect such Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse (including by the Group Companies’ officers, employees, independent contractors and consultants), including implementing and monitoring compliance with reasonable measures Business Entities with respect to technical and physical any breach of the security of such Personal Information. The Group Companies Business Entities have taken commercially reasonable steps to provide for evaluated, and following the back-up and recovery of data and commercially reasonable Distribution will evaluate their disaster recovery plans, procedures and facilities and, as applicable, has taken commercially reasonable steps to implement such backup needs and have implemented plans and procedures. The Group Companies has taken all reasonable actions to protect the integrity and security systems that reasonably address their assessment of IT Assets and the information stored thereon from unauthorized use, access, or modification by third parties and from viruses and contaminantsrisk.
Appears in 2 contracts
Samples: Merger Agreement (KINS Technology Group, Inc.), Merger Agreement (Inpixon)
Privacy and Cybersecurity. (a) The Group Companies maintain and are in compliance withCompany is, and during in the Lookback Periodpast three years has made itself, have maintained and been in compliance withcompliance, (i) in all material respects with all applicable Laws relating to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security, disclosure or transfer of Personal Information, including all applicable Laws governing breach notification, and the Mexican Federal Protection Law of Personal Data (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its regulations, (ii) the Company’s and its Subsidiaries’ posted or publicly facing policies, and (iii) the Group Companies’ contractual obligations concerning cybersecurity, Personal Information and data privacy and security and the security of the Group Companies’ IT Assets (collectively, (i)-(iii), “Personal Information Laws and Policies”). There are no Actions by any Person (including any Governmental Authority) pending to which any Group Company is a named party or, to the knowledge of the Company, threatened against the Company or its Subsidiaries alleging a violation of any Personal Information Laws and Policies, and there have been no such Actions brought against any Group Company. None of the Group Companies has received any written notice from any Person relating to an alleged violation of Personal Information Laws and Policies. During the Lookback Period, each Group Company has had written Contracts in place with third parties processing Personal Information or other data for or on behalf of the Group Company in connection with the operation of the businesses of any Group Company (“Processors”), their respective customers and any other Person that shares Personal Information with any Group Company, that are materially consistent with all requirements of the Personal Information Laws and PoliciesPrivacy Obligations.
(b) During The Company has notified individuals about whom the Lookback Period, (i) there Company Processes or directs the Processing of Personal Data regarding the Company’s Personal Data Processing activities in material conformance with all applicable Privacy Obligations. Complete and correct copies of all written privacy notices have been no material breaches made available to Buyer. The Company has delivered or made available true and complete copies of all current written policies relating to the Processing and security of the IT Assets used or held for use by the Group Companies in their businesses, and (ii) there have been no disruptions in any such IT Assets that materially adversely affected the Group Companies’ business or operations. The Group Companies take commercially reasonable and legally compliant measures designed to protect confidential or sensitive information and Personal Information in its possession or control against unauthorized access, use, modification, disclosure or other misuse, including through administrative, technical and physical safeguards. None of the Group Companies has (A) experienced any incident in which confidential or sensitive information or Personal Information was stolen, or accessed, used or disclosed without authorization, including in connection with a breach of security, or (B) received any written notice or complaint from any Person (including any Governmental Authority) with respect to any of the foregoing, nor has any such notice or complaint been threatened in writing against the Group CompaniesSensitive Data.
(c) With respect The Company has contractually obligated all third party service providers and customers’ outsourcers, processors, or other third parties Processing Personal Data to (i) comply with applicable Privacy Obligations and (ii) take reasonable steps to protect and secure Sensitive Data from loss, theft, unauthorized or unlawful Processing or other misuse.
(d) The Company maintains an information security program that is comprised of organizational, physical, administrative, and technical safeguards that are reasonable for and customarily used by organizations Processing the types of data Processed by the Company and that are designed to protect the security, confidentiality, integrity and availability of the Company IT Systems including all Personal Information held Sensitive Data Processed thereby against loss, theft, unauthorized or unlawful Processing, or other misuse.
(e) Except as set forth in Section 3.13(e) of the Disclosure Schedules, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, (ii) unauthorized access or unauthorized use of any of Company IT Systems or other technology necessary for the operations of the Company, or (iii) any unauthorized access or acquisition of any Sensitive Data maintained by the Company or by any Third Party service provider on behalf of the Company. During the prior two years, the Company has not notified in writing any Person of any Security Breach.
(f) During the Group Companiesprior two years, the Company has not been subject to or received any written notice of any audit, investigation, complaint, or otherwise under its control, other Action by any Governmental Authority or other Person concerning the Group Companies have, at all times, taken the steps required and reasonably necessary to protect such Personal Information against loss and against unauthorized accessCompany’s collection, use, modificationprocessing, disclosure or other misuse (including by the Group Companies’ officersstorage, employees, independent contractors and consultants), including implementing and monitoring compliance with reasonable measures with respect to technical and physical security of such Personal Information. The Group Companies have taken commercially reasonable steps to provide for the back-up and recovery of data and commercially reasonable disaster recovery plans, procedures and facilities and, as applicable, has taken commercially reasonable steps to implement such plans and procedures. The Group Companies has taken all reasonable actions to protect the integrity and security of IT Assets and the information stored thereon from unauthorized use, accesstransfer, or modification by third parties protection of personal information or actual, alleged, or suspected violation of any applicable Privacy Obligation, and from viruses and contaminantsto Seller’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Action.
Appears in 1 contract
Samples: Membership Interest Purchase Agreement (Sunworks, Inc.)
Privacy and Cybersecurity. (a) The Group Companies maintain Company and its Subsidiaries are in compliance in all material respects with, and during the Lookback Period, past three years have maintained and been in compliance in all material respects with, (i) all applicable Laws relating to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security, disclosure privacy or transfer security of Personal Information, including all applicable Laws governing breach notification, and the Mexican Federal Protection Law of Personal Data (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its regulationspersonal information, (ii) the Company’s and its Subsidiaries’ posted or publicly facing policies, privacy policies and (iii) the Group CompaniesCompany’s and its Subsidiaries’ contractual obligations concerning data privacy, cybersecurity, Personal Information and data privacy and security and the security of the Group CompaniesCompany’s and each of its Subsidiaries’ IT Assets information technology systems, in each case of the preceding clauses (collectively, i) through (i)-(iiiiii), “Personal Information Laws other than any non-compliance that, individually or in the aggregate, has not been, and Policies”)would not reasonably be expected to be, material to the Company and its Subsidiaries, taken as a whole. There are is no Actions Action by any Person (including any Governmental Authority) pending to which the Company or any Group Company of its Subsidiaries is a named party or, to the knowledge of the Company, or threatened in writing against the Company or any of its Subsidiaries alleging a violation of any Personal Information Laws and Policiesor Contracts with respect to privacy, and there have been no such Actions brought against any Group Company. None of the Group Companies has received any written notice from any Person relating to an alleged violation of Personal Information Laws and Policies. 
During the Lookback Period, each Group Company has had written Contracts in place with third parties processing Personal Information personal information rights or other data for or on behalf of the Group Company in connection with the operation of the businesses of any Group Company (“Processors”), their respective customers and any other Person that shares Personal Information with any Group Company, that are materially consistent with all requirements of the Personal Information Laws and Policiesinformation security related incidents.
(b) During the Lookback Periodpast three years, to the knowledge of the Company (i) there have been no material breaches of the security of the IT Assets used information or held for use by operational technology systems, software or applications of the Group Companies in their businessesCompany and its Subsidiaries, and (ii) there have been no disruptions in any such IT Assets information or operational technology systems, software or applications that materially and adversely affected the Group CompaniesCompany’s and its Subsidiaries’ business or operations. The Group Companies take Company and its Subsidiaries have implemented and maintained commercially reasonable safeguards designed to protect the confidentiality, integrity and legally compliant availability of the information and operational technology systems, software and applications of the Company and its Subsidiaries, including measures designed to protect confidential confidential, sensitive or sensitive personally identifiable information and Personal Information in its possession or control against unauthorized access, use, modification, disclosure or other misuse, including through administrative, technical and physical safeguards. None To the knowledge of the Group Companies Company, neither the Company nor any of its Subsidiaries has (A) experienced any incident material data breaches or security incidents in which confidential personally identifiable information was stolen or sensitive information or Personal Information was stolen, or improperly accessed, disclosed or used or disclosed without authorization, including in connection with a breach of security, or (B) received or provided any written notice notice, or received any written complaint from any Person (including any Governmental Authority) Authority with respect to any of the foregoing, nor has any such notice or complaint been threatened in writing against the Group Companies.
(c) With respect to all Personal Information held by Company or on behalf of any of the Group Companies, or otherwise under its control, the Group Companies have, at all times, taken the steps required and reasonably necessary to protect such Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse (including by the Group Companies’ officers, employees, independent contractors and consultants), including implementing and monitoring compliance with reasonable measures with respect to technical and physical security of such Personal Information. The Group Companies have taken commercially reasonable steps to provide for the back-up and recovery of data and commercially reasonable disaster recovery plans, procedures and facilities and, as applicable, has taken commercially reasonable steps to implement such plans and procedures. The Group Companies has taken all reasonable actions to protect the integrity and security of IT Assets and the information stored thereon from unauthorized use, access, or modification by third parties and from viruses and contaminantsCompany’s Subsidiaries.
Appears in 1 contract
Privacy and Cybersecurity. (a) The Group Companies Company Parties and their Subsidiaries maintain and are in compliance compliance, in all material respects, with, and during since the Lookback Period, Company’s inception have maintained and been in compliance with, in all material respects, (i) all applicable Laws relating to the privacy and/or security of personal information, including Laws relating to the receipt, collection, compilationstorage, use, storage, processing, sharing, safeguarding, security, disclosure transfer or transfer other processing (collectively, “Processing”) of Personal Informationpersonal information (collectively, including all applicable Laws governing breach notification, and the Mexican Federal Protection Law of Personal Data (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its regulations“Privacy Laws”), (ii) the Company’s Company Parties’ and its their Subsidiaries’ posted or publicly facing privacy policies, and (iii) any privacy choices, including opt-out preferences, of end users relating to personal information along with any obligations contained in the Group CompaniesCompany Parties’ and each of their Subsidiaries’, internal and external data privacy and security policies with respect to the Processing of personal information, (together, the “Company Privacy Commitments”), (iv) any contractual commitment made by a Company Party or any Company Party Subsidiary that is applicable to such personal information and (v) the Company Parties’ and their Subsidiaries’ contractual obligations concerning cybersecurity, Personal Information and data privacy and security and the security of the Group CompaniesCompany Parties’ IT Assets and each of their Subsidiaries’ information technology systems, in each case of (collectivelyi)-(v) above, (i)-(iii)other than any non-compliance that, “Personal Information Laws individually or in the aggregate, has not been and Policies”)would not reasonably be expected to be 
material to the Company Parties and their Subsidiaries. There are no None of the Company Parties have received written notice of any Actions by any Person (including any Governmental Authority) pending to which a Company Party or any Group Company of its Subsidiaries is a named party or, to the knowledge of the CompanyCompany Parties, threatened in writing against the a Company Party or its Subsidiaries alleging a violation of any Personal Information Laws third Person’s privacy or personal information rights. Copies of all current and Policies, and there prior privacy policies used by a Company Party or any Company Party Subsidiary have been no made available to the Acquiror and such Actions brought against any Group Company. None of the Group Companies has received any written notice from any Person relating to an alleged violation of Personal Information Laws copies are true, correct and Policies. During the Lookback Period, each Group Company has had written Contracts in place with third parties processing Personal Information or other data for or on behalf of the Group Company in connection with the operation of the businesses of any Group Company (“Processors”), their respective customers and any other Person that shares Personal Information with any Group Company, that are materially consistent with all requirements of the Personal Information Laws and Policiescomplete.
(b) During The Company Parties and each Company Party Subsidiary has implemented and maintained appropriate technical, physical and organizational measures, security systems and technologies in compliance, in all material respects, with all data security requirements under applicable Privacy Laws and Company Privacy Commitments that are designed to protect computers, networks, software and systems used by a Company Party or any Company Party Subsidiary from loss, theft, unauthorized access, use, disclosure or modification. The Company Parties and their Subsidiaries have taken appropriate steps to train employees who have access to personal information on all applicable aspects of Privacy Laws and Company Privacy Commitments and to ensure that all employees with the Lookback Period, right to access such data are under written obligations of confidentiality with respect to such data.
(c) (i) To the knowledge of the Company Parties, there have been been, no material breaches of the security of the IT Assets used or held for use by information technology systems of the Group Companies in Company Parties and their businessesSubsidiaries, and (ii) there have been no disruptions in any such IT Assets information technology systems that materially adversely affected the Group CompaniesCompany Parties’ and their Subsidiaries’ business or operations. The Group Companies take commercially reasonable and legally compliant measures designed to protect confidential or sensitive information and Personal Information in its possession or control against unauthorized access, use, modification, disclosure or other misuse, including through administrative, technical and physical safeguards. None To the knowledge of the Group Companies Company Parties, none of the Company Parties nor any Subsidiary of the Company Parties has (A) experienced any incident in which personal information or any other confidential or sensitive information of any Company Party was stolen or Personal Information was stolen, or improperly accessed, used or disclosed without authorization, including in connection with a breach of security, security or (B) received any written notice or complaint from any Person (including any Governmental Authority) with respect to any of the foregoing, nor has any such notice or complaint been threatened in writing against the Group Companiesa Company Party or any Company Party Subsidiary.
(cd) With respect to all Personal Information held by or on behalf of any To the knowledge of the Group CompaniesCompany Parties, no circumstance has arisen in which Privacy Laws would require the Company Parties or otherwise under its control, the Group Companies have, at all times, taken the steps required and reasonably necessary any Company Party Subsidiary to protect such Personal Information against loss and against unauthorized access, use, modification, disclosure notify a Governmental Authority of a data security breach or other misuse (including by the Group Companies’ officers, employees, independent contractors and consultants), including implementing and monitoring compliance with reasonable measures with respect to technical and physical security of such Personal Information. The Group Companies have taken commercially reasonable steps to provide for the back-up and recovery of data and commercially reasonable disaster recovery plans, procedures and facilities and, as applicable, has taken commercially reasonable steps to implement such plans and procedures. The Group Companies has taken all reasonable actions to protect the integrity and security of IT Assets and the information stored thereon from unauthorized use, access, or modification by third parties and from viruses and contaminantsincident.
Privacy and Cybersecurity. (a) The Except as set forth on Section 5.22(a) of the Company Disclosure Letter, the Group Companies maintain maintains and are has maintained appropriate, and is in material compliance with, as applicable, and during the Lookback Periodthree (3) years preceding the date of this Agreement has maintained appropriate, have maintained and been in material compliance with, as applicable, (i) all applicable Laws relating to the receiptLaws, collectionrules, compilationpolicies, use, storage, processing, sharing, safeguarding, security, disclosure or transfer standards and requirements of Personal Information, including all applicable Laws governing breach notification, industry and the Mexican Federal Protection Law of Personal Data (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its regulationsself-regulatory organizations, (ii) the CompanyGroup’s and its Subsidiaries’ posted or publicly facing policiespolicies (the “Privacy Policies”), and (iii) the Group Companies’ Group’s contractual obligations obligations, in each case, concerning cybersecurity, Personal Information (and the collection, processing, sharing, storage, use, disclosure, retention, disposal, transfer and/or protection of same (collectively, “Processing”)), data privacy and security and the security of the Group Companies’ IT Assets Systems (collectively, clauses (i)-(iii), “Personal Information Laws and Policies”), including without limitation any applicable Laws relating to transferring Personal Information and other data outside of PRC. There are no not and have not been any Actions by any Person (including any Governmental Authority) pending to which any the Group Company is a named party or, to the knowledge of the Company, or threatened in writing against the Company or its Subsidiaries Group alleging a violation of any Personal Information Laws and Policies, and there have been no such Actions brought against any the Group. 
The Group Company. None of the Group Companies has not received any written notice from any Person relating to an alleged violation of Personal Information Laws and Policies. During .
(i) The IT Systems are in good repair and operating condition and are sufficient (including with respect to working condition, performance and capacity) for the Lookback Period, each Group Company has had written Contracts in place with third parties processing Personal Information or other data for or on behalf purposes of the business of the Group Company in connection with the operation of the businesses of any Group Company (“Processors”), their respective customers and any other Person that shares Personal Information with any Group Company, that are materially consistent with all requirements of the Personal Information Laws and Policies.
(b) During the Lookback Period, (i) there have been no material breaches of the security of the IT Assets used or held for use by the Group Companies in their businesses, and as currently conducted; (ii) there have been no disruptions breaches, unauthorized uses of or unauthorized access to, breakdowns, malfunctions, persistent substandard performance, data losses, failures or other defects in the IT Systems (or the data processed thereby), or any other incident that caused any disruption to or interruption in or to the use of such IT Systems or the conduct of the business of the Group in any such IT Assets material respect other than those that materially adversely affected were resolved without material cost, liability or the duty to notify any Person; (iii) the Group Companies’ business or operations. The Group Companies take takes, and has taken, commercially reasonable reasonable, appropriate and legally compliant measures designed to protect confidential confidential, sensitive or sensitive information and Personal Information in its possession or control processed by the Group against unauthorized access, use, modification, loss, disclosure or other misuse, including through administrative, technical and physical safeguards. 
None of , and the Group Companies has timely and reasonably remediated and addressed any and all material audit findings related to the IT Systems; (iii) the Group has not (A) experienced any incident in which confidential or sensitive such information or Personal Information any other proprietary information was stolen, lost or improperly accessed, used destructed without authorization, processed, modified or disclosed without authorizationin any material respect, including in connection with a breach of security, or (B) received any written notice or complaint or Action from any Person (including any Governmental Authority) with respect to any of the foregoing, nor has any such notice or complaint or Action been threatened in writing against the Group CompaniesGroup.
(c) With respect to all Personal Information held by or on behalf of any of the Group Companies, or otherwise under its control, the Group Companies have, at all times, taken the steps required and reasonably necessary to protect such Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse (including by the Group Companies’ officers, employees, independent contractors and consultants), including implementing and monitoring compliance with reasonable measures with respect to technical and physical security of such Personal Information. The Group Companies have taken commercially reasonable steps to provide for the back-up and recovery of data and commercially reasonable disaster recovery plans, procedures and facilities and, as applicable, has taken commercially reasonable steps to implement such plans and procedures. The Group Companies has taken all reasonable actions to protect the integrity and security of IT Assets and the information stored thereon from unauthorized use, access, or modification by third parties and from viruses and contaminants.
Samples: Business Combination Agreement (Chenghe Acquisition II Co.)
Privacy and Cybersecurity. (a) The members of the Target Company Group or to the knowledge of the Target Companies, all vendors processors and other third parties Processing or otherwise with access to Personal Information collected and/or Processed by or for, and/or sharing Personal Information with, the Target Companies maintain and (collectively, “Data Partners”) are in material compliance with, and at all times during the Lookback Periodpast three (3) years the members of the Target Company Group have been, have maintained and been in compliance with, (i) all applicable Laws relating to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security, disclosure or transfer of Personal Information, including all applicable Laws governing breach notification, and the Mexican Federal Protection Law of Personal Data (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its regulationsPrivacy Laws, (ii) the CompanyTarget Company Group’s internal and its Subsidiaries’ posted or publicly facing external privacy policies, notices and/or statements applicable to the business of the Target Company Group and (iii) the Group Companies’ contractual obligations applicable to the Target Company Group with respect to the business of the Target Company Group concerning privacy, data protection, cybersecurity, Personal Information and data privacy and security and the security of the Group Companies’ IT Assets Target Company Group’s information technology systems (collectively, (i)-(iii), “Personal Information Laws and PoliciesPrivacy Requirements”). 
There are no Actions by any Person (including any Governmental Authority) pending to which any member of the Target Company Group Company is a named party or, to the knowledge of the CompanyTarget Companies, threatened in writing against any member of the Target Company or its Subsidiaries Group, alleging a violation of any Personal Information Laws and Policies, Privacy Requirement and there have been no such Actions brought against any Group Company. None of during the Group Companies has received any written notice from any Person relating to an alleged violation of Personal Information Laws and Policies. During the Lookback Period, each Group Company has had written Contracts in place with third parties processing Personal Information or other data for or on behalf of the Group Company in connection with the operation of the businesses of any Group Company past three (“Processors”), their respective customers and any other Person that shares Personal Information with any Group Company, that are materially consistent with all requirements of the Personal Information Laws and Policies3) years.
(b) During Except as set forth on Section 4.23(b) of the Lookback PeriodTarget Company Disclosure Letter, during the past three (3) years preceding the date of this Agreement, (i) to the knowledge of the Target Companies, there have been no material accidental, unlawful or unauthorized intrusions nor breaches of the security of the Target Companies’, or to the knowledge of the Target Companies, the Data Partner’s, IT Assets used Systems that have resulted in the unauthorized access, use, loss, disclosure, destruction, modification, corruption, compromise or held for use by the Group Companies in their businessesencryption of any Personal Information contained or stored therein (a “Security Incident”), and (ii) there have been no disruptions in any such IT Assets Systems that materially adversely affected have caused a material disruption in the Group Companies’ business or operationsoperation of any member of the Target Company Group. The Target Company Group Companies take has implemented and requires its Data Partners to implement: (A) commercially reasonable and legally compliant measures designed to protect confidential or sensitive information and Personal Information and other confidential information in its possession their possession, custody, or control against unauthorized access, use, modification, disclosure or other misuse, including through administrative, technical and physical safeguards. 
None of the Group Companies has (A) experienced any incident in which confidential or sensitive information or Personal Information was stolen, or accessed, used or disclosed without authorization, including in connection with a breach of security, or safeguards and (B) received any written notice or complaint from any Person (including any Governmental Authority) with respect to any commercially reasonable security controls and disaster recovery plans and procedures for the IT Systems within their control and used in the business of the foregoingTarget Company Group, nor has any which are designed to protect the confidentiality, integrity and availability of such notice or complaint been threatened in writing against IT Systems and the Group Companiesdata processed by such IT Systems.
(c) With respect During the past three (3) years, (i) the Target Company Group, nor to all Personal Information held by or on behalf of any the knowledge of the Group Target Companies, any Data Partner, have not experienced any Security Incident, (ii) no member of the Target Company Group has received any written notice, inquiry, request, claim or otherwise under its controlcomplaint from any Person, the Group Companies haveor provided any written notice or been required to provide notice to any Person, at all times, taken the steps required and reasonably necessary to protect such Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse (including by the Group Companies’ officers, employees, independent contractors and consultants), including implementing and monitoring compliance with reasonable measures with respect to technical and physical security any Security Incident or violation of such Personal Information. The Group Companies have taken commercially reasonable steps the Privacy Requirements or (iii) been subject to provide for the back-up and recovery of data and commercially reasonable disaster recovery plansany investigation or enforcement action by, procedures and facilities and, as applicable, has taken commercially reasonable steps to implement such plans and procedures. The Group Companies has taken all reasonable actions to protect the integrity and security of IT Assets and the information stored thereon from unauthorized use, access, any Governmental Authority or modification by third parties and from viruses and contaminantsother Person.
Samples: Business Combination Agreement (Everest Consolidator Acquisition Corp)