Appears in 2 contracts

Samples: Merger Agreement (Tapestry, Inc.), Agreement and Plan of Merger (Capri Holdings LTD)

Privacy and Data Protection. (a) ~~Except~~ Since January 1, 2022, except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect: , (i) the Company’s and each Company Subsidiary’s’s Processing of Personal Data (and, ~~and~~ to the Company’s Knowledge, ~~each~~ any such Processing by Company Data ~~Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal~~ Vendors) have complied with all Privacy Obligations. Except as has not had and ~~security, as the case may be, of Personal Data,~~ would not reasonably be expected to have, ~~since March 28~~individually or in the aggregate, 2020, complied with their respective obligations arising from (in each case, to the extent applicable) (A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company ~~Subsidiary (such obligations~~Material Adverse Effect, ~~collectively, “Data Privacy Obligations”); (ii)~~ the Company and each Company Subsidiary (and, to the Knowledge of the Company, each Company Data Vendor as it relates to Personal Data of the Company and Company Subsidiaries Processed by such Company Data Vendor) have all rights, authority, consents and authorizations and have provide all notices necessary to ~~receive, retain, access, use and disclose the~~ Process all Personal Data ~~in their possession or under their control~~ that has been Processed in connection with the operation of their business as currently retained, accessed, used and disclosed by them, including under the Transactions; and (iii) the Company and each Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the Company and each Company Subsidiarypresently conducted. ~~The execution, delivery, and performance of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy Obligations. (b)~~ Except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, since ~~March 28~~January 1, ~~2020~~2022, no Person has (A) made any written claim or (B) commenced any Proceeding by or before any Governmental Entity, in each case, against the Company or a Company Subsidiary (or, to the Knowledge of the Company, Company Data Vendors as it relates to Personal Data of the Company and Company Subsidiaries), with respect to any alleged violation of any Privacy Obligations. Except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a whole, all confidential information, including Personal Data, of the Company and the Company Subsidiaries will continue to be available for Processing by the Company and the Company Subsidiaries following the Closing Date on substantially the same terms and conditions as existed immediately before the Closing Date. Except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a whole, the Company and the Company Subsidiaries are not in breach or default of any Contracts relating to the Company Technology or to Company confidential information (including Personal Data) and do not transfer Personal Data internationally except where such transfers comply with Privacy Obligations. (b) Since January 1, 2022, except as has not been and would not reasonably be expected to be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a whole, there has been no ~~(i) data~~ security breach of, unauthorized access to, or ~~malicious~~ unauthorized use, disclosure, or acquisition of, interruption, outage, failure, violation, disruption or other security incident of any Company ~~IT Systems that transmit~~ Technology (or ~~maintain Protected Information owned~~any confidential information, ~~used~~including Personal Data, ~~hosted, maintained~~ stored thereon or ~~controlled by~~ Processed thereby) or ~~on behalf~~ of any Company Data Vendors (as relates to Personal Data of the Company ~~or the~~ and Company ~~Subsidiaries or (ii) incident involving the loss~~Subsidiaries), ~~damage, unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use or unauthorized disclosure of~~ including any ~~Protected Information owned, used, hosted, maintained or controlled by or on behalf~~ of the ~~Company~~ foregoing that would require notification to any Persons or ~~the Company Subsidiaries (clauses (i)~~ Governmental Entities under any Privacy Obligations. Since January 1, 2022, except as has not been and ~~(ii) collectively, a “Security Incident”). Except as~~ would not reasonably be expected to ~~have~~be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a ~~Company Material Adverse Effect~~whole, ~~none of~~ neither the Company’s , nor the Company Subsidiaries, have been and are not adversely affected by any Malicious Code, ransomware or malware attacks, or denial-of-service attacks on any Company Technology. Since January 1, 2022, the Company, any Company Subsidiary~~’s Data Partners have~~, ~~since March 28, 2020, suffered~~ nor any ~~Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of~~ third party acting at their direction or ~~loss of or damage to any Personal Data held for or on behalf~~ authorization of the Company or any Company ~~Subsidiaries~~Subsidiary has paid any perpetrator of any actual or threatened security breach, security incident or ~~violated any Information Privacy and Security Laws with respect thereto~~cyberattack, including, but not limited to, a ransomware attack or a denial-of-service attack. (c) The Company Technology (including, to the Company’s Knowledge, that of Company Data Vendors) is in good working order and is sufficient to operate the businesses of the Company and Company Subsidiaries as currently conducted. All Company Technology (i) functions in accordance with its specifications, documentation and/or intended purpose, in each case, in all material respects and (ii) to the Company’s Knowledge, is free from material defects, deficiencies, errors, disabling mechanisms, viruses, time locks, Trojan horses, malware or other contaminants or corruptants (collectively, “Malicious Code”). The Company and each of the Company ~~Subsidiary have~~Subsidiaries maintains, implements and ~~have required their Data Partners to have, implemented, monitored and maintained~~ complies with a reasonable written information security ~~program, covering the Company~~ program (including reasonable procedures for redundancy and ~~each Company Subsidiary,~~ disaster recovery) designed to ~~meet or exceed applicable industry standards, to~~ (i1) identify and address internal and external risks to the ~~security~~security of the Company Technology, ~~integrity or privacy of any proprietary or~~ including Personal Data and confidential ~~information (including Protected Information) in their possession~~information, (ii2) implement, monitor and improve ~~adequate and effective~~ reasonable administrative, technical and physical safeguards to control these ~~risks and protect the proprietary or confidential information (including Protected Information) in their possession~~risks, (~~iii) protect against Security Incidents, and (iv~~3) maintain notification procedures in compliance in all material respects with applicable Information Privacy and Security Laws in and (4) protect the ~~case~~ redundancy, continuous operation and recovery of ~~any breach of security~~Company Technology and all data, ~~integrity~~ including Personal Data, Processed thereby or ~~privacy compromising data containing Personal Data in their possession~~stored therein. In each of ~~the past three (3)~~ fiscal ~~years~~years ended December 31, 2022 and December 31, 2023, the Company ~~and each of the Company Subsidiaries have~~ has performed a security risk assessment covering the Company, each Company Subsidiary and each Company ~~Subsidiary~~Data Vendor, as applicable, in each case, as to the extent required under ~~PCI DSS~~all Privacy Obligations and, ~~and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) Except~~ except as would not reasonably be expected to ~~result~~ be, individually or in the aggregate, material ~~liability, disruption, or other material obligation to or of the Company or any Company Subsidiary, since March 28, 2020, (i) provided a written notice or audit request~~ to the Company and the Company Subsidiaries, taken as a whole, has remediated all critical or high risks, threats, deficiencies or vulnerabilities identified in the same. (d) Since January 1, 2022, except as has not been and would not reasonably expected to be, individually or in the aggregate material to the Company, and the Company subsidiaries, taken as a ~~Company Subsidiary~~whole, no Governmental Entity or Person has (iii) made any written claim (including any notice, enforcement notice, letter, or complaint) against the Company or a Company Subsidiary or (~~iii~~ii) commenced or, to the Company’s Knowledge, ~~commenced~~ threatened any ~~Action as~~ Proceeding by or before any Governmental Entity against the Company, a Company Subsidiary (or a Company Data Vendor with respect to Personal Data of the ~~entry into this Agreement~~Company or the Company Subsidiaries), in each case, with respect to ~~(A) any suspected~~Personal Data, ~~potential~~ a security breach, security incident, or an alleged violation of ~~Data~~ any Privacy ~~Obligations by the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security practices, including any Security Incident. (e)~~ Obligation. The Company and the Company Subsidiaries maintain, and have ~~in place written disaster recovery plans and procedures~~ maintained, cyber liability insurance with ~~respect to the IT Assets that they have identified as essential to the continuity of their business~~reasonable coverage limits.

Appears in 2 contracts

Samples: Merger Agreement (Sterling Check Corp.), Merger Agreement (First Advantage Corp)

Privacy and Data Protection. ~~(a)~~ Except as would not reasonably be ~~expected to have~~expected, individually or in the aggregate, to have a ~~Company~~ Material Adverse Effect: (i) the ~~Company’s~~ Company has operated its business in a manner compliant with all United States federal, state, local and ~~each Company Subsidiary’s~~non-United States privacy, data security and data protection laws and regulations applicable to the Company’s ~~Knowledge, each Data Partner’s, receipt,~~ collection~~, monitoring, maintenance, hosting, creation, transmission~~, use, ~~analysis~~transfer, protection, disposal, disclosure, ~~storage~~handling, ~~retention, disposal~~ storage and ~~security, as the case may be,~~ analysis of ~~Personal Data, have, since March 28, 2020, complied with their respective obligations arising from~~ personal data (in each case, to the extent applicable) (A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such obligations, collectively, “Data ~~Privacy Obligations~~Protection Laws”); (ii) the Company has taken reasonable steps to maintain the confidentiality of its personally identifiable information, protected health information, consumer information and ~~each~~ other confidential information of the Company ~~Subsidiary have all rights, authority, consents~~ and ~~authorizations necessary to receive, retain, access, use and disclose the Personal Data~~ any third parties in ~~their~~ its possession ~~or under their control in connection with the operation of their business as currently retained, accessed, used and disclosed by them, including under the Transactions~~(“Sensitive Company Data”); and (iii) the ~~Company~~ information technology systems (including computers, screens, servers, workstations, routers, hubs, switches, networks, data communications lines, technical data and ~~each Company Subsidiary have at all times posted~~hardware), ~~to the extent required under,~~ software and ~~in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available~~ telecommunications systems used or maintained by the Company (the “Company IT Assets”) are adequate and ~~each~~ operational for the business of the Company ~~Subsidiary~~as now operated and as currently proposed to be conducted as described in the Registration Statement, the General Disclosure Package and the Prospectus. The ~~execution~~Company has not suffered or incurred any security breaches, ~~delivery~~compromises or incidents with respect to any Company IT Asset or Sensitive Company Data that have required notification under applicable Data Protection Laws, ~~and performance of this Agreement and the Transactions will not materially conflict with~~ except where such breaches, compromises or ~~result in a material violation or breach of any Data Privacy Obligations. (b) Except as~~ incidents would ~~not reasonably be expected to have~~not, ~~individually~~ singly or in the aggregate, a Company Material Adverse Effect, since March 28, 2020, there has been no (i) data security breach of, unauthorized access to, or malicious disruption of any Company IT Systems that transmit or maintain Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries or (ii) incident involving the loss, damage, unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use or unauthorized disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries (clauses (i) and (ii) collectively, a “Security Incident”). Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s Data Partners have, since March 28, 2020, suffered any Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage to any Personal Data held for or on behalf of the Company or any Company Subsidiaries, or violated any Information Privacy and Security Laws with respect thereto. (c) The Company and each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained a written information security program, covering the Company and each Company Subsidiary, designed to meet or exceed applicable industry standards, to (i) identify and address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in their possession, (ii) implement, monitor and improve adequate and effective administrative, technical and physical safeguards to control these risks and protect the proprietary or confidential information (including Protected Information) in their possession, (iii) protect against Security Incidents, and (iv) maintain notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach of security, integrity or privacy compromising data containing Personal Data in their possession. In each of the past three (3) fiscal years, the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) Except as would not reasonably be expected to result in ~~material liability, disruption,~~ a Material Adverse Effect; and there has been no unauthorized or ~~other material obligation~~ illegal use of or access to ~~or of the Company or~~ any Company ~~Subsidiary~~IT Asset or Sensitive Company Data by any unauthorized third party, ~~since March 28~~except where such use of or access would not, ~~2020~~singly or in the aggregate, ~~(i) provided~~ reasonably be expected to result in a ~~written notice~~ Material Adverse Effect. To Company has not been required to notify any individual of any information security breach, compromise or ~~audit request to the~~ incident involving Sensitive Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or (iii) to the Company’s Knowledge, commenced any Action as of the entry into this Agreement, in each case, with respect to (A) any suspected, potential or alleged violation of Data Privacy Obligations by the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security practices, including any Security IncidentData. (e) The Company and the Company Subsidiaries have in place written disaster recovery plans and procedures with respect to the IT Assets that they have identified as essential to the continuity of their business.

Appears in 2 contracts

Samples: Underwriting Agreement (AEON Biopharma, Inc.), Underwriting Agreement (AEON Biopharma, Inc.)

Privacy and Data Protection. (a) ~~Except~~ Since April 1, 2015, except as ~~would~~ has not ~~reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect: (i) the Company’s~~ had and each Company Subsidiary’s, and to the Company’s Knowledge, each Data Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, of Personal Data, have, since March 28, 2020, complied with their respective obligations arising from (in each case, to the extent applicable) (A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such obligations, collectively, “Data Privacy Obligations”); (ii) the Company and each Company Subsidiary have all rights, authority, consents and authorizations necessary to receive, retain, access, use and disclose the Personal Data in their possession or under their control in connection with the operation of their business as currently retained, accessed, used and disclosed by them, including under the Transactions; and (iii) the Company and each Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the Company and each Company Subsidiary. The execution, delivery, and performance of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy Obligations. (b) Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, ~~since March 28~~(i) the Company’s and each Company Subsidiary’s receipt, ~~2020~~collection, monitoring, maintenance, hosting creation, transmission, use, analysis, disclosure, storage, disposal and security, as the case may be, of Protected Information and, to the Company’s Knowledge, any such activities performed or handled by authorized third parties on the Company’s or a Company Subsidiary’s behalf, have complied with, and (ii) neither the execution and delivery of this Agreement nor the consummation of the Transactions will result in the Company, any Company Subsidiary, or the Surviving Company being in breach or violation of, (A) provisions governing privacy, data protection, or information security matters in any Contracts to which the Company or any Company Subsidiary is a party, (B) applicable Information Privacy and Security Laws, (C) all applicable policies and procedures adopted by the Company or a Company Subsidiary relating to privacy, data protection, or information security with respect to Protected Information, including the Privacy Statements and such policies and procedures relating to access control, vulnerability management, incident response and overall network security and (D) all applicable consents and authorizations that apply to Protected Information that have been obtained by the Company or a Company Subsidiary. Except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, the Company and each Company Subsidiary have all rights, authority, consents and authorizations necessary to receive, access, use and disclose the Protected Information in their possession or under their control in connection with the operation of their business as presently conducted. (b) Since April 1, 2015, to the Company’s Knowledge, except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, there has been no (i) data security breach of, unauthorized access to, or malicious disruption of any Company ~~IT Systems~~ Products or any Company or Company Subsidiary systems, networks or information technology that ~~transmit~~ transmits or ~~maintain~~ maintains Protected Information ~~owned~~or other confidential information, ~~used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries~~ or (ii) ~~incident~~ other incidents involving the ~~loss, damage,~~ unauthorized access, ~~unauthorized~~ acquisition, ~~unauthorized modification, unauthorized~~ use or ~~unauthorized~~ disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company ~~Subsidiaries (clauses (i)~~ Subsidiaries, including any such unauthorized access, acquisition, use or disclosure of Protected Information that would constitute a breach for which notification by the Company or any Company Subsidiary to individuals and/or Governmental Entities is required under any applicable Information Privacy and ~~(ii) collectively~~Security Laws or Contracts to which the Company or a Company Subsidiary is a party. To the Company’s Knowledge, ~~a “Security Incident”). Except~~ since April 1, 2015, except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s ~~Data Partners have~~material vendors, ~~since March 28~~suppliers and subcontractors, ~~2020,~~ have (i) suffered any ~~Security Incident~~ security breach that resulted in any unauthorized access toto or use of any Protected Information, ~~unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage~~ (ii) breached any obligations relating to ~~any Personal Data held for or on behalf of~~ Protected Information in Contracts with the Company or any Company ~~Subsidiaries,~~ Subsidiary or (iii) violated any Information Privacy and Security ~~Laws with respect thereto~~Laws. (c) The Company maintains and ~~each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained~~ implements a reasonable written information security ~~program,~~ program covering the Company and each Company ~~Subsidiary,~~ Subsidiary designed ~~to meet or exceed applicable industry standards,~~ to (i) identify and address internal and external risks to the ~~security, integrity or privacy~~ security of any ~~proprietary or~~ confidential information (in their possession, including Protected Information~~) in their possession~~, (ii) implement, monitor and improve ~~adequate and effective~~ reasonable administrative, technical and physical safeguards to control these risks and ~~protect the proprietary or confidential information (including Protected Information) in their possession,~~ (iii~~) protect against Security Incidents, and (iv~~) maintain notification procedures in compliance in all material respects with applicable Information Privacy and Security Laws that require notification to any Person in the case of any breach of ~~security, integrity or privacy~~ security compromising data containing ~~Personal Data in their possession~~Protected Information. In each of 2016 and 2017, except as would not reasonably be expected to be, individually or in the ~~past three (3) fiscal years~~aggregate, material to the Company and the Company Subsidiaries, taken as a whole, the Company ~~and each of the Company Subsidiaries have~~ has performed a security risk assessment covering the Company and each Company Subsidiary, as applicable, in each case, as to the extent required under PCI ~~DSS,~~ DSS and ~~addressed~~ used reasonable efforts to address and ~~remediated~~ remediate all ~~critical,~~ critical or high risk ~~or material~~ threats and deficiencies identified in those security risk assessments. (d) Except as has not had and would not reasonably be expected to ~~result~~ have, individually or in ~~material liability~~the aggregate, ~~disruption~~a Company Material Adverse Effect, ~~or other material obligation~~ since April 1, 2014, no Person has, to or the Company’s Knowledge as of the ~~Company or any Company Subsidiary, since March 28, 2020~~date hereof, (i~~) provided a written notice or audit request to the Company or a Company Subsidiary, (ii~~) made any written claim against the Company or a Company Subsidiary or (~~iii~~ii) ~~to the Company’s Knowledge,~~ commenced any ~~Action as of~~ Proceeding by or before any Governmental Entity against the ~~entry into this Agreement~~Company or a Company Subsidiary, in each case, with respect to (A) any ~~suspected, potential or~~ alleged violation of ~~Data~~ Information Privacy ~~Obligations~~ and Security Laws by the Company, any Company Subsidiary or any third party in such third party’s collection, maintenance, storage, use, processing, disclosure, transfer or disposal of Protected Information for the Company or any Company Subsidiary pursuant to a Contract with the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security ~~practices~~practices with respect to Protected Information, including any ~~Security Incident~~loss, damage or unauthorized access, acquisition, use, disclosure, modification or other misuse of any Protected Information maintained by or on behalf of the Company or the Company Subsidiaries. As of the date hereof, to the Company’s Knowledge, since April 1, 2015, except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, no Person has provided a complaint (written or otherwise) to the Company or a Company Subsidiary, nor, to the Company’s Knowledge, to any third party, regarding the improper disclosure of Protected Health Information (as defined in HIPAA) by the Company or a Company Subsidiary. (e) ~~The~~ Except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a whole, (i) the Company and the Company Subsidiaries have in place ~~written~~ disaster recovery ~~plans~~ plans, procedures and ~~procedures~~ facilities that satisfy applicable Law and the Company’s and the Company Subsidiaries’ obligations under Contracts with ~~respect~~ all customers, vendors, suppliers and subcontractors of the Company, and the Company Subsidiaries, and (ii) the Company and the Company Subsidiaries are in compliance therewith. (f) To the Company’s Knowledge, no Software included in any Company Product contains any undisclosed disabling codes or instructions, “time bombs,” “Trojan horses,” “back doors,” “trap doors,” “worms,” viruses, bugs, faults, security vulnerabilities or other Software routines that has resulted in (i) any Person accessing without authorization or disabling or erasing any Company Product, (ii) a significant adverse effect on the functionality of any Company Product or (iii) unauthorized acquisition of or access to confidential or proprietary information created, received, maintained or transmitted through any Company Product, except as would not, in the case of (i), (ii),or (iii), reasonably be expected to be, individually or in the aggregate, material to the ~~IT Assets that they have identified~~ Company and the Company Subsidiaries, taken as ~~essential to the continuity of their business~~a whole.

Appears in 2 contracts

Samples: Merger Agreement, Agreement and Plan of Merger (Ca, Inc.)

Privacy and Data Protection. (a) ~~Except~~ Since April 2, 2016, except as has not been and would not reasonably be expected to ~~have~~be, individually or in the aggregate, ~~a Company Material Adverse Effect:~~ material to the Business, (i) ~~the Company~~Seller’s and each ~~Company Subsidiary’s, and to the Company’s Knowledge, each Data Partner’s,~~ of its Subsidiaries’ receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, ~~retention,~~ disposal and security, as the case may be, of ~~Personal Data~~Protected Information and, ~~have~~to Seller’s Knowledge, ~~since March 28~~any such activities performed or handled by authorized third parties on Seller’s or one of its Subsidiary’s behalf, ~~2020, complied with their respective obligations arising from (~~in each ~~case,~~ case in connection with or relating to the ~~extent applicable~~Business, have complied with, and (ii) neither the execution and delivery of this Agreement nor the consummation of the Transactions will result in Seller or any of its Subsidiaries, or, following the Closing, Purchaser, so long as the Protected Information is used in substantially the same manner as it is currently used in the Business, being in breach or violation of, (A) ~~all~~ provisions governing privacy, data protection, or information security matters in any Business Contracts, (B) applicable Information Privacy and Security Laws, (~~B) PCI DSS, (~~C) all applicable policies and procedures adopted by Seller or any of its Subsidiaries relating to privacy, data protection, or information security with respect to Protected Information, including the Privacy ~~Statements~~Statements and such policies and procedures relating to access control, vulnerability management, incident response and overall network security and/or (D) all ~~Contracts to which the Company or Company Subsidiary are bound~~ applicable consents, authorizations and ~~that govern their respective use of Personal Data, and~~ privacy choices (Eincluding opt-out decisions) ~~all consents and authorizations~~ that apply to ~~the Personal Data~~ Protected Information that have been obtained by Seller or any of its Subsidiaries. Except as has not been and would not reasonably be expected to be, individually or in the ~~Company or a Company Subsidiary (such obligations~~aggregate, ~~collectively~~material to the Business, ~~“Data Privacy Obligations”); (ii) the Company~~ Seller and each ~~Company Subsidiary have~~ of its Subsidiaries has all rights, authority, consents and authorizations necessary to receive, ~~retain,~~ access, use and disclose the ~~Personal Data~~ Protected Information in their possession or under their control in connection with the operation of ~~their business~~ the Business as currently retained, accessed, used and disclosed by them, including under the Transactions; and (iii) the Company and each Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the Company and each Company Subsidiary. The execution, delivery, and performance of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy Obligationspresently conducted. (b) Except as has not been and would not reasonably be expected to ~~have~~be, individually or in the aggregate, ~~a Company Material Adverse Effect~~material to the Business, ~~since March 28~~(i) Seller holds all permits and licenses, ~~2020~~and has made all governmental filings, required under applicable Information Privacy and Security Laws to process, use, and transfer Protected Information in connection with or relating to the Business, and (ii) the consummation of the Transactions will neither invalidate such permits and licenses nor require such permits and licenses to be amended under applicable Information Privacy and Security Laws. (c) Except as has not been and would not reasonably be expected to be, individually or in the aggregate, material to the Business, neither Seller nor any of its Subsidiaries sells or rents to third parties any Protected Information for monetary or other valuable consideration, in each case excluding sale, rental or disclosures of Protected Information to (i) Purchaser and any Person to whom Purchaser sells, rents or discloses Protected Information, (ii) the customers of the Business in Seller’s or its Subsidiaries’ provision of Business Products to the customers of the Business in the ordinary course of business consistent with past practice, or (iii) Seller’s or its Subsidiaries’ service providers when such disclosure is made for the purpose of the service provider’s provision of services to Seller or any of its Subsidiaries, in each case, in connection with or relating to the Business. (d) Since April 2, 2016, to Seller’s Knowledge, except as has not been and would not reasonably be expected to be, individually or in the aggregate, material to the Business, there has been no (i) data security breach of, unauthorized access to, or malicious disruption of any ~~Company IT Systems~~ Business Products or any Seller or any of its Subsidiaries’ systems, networks or information technology that ~~transmit~~ transmits or ~~maintain~~ maintains Protected Information ~~owned~~or other confidential information in connection with or relating to the Business, ~~used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries~~ or (ii) ~~incident~~ other incidents involving the ~~loss, damage,~~ unauthorized access, ~~unauthorized~~ acquisition, ~~unauthorized modification, unauthorized~~ use or ~~unauthorized~~ disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of Seller or any of its Subsidiaries in connection with or relating to the ~~Company~~ Business, including any such unauthorized access, acquisition, use or disclosure of Protected Information that would constitute a breach for which notification by Seller or any of its Subsidiaries to individuals and/or Governmental Entities and/or customers of the ~~Company~~ Business is required under any Information Privacy and Security Laws applicable to the Business or Business Contracts to which Seller or any of its Subsidiaries ~~(clauses (i)~~ is a party. To Seller’s Knowledge, since April 2, 2016, except as has not been and ~~(ii) collectively, a “Security Incident”). Except as~~ would not reasonably be expected to ~~have~~be, individually or in the aggregate, ~~a Company Material Adverse Effect~~material to the Business, none of the ~~Company~~Business’s ~~or any Company Subsidiary’s Data Partners have~~vendors, ~~since March 28~~suppliers and subcontractors, ~~2020,~~ have (i) suffered any ~~Security Incident~~ security breach that resulted in any unauthorized access toto or use of any Protected Information in the possession, ~~unauthorized modification of~~custody, ~~unauthorized use of, unauthorized disclosure~~ or control of ~~or loss of or damage to any Personal Data held for or on behalf of the Company~~ Seller or any ~~Company~~ of its Subsidiaries, (ii) breached any obligations relating to Protected Information in Contracts with Seller or any of its Subsidiaries or (iii) violated any Information Privacy and Security ~~Laws with respect thereto~~Laws. (ce) ~~The Company~~ Seller maintains and ~~each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained~~ implements a reasonably appropriate written information security ~~program,~~ program covering any part of the ~~Company and each Company Subsidiary,~~ Business designed ~~to meet or exceed applicable industry standards,~~ to (i) identify and address internal and external risks to the ~~security, integrity or privacy~~ security of any proprietary or confidential information (in the possession of Seller or any of its Subsidiaries, including Protected Information~~) in their possession~~, (ii) implement, monitor and improve ~~adequate and effective~~ reasonable administrative, technical and physical safeguards to control these risks and ~~protect the proprietary or confidential information (including Protected Information) in their possession,~~ (iii~~) protect against Security Incidents, and (iv~~) maintain notification procedures in compliance in all material respects with applicable Information Privacy and Security Laws that require notification to any Person in the case of any breach of ~~security, integrity or privacy~~ security compromising data containing ~~Personal Data~~ Protected Information, in ~~their possession~~each case, in connection with or relating to the Business. In For each of ~~the past three (3)~~ fiscal ~~years~~year 2018 and 2019, ~~the Company and each of the Company Subsidiaries have~~ Seller has performed a security risk assessment covering the ~~Company and each Company Subsidiary, in each case, as required under PCI DSS~~Business, and ~~addressed~~ has used reasonable efforts to address and ~~remediated~~ remediate all ~~critical,~~ critical and high risk (or ~~material threats~~ similar designation) threats, and deficiencies identified in those security risk assessments. For each of fiscal year 2018 and 2019, Seller has made available to Purchaser all material third party assessments, certifications, test results, audits or reviews (e.g., SSAE 18, SOC I, II and III, SysTrust, WebTrust, CloudTrust, or perimeter certifications) of the information systems or other equivalent evaluations of the Business in Seller’s possession or control. Seller has made available to Purchaser all material documents regarding Seller’s or any of its Subsidiaries’ certification to, adoption of, validation of, compliance with, or participation in, any information security frameworks, standards or similar programs, in each case, in connection with or relating to the Business, including the US Federal Risk and Authorization Management Program, the International Common Criteria Recognition Arrangement, the Federal Identity, Credential and Access Management Framework, the Identity Ecosystem Framework, and the Federal Information Processing Standard Publication 140-2. (df) Except as has not been and would not reasonably be expected to ~~result~~ be, individually or in the aggregate, material ~~liability~~to the Business, ~~disruption~~since April 2, ~~or other material obligation~~ 2016, no Person has, to or Seller’s Knowledge, as of the ~~Company or any Company Subsidiary~~date hereof, ~~since March 28, 2020, (i) provided a written notice or audit request to the Company or a Company Subsidiary, (ii)~~ made any written complaint or claim against ~~the Company~~ Seller or ~~a Company Subsidiary~~ any of its Subsidiaries or ~~(iii) to the Company’s Knowledge,~~ commenced any ~~Action as~~ Proceeding by or before any Governmental Entity or arbitration body against Seller or any of ~~the entry into this Agreement~~its Subsidiaries, in each case, with respect to (A) any ~~suspected, potential or~~ alleged violation of ~~Data~~ Information Privacy ~~Obligations~~ and Security Laws by ~~the Company~~ Seller, any of its Subsidiaries or any ~~Company Subsidiary~~ third party in relation to such third party’s collection, maintenance, storage, use, processing, disclosure, security, transfer or disposal of Protected Information on behalf of Seller or any of its Subsidiaries, (B) any of ~~the Company~~Seller’s or ~~a Company Subsidiary’s~~ its Subsidiaries’ privacy or data security ~~practices~~practices with respect to Protected Information, including any ~~Security Incident~~loss, damage or unauthorized access, acquisition, use, disclosure, modification or other misuse of any Protected Information maintained by or on behalf of Seller or any of its Subsidiaries or (C) any provisions governing privacy, data protection, or information security matters in any Business Contracts to which Seller or any of its Subsidiaries is a party, in each case, in connection with or relating to the Business. (eg) ~~The Company~~ Except as would not reasonably be expected to be, individually or in the aggregate, material to the Business, (i) Seller and ~~the Company~~ its Subsidiaries have in place ~~written~~ incident response and disaster recovery ~~plans~~ plans, procedures and ~~procedures~~ facilities that satisfy applicable Law and Seller’s and its Subsidiaries’ obligations under all Business Contracts with ~~respect~~ all customers, vendors, suppliers and subcontractors of the Business, and (ii) Seller and its Subsidiaries are in compliance therewith. (h) To Seller’s Knowledge, no Software included in any Business Product contains any undisclosed disabling codes or instructions, “time bombs,” “Trojan horses,” “back doors,” “trap doors,” “worms,” viruses, bugs, faults, security vulnerabilities or other Software routines, in any case that have resulted in or that may reasonably result in (i) any Person accessing without authorization or disabling or erasing any Business Product, (ii) a significant adverse effect on the functionality of any Business Product or (iii) unauthorized acquisition of or access to confidential or proprietary information or Protected Information created, received, maintained or transmitted on or through any Business Product, except, in the case of (i), (ii) or (iii), as has not been and would not reasonably be expected to be, individually or in the aggregate, material to the ~~IT Assets that they have identified as essential to the continuity of their business~~Business.

Appears in 2 contracts

Samples: Asset Purchase Agreement (Broadcom Inc.), Asset Purchase Agreement (Symantec Corp)

Privacy and Data Protection. (a) ~~Except as would not~~ The operation of the Business complies and, since January 1, 2021, has complied with Privacy Requirements. 50213729.30 (b) The Business has implemented and maintains physical, technical, and administrative safeguards, compliant with Privacy Requirements, that are reasonably ~~be expected~~ designed to ~~have, individually or in the aggregate, a Company Material Adverse Effect:~~ (i) protect the ~~Company’s and each Company Subsidiary’s~~operation, confidentiality, integrity, accessibility, and to the Company’s Knowledge, each Data Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, security of Personal ~~Data~~Information stored, ~~have~~collected, ~~since March 28~~or otherwise processed by or on behalf of the Business and the Information Technology on which such Personal Information is Processed, ~~2020~~and (ii) identify and alert the Business to, ~~complied~~ and permit response to, any Data Breach experienced by the Business. (c) Since January 1, 2021, the Business has not experienced a Data Breach that would require notification to regulators, law enforcement, Governmental Entity, customers, consumers, or other affected parties under Privacy Laws. (d) The Business has made all required registrations and notifications in accordance with ~~their respective obligations arising~~ Privacy Requirements, and all such registrations and notifications are current, complete, and accurate in all material respects. (e) Since January 1, 2021, the Business has not received any subpoenas, demands, or other written notices from ~~(in each case~~any Governmental Entity investigating, inquiring into, or otherwise relating to any actual or potential violation of any Privacy Requirement, and the Business is not, to the ~~extent applicable~~Knowledge of Seller, under investigation by any Governmental Entity, law enforcement, or other party for any actual or potential violation of any Privacy Requirement. Since January 1, 2021, the Business has not been served or threatened with any notice, complaint, claim, inquiry, audit, enforcement action, or litigation related to any alleged potential or actual violation of a Privacy Requirement. (f) (A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such obligations, collectively, “Data Privacy Obligations”); (ii) the Company and each Company Subsidiary have all rights, authority, consents and authorizations necessary to receive, retain, access, use and disclose the Personal Data in their possession or under their control in connection with the operation of their business as currently retained, accessed, used and disclosed by them, including under the Transactions; and (iii) the Company and each Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the Company and each Company Subsidiary. The execution, delivery, and performance of this Agreement and the ~~Transactions will~~ consummation of the transactions contemplated herein shall not ~~materially conflict with~~ cause, constitute, or result in a material violation or breach of any Data Privacy Obligations. (b) Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, since March 28, 2020, there has been no (i) data security breach of, unauthorized access to, or malicious disruption of any Company IT Systems that transmit or maintain Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries or (ii) incident involving the loss, damage, unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use or unauthorized disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries (clauses (i) and (ii) collectively, a “Security Incident”). Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s Data Partners have, since March 28, 2020, suffered any Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage to any Personal Data held for or on behalf of the Company or any Company Subsidiaries, or violated any Information Privacy and Security Laws with respect thereto. (c) The Company and each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained a written information security program, covering the Company and each Company Subsidiary, designed to meet or exceed applicable industry standards, to (i) identify and address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in their possession, (ii) implement, monitor and improve adequate and effective administrative, technical and physical safeguards to control these risks and protect the proprietary or confidential information (including Protected Information) in their possession, (iii) protect against Security Incidents, and (iv) maintain notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach ~~of security, integrity~~ or privacy compromising data containing Personal Data in their possession. In each of the past three (3) fiscal years, the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) Except as would not reasonably be expected to result in material liability, disruption, or other material obligation to or of the Company or any Company Subsidiary, since March 28, 2020, (i) provided a written notice or audit request to the Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or (iii) to the Company’s Knowledge, commenced any Action as of the entry into this Agreement, in each case, with respect to (A) any suspected, potential or alleged violation of ~~Data~~ a Privacy ~~Obligations by the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security practices, including any Security Incident~~Requirement. (e) The Company and the Company Subsidiaries have in place written disaster recovery plans and procedures with respect to the IT Assets that they have identified as essential to the continuity of their business.

Appears in 1 contract

Samples: Master Transaction Agreement (Arch Capital Group Ltd.)

Privacy and Data Protection. (a) Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect: (i) the Company’s and each Company Subsidiary’s, and to the Company’s Knowledge, each Data Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, of Personal Data, have, since March 28, 2020, complied with their respective obligations arising from (in each case, to the extent applicable) (A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such obligations, collectively, “Data Privacy Obligations”); (ii) the Company and each Company Subsidiary have all rights, authority, consents and authorizations necessary to receive, retain, access, use and disclose the Personal Data in their possession or under their control in connection with the operation of their business as currently retained, accessed, used and disclosed by them, including under the Transactions; and (iii) the Company and each Company Subsidiary its Subsidiaries have at all times ~~posted~~complied with all applicable legal requirements relating to privacy, data protection and the collection and use of personal information and user information gathered or accessed in the course of the operations of Company including any websites owned and/or operated by Company or any of its Subsidiaries (“Company Websites”). Company and each of its Subsidiaries has at all times complied in all respects with all rules, policies and procedures established by Company and its Subsidiaries from time to time with respect to the foregoing. Company and each of its Subsidiaries has since January 1, 2009 posted its privacy-related rules, policies and procedures on the Company Websites, and such statements have accurately reflected Company’s and its Subsidiaries’ actual privacy-related practices, in all material respects. No claims have been asserted or, to the ~~extent required under~~Knowledge of the Company, threatened against Company or any of its Subsidiaries by any Person alleging a violation of such Person’s privacy, personal or confidentiality rights under any laws, regulations, rules, policies or procedures. The consummation of the transactions will not breach or otherwise cause any violation of any such laws, regulations, rules, policies or procedures. With respect to all personal and user information gathered or accessed in ~~accordance with~~the course of the operations of Company or any of its Subsidiaries, ~~applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the~~ Company and each ~~Company Subsidiary~~of its Subsidiaries has at all times taken all steps commercially reasonably necessary (including, without limitation, implementing and monitoring compliance with adequate measures with respect to technical and physical security) to ensure that the information is protected against loss and against unauthorized access, use, modification, disclosure or other misuse. ~~The execution, delivery, and performance~~ To the Knowledge of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy Obligations. (b) Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, since March 28, 2020Company, there has been no ~~(i) data security breach of,~~ unauthorized access toto or other misuse of that information. Section 3.10(k) of the Company Disclosure Schedule identifies and describes each distinct electronic or other database containing (in whole or in part) Personal Data maintained by or for the Company and each of its Subsidiaries at any time (the “Company Databases”), the types of Personal Data in each such database, the means by which the Personal Data was collected, and the security policies that have been adopted and maintained with respect to each such database. Each Company Database that is required to be registered under any Applicable Law has been duly registered and maintained. No breach or ~~malicious disruption~~ violation of any such security policy has occurred or, to the Knowledge of the Company, is threatened, and there has been no unauthorized or illegal use of or access to any of the data or information in any of the Company ~~IT Systems that transmit or maintain Protected Information owned, used, hosted, maintained or controlled by or~~ Databases. Each of the Company and its Subsidiaries and each third party acting on behalf of the Company or its Subsidiaries has acquired, collected and used all Personal Data pursuant to, and in accordance with the terms of, valid and enforceable Contracts. Neither the Company ~~Subsidiaries~~ nor any Subsidiary as obtained, collected, transferred or ~~(ii) incident involving the loss~~used any Personal Data, ~~damage~~or possessed any data that is not publicly available, ~~unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use~~ in violation or ~~unauthorized disclosure~~ breach of any ~~Protected Information owned, used, hosted, maintained~~ Company Contract or controlled by or on behalf of the Company or the Company Subsidiaries (clauses (i) and (ii) collectively, a “Security Incident”). Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s Data Partners have, since March 28, 2020, suffered any Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage to any Personal Data held for or on behalf of the Company or any Company Subsidiaries, or violated any Information Privacy and Security Laws with respect theretoApplicable Law. (c) The Company and each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained a written information security program, covering the Company and each Company Subsidiary, designed to meet or exceed applicable industry standards, to (i) identify and address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in their possession, (ii) implement, monitor and improve adequate and effective administrative, technical and physical safeguards to control these risks and protect the proprietary or confidential information (including Protected Information) in their possession, (iii) protect against Security Incidents, and (iv) maintain notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach of security, integrity or privacy compromising data containing Personal Data in their possession. In each of the past three (3) fiscal years, the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) Except as would not reasonably be expected to result in material liability, disruption, or other material obligation to or of the Company or any Company Subsidiary, since March 28, 2020, (i) provided a written notice or audit request to the Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or (iii) to the Company’s Knowledge, commenced any Action as of the entry into this Agreement, in each case, with respect to (A) any suspected, potential or alleged violation of Data Privacy Obligations by the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security practices, including any Security Incident. (e) The Company and the Company Subsidiaries have in place written disaster recovery plans and procedures with respect to the IT Assets that they have identified as essential to the continuity of their business.

Appears in 1 contract

Samples: Share Purchase Agreement (Wave Systems Corp)

Privacy and Data Protection. (a) Except as has not had or would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect: , (i) the ~~Company’s~~ Company and each Company Subsidiary’s, and to the Company’s Knowledge, each Data Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, of Personal Data, have, since March 28, 2020, complied with their respective obligations arising from (in each case, to the extent applicable) (A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company ~~or Company Subsidiary are bound~~ Subsidiaries have complied and ~~that govern their respective use of Personal Data~~presently comply with all applicable Privacy Requirements, ~~and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such obligations, collectively, “Data Privacy Obligations”);~~ (ii) the Company and ~~each~~ the Company ~~Subsidiary~~ Subsidiaries have ~~all rights~~taken commercially reasonable actions (including reasonable administrative, ~~authority, consents~~ technical and ~~authorizations necessary~~ physical safeguards) to ~~receive, retain, access, use and disclose the~~ protect Personal ~~Data~~ Information in their possession or under their control ~~in connection with the operation of their business as currently retained~~against unauthorized or unlawful access, ~~accessed~~acquisition, ~~used and disclosed by them~~use, ~~including under the Transactions;~~ modification, disclosure or other misuse or loss, and (iii) the Company and each of the Company Subsidiaries have taken commercially reasonable steps to require all third-party service providers, outsourcers, processors or other Persons who process, store or otherwise handle Personal Information for or on behalf of the Company or any of the Company Subsidiaries to comply with all applicable Privacy Requirements, restrict such Persons from any use or disclosure of such Personal Information other than to provide the contracted-for services and require such Persons to take reasonable or appropriate steps to protect and secure Personal Information from unauthorized or unlawful access, acquisition, use, modification, disclosure or other misuse or loss and to promptly notify the Company or Company Subsidiary ~~have at all times posted~~in the event of a breach of security of such Personal Information. (b) Except as has not had or would not reasonably be expected to have, to individually or in the ~~extent required under~~aggregate, ~~and in accordance with~~a Company Material Adverse Effect, ~~applicable Data~~ (i) since January 1, 2021, neither the Company nor any of the Company Subsidiaries has received any written notice from any Governmental Entity or other Person alleging a violation of any Privacy ~~Obligations, privacy policies governing their use of Personal Data on their websites made available~~ Requirements by the Company or any of the Company Subsidiaries, nor has the Company or any Company Subsidiary been threatened in writing to be charged with any such violation by any Governmental Entity or other Person; and ~~each~~ (ii) since January 1, 2021, there has been no unauthorized or unlawful access, acquisition, use, modification, disclosure or other security incident involving Personal Information or other confidential or proprietary data in possession or under the control of the Company ~~Subsidiary. The~~ or any of the Company Subsidiaries. (c) Except as has not had or would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, the execution, ~~delivery,~~ delivery and performance of this Agreement and the consummation of the Transactions will not ~~materially conflict with or result in a material violation or breach of~~ violate any ~~Data~~ Privacy ~~Obligations~~Requirements. (bd) Except as has not had or would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, (i) the Company or one of the Company Subsidiaries owns or has a valid right to access and use all IT Systems material to the operation of the business of the Company and the Company Subsidiaries as currently conducted; (ii) the IT Systems are reasonably sufficient for the existing needs of the Company and any Company Subsidiary; (iii) since January 1, 2021, the Company and each Company Subsidiary have taken commercially reasonable steps and implemented commercially reasonable safeguards (but in any event no less than is required by applicable Laws) to protect the IT Systems from Contaminants and, to the Knowledge of the Company, the IT Systems and currently free of such Contaminants; and (iv) since January 1, 2021, the Company and the Company Subsidiaries have implemented and maintained commercially reasonable business continuity and disaster recovery plans, procedures and facilities that comply with applicable Privacy Requirements. (e) Except as has not had or would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, since ~~March 28~~January 1, ~~2020, there has been no~~ 2021: (i) data security breach of, unauthorized access to, or malicious disruption of any Company IT Systems that transmit or maintain Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries or (ii) incident involving the loss, damage, unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use or unauthorized disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries (clauses (i) and (ii) collectively, a “Security Incident”). Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s Data Partners have, since March 28, 2020, suffered any Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage to any Personal Data held for or on behalf of the Company or any Company Subsidiaries, or violated any Information Privacy and Security Laws with respect thereto. (c) The Company and each Company Subsidiary ~~have~~have taken commercially reasonable measures to provide for the back-up and recovery of Company or Company Subsidiary data without material disruption to, ~~and have required their Data Partners to have~~or material interruption in, ~~implemented, monitored and maintained a written information security program, covering~~ the conduct of the business of the Company ~~and each~~ or Company Subsidiary, designed to meet or exceed applicable industry standards, to (i) identify and address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in their possession, ; (ii) ~~implement, monitor and improve adequate and effective administrative, technical and physical safeguards~~ there has been no failure with respect to ~~control these risks and protect~~ any IT Systems that has had a material effect on the proprietary or confidential information (including Protected Information) in their possession, (iii) protect against Security Incidents, and (iv) maintain notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach of security, integrity or privacy compromising data containing Personal Data in their possession. In each of the past three (3) fiscal years, the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) Except as would not reasonably be expected to result in material liability, disruption, or other material obligation to or operations of the Company or any Company Subsidiary~~, since March 28, 2020, (i) provided a written notice or audit request to the Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or~~ ; and (iii) there has been no cyber-attack, unauthorized access to ~~the Company’s Knowledge, commenced~~ or use of (whether without authorization or in breach of an authorization) or harm to any ~~Action as of the entry into this Agreement, in each case, with respect to~~ IT Systems (~~A) any suspected, potential or alleged violation of Data Privacy Obligations by the Company~~ or any ~~Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy~~ Software or data ~~security practices, including~~ stored on any ~~Security Incident~~IT Systems). (e) The Company and the Company Subsidiaries have in place written disaster recovery plans and procedures with respect to the IT Assets that they have identified as essential to the continuity of their business.

Appears in 1 contract

Samples: Merger Agreement (M.D.C. Holdings, Inc.)

Privacy and Data Protection. (a) Except as would not reasonably be expected to ~~have~~be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a ~~Company Material Adverse Effect:~~ whole, (i) the ~~Company’s~~ Company and ~~each~~ the Company ~~Subsidiary’s~~Subsidiaries have at all times complied, and to the Company’s Knowledge, each Data Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, of Personal Data, have, since March 28, 2020, complied presently comply with ~~their respective obligations arising from (in each case, to the extent applicable) (A)~~ all ~~Information~~ applicable Privacy ~~and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data~~Legal Requirements, and ~~(E) all consents~~ their own privacy policies, terms of use and ~~authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such~~ contractual obligations, ~~collectively, “Data Privacy Obligations”);~~ (ii) the Company and ~~each Company Subsidiary~~ its Subsidiaries have ~~all rights~~taken appropriate actions (including reasonable and appropriate administrative, ~~authority, consents~~ technical and ~~authorizations necessary~~ physical safeguards) to ~~receive, retain, access, use and disclose the~~ protect Personal ~~Data~~ Information in their possession or under their control ~~in connection with the operation of their business as currently retained~~against unauthorized or unlawful access, ~~accessed~~use, ~~used and disclosed by them~~modification, ~~including under the Transactions;~~ disclosure or other misuse, and (iii) the Company and each ~~Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use~~ of ~~Personal Data on their websites made available by~~ the Company Subsidiaries have entered into written agreements with all third-party service providers, outsourcers, processors or other Persons who process, store or otherwise handle Personal Information for or on behalf of the business of the Company or any of the Company Subsidiaries that obligate such Persons to comply with all applicable Privacy Legal Requirements and ~~each Company Subsidiary. The execution~~to take steps to protect and secure Personal Information from loss, ~~delivery~~theft, ~~and performance of this Agreement and the Transactions will not materially conflict with~~ misuse or ~~result in a material violation~~ unauthorized use, access, modification or ~~breach of any Data Privacy Obligations~~disclosure. (b) Except as would not reasonably be expected to ~~have~~be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a whole, (i) since April 1, 2018, neither the Company ~~Material Adverse Effect~~nor any of the Company Subsidiaries has received any written notice from any applicable Governmental Entity alleging a violation of any Privacy Legal Requirements by the Company or any of the Company Subsidiaries, nor has the Company or any Company Subsidiary been threatened in writing to be charged with any such violation by any Governmental Entity; and (ii) to the Knowledge of the Company, since ~~March 28~~January 1, ~~2020~~2019, there has been no ~~(i) data security breach of~~unauthorized use, ~~unauthorized access to~~access, disclosure, or ~~malicious disruption~~ other security incident of ~~any Company IT Systems that transmit~~ or ~~maintain Protected~~ involving Personal Information ~~owned~~collected, ~~used, hosted, maintained~~ used in connection with or ~~controlled by or on behalf~~ under the control of the Company or the Company Subsidiaries or (ii) incident involving the loss, damage, unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use or unauthorized disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries (clauses (i) and (ii) collectively, a “Security Incident”). Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s Data Partners have, since March 28, 2020, suffered any Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage to any Personal Data held for or on behalf business of the Company or any of the Company Subsidiaries~~, or violated any Information Privacy and Security Laws with respect thereto~~. (c) The Company and each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained a written information security program, covering the Company and each Company Subsidiary, designed to meet or exceed applicable industry standards, to (i) identify and address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in their possession, (ii) implement, monitor and improve adequate and effective administrative, technical and physical safeguards to control these risks and protect the proprietary or confidential information (including Protected Information) in their possession, (iii) protect against Security Incidents, and (iv) maintain notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach of security, integrity or privacy compromising data containing Personal Data in their possession. In each of the past three (3) fiscal years, the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) Except as would not reasonably be expected to ~~result~~ be, individually or in the aggregate, material ~~liability, disruption, or other material obligation~~ to ~~or of~~ the Company ~~or any~~ and the Company ~~Subsidiary~~Subsidiaries, ~~since March 28, 2020~~taken as a whole, (i) ~~provided a written notice or audit request to~~ the Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or (iii) to the Company’s Knowledge, commenced any Action as of the entry into this Agreement, in each case, with respect to (A) any suspected, potential or alleged violation of Data Privacy Obligations by the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security practices, including any Security Incident. (e) The Company and the Company Subsidiaries have in place ~~written~~ incident response and disaster recovery ~~plans~~ plans, procedures and ~~procedures~~ facilities that satisfy applicable Law and the Company’s and the Company Subsidiaries’ obligations under Contracts with ~~respect to~~ all customers, vendors, suppliers and subcontractors of the ~~IT Assets that they have identified as essential to~~ Company, and the ~~continuity of their business~~Company Subsidiaries, and (ii) the Company and the Company Subsidiaries are in compliance therewith.

Appears in 1 contract

Samples: Merger Agreement (U.S. Concrete, Inc.)

Privacy and Data Protection. (a) ~~Except~~ The Company’s use, and each Company Subsidiary’s use, of PII and Protected Health Information (PHI, as ~~would not reasonably be expected to have~~that term is defined under HIPAA) complies, ~~individually or~~ and has complied, in ~~the aggregate, a Company Material Adverse Effect~~all material respects with: (i) HIPAA and Other Privacy Laws; (ii) PCI DSS, as applicable; and (iii) all obligations under the contracts of the Company and the Company Subsidiaries (including Business Associate Agreements) relating to PHI or PII. The Company and each Company Subsidiary has all necessary authority, consents and authorizations to use the PHI and PII in the Company’s ~~and each~~ possession or the Company Subsidiary’s’s possession, as applicable, or under their control in connection with their business. (b) Employees of the Company and the Company Subsidiaries who have access to PII and PHI have received reasonable training with respect to compliance with all relevant HIPAA and Other Privacy Laws and all relevant internal policies and procedures relating to privacy, data protection, and to security. The Company and the Company Subsidiaries have maintained reasonable documentation of such training activities. (c) To the Company’s Knowledge, ~~each Data Partner’s~~since January 1, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, of Personal Data, have, since March 28, 2020, complied with their respective obligations arising from (in each case, to the extent applicable) (A) all Information Privacy and Security Laws2016, (B1) ~~PCI DSS~~there have been no unauthorized intrusions or breaches of the security of the computer software, ~~(C) all Privacy Statements~~middleware and systems, ~~(D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data~~firmware, information technology equipment, computer hardware, servers, networks, platforms, peripherals, data communication lines, and ~~(E) all consents~~ other information technology equipment and ~~authorizations that apply to the Personal Data that have been obtained~~ related systems, and associated documentation owned or controlled by the Company ~~or a Company Subsidiary (such obligations, collectively, “Data Privacy Obligations”); (ii)~~ and the Company ~~and each Company Subsidiary have all rights, authority, consents and authorizations necessary to receive, retain, access, use and disclose the Personal Data in their possession or under their control~~ Subsidiaries in connection with the operation of their business ~~as currently retained~~(the “IT Assets”) and (2) neither the Company nor any Company Subsidiary has received any written notice of any unauthorized intrusions or breaches of the security of any computer software, ~~accessed~~middleware and systems, firmware, information technology equipment, computer hardware, servers, networks, platforms, peripherals, data communication lines, and other information technology equipment and related systems, and associated documentation used or relied upon by the Company and ~~disclosed~~ the Company Subsidiaries in connection with the operation of their business that was not provided to all users of such IT Assets or is otherwise public knowledge. The IT Assets have not malfunctioned or failed since January 1, 2016 in a manner that has caused or would reasonably be expected to cause material disruption to the Company’s and the Company Subsidiaries’ business and, to the Company’s Knowledge, do not contain any viruses, malware, bugs, vulnerabilities identified in the U.S. National Vulnerability Database maintained by ~~them~~the Department of Homeland Security and the National Institute of Standards and Technology, ~~including under~~ or faults that have or would reasonably be expected to (i) cause any material disruption to the ~~Transactions;~~ Company’s and the Company Subsidiaries’ business, (ii) enable or assist any Person to access without authorization the IT Assets or any information in the IT Assets, if such access would have a material adverse impact on the Company’s and the Company Subsidiaries’ business, or (iii) otherwise materially adversely affect the functionality of the IT Assets, except as disclosed in their documentation. (d) The Company and each Company Subsidiary ~~have~~ is, and at all times ~~posted~~since January 1, 2016 has been, in material compliance with HIPAA and Other Privacy Laws. Neither the Company nor any Company Subsidiary is currently subject to any fine, penalty, or Liability as a result of a failure to comply with any requirement of HIPAA and Other Privacy Laws. (e) Since January 1, 2016, the Company and the Company Subsidiaries have made all necessary filings and registrations and have provided all necessary notices under HIPAA and the Other Privacy Laws. Neither the Company nor the Company Subsidiaries has received any notice of deficiency or noncompliance, warning letter, notice of required corrective action or other similar communication with respect to any alleged violation of HIPAA and the Other Privacy Laws from a Governmental Authority or other Person (including any school district, school, local education agency, or department or division of any state, including a state department of education or similar). (f) The Company and the Company Subsidiaries have executed current and valid “Business Associate Agreements” (as described in 45 C.F.R. §§ 164.502(e) and 164.504(e)) with each (a) “covered entity” (as defined at 45 C.F.R. § 160.103) for whom the Company or the Company Subsidiaries provide functions or activities that render that entity a “business associate” (as defined at 45 C.F.R. § 160.103)), or (b) “subcontractor” (as defined at 45 C.F.R. § 160.103) of the Company or the Company Subsidiaries that are a business associates (pursuant to paragraph (3)(iii) of the definition of “business associate” at 45 C.F.R. § 160.103). Neither the Company nor any Company Subsidiaries have breached in any material respect any such Business Associate Agreement and, to the ~~extent required under~~Company’s Knowledge, ~~and~~ no covered entity or subcontractor has breached in ~~accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available~~ any material respect any such Business Associate Agreement with the Company or any Company Subsidiaries. There have been no material complaints received by the Company ~~and each~~ or the Company ~~Subsidiary~~Subsidiaries, or investigations by the Office for Civil Rights, with respect to HIPAA compliance of the Company or any Company Subsidiaries or, to the Company’s Knowledge, their respective subcontractors, or by state authorities with respect to the Company’s or the Company Subsidiaries’ compliance with all similar state Laws governing the privacy, security or confidentiality of medical and/or health information of patients. ~~The execution~~Except as set forth in Section 2.22(f) of the Company Disclosure Schedule, ~~delivery~~neither the Company nor any Company Subsidiaries nor, ~~and performance~~ to the Company’s Knowledge, any of ~~this Agreement and the Transactions will not materially conflict with or result in a material violation or~~ their subcontractors have experienced any (a) breach of ~~any Data Privacy Obligations.~~ security, as defined by HIPAA or similar state Laws, with respect to medical or health information of patients, (b) ~~Except~~ Breach of Unsecured Protected Health Information, as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, since March 28, 2020, there has been no (i) data security breach of, unauthorized access to“Breach,” “Unsecured Protected Health Information,” and “Protected Health Information” are defined by HIPAA, or ~~malicious disruption of any Company IT Systems~~ (c) a Security Incident, as “Security Incident” is defined by HIPAA, that ~~transmit~~ has the potential to impact the security or ~~maintain Protected Information owned, used, hosted, maintained or controlled by or on behalf~~ integrity of the Company or the Company Subsidiaries or (ii) incident involving the loss, damage, unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use or unauthorized disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries (clauses (i) and (ii) collectively, a “Security Incident”)other covered entity data. Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s Data Partners have, since March 28, 2020, suffered any Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage to any Personal Data held for or on behalf of the Company or any Company Subsidiaries, or violated any Information Privacy and Security Laws with respect thereto. (c) The Company and each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained a written information security program, covering the Company and each Company Subsidiary, designed to meet or exceed applicable industry standards, to (i) identify and address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in their possession, (ii) implement, monitor and improve adequate and effective administrative, technical and physical safeguards to control these risks and protect the proprietary or confidential information (including Protected Information) in their possession, (iii) protect against Security Incidents, and (iv) maintain notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach of security, integrity or privacy compromising data containing Personal Data in their possession. In each of the past three (3) fiscal years, the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) Except as would not reasonably be expected to result in material liability, disruption, or other material obligation to or of the Company or any Company Subsidiary, since March 28, 2020, (i) provided a written notice or audit request to the Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or (iii) to the Company’s Knowledge, commenced any Action as of the entry into this Agreement, in each case, with respect to (A) any suspected, potential or alleged violation of Data Privacy Obligations by the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security practices, including any Security Incident. (e) The Company and the Company Subsidiaries have identified, documented and addressed Security Incidents that have the potential to impact in ~~place written disaster recovery plans and procedures with~~ any material respect to the ~~IT Assets that they have identified as essential to~~ security and/or integrity of user data and/or the ~~continuity~~ contractual obligations of ~~their business~~the Company or the Company Subsidiaries.

Appears in 1 contract

Samples: Stock Purchase Agreement (Amn Healthcare Services Inc)

Privacy and Data Protection. (a) Except as would ~~not reasonably be expected to have~~not, individually or in the aggregate, a Company Material Adverse Effect: (i) the Company’s and each Company Subsidiary’s, and to the Company’s Knowledge, each Data Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, of Personal Data, have, since March 28, 2020, complied with their respective obligations arising from (in each case, to the extent applicable) (A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such obligations, collectively, “Data Privacy Obligations”); (ii) the Company and each Company Subsidiary have all rights, authority, consents and authorizations necessary to receive, retain, access, use and disclose the Personal Data in their possession or under their control in connection with the operation of their business as currently retained, accessed, used and disclosed by them, including under the Transactions; and (iii) the Company and each Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the Company and each Company Subsidiary. The execution, delivery, and performance of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy Obligations. (b) Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, since ~~March 28~~January 1, ~~2020~~2022, there has been no (i) data security breach of, unauthorized access to, or malicious disruption of any Company IT Systems that transmit or maintain Protected Information owned, used, hosted, maintained or controlled by or on behalf each of the Company or the Company Subsidiaries or (ii) incident involving the loss, damage, unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use or unauthorized disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries (clauses (i) and (ii) collectively, a “Security Incident”). Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s Data Partners have, since March 28, 2020, suffered any Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage to any Personal Data held for or on behalf of the Company or any Company Subsidiaries, or violated any Information Privacy and Security Laws with respect thereto. (c) The Company and each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained a written information security program, covering the Company and each Company Subsidiary, designed to meet or exceed applicable industry standards, to is in material compliance with (i) ~~identify~~ its posted website privacy policies and ~~address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in their possession,~~ (ii) ~~implement, monitor and improve adequate and effective administrative, technical and physical safeguards~~ the applicable Privacy Laws relating to control these risks and protect the proprietary or confidential information (including Protected Information) in their possession, (iii) protect against Security Incidents, and (iv) maintain notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach of security, integrity or privacy compromising data containing Personal Data in their possession. In each of the past three (3) fiscal years, the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessmentsData. (d) Except as would not reasonably be expected to result in material liability, disruption, or other material obligation to or of the Company or any Company Subsidiary, since March 28, 2020, (i) provided a written notice or audit request to the Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or (iii) to the Company’s Knowledge, commenced any Action as of the entry into this Agreement, in each case, with respect to (A) any suspected, potential or alleged violation of Data Privacy Obligations by the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security practices, including any Security Incident. (eb) The Company and the Company Subsidiaries have commercially reasonable security procedures in place ~~written disaster recovery plans and procedures with respect~~ designed to protect Personal Data they receive from unauthorized access, use or disclosure. To the Knowledge of the Company, since January 1, 2022, the Company has not experienced any unauthorized access, acquisition, theft, destruction, or compromise of any Personal Data in their possession, custody, or control, which, individually or in the aggregate, has had or would reasonably be expected to have a Company Material Adverse Effect. Since January 1, 2022, neither the Company nor any Company Subsidiary has, to the ~~IT Assets that they have identified as essential~~ Knowledge of the Company, been legally required to provide any notices to data owners in connection with an unauthorized disclosure of Personal Data in their possession, custody, or control and neither the Company nor any Company Subsidiary has provided any such notice. (c) To the Knowledge of the Company, neither the Company nor any Company Subsidiary has been for the past three (3) years, and is not currently under investigation by any state, federal, or foreign jurisdiction regarding its protection, storage, use, disclosure, and transfer of Personal Data. (d) Since January 1, 2022, to the ~~continuity~~ Knowledge of ~~their business~~the Company, neither the Company nor any Company Subsidiary has received any written claim, complaint, inquiry, or notice from any governmental, regulatory, or self-regulatory authority or entity related to the Company’s collection, processing, use, storage, security, or disclosure of Personal Data, alleging that any of these activities are in violation of any Privacy Law.

Appears in 1 contract

Samples: Agreement and Plan of Merger (Poseida Therapeutics, Inc.)

Privacy and Data Protection. (a) ~~Except~~ Neither the execution, delivery or performance of this Agreement or any Related Agreement nor the consummation of the Transactions will, with or without notice or the lapse of time, result in a loss by the Company or any Company Subsidiary of any rights to any Company Data. All Company Data will be fully available, transferable, alienable, exploitable, licensable by the Surviving Company following the Closing Date without material restriction (other than any restriction imposed by applicable Law or Contract) and without material payment of any kind to any Person in substantially the same manner and to the same extent as ~~would not reasonably be expected~~ immediately prior to ~~have, individually or in~~ the ~~aggregate, a Company Material Adverse Effect:~~ Closing Date. (b) (i) The Company and the ~~Company’s and each~~ Company ~~Subsidiary’s~~Subsidiaries have at all times complied, and ~~to the Company’s Knowledge~~presently comply, ~~each Data Partner’s~~in all material respects, ~~receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal~~ with applicable Privacy Legal Requirements and ~~security, as the case may be, of~~ their own Privacy Statements regarding Personal Data, ~~have, since March 28, 2020, complied with their respective obligations arising from~~ (~~in each case, to the extent applicable~~ii) ~~(A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which~~ the Company or and the Company ~~Subsidiary are bound and that govern their respective use~~ Subsidiaries have not received any written notice from any applicable Governmental Entity alleging a material violation of ~~Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained~~ any Privacy Legal Requirements by the Company or a Company ~~Subsidiary~~ Subsidiary, and (~~such obligations, collectively, “Data Privacy Obligations”); (ii~~iii) the Company and ~~each~~ the Company ~~Subsidiary~~ Subsidiaries (or United and its Subsidiaries acting on behalf of the Company) have ~~all rights~~taken appropriate actions (including implementing reasonable technical, ~~authority, consents and authorizations necessary~~ physical or administrative safeguards) to ~~receive, retain, access, use and disclose the~~ protect Personal Data in their possession or under their control against any unauthorized use, access or disclosure, including when such Personal Data is provided or made available to a third Person. Since January 1, 2018, to the Knowledge of the Company, there has been no unauthorized use, access, disclosure or other security incident of or involving Personal Data collected by, or used in connection with ~~the operation of their business as currently retained, accessed, used and disclosed by them, including~~ or under the ~~Transactions; and (iii)~~ control of the business of, the Company and each Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the Company and each Company Subsidiary. The execution, delivery, and performance of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy ObligationsSubsidiaries. (bc) Except as has not been and would not reasonably be expected to ~~have~~be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a ~~Company Material Adverse Effect~~whole, since ~~March 28~~January 1, ~~2020~~2018, ~~there has been no~~ (i) ~~data~~ there have been no security ~~breach of, unauthorized access to, or malicious disruption of any Company IT Systems that transmit or maintain Protected Information owned, used, hosted, maintained or controlled by or on behalf~~ breaches in the information technology systems used in the operation of the Company ~~or the Company Subsidiaries or (ii) incident involving the loss~~Business, damage, unauthorized access, unauthorized acquisition, unauthorized modification, unauthorized use or unauthorized disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries (clauses (i) and (ii) ~~collectively, a “Security Incident”). Except as would not reasonably be expected to have, individually or~~ there have been no disruptions in any such information technology systems that adversely affected the ~~aggregate, a Company Material Adverse Effect, none~~ operations of the Company’s or any Company Subsidiary’s Data Partners have, since March 28, 2020, suffered any Security Incident that resulted in any unauthorized access to, unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage to any Personal Data held for or on behalf business of the Company ~~or any~~ and the Company Subsidiaries, or violated any Information Privacy and Security Laws with respect thereto. (c) The Company and each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained a written information security program, covering the Company and each Company Subsidiary, designed to meet or exceed applicable industry standards, to (i) identify and address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in their possession, (ii) implement, monitor and improve adequate and effective administrative, technical and physical safeguards to control these risks and protect the proprietary or confidential information (including Protected Information) in their possession, (iii) protect against Security Incidents, and (iv) maintain notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach of security, integrity or privacy compromising data containing Personal Data in their possession. In each of the past three (3) fiscal years, the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) ~~Except as would not reasonably be expected~~ Notwithstanding any other provision of this Agreement to ~~result~~ the contrary, the representations and warranties contained in ~~material liability, disruption, or other material obligation to or~~ this Section 3.15 are the sole and exclusive representations and warranties of the Company or any Company Subsidiary, since March 28, 2020, (i) provided a written notice or audit request to the Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or (iii) to the Company’s Knowledge, commenced any Action as of the entry into this Agreement, in each case, with respect to ~~(A) any suspected, potential or alleged violation of Data~~ Privacy ~~Obligations by the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security practices, including any Security Incident~~Legal Requirements. (e) The Company and the Company Subsidiaries have in place written disaster recovery plans and procedures with respect to the IT Assets that they have identified as essential to the continuity of their business.

Appears in 1 contract

Samples: Stock Purchase and Agreement and Plan of Merger (Reinvent Technology Partners Y)

Privacy and Data Protection. (a) ~~Except~~ Since May 1, 2019, except as ~~would~~ has not ~~reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect: (i) the Company’s~~ had and each Company Subsidiary’s, and to the Company’s Knowledge, each Data Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, of Personal Data, have, since March 28, 2020, complied with their respective obligations arising from (in each case, to the extent applicable) (A) all Information Privacy and Security Laws, (B) PCI DSS, (C) all Privacy Statements, (D) all Contracts to which the Company or Company Subsidiary are bound and that govern their respective use of Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such obligations, collectively, “Data Privacy Obligations”); (ii) the Company and each Company Subsidiary have all rights, authority, consents and authorizations necessary to receive, retain, access, use and disclose the Personal Data in their possession or under their control in connection with the operation of their business as currently retained, accessed, used and disclosed by them, including under the Transactions; and (iii) the Company and each Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the Company and each Company Subsidiary. The execution, delivery, and performance of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy Obligations. (b) Except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, ~~since March 28~~(i) the Company’s and each Company Subsidiary’s receipt, ~~2020~~collection, monitoring, maintenance, hosting creation, transmission, use, analysis, disclosure, storage, disposal and security, as the case may be, of Protected Information and, to the Company’s Knowledge, any such activities performed or handled by authorized third parties on the Company’s or a Company Subsidiary’s behalf, have complied with, and (ii) neither the execution and delivery of this Agreement nor the consummation of the Transactions will result in the Company, any Company Subsidiary, Verona Surviving LLC or Verona Converted LLC being in breach or violation of, (A) provisions governing privacy, data protection, or information security matters in any Contracts to which the Company or any Company Subsidiary is a party, (B) applicable Information Privacy and Security Laws, (C) all applicable policies and procedures adopted by the Company or a Company Subsidiary relating to privacy, data protection, or information security with respect to Protected Information, including the Privacy Statements and such policies and procedures relating to access control, vulnerability management, incident response and overall network security and (D) all applicable consents and authorizations that apply to Protected Information that have been obtained by the Company or a Company Subsidiary. Except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, the Company and each Company Subsidiary have all rights, authority, consents and authorizations necessary to receive, access, use and disclose the Protected Information in their possession or under their control in connection with the operation of their business as presently conducted. (b) Since May 1, 2019, to the Company’s Knowledge, except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, there has been no (i) data security breach of, unauthorized access to, or malicious disruption of any Company ~~IT Systems~~ Products or any Company or Company Subsidiary systems, networks or information technology that ~~transmit~~ transmits or ~~maintain~~ maintains Protected Information ~~owned~~or other confidential information, ~~used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries~~ or (ii) ~~incident~~ other incidents involving the ~~loss, damage,~~ unauthorized access, ~~unauthorized~~ acquisition, ~~unauthorized modification, unauthorized~~ use or ~~unauthorized~~ disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company ~~Subsidiaries (clauses (i)~~ Subsidiaries, including any such unauthorized access, acquisition, use or disclosure of Protected Information that would constitute a breach for which notification by the Company or any Company Subsidiary to individuals or Governmental Entities is required under any applicable Information Privacy and ~~(ii) collectively~~Security Laws or Contracts to which the Company or a Company Subsidiary is a party. To the Company’s Knowledge, ~~a “Security Incident”). Except~~ since May 1, 2019, except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, none of the Company’s or any Company Subsidiary’s ~~Data Partners have~~material vendors, ~~since March 28~~suppliers, ~~2020~~distributors and subcontractors, have (i) suffered any ~~Security Incident~~ security breach that resulted in any unauthorized access toto or use of any Protected Information, ~~unauthorized modification of, unauthorized use of, unauthorized disclosure of or loss of or damage~~ (ii) breached any obligations relating to ~~any Personal Data held for or on behalf of~~ Protected Information in Contracts with the Company or any Company ~~Subsidiaries,~~ Subsidiary or (iii) violated any Information Privacy and Security ~~Laws with respect thereto~~Laws. (c) The Company maintains and ~~each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained~~ implements a reasonable written information security ~~program,~~ program covering the Company and each Company ~~Subsidiary,~~ Subsidiary designed ~~to meet or exceed applicable industry standards,~~ to (i) identify and address internal and external risks to the ~~security, integrity or privacy~~ security of any ~~proprietary or~~ confidential information (in their possession, including Protected Information~~) in their possession~~, (ii) implement, monitor and improve ~~adequate and effective~~ reasonable administrative, technical and physical safeguards to control these risks and ~~protect the proprietary or confidential information (including Protected Information) in their possession,~~ (iii~~) protect against Security Incidents, and (iv~~) maintain notification procedures in compliance in all material respects with applicable Information Privacy and Security Laws that require notification to any Person in the case of any breach of ~~security, integrity or privacy~~ security compromising data containing ~~Personal Data in their possession~~Protected Information. In each of 2020 and 2021, except as would not reasonably be expected to be, individually or in the ~~past three (3) fiscal years~~aggregate, material to the Company and the Company Subsidiaries, taken as a whole, the Company ~~and each of the Company Subsidiaries have~~ has performed a security risk assessment covering the Company and each Company Subsidiary, as applicable, in each case, as to the extent required under PCI ~~DSS,~~ DSS and ~~addressed~~ used reasonable efforts to address and ~~remediated~~ remediate all ~~critical,~~ critical or high risk ~~or material~~ threats and deficiencies identified in those security risk assessments. (d) Except as has not had and would not reasonably be expected to ~~result~~ have, individually or in ~~material liability~~the aggregate, ~~disruption~~a Company Material Adverse Effect, ~~or other material obligation~~ since May 1, 2019, no Person has, to or the Company’s Knowledge as of the ~~Company or any Company Subsidiary, since March 28, 2020~~date hereof, (i~~) provided a written notice or audit request to the Company or a Company Subsidiary, (ii~~) made any written claim against the Company or a Company Subsidiary or (~~iii~~ii) ~~to the Company’s Knowledge,~~ commenced any ~~Action as of~~ Proceeding by or before any Governmental Entity against the ~~entry into this Agreement~~Company or a Company Subsidiary, in each case, with respect to (A) any ~~suspected, potential or~~ alleged violation of ~~Data~~ Information Privacy ~~Obligations~~ and Security Laws by the Company, any Company Subsidiary or any third party in such third party’s collection, maintenance, storage, use, processing, disclosure, transfer or disposal of Protected Information for the Company or any Company Subsidiary pursuant to a Contract with the Company or any Company Subsidiary or (B) any of the Company’s or a Company Subsidiary’s privacy or data security ~~practices~~practices with respect to Protected Information, including any ~~Security Incident~~loss, damage or unauthorized access, acquisition, use, disclosure, modification or other misuse of any Protected Information maintained by or on behalf of the Company or the Company Subsidiaries. As of the date hereof, to the Company’s Knowledge, since May 1, 2019, except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect, no Person has provided a complaint (written or otherwise) to the Company or a Company Subsidiary, nor, to the Company’s Knowledge, to any third party, regarding the improper disclosure of Protected Health Information (as defined in HIPAA) by the Company or a Company Subsidiary. (e) ~~The~~ Except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and the Company Subsidiaries, taken as a whole, (i) the Company and the Company Subsidiaries have in place ~~written~~ disaster recovery ~~plans~~ plans, procedures and ~~procedures~~ facilities that satisfy applicable Law and the Company’s and the Company Subsidiaries’ obligations under Contracts with ~~respect~~ all customers, vendors, suppliers, distributors and subcontractors of the Company, and the Company Subsidiaries, and (ii) the Company and the Company Subsidiaries are in compliance therewith. (f) To the Company’s Knowledge, no Software included in any Company Product contains any undisclosed disabling codes or instructions, “time bombs,” “Trojan horses,” “back doors,” “trap doors,” “worms,” viruses, bugs, faults, security vulnerabilities or other Software routines that has resulted in (i) any Person accessing without authorization or disabling or erasing any Company Product, (ii) a significant adverse effect on the functionality of any Company Product or (iii) unauthorized acquisition of or access to confidential or proprietary information created, received, maintained or transmitted through any Company Product, except as would not, in the case of (i), (ii), or (iii), reasonably be expected to be, individually or in the aggregate, material to the ~~IT Assets that they have identified~~ Company and the Company Subsidiaries, taken as ~~essential~~ a whole. (g) The Company and its Subsidiaries are in material compliance with the cybersecurity and information safeguarding provisions of the Company Government Contracts, including but not limited to Defense Federal Acquisition Regulation Supplement 252.204-7012. (h) The Company represents and warrants to the ~~continuity~~ matter set forth on Section 4.15(h) of ~~their business~~the Company Disclosure Letter.

Appears in 1 contract

Samples: Agreement and Plan of Merger (Broadcom Inc.)

Privacy and Data Protection. (a) ~~Except~~ Since the Lookback Date and except as would not reasonably be expected to have, individually or in the aggregate, a ~~Company~~ Material Adverse Effect: , (i) the ~~Company’s~~ Debtors and ~~each Company Subsidiary’s,~~ their Subsidiaries are and ~~to the Company’s Knowledge, each~~ have been in compliance with all applicable Data Partner’s, receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, retention, disposal and security, as the case may be, of Personal Data, have, since March 28, 2020, complied with their respective obligations arising from (in each case, to the extent applicable) (A) all Information Privacy and Security Protection Laws, ~~(B) PCI DSS, (C) all~~ the Privacy Statements, ~~(D) all Contracts to which~~ PCI DSS and the ~~Company or Company Subsidiary are bound and that govern~~ obligations under their respective use of Personal Data, and (E) all consents and authorizations that apply to the Personal Data that have been obtained by the Company or a Company Subsidiary (such obligations, collectively, “Data Privacy Obligations”)Contracts; (ii) the ~~Company~~ Debtors and ~~each Company Subsidiary~~ their Subsidiaries have ~~all rights~~(A) taken appropriate steps reasonably designed to implement and maintain such policies, ~~authority~~procedures, ~~consents~~ and ~~authorizations necessary to receive, retain, access, use and disclose the~~ practices governing Personal Data ~~in their possession or~~ as are required to comply with all applicable Data Protection Laws, the Privacy Statements, PCI DSS and the obligations under their ~~control in connection with the operation of their business as currently retained~~Contracts, ~~accessed, used and disclosed by them, including under the Transactions;~~ and (~~iii~~B) ~~the Company and each Company Subsidiary have at all times posted~~followed such policies, ~~to the extent required under~~procedures, and practices in ~~accordance with, applicable Data Privacy Obligations, privacy policies governing~~ the conduct of the business of the Debtors and their use of Personal Data on their websites made available by the Company and each Company Subsidiary. The execution, delivery, and performance of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy ObligationsSubsidiaries. (b) Except as would not reasonably be expected to have, individually or in the aggregate, a ~~Company~~ Material Adverse Effect, ~~since March 28~~the Debtors and their Subsidiaries have adopted commercially reasonable information security and privacy programs, ~~2020~~including reasonable and appropriate administrative, ~~there has been no (i) data~~ physical, and technical safeguards, to protect the confidentiality, integrity, availability and security ~~breach of, unauthorized access to, or malicious disruption~~ of any Company IT Systems that transmit or maintain Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries or (ii) incident involving the loss, damage, Personal Data against unauthorized access, ~~unauthorized acquisition~~use, ~~unauthorized~~ modification, ~~unauthorized use~~ disclosure or ~~unauthorized disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries~~ other misuse. (~~clauses (i~~c) ~~and (ii) collectively, a “Security Incident”).~~ Except as would not reasonably be expected to have, individually or in the aggregate, a ~~Company~~ Material Adverse Effect, ~~none~~ the Debtors and their Subsidiaries have used commercially reasonable efforts to prevent the introduction into the Systems , and, to the Knowledge of the Company’s , such Systems do not contain, any ransomware, disabling codes or ~~any Company Subsidiary’s Data Partners have~~instructions, ~~since March 28~~spyware, ~~2020~~Trojan horses, ~~suffered any Security Incident~~ worms, viruses or other software routines that ~~resulted in any~~ permit or cause unauthorized access to, ~~unauthorized modification~~ or disruption, impairment, disablement, or destruction of, ~~unauthorized use of~~Software, ~~unauthorized disclosure of~~ data or ~~loss of or damage to any Personal Data held for or on behalf of~~ other materials. Since the ~~Company or any Company Subsidiaries~~Lookback Date, or violated any Information Privacy and Security Laws with respect thereto. (c) The Company and each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained a written information security program, covering the ~~Company and each Company Subsidiary, designed to meet or exceed applicable industry standards, to~~ Systems (i) ~~identify~~ have not suffered any unplanned or critical failures, continued substandard performance, errors, breakdowns or other adverse Events that have caused any disruption or interruption in the operation of the business of the Debtors and ~~address internal and external risks to the security, integrity or privacy of any proprietary or confidential information (including Protected Information) in~~ their ~~possession,~~ Subsidiaries; (ii) implement, monitor and improve adequate and effective administrative, technical and physical safeguards to control these risks and protect the proprietary or confidential information (including Protected Information) have been in ~~their possession,~~ good working order; (iii) ~~protect against Security Incidents,~~ have functioned in accordance with all specifications and any other descriptions under which they were supplied; (iv) ~~maintain notification procedures in compliance with applicable Information Privacy and Security Laws in~~ to the ~~case~~ Knowledge of the Company, have been substantially free of any ~~breach~~ defects, bugs and errors; and (v) have been sufficient for the needs of ~~security~~the business of the Debtors and their Subsidiaries, ~~integrity or privacy compromising data containing Personal Data in their possession. In~~ except, for each of ~~the past three~~ (~~3) fiscal years~~i)-(v), the Company and each of the Company Subsidiaries have performed a security risk assessment covering the Company and each Company Subsidiary, in each case, as required under PCI DSS, and addressed and remediated all critical, high risk or material threats and deficiencies identified in those security risk assessments. (d) Except as would not reasonably be expected to ~~result~~ have, individually or in ~~material liability~~the aggregate, ~~disruption, or other material obligation to or of~~ a Material Adverse Effect. (d) Since the ~~Company or any Company Subsidiary, since March 28, 2020~~Lookback Date, (i) ~~provided a written notice or audit request~~ the Debtors and their Subsidiaries have not suffered any Security Incident, and to the Company or a Company Subsidiary, (ii) made any written claim against the Company or a Company Subsidiary or (iii) to the Company’s Knowledge, commenced any Action as of the entry into this Agreement, in each case, with respect to (A) any suspected, potential or alleged violation of Data Privacy Obligations by the Company or any Company Subsidiary or (B) any Knowledge of the Company’s , no service provider (in the course of providing services for or ~~a Company Subsidiary’s privacy~~ on behalf of the Debtors or ~~data security practices, including~~ any of their Subsidiaries) has suffered any Security Incident, except, for each of (i) and (ii), as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect. To the Knowledge of the Company, there are no pending complaints, actions, fines, or other penalties facing the Debtors or their Subsidiaries in connection with any such Security Incident or other adverse Events relating to Personal Data, except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect. (e) The Company and the Company Subsidiaries have in place written disaster recovery plans and procedures with respect to the IT Assets that they have identified as essential to the continuity of their business.

Appears in 1 contract

Samples: Backstop Commitment Agreement (Spirit Airlines, Inc.)

Privacy and Data Protection. (a) ~~Except~~ Since April 2, 2016, except as has not been and would not reasonably be expected to ~~have~~be, individually or in the aggregate, ~~a Company Material Adverse Effect:~~ material to the Business, (i) ~~the Company~~Seller’s and each ~~Company Subsidiary’s, and to the Company’s Knowledge, each Data Partner’s,~~ of its Subsidiaries’ receipt, collection, monitoring, maintenance, hosting, creation, transmission, use, analysis, disclosure, storage, ~~retention,~~ disposal and security, as the case may be, of ~~Personal Data~~Protected Information and, ~~have~~to Seller’s Knowledge, ~~since March 28~~any such activities performed or handled by authorized third parties on Seller’s or one of its Subsidiary’s behalf, ~~2020, complied with their respective obligations arising from (~~in each ~~case,~~ case in connection with or relating to the ~~extent applicable~~Business, have complied with, and (ii) neither the execution and delivery of this Agreement nor the consummation of the Transactions will result in Seller or any of its Subsidiaries, or, following the Closing, Purchaser, so long as the Protected Information is used in substantially the same manner as it is currently used in the Business, being in breach or violation of, (A) ~~all~~ provisions governing privacy, data protection, or information security matters in any Business Contracts, (B) applicable Information Privacy and Security Laws, (~~B) PCI DSS, (~~C) all applicable policies and procedures adopted by Seller or any of its Subsidiaries relating to privacy, data protection, or information security with respect to Protected Information, including the Privacy ~~Statements~~Statements and such policies and procedures relating to access control, vulnerability management, incident response and overall network security and/or (D) all ~~Contracts to which the Company or Company Subsidiary are bound~~ applicable consents, authorizations and ~~that govern their respective use of Personal Data, and~~ privacy choices (Eincluding opt-out decisions) ~~all consents and authorizations~~ that apply to ~~the Personal Data~~ Protected Information that have been obtained by Seller or any of its Subsidiaries. Except as has not been and would not reasonably be expected to be, individually or in the ~~Company or a Company Subsidiary (such obligations~~aggregate, ~~collectively~~material to the Business, ~~“Data Privacy Obligations”); (ii) the Company~~ Seller and each ~~Company Subsidiary have~~ of its Subsidiaries has all rights, authority, consents and authorizations necessary to receive, ~~retain,~~ access, use and disclose the ~~Personal Data~~ Protected Information in their possession or under their control in connection with the operation of ~~their business~~ the Business as currently retained, accessed, used and disclosed by them, including under the Transactions; and (iii) the Company and each Company Subsidiary have at all times posted, to the extent required under, and in accordance with, applicable Data Privacy Obligations, privacy policies governing their use of Personal Data on their websites made available by the Company and each Company Subsidiary. The execution, delivery, and performance of this Agreement and the Transactions will not materially conflict with or result in a material violation or breach of any Data Privacy Obligationspresently conducted. (b) Except as has not been and would not reasonably be expected to ~~have~~be, individually or in the aggregate, ~~a Company Material Adverse Effect~~material to the Business, ~~since March 28~~(i) Seller holds all permits and licenses, ~~2020~~and has made all governmental filings, required under applicable Information Privacy and Security Laws to process, use, and transfer Protected Information in connection with or relating to the Business, and (ii) the consummation of the Transactions will neither invalidate such permits and licenses nor require such permits and licenses to be amended under applicable Information Privacy and Security Laws. (c) Except as has not been and would not reasonably be expected to be, individually or in the aggregate, material to the Business, neither Seller nor any of its Subsidiaries sells or rents to third parties any Protected Information for monetary or other valuable consideration, in each case excluding sale, rental or disclosures of Protected Information to (i) Purchaser and any Person to whom Purchaser sells, rents or discloses Protected Information, (ii) the customers of the Business in Seller’s or its Subsidiaries’ provision of Business Products to the customers of the Business in the ordinary course of business consistent with past practice, or (iii) Seller’s or its Subsidiaries’ service providers when such disclosure is made for the purpose of the service provider’s provision of services to Seller or any of its Subsidiaries, in each case, in connection with or relating to the Business. (d) Since April 2, 2016, to Seller’s Knowledge, except as has not been and would not reasonably be expected to be, individually or in the aggregate, material to the Business, there has been no (i) data security breach of, unauthorized access to, or malicious disruption of any ~~Company IT Systems~~ Business Products or any Seller or any of its Subsidiaries’ systems, networks or information technology that ~~transmit~~ transmits or ~~maintain~~ maintains Protected Information ~~owned~~or other confidential information in connection with or relating to the Business, ~~used, hosted, maintained or controlled by or on behalf of the Company or the Company Subsidiaries~~ or (ii) ~~incident~~ other incidents involving the ~~loss, damage,~~ unauthorized access, ~~unauthorized~~ acquisition, ~~unauthorized modification, unauthorized~~ use or ~~unauthorized~~ disclosure of any Protected Information owned, used, hosted, maintained or controlled by or on behalf of Seller or any of its Subsidiaries in connection with or relating to the ~~Company~~ Business, including any such unauthorized access, acquisition, use or disclosure of Protected Information that would constitute a breach for which notification by Seller or any of its Subsidiaries to individuals and/or Governmental Entities and/or customers of the ~~Company~~ Business is required under any Information Privacy and Security Laws applicable to the Business or Business Contracts to which Seller or any of its Subsidiaries ~~(clauses (i)~~ is a party. To Seller’s Knowledge, since April 2, 2016, except as has not been and ~~(ii) collectively, a “Security Incident”). Except as~~ would not reasonably be expected to ~~have~~be, individually or in the aggregate, ~~a Company Material Adverse Effect~~material to the Business, none of the ~~Company~~Business’s ~~or any Company Subsidiary’s Data Partners have~~vendors, ~~since March 28~~suppliers and subcontractors, ~~2020,~~ have (i) suffered any ~~Security Incident~~ security breach that resulted in any unauthorized access toto or use of any Protected Information in the possession, ~~unauthorized modification of~~custody, ~~unauthorized use of, unauthorized disclosure~~ or control of ~~or loss of or damage to any Personal Data held for or on behalf of the Company~~ Seller or any ~~Company~~ of its Subsidiaries, (ii) breached any obligations relating to Protected Information in Contracts with Seller or any of its Subsidiaries or (iii) violated any Information Privacy and Security ~~Laws with respect thereto~~Laws. (ce) ~~The Company~~ Seller maintains and ~~each Company Subsidiary have, and have required their Data Partners to have, implemented, monitored and maintained~~ implements a reasonably appropriate written information security ~~program,~~ program covering any part of the ~~Company and each Company Subsidiary,~~ Business designed ~~to meet or exceed applicable industry standards,~~ to (i) identify and address internal and external risks to the ~~security, integrity or privacy~~ security of any proprietary or confidential information (in the possession of Seller or any of its Subsidiaries, including Protected Information~~) in their possession~~, (ii) implement, monitor and improve ~~adequate and effective~~ reasonable administrative, technical and physical safeguards to control these risks and ~~protect the proprietary or confidential information (including Protected Information) in their possession,~~ (iii~~) protect against Security Incidents, and (iv~~) maintain notification procedures in compliance in all material respects with applicable Information Privacy and Security Laws that require notification to any Person in the case of any breach of ~~security, integrity or privacy~~ security compromising data containing ~~Personal Data~~ Protected -48- Information, in ~~their possession~~each case, in connection with or relating to the Business. In For each of ~~the past three (3)~~ fiscal ~~years~~year 2018 and 2019, ~~the Company and each of the Company Subsidiaries have~~ Seller has performed a security risk assessment covering the ~~Company and each Company Subsidiary, in each case, as required under PCI DSS~~Business, and ~~addressed~~ has used reasonable efforts to address and ~~remediated~~ remediate all ~~critical,~~ critical and high risk (or ~~material threats~~ similar designation) threats, and deficiencies identified in those security risk assessments. For each of fiscal year 2018 and 2019, Seller has made available to Purchaser all material third party assessments, certifications, test results, audits or reviews (e.g., SSAE 18, SOC I, II and III, SysTrust, WebTrust, CloudTrust, or perimeter certifications) of the information systems or other equivalent evaluations of the Business in Seller’s possession or control. Seller has made available to Purchaser all material documents regarding Seller’s or any of its Subsidiaries’ certification to, adoption of, validation of, compliance with, or participation in, any information security frameworks, standards or similar programs, in each case, in connection with or relating to the Business, including the US Federal Risk and Authorization Management Program, the International Common Criteria Recognition Arrangement, the Federal Identity, Credential and Access Management Framework, the Identity Ecosystem Framework, and the Federal Information Processing Standard Publication 140-2. (df) Except as has not been and would not reasonably be expected to ~~result~~ be, individually or in the aggregate, material ~~liability~~to the Business, ~~disruption~~since April 2, ~~or other material obligation~~ 2016, no Person has, to or Seller’s Knowledge, as of the ~~Company or any Company Subsidiary~~date hereof, ~~since March 28, 2020, (i) provided a written notice or audit request to the Company or a Company Subsidiary, (ii)~~ made any written complaint or claim against ~~the Company~~ Seller or ~~a Company Subsidiary~~ any of its Subsidiaries or ~~(iii) to the Company’s Knowledge,~~ commenced any ~~Action as~~ Proceeding by or before any Governmental Entity or arbitration body against Seller or any of ~~the entry into this Agreement~~its Subsidiaries, in each case, with respect to (A) any ~~suspected, potential or~~ alleged violation of ~~Data~~ Information Privacy ~~Obligations~~ and Security Laws by ~~the Company~~ Seller, any of its Subsidiaries or any ~~Company Subsidiary~~ third party in relation to such third party’s collection, maintenance, storage, use, processing, disclosure, security, transfer or disposal of Protected Information on behalf of Seller or any of its Subsidiaries, (B) any of ~~the Company~~Seller’s or ~~a Company Subsidiary’s~~ its Subsidiaries’ privacy or data security ~~practices~~practices with respect to Protected Information, including any ~~Security Incident~~loss, damage or unauthorized access, acquisition, use, disclosure, modification or other misuse of any Protected Information maintained by or on behalf of Seller or any of its Subsidiaries or (C) any provisions governing privacy, data protection, or information security matters in any Business Contracts to which Seller or any of its Subsidiaries is a party, in each case, in connection with or relating to the Business. (eg) ~~The Company~~ Except as would not reasonably be expected to be, individually or in the aggregate, material to the Business, (i) Seller and ~~the Company~~ its Subsidiaries have in place ~~written~~ incident response and disaster recovery ~~plans~~ plans, procedures and ~~procedures~~ facilities that satisfy applicable Law and Seller’s and its Subsidiaries’ obligations under all Business Contracts with ~~respect~~ all customers, vendors, suppliers and subcontractors of the Business, and (ii) Seller and its Subsidiaries are in compliance therewith. (h) To Seller’s Knowledge, no Software included in any Business Product contains any undisclosed disabling codes or instructions, “time bombs,” “Trojan horses,” “back doors,” “trap doors,” “worms,” viruses, bugs, faults, security vulnerabilities or other Software routines, in any case that have resulted in or that may reasonably result in (i) any Person accessing without authorization or disabling or erasing any Business Product, (ii) a significant adverse effect on the functionality of any Business Product or (iii) unauthorized acquisition of or access to confidential or proprietary information or Protected Information created, received, maintained or transmitted on or through any Business Product, except, in the case of (i), (ii) or (iii), as has not been and would not reasonably be expected to be, individually or in the aggregate, material to the ~~IT Assets that they have identified as essential to the continuity of their business~~Business.

Appears in 1 contract

Samples: Asset Purchase Agreement

Common use of Privacy and Data Protection Clause in Contracts