Common use of Privacy and Cybersecurity Clause in Contracts

Privacy and Cybersecurity. (a) The Company, the Company’s Subsidiaries and, to the Company’s Knowledge, any Person acting for or on the Company’s or any of its Subsidiaries’ behalf have, since January 1, 2019, complied with (i) all applicable Privacy Laws, (ii) all of the Company’s and its Subsidiaries’ policies and notices regarding Personal Data, and (iii) all of the Company’s and its Subsidiaries’ contractual obligations with respect to Personal Data, except for matters that, individually or in the aggregate, would not reasonably be expected to result in a Company Material Adverse Effect. Except as would not, individually or in the aggregate, be material to the Company (or in the case of (C), the Surviving Corporation) and its Subsidiaries, taken as a whole, (A) the Company and each of its Subsidiaries has implemented and maintained commercially reasonable policies, procedures and systems for receiving and appropriately responding to requests from individuals concerning their Personal Data, (B) none of the Company’s or any of its Subsidiaries’ privacy policies or notices have contained any material omissions or been materially misleading or deceptive and (C) following the Effective Time, the Surviving Corporation will have the same rights on substantially the same terms and conditions to continue to use Personal Data in the possession or control of the Company or any of its Subsidiaries as it had prior to the Effective Time. (b) Except as would not, individually or in the aggregate, be material to the Company and its Subsidiaries, taken as a whole, (i) the Company and each of its Subsidiaries has implemented and at all times since January 1, 2019 maintained commercially reasonable and appropriate technical and organizational safeguards to protect confidential data in its possession or under its control against loss, theft, misuse or unauthorized access, use, modification, alteration, destruction or disclosure, (ii) the Company, and each of its Subsidiaries has taken commercially reasonable steps to require that any third party with access to Personal Data collected by or on behalf of the Company or any of its Subsidiaries has implemented and maintained the same and (iii) to the Company’s Knowledge, any third party that has provided Personal Data to the Company or any of its Subsidiaries has done so in compliance with applicable Privacy Laws, including providing any notice and obtaining any consent required by applicable Privacy Laws. (i) To the Company’s Knowledge, there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Data in the possession or control of the Company or any of its Subsidiaries or collected, used or processed by or on behalf of the Company or any of its Subsidiaries and neither the Company nor any of its Subsidiaries has provided or been legally required to provide any notices to any Person in connection with a disclosure of Personal Data, and (ii) neither the Company nor any of its Subsidiaries has, between January 1, 2019 and the date hereof, received any written notice of any claims (including notice from third parties acting on its behalf) of or investigations related to, or been charged with, the violation of any Privacy Laws, applicable privacy policies, or contractual commitments with respect to Personal Data. (d) The Company and its Subsidiaries have implemented and maintain reasonable information security safeguards designed to protect the security, confidentiality, integrity and availability of the Company IT Systems consistent with industry practices, which safeguards have been described to the Parent. The Company and its Subsidiaries have implemented reasonable backup, business continuity and disaster recovery technology and arrangements consistent with industry practices.

Privacy and Cybersecurity. (a) The Company, the Company’s Subsidiaries and, to the Company’s Knowledge, any Person acting for or on the Company’s or any of its Subsidiaries’ behalf have, since January 1, 2019, complied with (i) all applicable Privacy Laws, (ii) all of the Company’s and its Subsidiaries’ policies and notices regarding Personal DataExcept as has not had, and (iii) all of the Company’s and its Subsidiaries’ contractual obligations with respect to Personal Data, except for matters that, individually or in the aggregate, would not reasonably be expected to result in have, a material adverse effect on the ability of the Company Material Adverse Effect. Except to enter into and perform its obligations under this Agreement and except as would is not, individually or in the aggregateand would not reasonably be expected to be, be material to the Company (or in the case business of (C), the Surviving Corporation) and its Subsidiaries, taken as a whole, (A) the Company and each of its Subsidiaries has implemented and maintained commercially reasonable policies, procedures and systems for receiving and appropriately responding to requests from individuals concerning their Personal Data, (B) none of the Company’s or any of its Subsidiaries’ privacy policies or notices have contained any material omissions or been materially misleading or deceptive and (C) following the Effective Time, the Surviving Corporation will have the same rights on substantially the same terms and conditions to continue to use Personal Data in the possession or control of the Company or any of its Subsidiaries as it had prior to the Effective Time. (b) Except as would not, individually or in the aggregate, be material to the Company and its Subsidiaries, taken as a whole: (a) The Company and its Subsidiaries are in compliance with, and during the past three (3) years have been in compliance with, (i) all applicable Laws relating to the privacy and/or security of personal information, (ii) the Company’s and its Subsidiaries’ posted or publicly facing privacy policies, (iii) the Company’s and its Subsidiaries’ contractual obligations concerning cybersecurity, data security and the security of the information technology systems used by the Company and each its Subsidiaries and (iv) the Payment Card Industry Data Security Standard (the foregoing clauses (i) through (iv), “Privacy and Cybersecurity Requirements”). There are not, and have not been in the past three (3) years, any Actions by any Person, or, to the knowledge of the Company, any investigations by any Governmental Authority, to which the Company or any of its Subsidiaries is a named party or threatened in writing against the Company or any of its Subsidiaries alleging a violation of any Privacy and Cybersecurity Requirements. (b) To the knowledge of the Company, during the past three (3) years, (i) there have been no breaches of the security of any Company IT Systems or information technology systems controlled by any third Person, and (ii) there has implemented been no failure, breakdown, performance reduction, disruption, or other adverse event (including any ransomware attack) with respect to any Company IT Systems, in each case, that adversely affected the Company’s or the Material Subsidiaries’ business or operations. The Company and at its Subsidiaries have aligned their cybersecurity practices with commercially reasonable industry standards. (c) The Company and its Subsidiaries have established and maintain, and use commercially reasonable efforts to ensure that all times since January 1third Persons operating information technology systems on behalf of the Company or its Subsidiaries or processing personal information in connection with a product or service of the Company or any of its Subsidiaries have established and maintain, 2019 maintained commercially reasonable and appropriate technical and organizational safeguards legally compliant measures to protect the Company IT Systems and all Trade Secrets, material confidential data information, and sensitive or personally identifiable information in its their possession or under its control against loss, theft, misuse or unauthorized access, use, modification, alterationdisclosure or other misuse, destruction including when such personal information is provided or disclosuremade available to third Persons, (ii) through written policies and procedures, and commercially reasonable organizational, administrative, technical and physical safeguards. Neither the Company nor any of its Subsidiaries, nor, to the knowledge of the Company, and each any third Person operating information technology systems on behalf of the Company or its Subsidiaries has taken commercially reasonable steps to require that any third party with access to Personal Data collected by or processing personal information on behalf of the Company or any of its Subsidiaries Subsidiaries, has implemented (A) experienced any material incident in which such information was stolen or improperly accessed or used, including in connection with a breach of security, or (B) received any written notice or complaint from any Person with respect to any of the foregoing, nor has any such notice or complaint been threatened in writing against the Company or any of its Subsidiaries. (d) The consummation of the transactions contemplated hereby shall not breach or otherwise cause any violation of any Privacy and maintained the same and (iii) to the Company’s KnowledgeCybersecurity Requirements, any third party that has provided Personal Data to or result in the Company or any of its Subsidiaries has done so in compliance with applicable Privacy Laws, including providing being prohibited from receiving or using any notice and obtaining any consent required by applicable Privacy Laws. (i) To the Company’s Knowledge, there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Data personal information in the possession manner currently received or control of used by the Company or any of its Subsidiaries or collected, used or processed by or on behalf of the Company or any of its Subsidiaries and neither the Company nor any of its Subsidiaries has provided or been legally required to provide any notices to any Person in connection with a disclosure of Personal Data, and (ii) neither the Company nor any of its Subsidiaries has, between January 1, 2019 and the date hereof, received any written notice of any claims (including notice from third parties acting on its behalf) of or investigations related to, or been charged with, the violation of any Privacy Laws, applicable privacy policies, or contractual commitments with respect to Personal DataSubsidiaries. (d) The Company and its Subsidiaries have implemented and maintain reasonable information security safeguards designed to protect the security, confidentiality, integrity and availability of the Company IT Systems consistent with industry practices, which safeguards have been described to the Parent. The Company and its Subsidiaries have implemented reasonable backup, business continuity and disaster recovery technology and arrangements consistent with industry practices.

Privacy and Cybersecurity. (a) The CompanyCompany and its Subsidiaries are, and during the Company’s Subsidiaries andthree (3) years preceding the date of this Agreement have been, in compliance with all of the following to the Company’s Knowledgeextent governing privacy, data protection or cybersecurity with respect to the collection, processing, storage, use, disclosure, retention, disposal, transfer, protection, or performance of any Person acting other operation (collectively, “Processing”) of Personal Information by or for the Company or on its Subsidiaries: (i) applicable Laws, and the Company’s applicable requirements of applicable industry standards to which the Company or any of its Subsidiaries’ behalf have, since January 1, 2019, complied with (i) all applicable Privacy LawsSubsidiaries is legally bound, (ii) all of the Company’s and its Subsidiaries’ policies and published, public-facing notices regarding Personal Data(the “Privacy Policies”), and (iii) all of the Company’s and its Subsidiaries’ contractual obligations with respect to obligations, (collectively, (i)-(iii), “Personal DataInformation Laws and Policies”), except for matters that, individually or in the aggregate, would not reasonably be expected to result in a Company Material Adverse Effect. Except as would not, individually or in the aggregate, be material to the Company (or in the each case of (Ci)-(iii), as would not have a Material Adverse Effect on the Surviving Corporation) Company and its Subsidiaries, taken as a whole, (A) the Company and each of its Subsidiaries has implemented and maintained commercially reasonable policies, procedures and systems for receiving and appropriately responding . There are no Actions pending to requests from individuals concerning their Personal Data, (B) none of the Company’s or any of its Subsidiaries’ privacy policies or notices have contained any material omissions or been materially misleading or deceptive and (C) following the Effective Time, the Surviving Corporation will have the same rights on substantially the same terms and conditions to continue to use Personal Data in the possession or control of which the Company or any of its the Company’s Subsidiaries as it had prior is a named party or, to the Effective TimeKnowledge of the Company, threatened in writing against the Company or its Subsidiaries, in each case, alleging a violation of any Personal Information Laws and Policies by the Company or any of the Company’s Subsidiaries, and during the three (3) years preceding the date of this Agreement, there have been no such Actions brought against the Company or any of the Company’s Subsidiaries. Except as would not have a Material Adverse Effect on the Company and its Subsidiaries, neither the Company nor any of the Company’s Subsidiaries has as of the date of this Agreement received any written notice from (i) any Governmental Authority or (ii) any other Person, in each case with respect to (i) and (ii), relating to an alleged violation of Personal Information Laws and Policies by the Company or any of the Company’s Subsidiaries. (b) Except as would not, individually or in the aggregate, be material to not have a Material Adverse Effect on the Company and its Subsidiaries, taken as a whole, during the three (i3) years preceding the date of this Agreement, there have been no breaches, cyberattacks, security incidents, unauthorized uses, or other unauthorized access to the IT systems used by the Company (or unauthorized Processing of any Personal Information or confidential data stored thereon or Processed thereby), and (ii) there has been no incident that has caused any material disruption to, or interruption in, the IT systems used by or for the Company or the conduct of the business of the Company and each its Subsidiaries. The Company and its Subsidiaries take, and during the three (3) years preceding the date of this Agreement have taken, commercially reasonable measures designed to protect confidential or sensitive information (including Personal Information) Processed by or for the Company or any of its Subsidiaries has implemented and at all times since January 1, 2019 maintained commercially reasonable and appropriate technical and organizational safeguards to protect confidential data in its possession or under its control against loss, theft, misuse or unauthorized access, use, modification, alterationloss, destruction or disclosure, (ii) the Companyother Processing, and each of its Subsidiaries has taken commercially reasonable steps to require that any third party with access to Personal Data collected by or on behalf of the Company or any of its Subsidiaries has implemented and maintained other misuse, in each case, except as would not have a Material Adverse Effect on the same and (iii) to the Company’s Knowledge, any third party that has provided Personal Data to the Company or any of its Subsidiaries has done so in compliance with applicable Privacy Laws, including providing any notice and obtaining any consent required by applicable Privacy Laws. (i) To the Company’s Knowledge, there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Data in the possession or control of the Company or any of its Subsidiaries or collected, used or processed by or on behalf of the Company or any of its Subsidiaries and neither the Company nor any of its Subsidiaries has provided or been legally required to provide any notices to any Person in connection with a disclosure of Personal Data, and (ii) neither the Company nor any of its Subsidiaries has, between January 1, 2019 and the date hereof, received any written notice of any claims (including notice from third parties acting on its behalf) of or investigations related to, or been charged with, the violation of any Privacy Laws, applicable privacy policies, or contractual commitments with respect to Personal Data. (d) The Company and its Subsidiaries have implemented and maintain reasonable information security safeguards designed to protect the securitySubsidiaries, confidentiality, integrity and availability of the Company IT Systems consistent with industry practices, which safeguards have been described to the Parent. The Company and its Subsidiaries have implemented reasonable backup, business continuity and disaster recovery technology and arrangements consistent with industry practicestaken as a whole.

Privacy and Cybersecurity. (a) The CompanyCompany and its Subsidiaries are, and during the Company’s Subsidiaries andthree (3) years preceding the date of this Agreement have been, in material compliance with all of the following to the Company’s Knowledgeextent governing privacy, data protection, cybersecurity, or security breach notification or otherwise relating to the access, creation, collection, processing, storage, use, maintenance, disclosure, distribution, sharing, retention, disposal, transfer, transmission, receipt, import, disposal, disclosure, protection or performance of any Person acting other operation (collectively, “Processing” or “Processed”) of Personal Information by or for the Company or on the Company’s or any of its Subsidiaries’ behalf have, since January 1, 2019, complied with : (i) all applicable Privacy Laws, including HIPAA (ii) all of the Company’s and its Subsidiaries’ policies and published, public-facing notices regarding Personal Data(the “Privacy Policies”), and (iii) all of the Company’s and its Subsidiaries’ contractual obligations with respect to obligations, (collectively, (i)-(iii), “Personal DataInformation Laws and Policies”) except in each case of (i)-(iii), except for matters thatas would not be material to the Company. There are no (A) current Legal Proceedings to which the Company or any of the Company’s Subsidiaries is a named party or, individually (B) to the Knowledge of the Company, threatened in writing against the Company or its Subsidiaries, in each case, alleging a violation of any Personal Information Laws and Policies by the Company or any of the Company’s Subsidiaries, in the aggregatecase of (B), except as would not reasonably be expected to result in a Company Material Adverse Effect. Except as would not, individually or in the aggregate, be material to the Company (or in the case of (C), the Surviving Corporation) and its Subsidiaries, taken as a whole, (A) the Company and each of its Subsidiaries has implemented and maintained commercially reasonable policies, procedures and systems for receiving and appropriately responding to requests from individuals concerning their Personal Data, (B) none of the Company’s or any of its Subsidiaries’ privacy policies , and during the three (3) years preceding the date of this Agreement, there have been no such Legal Proceedings brought against the Company or notices any of the Company’s Subsidiaries. Neither the Company nor any of the Company’s Subsidiaries has as of the date of this Agreement received any written notice from (x) any Governmental Authority or (y) except as would not be material to the Company or any of its Subsidiaries, any other Person, in each case with respect to (x) and (y), relating to an alleged violation of Personal Information Laws and Policies by the Company or any of the Company’s Subsidiaries. (b) During the three (3) years preceding the date of this Agreement, there have contained been no material actual (i) breaches, cyberattacks, security incidents, unauthorized uses, or other unauthorized access to the Company Systems, including any “breach” of “unsecured protected health information” (as defined by HIPAA) (ii) unauthorized Processing of any Personal Information or material confidential information stored thereon or Processed thereby), and (iii) there has been no incident that has caused any material omissions disruption to, or been materially misleading or deceptive and (C) following the Effective Timeinterruption in, the Surviving Corporation will Company Systems. The Company and its Subsidiaries take, and during the three (3) years preceding the date of this Agreement have the same rights on substantially the same terms and conditions taken, commercially reasonable measures designed to continue to use protect confidential or sensitive information (including Personal Data in the possession Information) Processed by or control of for the Company or any of its Subsidiaries as it had prior to the Effective Time. (b) Except as would not, individually or in the aggregate, be material to the Company and its Subsidiaries, taken as a whole, (i) the Company and each of its Subsidiaries has implemented and at all times since January 1, 2019 maintained commercially reasonable and appropriate technical and organizational safeguards to protect confidential data in its possession or under its control against loss, theft, misuse or unauthorized access, use, modification, alterationloss, destruction or disclosure, (ii) the Companyother Processing, and each of its Subsidiaries has taken commercially reasonable steps to require that any third party with access to Personal Data collected by or on behalf of the Company or any of its Subsidiaries has implemented and maintained the same and other misuse, in each case, except as would not have a Company Material Adverse Effect. (iiic) to the Company’s Knowledge, any third party that has provided Personal Data Except as would not be material to the Company or any of its Subsidiaries has done so in compliance with applicable Privacy Laws, including providing any notice and obtaining any consent required by applicable Privacy Laws. (i) To the Company’s Knowledge, there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Data in the possession or control of the Company or any of its Subsidiaries or collected, used or processed by or on behalf of the Company or any of its Subsidiaries and neither the Company nor any of its Subsidiaries has provided or been legally required to provide any notices to any Person in connection with a disclosure of Personal Data, and (ii) neither the Company nor any of its Subsidiaries has, between January 1, 2019 and the date hereof, received any written notice of any claims (including notice from third parties acting on its behalf) of or investigations related to, or been charged withSubsidiaries, the violation of any Privacy Laws, applicable privacy policies, or contractual commitments with respect to Personal Data. (d) The Company and its Subsidiaries have implemented (i) at all times obtained written permission prior to engaging in the de-identification of client Personal Information or providing data aggregation services; (ii) de-identified all Personal Information in accordance with HIPAA; and maintain reasonable information security safeguards designed to protect the security(iii) not sold, confidentialitylicensed, integrity and availability of the Company IT Systems consistent with industry practices, which safeguards have been described to the Parent. The Company and its Subsidiaries have implemented reasonable backup, business continuity and disaster recovery technology and arrangements consistent with industry practicesor otherwise commercialized any “protected health information” (as defined in HIPAA).

Privacy and Cybersecurity. (a) The CompanyCompany and its Subsidiaries are, and during the Company’s Subsidiaries andthree (3) years preceding the date of this Agreement have been, in compliance with all of the following concerning privacy, data protection or cybersecurity with respect to the Company’s Knowledgecollection, any Person acting for processing, storage, use, disclosure, retention, disposal, transfer, or on protection (collectively, “Processing”) of Personal Information: (i) applicable Laws, and the Company’s applicable requirements of applicable industry and self-regulatory organizations with which the Company or any of its Subsidiaries’ behalf have, since January 1, 2019, complied with (i) all applicable Privacy LawsSubsidiaries is obligated by contract or otherwise required to comply, (ii) all of the Company’s and its Subsidiaries’ policies and notices regarding Personal Data(the “Privacy Policies”), and (iii) all of the Company’s and its Subsidiaries’ contractual obligations with respect to obligations, (collectively, (i)-(iii), “Personal DataInformation Laws and Policies”), except for matters thatin each case of (i)-(iii), individually or in the aggregate, as would not reasonably be expected to result in a Company Material Adverse Effect. Except as would not, individually or in the aggregate, be material to the Company (or in the case of (C), the Surviving Corporation) and its Subsidiaries, taken as a whole, (A) the Company and each of its Subsidiaries has implemented and maintained commercially reasonable policies, procedures and systems for receiving and appropriately responding . There are no Actions pending to requests from individuals concerning their Personal Data, (B) none of the Company’s or any of its Subsidiaries’ privacy policies or notices have contained any material omissions or been materially misleading or deceptive and (C) following the Effective Time, the Surviving Corporation will have the same rights on substantially the same terms and conditions to continue to use Personal Data in the possession or control of which the Company or any of its the Company’s Subsidiaries as it had prior is a named party or, to the Effective Time. knowledge of the Company, threatened in writing against the Company or its Subsidiaries, in each case, alleging a violation of any Personal Information Laws and Policies by the Company or any of the Company’s Subsidiaries, and during the three (b3) Except years preceding the date of this Agreement, there have been no such Actions brought against the Company or any of the Company’s Subsidiaries. Neither the Company nor any of the Company’s Subsidiaries has as of the date of this Agreement received any written notice from (i) any Governmental Authority or (ii) except as would not, individually or in the aggregate, not reasonably be expected to be material to the Company and its Subsidiaries, taken as a whole, any other Person, in each case, relating to an alleged violation of Personal Information Laws and Policies by the Company or any of the Company’s Subsidiaries. (b) Except as would not reasonably be expected to be material to the Company and its Subsidiaries, taken as a whole, the IT Systems are in good repair and operating condition and are sufficient (including with respect to working condition, performance and capacity) for the purposes of the business of the Company and its Subsidiaries as currently conducted. During the three (3) years preceding the date of this Agreement, (i) there have been no breaches, cyberattacks or security incidents, unauthorized uses, breakdowns, malfunctions, persistent substandard performance, or failures of, or unauthorized access to, the IT Systems (or any Personal Information or confidential data stored thereon or Processed thereby), that has caused any material disruption to, or interruption in, such IT Systems or the conduct of the business of the Company and each its Subsidiaries, other than those that were resolved without, or otherwise did not involve, (i) cost or liability material to the Company and its Subsidiaries, taken as a whole or (ii) notification to any affected Person or Governmental Authority. The Company and its Subsidiaries take, and during the three (3) preceding the date of this Agreement have taken, commercially reasonable measures designed to protect confidential, sensitive or Personal Information Processed by the Company or any of its Subsidiaries has implemented and at all times since January 1, 2019 maintained commercially reasonable and appropriate technical and organizational safeguards to protect confidential data in its possession or under its control against loss, theft, misuse or unauthorized access, use, modification, alterationloss, destruction disclosure or disclosureother misuse, (ii) including through reasonable administrative, technical and physical safeguards and the Companytimely remediation of material security audit findings known to the Company relating to IT Systems in their possession or otherwise in their control. Except as would not be material to the Company and its Subsidiaries, and each of its Subsidiaries has taken commercially reasonable steps to require that as a whole, neither the Company nor any third party with access to Personal Data collected by or on behalf Subsidiary of the Company has during the three (3) years preceding the date of this Agreement (i) experienced any incident in which such information was stolen, lost or any of its Subsidiaries has implemented and maintained the same and improperly accessed nor (iiiii) to the Company’s Knowledge, any third party that has provided Personal Data to the Company or any of its Subsidiaries has done so in compliance with applicable Privacy Laws, including providing any notice and obtaining any consent required by applicable Privacy Laws. (i) To the Company’s Knowledge, there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Data in the possession or control of the Company or any of its Subsidiaries or collected, used or processed by or on behalf of the Company or any of its Subsidiaries and neither the Company nor any of its Subsidiaries has provided or been legally required to provide any notices to any Person in connection with a disclosure of Personal Data, and (ii) neither the Company nor any of its Subsidiaries has, between January 1, 2019 and the date hereofknowledge, received any written notice of or complaint or Action, or any claims Action threatened in writing, from any Person (including notice from third parties acting on its behalfany Governmental Authority) of or investigations related to, or been charged with, the violation of any Privacy Laws, applicable privacy policies, or contractual commitments with respect to Personal Dataany such incident. (d) The Company and its Subsidiaries have implemented and maintain reasonable information security safeguards designed to protect the security, confidentiality, integrity and availability of the Company IT Systems consistent with industry practices, which safeguards have been described to the Parent. The Company and its Subsidiaries have implemented reasonable backup, business continuity and disaster recovery technology and arrangements consistent with industry practices.