Privacy and Data Security. (a) In the prior three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole. (b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data. (c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments. (d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data. (e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.
Appears in 8 contracts
Samples: Merger Agreement (Steinberg Michael), Merger Agreement (RiverRoad Capital Partners, LLC), Merger Agreement (Lewis & Clark Ventures I, LP)
Privacy and Data Security. (a) In The Company and its Subsidiaries comply and have at all times complied in all material respects with all Privacy Obligations. The Company and its Subsidiaries have adopted and published a privacy notice and policy at xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/Privacy that accurately describes their privacy practices. The Company and its Subsidiaries maintain commercially reasonable privacy and data security policies, processes, and controls, and an appropriate privacy program. The Company and its Subsidiaries have obtained all necessary consents, required for them to Process Personal Information.
(b) The execution, delivery, performance and consummation of the prior three transactions contemplated by this Agreement (3including the Processing of Personal Information in connection therewith) yearswill not cause or constitute a breach or violation of any applicable Privacy Obligations.
(c) The Company and its Subsidiaries have implemented and maintain an information security program comprising reasonable and appropriate physical, administrative and technical safeguards that are (i) appropriate to the size and scope of the Company and its Subsidiaries have been and the Personal Information and other confidential information they Process in compliance the conduct of their business, (ii) consistent with Privacy Lawsthe best practices adopted for the industry in which the Company and its Subsidiaries operate, (iii) designed to protect the operation, confidentiality, integrity, availability and security of the Company’s and its Subsidiaries’ IT systems, and in all Personal Information and other confidential information processed thereby, against unauthorized access, acquisition, interruption, alteration, modification, or use, and (iv) consistent with the Company’s and its Subsidiaries’ Privacy Obligations. To the Knowledge of the Company, neither the Company nor any of its Subsidiaries has experienced any material respects failure of these physical, administrative and technical safeguards.
(d) The Company and its Subsidiaries have taken reasonable measures to ensure that all third parties that Process Personal Information on their behalf comply with applicable Privacy Obligations. The Company and its Subsidiaries obligate third parties that Process Personal Information on their behalf to take reasonable measures to safeguard Personal Information.
(e) The Company has: (i) Contracts regularly conducted and regularly conducts vulnerability testing, risk assessments, and external audits of, and tracks security incidents related to the Company’s systems and products (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data collectively, “Information Security Reviews”); and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data timely corrected any material exceptions or vulnerabilities identified in such Information Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”)Reviews. The execution, delivery Company provides its employees with regular training on privacy and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholedata security matters.
(bf) In the prior three (3) yearsThere is not currently pending and there has not been since January 1, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required 2016 any claim, action, litigation, investigation, audit, complaint, or other proceeding to, from, by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of before any Governmental Authority against the Company or any of its Subsidiaries with respect to privacy or data security, and, to the Knowledge of the Company, there is no reasonable basis for such actions.
(g) Neither the Company nor any of its Subsidiaries has, in the past two years, experienced any security incident, nor has, to the Knowledge of the Company, any third party who Processes Personal information on the Company’s or its Subsidiaries’ behalf, experienced any Security Incident affecting the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against Information or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or confidential information on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal DataSubsidiaries.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.
Appears in 4 contracts
Samples: Agreement and Plan of Merger (Alaska Communications Systems Group Inc), Agreement and Plan of Merger (Alaska Communications Systems Group Inc), Merger Agreement (Alaska Communications Systems Group Inc)
Privacy and Data Security. (a) In Except as would not result in Liabilities that are material to the prior three Target Companies taken as a whole, to the extent that a Target Company collects any personally identifiable information (3“PII”) yearsfrom third party individual persons as of the date of this Agreement, such Target Company has a privacy policy (which may be a group wide policy covering affiliated entities) regarding the collection, use and disclosure of such PII in connection with the operation of the its business as conducted as of the date of this Agreement, and each Target Company is and its Subsidiaries have has been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating any such privacy policy applicable to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeit.
(b) In Except as would not result in Liabilities that are material to the prior three (3) yearsTarget Companies taken as a whole, the Privacy and Data Security Policies all Target Companies have complied at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to with all applicable Laws regarding the Privacy collection, retention, use and Data Security Policies that govern protection of personal information. There is no claim pending or threatened in writing against any Target Company regarding any violation of or noncompliance with such Personal Dataapplicable Laws.
(c) There is (and Except as would not result in the prior three years there has been) no Liabilities that are material Legal Proceeding pending or, to the Company’s knowledgeTarget Companies taken as a whole, threatened against or involving the Target Companies are in compliance with the terms of all contracts to which such Target Company or its Subsidiaries initiated by any Person Target Companies are a party related to data privacy, security or breach notification (including (i) provisions that impose conditions or restrictions on the Federal Trade Commissioncollection, any state attorney general use, disclosure, transmission, destruction, maintenance, storage or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing safeguarding of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitmentspersonal information).
(d) In To the prior three (3) yearsKnowledge of the Company, (i) there has been no unauthorized access tonone of the Target Companies have experienced any loss, damage, or unauthorized useaccess, disclosure, use or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches breach of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) lossPII in their possession, theft custody or damage ofcontrol, or (B) other unauthorized otherwise held or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Dataprocessed on their behalf.
(e) Each To the Knowledge of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defectCompany, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past last three (3) years, there have has been no unauthorized material access, intrusion or breach of security, or material failure, breakdown, performance reduction or other adverse event affecting any of the Target Company’s systems, that has caused or could reasonably be expected to cause any: (except i) material disruption of or interruption in or to the extent completely remediated)use of such systems or the conduct of the business of any Target Company ; or (ii) material loss, destruction, damage or harm to any Target Company or any of their material operations, personnel, property or other material assets. Each Target Company has taken reasonable actions, consistent with industry practices, to protect the integrity and to security of the Target Company’s Knowledge, there are no material security deficiencies or vulnerabilities in systems and the Company IT Systemsdata and other information stored thereon.
Appears in 2 contracts
Samples: Business Combination Agreement (TradeUP Global Corp), Business Combination Agreement (Far Peak Acquisition Corp)
Privacy and Data Security. (a) In Each of the prior three (3) yearsAcquired Companies is currently complying and has, the Company and its Subsidiaries have been in compliance with Privacy Lawssince January 1, and 2017 complied in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries all applicable Privacy and other Persons relating to Personal Data and (ii) applicable written policiesInformation Security Laws, public statements and other public representations including Laws relating to the Processing privacy of Personal DataInformation regarding clinical trial participants, inclusive patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers and pharmacists that interact with any of all disclosures required the Acquired Companies in connection with the operation of the Acquired Companies’ business. To the Knowledge of the Company, no investigations, claims or complaints are pending or have been threatened against the Acquired Companies by applicable Privacy Laws (“any Person regarding a violation of Privacy and Data Information Security Policies,Laws, and/or other information security policies. None of the Acquired Companies is a “covered entity” and together with Privacy Laws and such Contracts, or “Privacy Commitments”)business associate” for purposes of HIPAA. The executionAcquired Companies have provided all requisite notices, delivery and performance by the Company of this Agreement to which the Company is or will be a partyobtained all required consents, and satisfied all other material requirements for their processing of Personal Information for the conduct of business as currently conducted and in connection with the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeContemplated Transactions.
(b) In the prior three (3) yearsThe Acquired Companies have adopted reasonable and appropriate, the Privacy organizational, physical, administrative and Data Security Policies have at all times been maintained and made available to individuals in accordance technical measures consistent with reasonable industry practices to protect Personal Information and protect against Security Incidents (as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omissiondefined below). The practices Without limitation to the generality of the Company foregoing, such measures are appropriate to protect the Personal Information collected, stored, or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data otherwise processed by or on behalf of the Acquired Companies, the confidential or proprietary information of or related to their businesses, and the Company IT Systems from unauthorized access, acquisition, interruption, alteration, modification, use or its Subsidiaries is other processing, or was in violation any other compromise of their confidentiality, integrity or availability (any such incident a “Security Incident”). Except as expressly disclosed pursuant to Section 3.17 of the Company Disclosure Schedule, since January 1, 2017, none of the Acquired Companies (nor, to the Knowledge of the Company, any Third Parties acting on their behalf) have experienced any actual or alleged Security Incident, and none of the Acquired Companies (nor, to the Knowledge of the Company, any Third Parties acting on their behalf) have notified, or been required to notify, any person of any Privacy CommitmentsSecurity Incident or other event involving Personal Information that is in the custody, possession or control of any of the Acquired Companies. To In addition, to the Knowledge of the Company’s Knowledge, there are no factsindividuals or Third Parties (including any threat actors described in Section 3.17 of the Company Disclosure Schedule) have ongoing unauthorized access to Company IT Systems, circumstances and to the Knowledge of the Company, none of the Acquired Companies or conditions Company IT Systems have any information security vulnerabilities that would reasonably be expected to form materially adversely impact the basis for any proceeding for any potential violation operation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the relevant Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as cause a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT SystemsSecurity Incident.
Appears in 2 contracts
Samples: Merger Agreement (BioNTech SE), Merger Agreement (Neon Therapeutics, Inc.)
Privacy and Data Security. (a) In Except as would not be material to the prior three (3) yearsGroup Companies, taken as a whole, each Group Company complies, and since January 1, 2018 has complied, with all applicable Privacy Laws, with Privacy Policies, and with applicable contractual obligations of the Company and its Subsidiaries have been in compliance with Privacy Lawsgoverning privacy, data protection, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries data security with respect to the Processing of Personal Data conform in all by the Company and its Subsidiaries. To the knowledge of the Company, neither the execution of this Agreement nor the consummation of the Transactions constitutes a material respects breach or violation of any applicable Privacy Law, any applicable Privacy Policy, or any applicable contractual obligations of the Company and its Subsidiaries governing privacy, data protection, and data security with respect to the Privacy Processing of Personal Data by the Company and Data Security Policies that govern such Personal Data.
its Subsidiaries. From January 1, 2018 until the date hereof, except as set forth in Section 3.15 of the Company Disclosure Schedule, there is no, and has not been any, (ci) There is (and in the prior three years there has been) no material Legal Proceeding Action of any nature pending or, to the knowledge of the Company’s knowledge, threatened against or involving the Company or any of its Subsidiaries initiated by any Person (including (i) relating to privacy, data protection, or data security with respect to the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by the Company and its Subsidiaries; (ii) written notice of any actual or on behalf asserted noncompliance with any Law to which the Company or any of its Subsidiaries are subject relating to privacy, data protection, or data security with respect to the Processing of Personal Data by the Company; or (iii) known data breach or data security incident that compromised the data security of the Company or its Subsidiaries is and impacted compliance with applicable Privacy Law by the Company or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitmentsits Subsidiaries.
(db) In the prior three (3) years, The Company and its Subsidiaries have taken commercially reasonable steps to (i) there has been no implement and maintain sufficient technical and organizational measures in compliance with applicable Privacy Laws, designed to preserve and protect the confidentiality, availability, security (including disaster recovery), and integrity of all Systems and Personal Data within the possession or control of the Company and its Subsidiaries; (ii) implement and maintain commercially reasonably sufficient disaster recovery programs and mechanism and business continuity plans for their business; and (iii)defend against any security breach (x) resulting in any unauthorized access to, or unauthorized useacquisition of, disclosure, or Processing of any Personal Data in within the possession or control of the Company or any of its Subsidiaries or any of its contractors with regard (y) which required a regulatory notification or reporting to any Personal Data obtained from or on behalf Governmental Authority.
(c) The Company and its Subsidiaries have taken commercially reasonable steps to (i) ensure the IT Assets of the Company or and its Subsidiaries (“Security Incident”), are reasonably adequate and sufficient to protect the privacy and confidentiality of all Personal Data in compliance with reasonable industry practices and all applicable Privacy Laws and (ii) there implement and maintain reasonable technical and organizational measures in compliance with applicable cybersecurity Laws (including but not limited to Privacy Laws), that are designed to preserve and protect the cybersecurity of all IT Asset and Systems within the possession or control of the Company and its Subsidiaries. Except as set forth in Section 3.15 of the Company Disclosure Schedule or as would not reasonably be expected to have been a Company Material Adverse Effect, no unauthorized intrusions person (including any Governmental Authority) has made any claim or breaches of security into commenced any proceeding against the Company IT Systems, and (iii) none of or any Third Party service provider to the Company or any of its Subsidiaries has notified or been required with respect to notify any Person of any (A) loss, theft damage or damage ofunauthorized access, or (B) other unauthorized or unlawful access todisclosure, or use, disclosure modification or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security misuse of Personal Data against by the Company, any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been or any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemstheir respective service providers.
Appears in 2 contracts
Samples: Merger Agreement (Yan Rick), Merger Agreement (51job, Inc.)
Privacy and Data Security. (a) In the prior three (3) years, the Company Homology and its Subsidiaries have been in compliance complied with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation applicable terms of any Privacy Commitments that would be materially adverse Homology Contracts relating to the Company and its Subsidiariesprivacy, taken as a whole.
(b) In the prior three (3) yearssecurity, the Privacy and Data Security Policies have at all times been maintained and made available to collection or use of Personal Information of any individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company clinical trial participants, patients, patient family members, caregivers or its Subsidiaries advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists) that interact with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company Homology or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for connection with the operation of businesses of the Company Homology’s and its Subsidiaries (Subsidiaries’ business, except for ordinary wear and tear)such noncompliance as has not had, except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to behave, individually or in the aggregate, material a Homology Material Adverse Effect. To the Knowledge of Homology, Homology has implemented and maintains reasonable written policies and procedures, satisfying the requirements of applicable Privacy Laws and Homology Contracts, concerning the privacy, security, collection and use of Personal Information (“Homology Privacy Policies”) and has complied with the same, except for such noncompliance as has not to the Company Knowledge of Q32 had, and would not reasonably be expected to have, individually or in the aggregate, a Q32 Material Adverse Effect. To the Knowledge of Homology, as of the date hereof, no claims have been asserted or threatened against Homology by any Person alleging a violation of Privacy Laws, Privacy Policies and/or the applicable terms of any Homology Contracts relating to privacy, security, collection or use of Personal Information of any individuals and Homology has not received written notice of any of the same. To the Knowledge of Homology, there have been no data security incidents, personal data breaches or other adverse events or incidents related to Personal Information or Homology data in the custody or control of Homology or any service provider acting on behalf of Homology, in each case where such incident, breach or event would result in a notification obligation to any Person under applicable law or pursuant to the terms of any Homology Contract.
(b) The information technology assets and equipment of Homology and its Subsidiaries (collectively, “Homology IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of Homology and its Subsidiaries as currently conducted, and to the Knowledge of Homology, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Homology and its Subsidiaries have implemented and maintain commercially reasonable physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Homology and its Subsidiaries, taken as a whole. In any other material confidential information and the prior three years, there have not been any material failures, breakdowns or continued substandard performance integrity and security of any Company Homology IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated used in the Ordinary Course of Business. In connection with their businesses, and during the past three (3) years, there have been no (breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemsnotify any other Person.
Appears in 2 contracts
Samples: Merger Agreement (Homology Medicines, Inc.), Merger Agreement (Homology Medicines, Inc.)
Privacy and Data Security. (a) In To the prior three (3) yearsKnowledge of the Company, as of the Company and its Subsidiaries have been in compliance with Privacy Lawsdate hereof, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policiesat no time since April 30, public statements and other public representations relating 2017 to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company date of this Agreement to which the Company is or will be a partyAgreement, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation has there been any material data security breach of any Privacy Commitments that would be materially adverse to the Company and its SubsidiariesBusiness IT Assets or material unauthorized access, taken as a whole.
(b) In the prior three (3) yearsuse, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Lawsor disclosure of any Personal Information owned, are accurate and complete and are not misleading used, maintained, received, or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data controlled by or on behalf of the Company or its Subsidiaries is any Company Subsidiary, including any unauthorized access, use or was in violation disclosure of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions Personal Information that would reasonably be expected constitute a breach, in each case, for which notification to form the basis for individuals or Governmental Authorities is required under any proceeding for any potential violation of any applicable Information Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, and Security Laws or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard Contracts to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of which the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have Company Subsidiary is a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Dataparty.
(eb) Each of Except for matters which, individually or in the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defectaggregate, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is have not had and would not reasonably be expected to behave a Company Material Adverse Effect, the Company’s and each Company Subsidiary’s collection, maintenance, transmission, transfer, use, disclosure, storage, disposal and security of Personal Information has complied in all material respects since April 30, 2017 to the date of this Agreement with (i) Information Privacy and Security Laws, (ii) Contracts to which the Company or any Company Subsidiary is a party that govern that Personal Information, and (iii) applicable privacy policies or disclosures posted to websites maintained by the Company or any Company Subsidiary that govern Personal Information processed by the Company or the Company Subsidiary (the “Privacy Policies”). Since April 30, 2017 to the date of this Agreement, no suit, claim, action, proceeding, arbitration, mediation or, to the Knowledge of the Company, investigation is pending or, to the Knowledge of the Company, threatened in writing against the Company or any Company Subsidiary relating to the processing or security of Personal Information, except as would not individually or in the aggregate, reasonably be expected to result in material liability to the Company and its the Company Subsidiaries.
(c) Included in the Business IT Assets are standalone databases which contain a records of known customers of any of the product or service offerings of the businesses conducted by the Company and the Company Subsidiaries, taken as a whole. In all of which are free and clear of all restrictions or limitations on the prior three years, there have not been any use of such databases in all material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems respects other than routine failures restrictions or disruptions that have been remediated in limitations required under applicable Law, or the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies Privacy Policies or vulnerabilities in the Company IT Systemsother contractual commitments under which such information as collected.
Appears in 2 contracts
Samples: Merger Agreement (Peak Resorts Inc), Merger Agreement (Vail Resorts Inc)
Privacy and Data Security. (a) In Except as has not had and would not reasonably be expected to have, individually or in the prior three aggregate, a Company Material Adverse Effect, (3i) years, the Company and its Subsidiaries have been at all times in compliance with Privacy Lawsthe prior three years complied, and in presently comply, with all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries applicable Privacy Legal Requirements, and other Persons relating to Personal Data their own respective privacy policies, terms of use and contractual obligations and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement and its Subsidiaries have taken appropriate actions (including reasonable and appropriate administrative, technical and physical safeguards) to which protect Personal Information in their possession or under their control against unauthorized or unlawful access, use, modification, disclosure or other misuse.
(b) Except as has not had and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect (i) in the prior three years neither the Company is or will be a party, and the consummation nor any of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in its Subsidiaries has received any written notice from any applicable Governmental Entity alleging a violation of any Privacy Commitments that would be materially adverse to Legal Requirements by the Company and or any of its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of nor has the Company or any of its Subsidiaries been threatened in writing to be charged with respect any such violation by any Governmental Entity; (ii) no claims have been asserted or threatened against the Company or any of its Subsidiaries (and to the Processing knowledge of Personal Data conform in all material respects the Company, no such claims are likely to be asserted or threatened) by any Person alleging a violation of such Person’s privacy, personal or confidentiality rights under any Privacy Legal Requirements, or the Company’s privacy policies, terms of use or contractual obligations and (iii) to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and Knowledge of the Company, in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access touse, or unauthorized useaccess, disclosure, or Processing other security incident of or involving Personal Data Information in the possession of or under the control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal DataSubsidiaries.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.
Appears in 2 contracts
Samples: Merger Agreement (Kimball International Inc), Merger Agreement (Kimball International Inc)
Privacy and Data Security. (a) In Except as would not reasonably be expected to be material to the prior three (3) yearsGroup Companies, taken as a whole, the Company and its Subsidiaries have been in compliance with Privacy LawsGroup Companies comply, and since January 1, 2018 have complied, in all material respects with all: (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and applicable Privacy Laws; (ii) applicable written policiesobligations imposed upon the Group Company regarding Personal Information under any Contracts; (iii) internal and public-facing privacy, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation data handling and/or data security policies of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation Group Company; and (iv) applicable data privacy rules of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeapplicable self-regulatory organizations.
(b) In To the prior three (3) yearsCompany’s knowledge, each of the Privacy Group Companies has established commercially reasonable technical and Data Security Policies have at all times been maintained organizational measures to safeguard the security, confidentiality, integrity and made available to individuals availability of IT Assets and Personal Information, in its possession, custody, or under its control, in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Dataapplicable laws.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to To the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including : (i) no Group Company has suffered any material security breach with respect to any Personal Information and/or with respect to the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) IT Assets and there has been no material misuse of, or unauthorized Processing of, access to, or unauthorized usedisclosure of, disclosure, or Processing of any Personal Data Information in the possession possession, custody, or control of the Company or its Subsidiaries or any of its contractors with regard to any the Group Companies or Processed by the Group Companies (each, a “Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security IncidentInformation Breach”), ; (ii) there none of the Group Companies have been no unauthorized intrusions experienced any information security incidents that have materially compromised the integrity or breaches availability of security into any Company the IT Systems, Assets or the data thereon; and (iii) none of the Company or any of its Subsidiaries has notified or Group Companies have been legally required to notify provide any notices to any Person as a result of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal DataInformation Breach.
(ed) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems Except as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, be material to the Company and its SubsidiariesGroup Companies, taken as a whole. In , the prior three yearsCompany warrants that, there since January 1, 2018, each of the Group Companies ensure all cross border transfers of Personal Information are compliant with applicable Privacy Laws in all material respects.
(e) Except as would not reasonably be expected to be material to the Group Companies, taken as a whole, the Company warrants that, since January 1, 2018, each of the Group Companies which have distributed marketing communications to any Person are compliant with applicable Privacy Laws in all material respects.
(f) The Group Companies have not been intentionally sold or rented and are not sharing or renting to third parties any material failures, breakdowns or continued substandard performance Personal Information.
(g) None of the Group Companies has received any written notice of any Company IT Systems that have caused a material failure claims, investigations, or disruption alleged violations of Privacy Laws with respect to Personal Information possessed by the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT SystemsGroup Companies.
Appears in 2 contracts
Samples: Business Combination Agreement (Valens Semiconductor Ltd.), Business Combination Agreement (PTK Acquisition Corp.)
Privacy and Data Security. (a) In the prior three (3) years, the Company Q32 and its Subsidiaries have been in compliance complied with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation applicable terms of any Privacy Commitments that would be materially adverse Q32 Contracts relating to the Company and its Subsidiariesprivacy, taken as a whole.
(b) In the prior three (3) yearssecurity, the Privacy and Data Security Policies have at all times been maintained and made available to collection or use of Personal Information of any individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company clinical trial participants, patients, patient family members, caregivers or its Subsidiaries advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists) that interact with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company Q32 or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for connection with the operation of businesses of the Company Q32’s and its Subsidiaries (Subsidiaries’ business, except for ordinary wear and tear)such noncompliance as has not had, except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to behave, individually or in the aggregate, material a Q32 Material Adverse Effect. To the Knowledge of Q32, Q32 has implemented and maintains reasonable written policies and procedures, satisfying the requirements of applicable Privacy Laws and Q32 Contracts, concerning the privacy, security, collection and use of Personal Information (the “Q32 Privacy Policies”) and has complied with the same, except for such noncompliance as has not to the Company Knowledge of Q32 had, and would not reasonably be expected to have, individually or in the aggregate, a Q32 Material Adverse Effect. To the Knowledge of Q32, as of the date hereof, no claims have been asserted or threatened against Q32 by any Person alleging a violation of Privacy Laws, Q32 Privacy Policies and/or the applicable terms of any Q32 Contracts relating to privacy, security, collection or use of Personal Information of any individuals and Q32 has not received written notice of any of the same. To the Knowledge of Q32, there have been no data security incidents, personal data breaches or other adverse events or incidents related to Personal Information or Q32 data in the custody or control of Q32 or any service provider acting on behalf of Q32, in each case where such incident, breach or event would result in a notification obligation to any Person under applicable law or pursuant to the terms of any Q32 Contract.
(b) The information technology assets and equipment of Q32 and its Subsidiaries (collectively, “Q32 IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of Q32 and its Subsidiaries as currently conducted, and to the Knowledge of Q32, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Q32 and its Subsidiaries have implemented and maintain commercially reasonable physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Q32 and its Subsidiaries, taken as a whole. In any other material confidential information and the prior three years, there have not been any material failures, breakdowns or continued substandard performance integrity and security of any Company Q32 IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated used in the Ordinary Course of Business. In connection with their businesses, and during the past three (3) years, there have been no (breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or Liability or the duty to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemsnotify any other Person.
Appears in 2 contracts
Samples: Merger Agreement (Homology Medicines, Inc.), Merger Agreement (Homology Medicines, Inc.)
Privacy and Data Security. (a) In None of the prior three Company or any of its affiliates is a “covered entity” or is engaging in activities that make it a “business associate” as those terms are defined in the Health Insurance Portability and Accountability Act and the regulations promulgated thereunder and codified at 45 C.F.R. Parts 160 and 164 (3) yearscollectively, “HIPAA”). Since, January 1, 2020, the Company and its Subsidiaries have the Company Subsidiary has been in compliance with applicable Privacy Laws and, to the knowledge of the Company, the Company is not under investigation by any Governmental Entity for a violation of such Privacy Laws, except, in each case, as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect.
(b) At all times since January 1, 2020, the Company and in all material respects with (i) Contracts (Company Subsidiary have provided appropriate notice and obtained any necessary consents from Persons required for the processing of Personal Data as conducted by or portions thereof) between for the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policiesthe Company Subsidiary, public statements and other public representations relating in each case to the Processing of Personal Data, inclusive of all disclosures extent required by applicable Privacy Laws Laws, except where the failure to do so would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. The Company and the Company Subsidiary have in place all legally required, and have complied in all respects with each of their respective, written and published policies and procedures concerning the privacy and security of Personal Data (the “Privacy and Data Security Policies,” and together with ”), except where the failure to do so would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. Since January 1, 2020, neither the Company nor the Company Subsidiary have received, in writing, any asserted or threatened claims by any Person alleging a violation of Privacy Laws and/or Privacy Policies. To the knowledge of the Company, the Transactions and such Contracts, “Privacy Commitments”). The the execution, delivery and performance by the Company of this Agreement to which the Company is will not cause, constitute or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a breach or violation of any applicable Privacy Commitments that Law or Privacy Policies, except where such failure to comply would not reasonably be materially adverse expected to have, individually or in the aggregate, a Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal DataMaterial Adverse Effect.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending orAt all times since January 1, to the Company’s knowledge2020, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) and the Federal Trade CommissionCompany Subsidiary have maintained a commercially reasonable information security program in accordance with applicable Privacy Laws in all material respects. The Company has implemented at all times since January 1, any state attorney general or similar state official2020, (ii) any other Governmental authoritycommercially reasonable administrative, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of technical, and physical security measures with respect to Personal Data and other confidential data collected by or on behalf of the Company or its Subsidiaries is the Company Subsidiary and the networks, equipment, software, and other systems and assets of the Company and the Company Subsidiary. Since January 1, 2020, neither the Company nor the Company Subsidiary have experienced any security breach or was in violation of cyber security event, including, without limitation, any Privacy Commitments. To the Company’s Knowledgetheft, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access toloss, or unauthorized use, disclosure, access or Processing acquisition of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (each, a “Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against except for any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and Incidents that would not reasonably be expected to behave, individually or in the aggregate, material to the a Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT SystemsMaterial Adverse Effect.
Appears in 2 contracts
Samples: Merger Agreement (Indivior PLC), Merger Agreement (Indivior PLC)
Privacy and Data Security. (ai) In Each of the prior three (3) years, the Company Company’s and its Subsidiaries have been in compliance with Privacy LawsSubsidiaries’ receipt, collection, monitoring, maintenance, creation, transmission, use, analysis, disclosure, storage, disposal and security of Protected Information has complied, and complies in all material respects with (iA) Contracts (any privacy- or portions thereof) between the Company data security-related provisions of agreements or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement contracts to which the Company or a Subsidiary is or will be a party, (B) applicable privacy and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy data security Laws, are accurate and complete (C) applicable policies and are not misleading or deceptive (including procedures adopted by omission). The practices of the Company or its Subsidiaries with respect a Subsidiary relating to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending orProtected Information, to the Company’s knowledge, threatened against or involving including any privacy policy made available by the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse EffectSubsidiary. Each of the Company and its Subsidiaries has implemented adopted commercially reasonable administrativepolicies and procedures relating to privacy, physical data protection, data security and technical safeguards, the collection and ensures that its contractors processing Personal Data take such safeguards to protect use of Protected Information gathered or accessed in the confidentiality, integrity and security course of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each the operations of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and Subsidiaries.
(ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), Except as is not and would not reasonably be expected to be, individually or in the aggregate, be material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not has been any material failures, breakdowns or continued substandard performance no data security breach of any Company IT Systems that have caused a material failure Assets or disruption unauthorized access, use or disclosure of any Protected Information owned, transmitted, stored, received, or controlled by or on behalf of the Company or any of its Subsidiaries, including any unauthorized access, use or disclosure of Protected Information that would constitute a breach for which notification to individuals, customers or Governmental Entities is required under any applicable privacy and data security Laws or contracts or agreements to which the Company or any of its Subsidiaries is a party.
(iii) The IT Systems Assets have not materially malfunctioned or failed since January 1, 2013. The IT Assets do not contain any viruses, bugs, vulnerabilities, faults or other than routine failures devices or disruptions effects that have been remediated could (i) enable or assist any person to access without authorization the IT Assets or any information in the Ordinary Course IT Assets, or (ii) otherwise significantly adversely affect the functionality of Businessthe IT Assets, except as disclosed in their documentation. In the past three (3) yearsThe Company and its Subsidiaries have implemented reasonable backup, there have been no (except to the extent completely remediated)security and disaster recovery technology, plans, procedures and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemsfacilities.
Appears in 2 contracts
Samples: Merger Agreement (Cyan Inc), Merger Agreement (Ciena Corp)
Privacy and Data Security. (a) In The Company and its Subsidiaries comply and have at all times complied in all material respects with all Privacy Obligations. The Company and its Subsidiaries have adopted and published a privacy notice and policy at xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/Privacy that accurately describes their privacy practices. The Company and its Subsidiaries maintain commercially reasonable privacy and data security policies, processes, and controls, and an appropriate privacy program. The Company and its Subsidiaries have obtained all necessary consents, required for them to Process Personal Information.
(b) The execution, delivery, performance and consummation of the prior three transactions contemplated by this Agreement (3including the Processing of Personal Information in connection therewith) yearswill not cause or constitute a breach or violation of any applicable Privacy Obligations.
(c) The Company and its Subsidiaries have implemented and maintain an information security program comprising reasonable and appropriate physical, administrative and technical safeguards that are (i) appropriate to the size and scope of the Company and its Subsidiaries have been and the Personal Information and other confidential information they Process in compliance the conduct of their business, (ii) consistent with Privacy Lawsthe best practices adopted for the industry in which the Company and its Subsidiaries operate, (iii) designed to protect the operation, confidentiality, integrity, availability and security of the Company’s and its Subsidiaries’ IT systems, and in all Personal Information and other confidential information processed thereby, against unauthorized access, acquisition, interruption, alteration, modification, or use, and (iv) consistent with the Company’s and its Subsidiaries’ Privacy Obligations. To the Knowledge of the Company, neither the Company nor any of its Subsidiaries has experienced any material respects failure of these physical, administrative and technical safeguards.
(d) The Company and its Subsidiaries have taken reasonable measures to ensure that all third parties that Process Personal Information on their behalf comply with applicable Privacy Obligations. The Company and its Subsidiaries obligate third parties that Process Personal Information on their behalf to take reasonable measures to safeguard Personal Information.
(e) The Company has: (i) Contracts regularly conducted and regularly conducts vulnerability testing, risk assessments, and external audits of, and tracks security incidents related to the Company’s systems and products (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data collectively, “Information Security Reviews”); and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data timely corrected any material exceptions or vulnerabilities identified in such Information Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”)Reviews. The execution, delivery Company provides its employees with regular training on privacy and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholedata security matters.
(bf) In the prior three (3) yearsThere is not currently pending and there has not been since January 1, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required 2016 any claim, action, litigation, investigation, audit, complaint, or other proceeding to, from, by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of before any Governmental Authority against the Company or any of its Subsidiaries with respect to privacy or data security, and, to the Knowledge of the Company, there is no reasonable basis for such actions.
(g) Neither the Company nor any of its Subsidiaries has, in the past two years, experienced any security incident, nor has, to the Knowledge of the Company, any third party who Processes Personal information on the Company’s or its Subsidiaries’ behalf, experienced any Security Incident affecting the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against Information or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or confidential information on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal DataSubsidiaries.
(eh) Each of Neither the Company and nor any of its Subsidiaries owns do business in California or has a license or Europe, other right than to use provide services to Alaska based customers. Neither the Company IT Systems as necessary to operate the business nor any of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material subject to the Company European Union’s Directive on Privacy and its Subsidiaries, taken as a whole. In Electronic Communications (2002/58/EC) and/or the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three General Data Protection Regulation (3) years, there have been no (except to the extent completely remediated2016/679), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.
Appears in 2 contracts
Samples: Merger Agreement (Alaska Communications Systems Group Inc), Merger Agreement (Alaska Communications Systems Group Inc)
Privacy and Data Security. (a) In The use, storage, sharing, disclosure, dissemination, Processing and disposal of any personally identifiable information and Personal Data of the prior three (3) years, the Company and its Subsidiaries have been Business is in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) all applicable written privacy policies, public statements terms of use, contractual obligations and other public representations relating to the Processing of Personal Dataapplicable Laws, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeincluding GDPR.
(b) In Seller maintains complete, accurate and up to date records of their Personal Data Processing activities in relation to the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals Business in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy with applicable data protection and Data Security Policies that govern such Personal Dataprivacy Laws, including GDPR.
(c) There is (and Seller has, in the prior three years there has been) no material Legal Proceeding pending or, relation to the Company’s knowledgeBusiness, threatened against issued privacy notices to, and (when necessary) has obtained consents from, all relevant Data Subjects which comply in all material respects with applicable data protection and privacy Laws.
(d) Since January 1, 2019, there have been no security breaches relating to, or involving the Company violations of any security policy regarding, or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commissionunauthorized access of, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data used by or on behalf of Seller in connection with the Company Business, other than those that were resolved without material cost, material liability or its Subsidiaries is or was in violation of the duty to notify any Privacy CommitmentsPerson. To the Company’s KnowledgeFurther, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.Seller has:
(d) In the prior three (3) years, (i) there has been no implemented appropriate technical and organizational measures designed to protect against the unauthorized access or unlawful Processing of, and accidental loss of or damage to, or unauthorized use, disclosure, or Processing of Personal Data in relating to the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from Business which is Processed by or on behalf of the Company or Seller and its Subsidiaries (“Security Incident”), Subsidiaries;
(ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systemsput in place appropriate agreements, as required by applicable data protection and privacy Laws, with all third parties Processing Personal Data on their behalf relating to the Business; and
(iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) lossundertaken reasonably appropriate privacy and information security due diligence on all such third parties in accordance with, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), applicable data protection and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Dataprivacy Laws.
(e) Each There is no, and there has been no, written complaint to, or any audit, proceeding, claim or, to the knowledge of Seller, investigation (formal or informal) against, the Company and its Subsidiaries owns or has a license or other right Seller with respect to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are Business by: (i) free from any defect, bug, virus private party; or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear)any Governmental Authority, except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material with respect to the Company and its Subsidiariessecurity, taken as a whole. In the prior three yearsconfidentiality, there have not been availability or integrity of information technology assets, Personal Data, or other data, 249717839 v15 information or Intellectual Property, except for any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions foregoing that arose prior to the date of this Agreement and have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemsfully resolved.
Appears in 1 contract
Privacy and Data Security. (a) In the prior three (3) years, the The Company and its Subsidiaries have been in compliance with Privacy Laws, and (i) are compliant in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) all applicable written policies, public statements and other public representations relating Laws related to the Processing privacy, security, or protection of Personal Data, inclusive of (ii) have implemented one or more privacy and data security policies that comply with all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to regarding the Privacy collection, use and disclosure of Personal Data Security Policies that govern such Personal Data.
(c) There is (and proprietary information in the prior three years there has been) no material Legal Proceeding pending orconnection with its business and operations, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or have trained its employees and independent contractors on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systemssuch policies, and (iiiiv) none are, and have been, in compliance in all material respects with such policies at all times. True, complete and correct copies of all privacy and data security policies that have been used by the Company or any of its Subsidiaries in the past three (3) years have been made available to Parent. The Company has notified posted all applicable external privacy and data security policies in clear and conspicuous locations on all websites and any mobile applications owned or been required operated by the Company.
(b) The execution, delivery and performance of this Agreement and the consummation of the contemplated transactions, including any transfer of Personal Data or proprietary information resulting from such transactions, will not materially violate any obligation, disclosure, representation or undertaking to notify any Person of any (A) lossregarding data privacy, theft or damage ofsecurity, breach notification, or their or its Personal Data or proprietary information.
(Bc) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the The Company and each of its Subsidiaries has have established and implemented commercially reasonable policies, programs and procedures that are in compliance in all material respects with applicable industry practices, including administrative, technical and physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards are designed to protect the confidentiality, integrity and security of Personal Data and proprietary information gathered, stored, processed, used or communicated by or on behalf of the Company or any of its Subsidiaries, as applicable, against loss, theft or the unauthorized access, use, modification, disclosure or other misuse of such information.
(d) Neither the Company nor any Security Incidentof its Subsidiaries have ever experienced any loss, theft, damage, or, to the Knowledge of the Company, unauthorized access, disclosure, use or breach of security of any Personal Data or proprietary information gathered, stored, processed, used or communicated by or on behalf of itself.
(e) No Person (including any Governmental Entity) has commenced any Proceeding relating to the Company’s or any of its Subsidiary’s privacy or data security policies, including taking all reasonable steps with respect to safeguard the collection, use, transfer, storage, or disposal of Personal Data and back up proprietary information maintained by or on behalf of the Company or any of its Subsidiaries, or threatened any such Proceeding, or made any complaint or, to the Company’s Knowledge, any investigation or inquiry relating to such practices.
(f) As of the date of this Agreement, there are no Proceedings pending against the Company or any of its Subsidiaries asserting any violation by the Company or any of its Subsidiaries of any (i) Information Privacy and Security Law, (ii) agreement (or portion thereof) to which the Company or any of its Subsidiaries is a party that relates to the protection of Personal Data, or (iii) of the Company’s or its Subsidiaries’ privacy and security policies applicable to Personal Data.
(eg) Each of The IT Assets (i) operate in all material respects in accordance with their documentation and functional specifications and otherwise as required by the Company and its Subsidiaries owns and have not materially malfunctioned or has a license or other right to use failed in the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are last three (i3) free from any defectyears, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary are sufficient for the operation immediate and reasonably foreseeable needs of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, including as to capacity, scalability, and ability to process current and anticipated peak volumes in a timely manner. The Company and its Subsidiaries have taken as a wholecommercially reasonable actions designed to protect the confidentiality, integrity and security of the IT Assets against unauthorized use, access, interruption, modification and corruption. In To the prior three yearsKnowledge of the Company, there have not has been no unauthorized access to the IT Assets that resulted in any material failuresunauthorized use, breakdowns access, modification, misappropriation, deletion, corruption, or continued substandard performance encryption of any information or data stored therein. The Company IT Systems that and its Subsidiaries have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) yearsimplemented commercially reasonable data backup, there have been no (except data storage, system redundancy and disaster avoidance and recovery procedures with respect to the extent completely remediated)IT Assets, and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemseach case consistent with customary industry practices.
Appears in 1 contract
Samples: Merger Agreement (Synacor, Inc.)
Privacy and Data Security. (a) In The Company has at all times in the prior three past two (32) years, the Company and its Subsidiaries have been in compliance with Privacy Lawsyears materially complied, and in all material respects is currently complying, with (i) Contracts all Privacy Laws, (ii) to the extent applicable, the Payment Card Industry-Data Security Standard and (iii) all contractual obligations (including those with the Company’s customers) relating to (1) the privacy of users of any of the Company’s web properties, products and/or services; (2) the collection, use, storage, retention, disclosure, transfer, disposal, or portions thereof) between any other processing of any Personal Information collected or used by the Company or its Subsidiaries and other Persons relating by third parties having access to Personal Data such information on behalf of the Company; and (ii3) applicable written policiesthe transmission of marketing and/or commercial messages through any means, public statements including email and other public representations relating to text message (the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy CommitmentsRequirements”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In Except as would not reasonably be expected to be material to the prior three (3) yearsCompany, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are Company has not misleading or deceptive received written notice from any Person (including by omission). The practices any Governmental Authority) of the Company commencement of any Action relating to the Company’s information privacy or its Subsidiaries data security practices, including with respect to the Processing collection, use, transfer, storage or disposal of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data Information maintained by or on behalf of the Company or its Subsidiaries is or was in violation Company, and, to the Knowledge of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that such Action has been threatened.
(c) Except as would not reasonably be expected to form be material to the basis for Company, the Company has taken organizational, physical, administrative and technical measures required by Privacy Laws, any proceeding for existing contractual commitment made by the Company that is applicable to Personal Information, any potential violation written policy adopted by the Company, and the Company’s information security program designed to protect (i) the integrity, security and operations of any the Company’s information technology systems, and (ii) the Personal Information owned, maintained or otherwise processed by the Company against data security incidents or other misuse. Except as would not reasonably be expected to be material to the Company, the Company has implemented reasonable procedures, satisfying the requirements of applicable Privacy CommitmentsLaws, to detect data security incidents.
(d) In Except as would not reasonably be expected to be material to the prior three Company, the Company has contractually obligated all third parties to which it provides Personal Information and/or access thereto to protect such Personal Information from unauthorized access by and/or disclosure to any unauthorized third parties.
(3e) yearsExcept as would not reasonably be expected to be material to the Company, to the Knowledge of the Company, (i) there has have been no unauthorized access todata security incidents, personal data breaches or unauthorized use, disclosure, other adverse events or Processing of incidents related to Personal Data Information in the possession custody or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or service provider acting on behalf of the Company or its Subsidiaries (“Security Incident”)Company, (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually no breach or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption violation of the Company IT Systems other than routine failures has occurred or disruptions that have is threatened in writing, and there has been remediated no unauthorized or illegal use of or access to any Personal Information.
(f) The consummation of any of the transactions contemplated hereby will not violate any applicable Privacy Laws.
(g) The Company has not sold the Personal Information or access thereto under its control and/or in its possession to a third party.
(h) The Company has not had customers or users in the Ordinary Course of Business. In European Economic Area or the past three (3) years, there have been no (except United Kingdom that would cause the Company to be subject to the extent completely remediated), European General Data Protection Regulation 2016/679 and to the Company’s Knowledge, there are no material security deficiencies other European or vulnerabilities in the Company IT SystemsUnited Kingdom data protection and privacy laws.
Appears in 1 contract
Samples: Merger Agreement (3d Systems Corp)
Privacy and Data Security. (a) In the prior three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), Except as would not have a Company Material Adverse Effect, the Company is, and at since the Reference Date has been, in compliance with all (i) applicable Laws pertaining to data protection, data privacy, data security and data breach notification in the United States and elsewhere in the world, including the EU’s General Data Protection Regulation (collectively, “Privacy Laws”); (ii) published policies or notices relating to the Company’s collection, use, storage, disclosure, processing, handling, protection, or cross-border transfer (“Processing”) of Personal Information; (iii) terms of any material Contracts to which the Company is bound relating to the Processing of Personal Information; and (iv) industry standards and/or codes-of-conduct to which the Company and/or any of its Subsidiaries are bound relating to the Company’s or any of its Subsidiaries’ Processing of Personal Information (collectively, “Privacy Requirements”).
(b) Except as would not have a Company Material Adverse Effect, since the Reference Date, the Company has not received any subpoenas, demands, or other written notices from any Governmental Body or other entity investigating, inquiring into, or otherwise relating to any actual violation of any Privacy Laws. Each To the Knowledge of the Company, the Company and its Subsidiaries is not under investigation by any Governmental Body or other entity for any actual violation of any Privacy Laws.
(c) The Company has implemented taken commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards steps designed to protect (i) the operation, confidentiality, integrity integrity, and security of the Company’s software, systems, and websites (“IT Assets”) that are involved in the Processing of Personal Data against any Security IncidentInformation, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) Personal Information in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries Company’s possession and/or control from unauthorized use, access, disclosure, deletion, and/or modification.
(except for ordinary wear and tear), except in each case of clauses (id) and (ii), Except as is not and would not reasonably be expected to behave a Company Material Adverse Effect, individually or in since the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated)Reference Date, and to the Knowledge of the Company’s Knowledge, the Company has not experienced any failures; crashes; security incidents; data breaches; unauthorized access, use, or disclosure; or other adverse events or incidents related to Personal Information that would require notification of individuals, law enforcement, any Governmental Body, customers, vendors, or any others under any applicable Privacy Laws. Except as would not have a Company Material Adverse Effect, to the Knowledge of the Company, there are no material security deficiencies pending complaints, Actions, fines, or vulnerabilities in other penalties facing the Company IT Systemsin connection with any such failures; crashes; security incidents; data breaches; unauthorized access, use, or disclosure.
Appears in 1 contract
Privacy and Data Security. (a) In the prior three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken Except as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to behave, individually or in the aggregate, material to a Company Material Adverse Effect, the Company IT Assets operate and its Subsidiariesperform in a manner that permits the Acquired Companies to conduct their business as currently conducted, taken and the Acquired Companies have implemented and maintain commercially reasonable administrative, technical, and physical measures designed to protect the Company IT Assets (and all Personal Information and other confidential information stored or contained therein or transmitted thereby) against loss, damage and unauthorized access, use, modification or other misuse, including the implementation of commercially reasonable (i) data backup, (ii) disaster avoidance and recovery procedures and (iii) business continuity procedures, in each case designed to be consistent with practices in the industry in which the Acquired Companies operate. To the Knowledge of the Company, as a whole. In of the prior three yearsdate hereof, there have not has been any no material failuresunauthorized: use, breakdowns access or continued substandard performance security breaches, or material unauthorized: interruption, modification, loss or corruption of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures Assets.
(b) Since January 1, 2021, each of the Acquired Companies has complied with all applicable Privacy Laws in connection with the operation of the Acquired Companies’ business, except as would not reasonably be expected to have, individually or disruptions that have been remediated in the Ordinary Course aggregate, a Company Material Adverse Effect. The Acquired Companies have complied with each of Businesstheir respective written and published (both internally and externally) policies concerning the privacy of Personal Information, and contractual obligations involving Personal Information and cybersecurity (together, “Privacy Requirements”), except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. In As of the past three (3) yearsdate hereof, the Company has not received written notice of any claims against the Acquired Companies by any Person alleging a violation of Privacy Laws and/or Privacy Requirements. To the Knowledge of the Company, as of the date hereof, there have been no (except to the extent completely remediated)i) material losses or thefts of, and to the Company’s Knowledge, there are no or material security deficiencies or vulnerabilities breaches relating to, Personal Information in the possession, custody or control of any Acquired Company, (ii) material unauthorized access or material unauthorized use of any Personal Information in the possession, custody, or control of any Acquired Company IT Systemsor (iii) material unauthorized disclosure of any Personal Information in the possession, custody or control of any Acquired Company.
Appears in 1 contract
Privacy and Data Security. (a) In Except as disclosed in Section 3.26(a) of the prior three (3) yearsDisclosure Schedules, the Company has at all times in the last six (6) years collected, stored, maintained, used, shared and its Subsidiaries have been otherwise processed Personal Data and Government Data in compliance with Privacy Laws, and accordance in all material respects with applicable Privacy Laws and the Company’s Privacy Policies and has only done so (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating with respect to Personal Data and Government Data of U.S. data subjects; and (ii) applicable written policieswithin the United States. Except as disclosed in Section 3.26(a) of the Disclosure Schedules, public statements at all times in the last six (6) years, the Company’s privacy and other public representations relating security practices have conformed, in all material respects, to the Processing Company’s contractual and legal obligations applicable to the privacy, data protection or processing of Personal Data and Government Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance of this Agreement, and the operation of the Company’s business consistent with its current operations, will not: (A) breach applicable Privacy Laws, any Privacy Policy or the Company’s contractual obligations applicable to the privacy, data protection or processing of Personal Data and Government Data (including, without limitation, under any HIPAA business associate agreement (“BAA”), Agreement for the Use of Centers for Medicare & Medicaid Services Data Containing Individual Identifiers (“DUA”) and U.S. Governmental Authority Authorizations to Operate); or (B) require the consent of any Person to whom Personal Data held by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholerelates.
(b) In Except as disclosed in Section 3.26(b) of the prior three (3) yearsDisclosure Schedules, where any Privacy Policy is required to be posted or otherwise provided pursuant to applicable Privacy Laws, the Privacy and Data Security Policies have Company at all times been maintained in the last six (6) years has posted applicable Privacy Policies on its websites, applications, and made other online services, or otherwise, in a manner readily available to individuals visitors and current and potential users and customers or otherwise provided them in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform compliance in all material respects to with all Privacy Laws. No statement made in connection the Privacy and Data Security Policies that govern such Company’s collection of Personal Data, including, without limitation, on any Company website, application, or other online service, is or was, at the time made, misleading, deceptive or in violation of any Privacy Law. Information marked “[***]” has been omitted pursuant to Item 601(b)(10)(iv) of Regulation S-K because it (i) is not material and (ii) is the type of information the registrant treats as private or confidential.
(c) There Except as disclosed in Section 3.26(c) of the Disclosure Schedules, the Company has implemented and maintains a comprehensive written data security program sufficient to comply with applicable Privacy Laws and the Company’s contractual obligations, and designed to help ensure the confidentiality, availability, and integrity of Personal Data and Government Data, the Company’s Source Code and other confidential information and to help protect Personal Data and Government Data, the Company’s Source Code, and its confidential information from unauthorized access, disclosure, acquisition, destruction, loss, alteration, misuse or use by any Person, including implementing and maintaining commercially reasonable disaster recovery and security plans and procedures for the business of the Company. Except as disclosed in Section 3.26(c) of the Disclosure Schedules, without limiting the generality of the foregoing, the Company (i) has implemented and maintains a comprehensive written data security program that is designed to: (A) identify internal and external risks to the security of the Company’s confidential information and any Personal Data and Government Data held or used by the Company and (B) implement, monitor and improve adequate and effective safeguards to control those risks; (ii) meet the National Institute of Standards and Technology Special Publication 800-171 (version 2) standards and requirements, including without limitation, to access controls, configuration management, maintenance, media protection, personnel security, physical security and system and communications protection, as to all Government Data that the Company processes and with respect to the information technology it creates for any U.S. Governmental Authority or uses in connection with performing services for any U.S. Governmental Authority; (iii) fully complies with Company’s “playbook” posted at document 7.
2.1 in the prior three years there has beenVDR; (iv) no material Legal Proceeding pending ormeets the standards and requirements of the HIPAA privacy, security and breach notification Laws with respect to protected health information that the Company processes; (v) meets the standards and requirements of ISO/IEC 27001 with respect to the Company’s knowledgedata processing and information technology; (vi) maintains policies, practices and safeguards to terminate its personnel’s use of and access to the Company’s and its customers’ data and information technology as soon as any such person is no longer authorized to do so; and (vii) contractually obligates its subcontractors that have access to the Company’s or its customers’ data or information technology to perform the services for the Company in a manner that protects the privacy and security of the Company’s and its customers’ data and information technology systems with substantially the same level of protection as the Company represents in this Section 3.26 that the Company itself maintains (including, without limitation, with regard to BAA and DUA obligations), as well as the Company’s contractual obligations. The Company has in the last six (6) years taken, and is currently taking, reasonable measures to detect breaches of Personal Data, or other data security incidents, and to train applicable personnel on policies and procedures to escalate any suspected or detected incidents to the attention of the Company’s applicable executives.
(d) In the last six (6) years, to the Knowledge of the Company (i) there has been no data security breach or other unauthorized (A) access to, (B) use of, (C) disclosure of, (D) unavailability of, (E) modification to, or (F) other misuse of Personal Data and Government Data owned, accessed, controlled or processed by the Company; and (ii) the Company has not had or experienced any other breach of data security or cybersecurity, whether physical or electronic.
(e) In the last six (6) years, Company has not received any data subject complaints or inquires related to Privacy Laws or data handling policies, practices, and/or procedures. Information marked “[***]” has been omitted pursuant to Item 601(b)(10)(iv) of Regulation S-K because it (i) is not material and (ii) is the type of information the registrant treats as private or confidential.
(f) There are no current or pending Legal Proceedings asserted by any Person or threatened against in writing with respect to the collection, storage, hosting, use, disclosure, transmission, transfer, disposal, possession, interception, other processing or involving security of any Personal Data and Government Data by or for the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any otherwise related to Privacy CommitmentsLaws. To the Company’s Knowledge, there are no facts, facts or circumstances or conditions that would reasonably be expected to form the could constitute a reasonable basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, such a Legal Proceeding. There has been no (i) there has been no unauthorized access toorder, writ, judgment, injunction, ruling, edict, or unauthorized other decree, whether temporary, preliminary or permanent, enacted, issued, promulgated, enforced or entered by any arbitrator or Governmental Authority, or (ii) government or third-party settlement, in each case adversely affecting the collection, storage, hosting, use, disclosure, transmission, transfer, disposal, possession, interception, other processing or Processing security of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from and Government Data by or on behalf of for the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal DataCompany.
(eg) Each Section 3.26(g) of the Disclosure Schedules contains a true and complete list of all Company Data Processing Contracts (excluding Government Contracts, DUAs and its Subsidiaries owns or XXXx). The Company has made available to the Purchaser a license or other right to use the Company IT Systems as necessary to operate the business true, correct and complete copy of each Company Data Processing Contract.
(h) The Company has implemented and maintains access and security safeguards in respect of the Company Personal Data and Government Data maintained by or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of Company, including computer security, password protection and physical security that are in compliance with all applicable Privacy Laws, the Company’s contractual obligations and the Company’s data retention and disposal programs. The Company has at all times within the last five (5) years made all disclosures to, and its Subsidiaries (except for ordinary wear obtained any necessary consents from, users, consumers, customers, employees, contractors, data subjects, and tear)other applicable Persons, except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated)such disclosure or consents are required to be obtained by the Company pursuant to applicable Privacy Laws. Without limiting the generality of the foregoing, to the extent required to be provided by the Company under applicable Privacy Laws, the Company has provided appropriate notice to, and received affirmative express consent from, all natural persons prior to any Company Product disclosing or making available to any other Person any content that the Company has characterized as, or that such natural person reasonably would consider, confidential, private, or unsuitable for disclosure to such Persons. Neither the Company, nor to the Company’s Knowledge, there are no material any Person performing services for the Company has attempted to reverse engineer Personal Data in a manner intended to de-anonymize data in violation of Privacy Laws. The Company has not used Personal Data of a customer to benefit other customers or the Company’s algorithms in violation of Privacy Laws or the terms of any Contract. The Company has not made any statements to the general public regarding any privacy or information security deficiencies or vulnerabilities practices applicable to any Personal Data other than those made in the Privacy Policies made available by the Company.
(i) With respect to any information that the Company IT Systemsconsiders “de-identified or anonymized” and therefore not Personal Data for purposes of any Privacy Laws, the Company has acted so as to qualify the data as de-identified or otherwise not Personal Data under Privacy Laws, including without limitation:
(i) implemented technical safeguards that prohibit re-identification of the consumer to whom the information may pertain; Information marked “[***]” has been omitted pursuant to Item 601(b)(10)(iv) of Regulation S-K because it (i) is not material and (ii) is the type of information the registrant treats as private or confidential.
(ii) implemented business processes that specifically prohibit re-identification of the information;
(iii) implemented business processes to prevent inadvertent release of de-identified information; and
(iv) made no attempt to re-identify the information.
(j) In the event the Company has or will use data derived from the performance of services for one customer for purposes other than the performance of such services for such customer, including without limitation, to (i) improve the Company’s products or services, (ii) for analytics purposes and/or (iii) provide services or deliverables to any other client, the Company is and has been in compliance with all contractual obligations and all applicable Laws, including Privacy Laws. Further, the Company’s use of data or derivatives thereof outside of the purposes for which such data was collected does not and will not incur any cost or liability to the Purchaser.
(k) None of the Software included in any Company Product performs the following functions, without the knowledge and consent of the owner or authorized user of a computer system or device: (i) sends information of a user to any other Person without the user’s consent or collects Personal Data stored on the computer system or device; (ii) interferes with the owner’s or an authorized user’s control of the computer system or device; (iii) changes or interferes with settings, preferences or commands already installed or stored on the computer system or device without the knowledge of the owner or an authorized user of the computer system or device; (iv) changes or interferes with data that is stored, accessed or accessible on any computer system or device in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system or device; (v) causes the computer system or device to communicate with another computer system or device; (vi) installs a computer program that may be activated by a Person other than the owner or an authorized user of the computer system or device; (vii) records a user’s actions without the user’s knowledge; or (viii) employs a user’s internet connection without the user’s knowledge to gather or transmit information regarding the user or the user’s behavior. Information marked “[***]” has been omitted pursuant to Item 601(b)(10)(iv) of Regulation S-K because it (i) is not material and (ii) is the type of information the registrant treats as private or confidential.
Appears in 1 contract
Samples: Equity Purchase Agreement (ICF International, Inc.)
Privacy and Data Security. (a) In The Company and each of its Subsidiaries (i) is and, since January 1, 2011, has been, in compliance in all material respects with all Privacy Laws governing the prior three receipt, collection, use, storage, processing, sharing, security disposal, disclosure, or transfer of Personal Information that is collected or possessed by or otherwise subject to the control of the Company’s or its Subsidiaries’ policies regarding privacy and data security, including all privacy policies and similar disclosures published on the Company’s or its Subsidiaries’ websites or otherwise communicated to third parties, and (3ii) years, has implemented and maintained measures sufficient to provide reasonable assurance that the Company and its Subsidiaries have been comply with such Privacy Laws and that neither the Company nor its Subsidiaries will acquire, fail to secure, share or use such Personal Information in compliance a manner inconsistent with (A) such Privacy Laws, and in all material respects with (iB) Contracts any notice to or consent from the provider of Personal Information, (C) any policy adopted by the Company or portions thereofits Subsidiaries, (D) between any Contract to which the Company or its Subsidiaries and other Persons relating are party that is applicable to such Personal Data Information, and (iiE) applicable written policies, public statements and other public representations relating any privacy policy or privacy statement from time to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance time published or otherwise made available by the Company of this Agreement or its Subsidiaries to which the Company is or will be a party, and Persons to whom the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse Personal Information relates.
(b) With respect to all Personal Information collected by the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have such Person has at all times been maintained taken steps required and made available reasonably necessary to individuals in accordance protect such Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse, including implementing and monitoring compliance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries measures with respect to the Processing technical and physical security of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (Information. The Company and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or each of its Subsidiaries initiated has commercially reasonable safeguards in place to protect Personal Information in its possession or control from unauthorized access or disclosure, including by any Person (including (i) the Federal Trade Commissionits officers, any state attorney general or similar state officialemployees, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitmentsindependent contractors and consultants. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there There has been no unauthorized access to, or unauthorized use, disclosuredisclosure of, or Processing other misuse of any Personal Data in Information.
(c) Neither the possession Company nor its Subsidiaries has received any written notice of any claims, investigations, or alleged violations of Privacy Laws with respect to Personal Information collected or possessed by or otherwise subject to the control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal DataCompany.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.
Appears in 1 contract
Samples: Purchase Agreement (Ezcorp Inc)
Privacy and Data Security. (a) In the prior three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken Except as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, Subsidiaries taken as a whole, the Company’s or any of its Subsidiaries’ collection, maintenance, transmission, transfer, storage, disposal, security, use and disclosure of Personal Information complies with and for the past three years has complied with all (i) Information Privacy and Security Laws; (ii) Contracts to which the Company or any of its Subsidiaries is a party; (iii) the Company’s then-current written privacy policies; and (iv) any consents, approvals, registrations or authorizations relating to Personal Information that were received from any Governmental Authority or the subject of that Personal Information, or that are required under any Information Privacy and Security Law.
(b) Except as would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries taken as a whole, the Company and each of its Subsidiaries have implemented and maintains a reasonable security plan in accordance with industry standards that (i) identifies internal and external risks to the security of Personal Information; (ii) implements and monitors adequate and effective administrative, electronic and physical safeguards to control those risks; (iii) maintains notification procedures in compliance with applicable Information Privacy and Security Laws in the case of any breach of security compromising data containing Personal Information; and (iv) includes commercially reasonable policies and procedures that apply to the Company and/or each Subsidiary with respect to privacy, data protection, processing, security and the collection and use of Personal Information gathered or accessed in the course of the operations of the Company and its Subsidiaries.
(c) The Company’s and its Subsidiaries’ IT Systems are in sufficiently good repair and operating condition for the business as currently conducted. In the prior three yearsSince January 1, 2014, there have not has been any material failuresno (A) failure, breakdowns breakdown or continued substandard performance of any Company IT Systems System that have has caused a material failure significant disruption or disruption interruption in or to the operation of the business, (B) theft, breach, loss, unauthorized acquisition or access, or other misuse of any Personal Information; (C) unauthorized disclosure of electronic communications or Personal Information to any third party, including any Governmental Authority; or (D) breach of the security or other unauthorized access, control, modification or destruction of any IT System. The Company IT Systems other than routine failures or disruptions that have been remediated in and each of its Subsidiaries has implemented reasonable backup, security and disaster recovery technology, plans, procedures and facilities consistent with industry practice.
(d) To the Ordinary Course Knowledge of Business. In the past three (3) yearsCompany, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT SystemsProducts as delivered by the Company and its Subsidiaries do not contain any computer code designed to disrupt, disable, harm, distort or otherwise impede in any manner the legitimate operation of such Company Products by or for the Company or any of its Subsidiaries or its respective authorized users, or any other associated Software, firmware, hardware, computer system or network (including what are sometimes referred to as “viruses,” “worms,” “time bombs” and/or “back doors”).
Appears in 1 contract
Privacy and Data Security. (a) In Except as would not reasonably be expected to be material to the prior three (3) yearsGroup Companies, taken as a whole, the Company and its Subsidiaries have been in compliance with Privacy LawsGroup Companies comply, and since January 1, 2019 have complied, in all material respects with all: (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and applicable Privacy Laws; (ii) obligations imposed upon the Group Company regarding Personal Information under any Contracts; (iii) internal and public-facing privacy, data handling and/or data security policies of the Group Company; and (iv) applicable written policies, public statements and other public representations relating data privacy rules of applicable self-regulatory organizations.
(b) Except as would not reasonably be expected to be material to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its SubsidiariesGroup Companies, taken as a whole.
(b) In , each of the prior three (3) yearsGroup Companies has established and implemented a comprehensive written security plan which implements and monitors commercially reasonable technical and organizational measures designed to safeguard the security, the Privacy confidentiality, integrity and Data Security Policies have at all times been maintained availability of IT Assets and made available to individuals Personal Information, in its possession, custody, or under its control, in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Dataapplicable laws.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to To the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including : (i) no Group Company has suffered any material security breach with respect to any Personal Information (including any such breach of security leading to the Federal Trade Commissionaccidental or unlawful destruction, any state attorney general or similar state officialloss, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing alteration of Personal Data by or on behalf of Information) and/or with respect to the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) IT Assets and there has been no material misuse, destruction, loss or alteration of, or unauthorized Processing of, access to, or unauthorized usedisclosure of, disclosure, or Processing of any Personal Data Information in the possession possession, custody, or control of the Company or its Subsidiaries or any of its contractors with regard to any the Group Companies or Processed by the Group Companies (each, a “Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security IncidentInformation Breach”), ; (ii) there none of the Group Companies have been no unauthorized intrusions experienced any information security incidents that have materially compromised the integrity or breaches availability of security into any Company the IT Systems, and Assets or the data thereon; (iii) none of the Company or any of its Subsidiaries has notified or Group Companies have been legally required to notify provide any notices to any Person as a result of any Personal Information Breach or information security incident.
(Ad) lossSince January 1, theft or damage of2019, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security Group Companies ensure all cross border transfers of Personal Data against any Security Incident, including taking Information are compliant with applicable Privacy Laws in all reasonable steps to safeguard and back up Personal Datamaterial respects.
(e) Each Since January 1, 2019, each of the Company and its Subsidiaries owns Group Companies that have distributed marketing communications to any Person and/or that have engaged (whether directly or has through a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (iithird party) in sufficiently good working condition to effectively perform any TABLE OF CONTENTS direct or behavioral marketing location tracking or customer tracking are compliant with applicable Privacy Laws in all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries material respects.
(except for ordinary wear and tear), except in each case of clauses (if) and (ii), Except as is not and would not reasonably be expected to be, individually or in the aggregate, be material to the Company and its SubsidiariesGroup Companies, taken as a whole. In , the prior three years, there Group Companies have not been sold or rented and are not selling or renting to third parties any material failures, breakdowns or continued substandard performance Personal Information.
(g) None of the Group Companies has received any written notice of any Company IT Systems that have caused a material failure claims, investigations, or disruption alleged violations of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemsapplicable Privacy Laws.
Appears in 1 contract
Privacy and Data Security. (a) In the prior three (3) years, the The Company and its Subsidiaries are, and at all times have been been, in compliance with Privacy Laws, and in all material respects with (i) Contracts all applicable Data Protection Laws; (or portions thereofii) between the Company or its Subsidiaries all applicable contractual obligations concerning data privacy and other Persons security relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data Information in the possession or control of the Company or any of its Subsidiaries or maintained by third parties having access to such information under Contracts (or portions thereof) to which the Company or any of its contractors with regard Subsidiaries is a party; and (iii) the requirements of any privacy or security-related self-regulatory organizations or certifications to which the Company is obligated to adhere (collectively, “Privacy Agreements”). The Company and its Subsidiaries have not transferred any Personal Information across any international borders except in material compliance with applicable Data obtained from Protection Laws.
(b) The Company and its Subsidiaries have in place, maintain, and comply with, a comprehensive written information security program that (i) complies in all material respects with all applicable Data Protection Laws; and (ii) includes and incorporates all administrative, technical, organization, and physical security procedures and measures that are commercially reasonable and appropriate to preserve the confidentiality, integrity, and availability of all Personal Information in the possession or on behalf control of the Company and its Subsidiaries and to protect against Security Breaches.
(c) The Company and its Subsidiaries have had no Security Breaches that have materially impacted the Company or its Subsidiaries or resulted in material Liability to the Company or its Subsidiaries. The Company and its Subsidiaries have not received written notice of any pending, nor has there ever been any Action against the Company or any of its Subsidiaries initiated by (“Security Incident”), i) any Person; or (ii) any other Governmental Authority, alleging that there have has been no unauthorized intrusions a Security Breach or breaches of security into alleging that any Company IT Systems, and (iii) none activity of the Company or any of its Subsidiaries has notified or been required to notify any Person is in violation of any (A) lossapplicable Data Protection Laws, theft or damage ofPrivacy Agreements, or Privacy Policies, and to the Knowledge of Seller, there is no reasonable basis for any such Action.
(Bd) other unauthorized or unlawful access toThe Company and its Subsidiaries are, or use, disclosure or other Processing of, Personal Data, exceptand at all times have been, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each material compliance with all applicable public-facing privacy policies of the Company and its Subsidiaries has implemented commercially reasonable administrativeregarding their privacy policies and practices (collectively, physical and technical safeguardsthe “Privacy Policies”), and ensures that the Privacy Policies have been maintained to be compliant in all material respects with Data Protection Laws and consistent with the actual practices of the Company and its contractors processing Subsidiaries. The Privacy Policies permit the current uses of the Personal Data take such safeguards to protect Information by the confidentiality, integrity Company and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Dataits Subsidiaries.
(e) Each of The Company and its Subsidiaries contractually require all third parties providing services to the Company and its Subsidiaries owns that have access to or has a license receive Personal Information from or other right to use the Company IT Systems as necessary to operate the business on behalf of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as to comply with all applicable Data Protection Laws and to take all commercially reasonable steps to ensure that all Personal Information in such third parties’ possession or control is protected in a whole. In manner that is consistent with the prior three years, there have requirements of the security program.
(f) The execution and delivery of this Agreement and the consummation of the transactions contemplated hereby will not been violate in any material failuresrespects any applicable Data Protection Laws, breakdowns Privacy Policies, or continued substandard performance Privacy Agreements or result in or give rise to any right of termination or other right to impair or limit in any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to respect the Company’s Knowledge, there are no material security deficiencies or vulnerabilities any of its Subsidiaries’ rights to own or use any Personal Information used in or necessary for the Company IT Systemsconduct of their businesses.
Appears in 1 contract
Samples: Stock Purchase Agreement (Heritage-Crystal Clean, Inc.)
Privacy and Data Security. (ai) In The Company and its Subsidiaries have in place (A) administrative, technical and physical safeguards designed to protect against the prior destruction, loss, or alteration of Personal Information, (B) reasonable security measures designed to protect Personal Information, and (C) privacy policies and procedures, all of which safeguards, measures and policies and procedures described in (A) – (C) above meet or exceed the requirements of applicable Law; (ii) the Company and each of its Subsidiaries have complied with applicable Law in all material respects and with all applicable contractual privacy obligations and their respective internal privacy policies and guidelines relating to the collection, storage, use and transfer of Personal Information; (iii) neither the Company nor any of its Subsidiaries is, or, during the preceding three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, under investigation or audit, by any private party or Governmental Authority, arising out of an actual or alleged data privacy or security incident nor, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf Knowledge of the Company Seller Parties, has any private party or its Subsidiaries is Governmental Authority alleged any breach of contract or was in violation of any Privacy Commitments. To the Company’s Knowledgenon-compliance with Law related to a data privacy or security matter, there are no factsand (iv) since January 1, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years2016, (i) there has been (x) to the Knowledge of the Seller Parties, no unauthorized access toaccess, or unauthorized use, disclosure, disclosure or Processing transfer of any Personal Data Information in the possession possession, custody or control of the Company or its Subsidiaries or Company, any of its contractors with regard to any Personal Data obtained from Subsidiaries, or a contractor or agent acting on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii)Subsidiaries, and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards y) no claim communicated to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or any if its Subsidiaries as currently conducted. All Company IT Systems are (i) free in writing from any defectaffected individual nor any written request or inspection from any Governmental Authority that will likely give rise or has given rise to any liability under applicable Law in relation to data protection, bug, virus data security or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemsprivacy.
Appears in 1 contract
Samples: Purchase Agreement (Horace Mann Educators Corp /De/)
Privacy and Data Security. (a) In the prior three (3) yearsSeller is, the Company and its Subsidiaries have has been at all times, in compliance with Privacy Laws, and in all material respects with (i) Contracts (all Data Protection Requirements, and no written claims have been received by, and no written claims, charges or portions thereof) between complaints have been made or, to the Company or its Subsidiaries Knowledge of Seller, Threatened against, Seller alleging a violation of any Data Protection Requirements, and other Persons relating Seller has not been subject to Personal any governmental investigation with regard to any Data and (ii) applicable written policies, public statements and other public representations Protection Requirements. Seller maintains internal privacy policies relating to the Processing use, collection, storage, disclosure and transfer of any Personal DataData collected by it or by third parties having authorized access to the records of the Seller. To the Knowledge of Seller, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby Transactions will not violate any privacy policy, terms of use, Legal Requirements, or therebycontractual obligation relating to the use, are not reasonably expected todissemination, directly or indirectly, result in a violation transfer of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholedata or information.
(b) In Seller has implemented and maintains technical, physical, and administrative measures reasonable and appropriate to protect the prior three (3) yearsoperation, the Privacy confidentiality, integrity, and Data Security Policies have at security of all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to and other confidential information processed by Seller and the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending orinformation technology systems of Seller, to the Company’s knowledgeincluding against unauthorized access, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commissionacquisition, any state attorney general or similar state officialinterruption, (ii) any other Governmental authorityalternation, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledgemodification, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access touse, or unauthorized use, disclosure, other compromise of such information or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries systems (“Security Incident”) and which measures are consistent with industry practices. Except as set forth on Schedule 3.28(b), since the Reference Date, (i) Seller, or any third party acting on its behalf, experienced any Security Incident, (ii) there have been no Seller notified any consumer or regulator of any Security Incident or other unauthorized intrusions processing of Personal Data, or breaches of security into any Company IT Systems, and (iii) none there been any other unauthorized or accidental acquisition or disclosure of material non-public computerized data of Seller that has compromised the Company security, confidentiality or any of its Subsidiaries has notified or been required to notify any Person integrity of any such information. To the Knowledge of Seller, there are no cyber security or other vulnerabilities with respect to its systems, and Seller has not been notified by any third party (including by “white hat” hackers) of any such vulnerabilities, that (i) are unpatched or otherwise unresolved and (ii) could (A) loss, theft or damage of, adversely impact the operation of the systems or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have cause a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.
Appears in 1 contract
Samples: Asset Purchase Agreement (Quanex Building Products CORP)
Privacy and Data Security. (a) In Except as would not reasonably be expected to be material to the prior three (3) yearsGroup Companies, taken as a whole, the Company and its Subsidiaries have been in compliance with Privacy LawsGroup Companies comply, and since January 1, 2019 have complied, in all material respects with all: (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and applicable Privacy Laws; (ii) obligations imposed upon the Group Company regarding Personal Information under any Contracts; (iii) internal and public-facing privacy, data handling and/or data security policies of the Group Company; and (iv) applicable written policies, public statements and other public representations relating data privacy rules of applicable self-regulatory organizations.
(b) Except as would not reasonably be expected to be material to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its SubsidiariesGroup Companies, taken as a whole.
(b) In , each of the prior three (3) yearsGroup Companies has established and implemented a comprehensive written security plan which implements and monitors commercially reasonable technical and organizational measures designed to safeguard the security, the Privacy confidentiality, integrity and Data Security Policies have at all times been maintained availability of IT Assets and made available to individuals Personal Information, in its possession, custody, or under its control, in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Dataapplicable laws.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to To the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including : (i) no Group Company has suffered any material security breach with respect to any Personal Information (including any such breach of security leading to the Federal Trade Commissionaccidental or unlawful destruction, any state attorney general or similar state officialloss, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing alteration of Personal Data by or on behalf of Information) and/or with respect to the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) IT Assets and there has been no material misuse, destruction, loss or alteration of, or unauthorized Processing of, access to, or unauthorized usedisclosure of, disclosure, or Processing of any Personal Data Information in the possession possession, custody, or control of the Company or its Subsidiaries or any of its contractors with regard to any the Group Companies or Processed by the Group Companies (each, a “Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security IncidentInformation Breach”), ; (ii) there none of the Group Companies have been no unauthorized intrusions experienced any information security incidents that have materially compromised the integrity or breaches availability of security into any Company the IT Systems, and Assets or the data thereon; (iii) none of the Company or any of its Subsidiaries has notified or Group Companies have been legally required to notify provide any notices to any Person as a result of any Personal Information Breach or information security incident.
(Ad) lossSince January 1, theft or damage of2019, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security Group Companies ensure all cross border transfers of Personal Data against any Security Incident, including taking Information are compliant with applicable Privacy Laws in all reasonable steps to safeguard and back up Personal Datamaterial respects.
(e) Each Since January 1, 2019, each of the Company and its Subsidiaries owns Group Companies that have distributed marketing communications to any Person and/or that have engaged (whether directly or has through a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (iithird party) in sufficiently good working condition to effectively perform any direct or behavioral marketing location tracking or customer tracking are compliant with applicable Privacy Laws in all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries material respects.
(except for ordinary wear and tear), except in each case of clauses (if) and (ii), Except as is not and would not reasonably be expected to be, individually or in the aggregate, be material to the Company and its SubsidiariesGroup Companies, taken as a whole. In , the prior three years, there Group Companies have not been sold or rented and are not selling or renting to third parties any material failures, breakdowns or continued substandard performance Personal Information.
(g) None of the Group Companies has received any written notice of any Company IT Systems that have caused a material failure claims, investigations, or disruption alleged violations of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systemsapplicable Privacy Laws.
Appears in 1 contract
Samples: Business Combination Agreement (Endurance Acquisition Corp.)
Privacy and Data Security. (a) In the prior three (3) years, The Company and each of the Company Subsidiaries is, and its Subsidiaries have has been within the five (5) year period prior to the date hereof, in material compliance with all applicable Privacy LawsObligations. The Company and each of the Company Subsidiaries has adopted and published privacy notices and policies that accurately describe their respective privacy practices. The Company and each of the Company Subsidiaries maintains appropriate privacy and data security policies, processes, and controls, and an appropriate, comprehensive privacy program, all of which meet or exceed the standards set forth in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by any applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeObligations.
(b) In the prior three (3) years, the Privacy The Company and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices each of the Company or its Subsidiaries with respect has provided all required notices, and obtained all necessary consents, required for them to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Process Personal Data.
(c) There is To the knowledge of the Company, the execution, delivery, performance and consummation of the transactions contemplated by this Agreement (including the Processing of Personal Data in connection therewith) will not cause or constitute a breach or violation of any applicable Privacy Obligations.
(d) The Company and each of the Company Subsidiaries has contractually obligated all third parties Processing Personal Data on their behalf to and take reasonable measures to protect the confidentiality of any Personal Data to which such third party has been provided access.
(e) The Company and each of the Company Subsidiaries has implemented and maintains an information security program comprising reasonable and appropriate physical, administrative and technical safeguards that are (i) appropriate to the size and scope of the Company and any Company Subsidiary and the Personal Data they Process in the conduct of their business, (ii) designed to protect the operation, confidentiality, integrity, availability and security of the Company’s and any of the Company’s Subsidiaries IT systems, and all Personal Data, against unauthorized access, acquisition, interruption, alteration, modification, or use, and (iii) consistent with the Company’s and any of the Company Subsidiaries’ Privacy Obligations. To the knowledge of the Company, within the three (3) years prior three years to the date hereof, neither the Company nor any Company Subsidiary has experienced any material failure of these physical, administrative and technical safeguards.
(f) To the knowledge of the Company, there is not currently pending and there has beennot been within the five (5) year period prior to the date hereof, any claim, action, litigation, investigation, audit, complaint, or other proceeding to, from, by or before any Governmental Entity against the Company or any of the Company’s Subsidiaries with respect to privacy or data security, and, to the knowledge of the Company, there is no material Legal Proceeding pending orreasonable basis for such actions. To the knowledge of the Company, neither the Company nor any of the Company’s Subsidiaries has, within the five (5) year period prior to the date hereof, experienced any Security Incident, nor has, to the Company’s knowledge, threatened against any third party who Processes Personal Data on the Company’s or involving any of the Company or its Company’s Subsidiaries initiated by behalf, experienced any Person (including (i) Security Incident affecting the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation any of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy CommitmentsSubsidiaries.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.
Appears in 1 contract
Samples: Merger Agreement (Virtusa Corp)
Privacy and Data Security. (a) In Except as set forth in section 4.13 of the prior three Disclosure Schedule, in the collection, use, storage and Processing (3including transfer to a third party or to any jurisdiction, to the extent applicable) yearsby the Company or any of its Subsidiaries of any Personal Data, the Company and or such Subsidiarity, its Subsidiaries Personal Data Processors and, to the Company’s Knowledge, its Personal Data Suppliers have been in compliance with Privacy Laws, and complied in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Information Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) yearsLaws, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified and, to the extent obligated by contract to do so, the Privacy Policies of Personal Data Suppliers. The Company and its Subsidiaries have taken commercially reasonable measures to prevent unauthorized use, access or been alteration of Personal Data in their possession or control, which measures are in material compliance with applicable Information Privacy Laws and Privacy Policies. Without limiting the foregoing, (i) the Company and its Subsidiaries and, to the Company’s Knowledge, its Personal Data Suppliers have provided, and in such manner as required under applicable Information Privacy Laws, adequate notices to notify any Person and acquired all necessary consents from Data Subjects for the use, and Processing (including transfer to a third party of any jurisdiction, to the extent applicable) of all Personal Data Processed by the Company or any of its Subsidiaries and otherwise have all requisite legal authority to Process, use and hold (Aincluding transfer to a third party of any jurisdiction, to the extent applicable) lossPersonal Data in the manner it is now Processed by the Company, theft any of its Subsidiaries or damage ofany Personal Data Processor on behalf of the Company or any of its Subsidiaries and (ii) with respect to all Personal Data in the databases owned or licensed by the Company or its Subsidiary, the Company, its Subsidiaries and, to the Company’s Knowledge, its Personal Data Suppliers have provided, where and in such manner as required under applicable Information Privacy Laws, adequate disclosures and notices, requisite consents from Data Subjects and have sufficient legal ground under applicable law to Process such Personal Data in the manner it is now Processed by the Company or its Subsidiary or any Personal Data Processor on behalf of the Company, including transfer to a third party of any jurisdiction, to the extent applicable).
(b) To the extent that the Company or any of its Subsidiaries Processes any financial account numbers (such as credit cards, bank accounts, PayPal accounts, debit cards), passwords, CCV data, or other related data (B) other unauthorized “Cardholder Data”), the Company and/or each of its Subsidiaries as applicable has implemented information security procedures, processes and systems that have at all times met or unlawful access to, or use, disclosure or other exceeded all applicable Laws related to the Processing of, Personal of Cardholder Data, except, in each case of clauses (i), (ii)including those established by applicable Governmental Authorities, and the Payment Card Industry Standards Council (iiiincluding the Payment Card Industry Data Security Standard), as would not have a Company Material Adverse Effect. .
(c) Each of the Company and its Subsidiaries has implemented at all times made available, where and in such manner as required under applicable Information Privacy Laws, a Privacy Policy which materially complies with applicable Information Privacy Laws to Persons (including any Data Subjects) prior to and during the collection of any Personal Data online. Such Privacy Policy, and any other representations, marketing materials and advertisements that address privacy issues and the treatment of Personal Data, accurately and completely describe, in a timely manner in accordance with applicable Law, the Company’s or its Subsidiaries’, as applicable, information collection and use practices, including reasonable safeguards in place designed to protect the privacy, security, and integrity of all Personal Data, and no such notices or disclosures have been misleading or deceptive or, to the Knowledge of the Company, inaccurate. To the Knowledge of the Company, neither the Company nor any of its Subsidiaries has collected or received any Personal Data online from children under the age of 16 without verifiable parental consent or directed any of its websites to children under the age of 16 through which such Personal Data could be obtained.
(d) Other than as set forth on Section 4.13(d) of the Disclosure Schedule, none of the Company or its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Data, except in a manner that complies in all material respects with the applicable Privacy Policies and in compliance with Information Privacy Laws. The execution, delivery and performance of this Agreement and the transactions contemplated herein, including any transfer of Personal Data resulting from the execution, delivery and performance of this Agreement, complies, and will comply with, all Information Privacy Laws, the Privacy Policy of the Company and its Subsidiaries, and, to the extent obligated by contract to do so, the Privacy Policies of Personal Data Suppliers. Following the Closing Date, the Company and its Subsidiaries will continue to be permitted to collect, store, use and disclose Personal Data held by the Company or its Subsidiaries on terms identical to those in effect as of the date of this Agreement and to the same extent they would have been able to had the transactions contemplated by this Agreement not occurred.
(e) None of the Company and its Subsidiaries has received any written notice that it is or has been in material breach of any contractual obligation to limit its use of, secure or otherwise safeguard Personal Data, including any allegation that there has been a material breach of any Business Associate Agreement (i.e., a “business associate contract” as described under HIPAA at 45 C.F.R. § 164.504(e)) to which the Company or any of its Subsidiaries is a party, the EU General Data Protection Regulation, any data protection agreement (including standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council or any equivalent of successor thereof) to which the Company or any of its Subsidiaries is a party or of any violation by the Company or any of its Subsidiaries of their commitments under the EU-US Privacy Shield (as applicable), and, to the Company’s Knowledge, no such breach or violation has occurred within the applicable statute of limitation for a claim arising out of such a breach or violation. The Company and its Subsidiaries have in place and follows commercially reasonable administrativeprocedures designed to ensure that all written contracts with Confidential Data Processors require that such Confidential Data Processor Process Data in compliance with the Information Privacy Laws, physical the Company’s or its Subsidiaries’ Privacy Policy and technical safeguardsthe Company’s or its Subsidiaries’ obligations under any contract that governs the Processing of any Confidential Data.
(f) Except as set forth on Section 4.13(f) of the Disclosure Schedule, (i) neither the Company nor any of its Subsidiaries has experienced any unauthorized access to, disclosure, deletion or other misuse of, any Personal Data in its possession or control (a “Security Incident”) or made or been required to make any disclosure, notification or take any other action under any applicable Information Privacy Laws in connection with any Security Incident, (ii) no Confidential Data Processor has experienced any Security Incident or made or been required to make any disclosure, notification or take any other action under any applicable Information Privacy Laws in connection with any Security Incident with respect to any Personal Data Processed by it for the Company or for any of its Subsidiaries, (iii) to the Company’s Knowledge, no Personal Data Supplier has experienced any Security Incident or made or has been required to make any disclosure, notification or take any other action under any applicable Information Privacy Laws in connection with any Security Incident with respect to any Personal Data provided by it to the Company or to any of its Subsidiaries. The Company and each of its Subsidiaries has made all notifications to Data Subjects, customers or individuals required to be made by the Company or any of its Subsidiaries (as applicable) under any applicable Information Privacy Laws arising out of or relating to any event of unauthorized access to or disclosure or acquisition of any Personal Data by any person of which the Company has Knowledge.
(g) No action, audit, assessment, suit, legal proceeding, investigation, administrative enforcement proceeding or arbitration proceeding before any court, administrative body or Governmental Authority has been filed or commenced against the Company, any of its Subsidiaries or, to the Company’s Knowledge, threatened against the Company or its Subsidiaries, alleging any failure to comply with any Information Privacy Laws, and ensures that the Company and each of its contractors processing Subsidiaries has not incurred any material liabilities under any Information Privacy Laws. To the Company’s Knowledge, no Action has been filed, commenced or threatened against any Personal Data take such safeguards Supplier or Confidential Data Processor with respect to any Personal Data supplied to or Confidential Data Processed for the Company and each of its Subsidiaries.
(h) The Company, its Subsidiaries and its third-party service provider(s), if applicable, have implemented appropriate technical and organizational security measures to protect the confidentiality, integrity and security of Personal Data the IT Assets (and information stored or contained therein or transmitted thereby) against any Security Incidentunauthorized use, including taking all reasonable steps to safeguard and back up Personal Dataaccess, disclosure, loss, destruction, interruption, modification or corruption.
(ei) Each of In the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each Processing by the Company or any of its Subsidiaries as currently conducted. All Company IT Systems are (i) free from of any defectPersonal Data, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation each of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three yearsits Confidential Data Processors and, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies its Personal Data Suppliers has materially complied with all applicable Information Privacy Laws and applicable codes of practice in relation to marketing, advertising and profiling activities, as well as the placing of cookies on the Company’s or vulnerabilities in the Company IT Systemsits Subsidiaries’ websites, including providing any notices an disclosures and obtaining any consents as necessary under applicable Laws.
Appears in 1 contract
Privacy and Data Security. (a) In Except as set forth in section 4.13 of the prior three Disclosure Schedule, in the collection, use, storage and Processing (3including transfer to a third party or to any jurisdiction, to the extent applicable) yearsby the Company or any of its Subsidiaries of any Personal Data, the Company and or such Subsidiarity, its Subsidiaries Personal Data Processors and, to the Company’s Knowledge, its Personal Data Suppliers have been in compliance with Privacy Laws, and complied in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Information Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) yearsLaws, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified and, to the extent obligated by contract to do so, the Privacy Policies of Personal Data Suppliers. The Company and its Subsidiaries have taken commercially reasonable measures to prevent unauthorized use, access or been alteration of Personal Data in their possession or control, which measures are in material compliance with applicable Information Privacy Laws and Privacy Policies. Without limiting the foregoing, (i) the Company and its Subsidiaries and, to the Company’s Knowledge, its Personal Data Suppliers have provided, and in such manner as required under applicable Information Privacy Laws, adequate notices to notify any Person and acquired all necessary consents from Data Subjects for the use, and Processing (including transfer to a third party of any jurisdiction, to the extent applicable) of all Personal Data Processed by the Company or any of its Subsidiaries and otherwise have all requisite legal authority to Process, use and hold (Aincluding transfer to a third party of any jurisdiction, to the extent applicable) lossPersonal Data in the manner it is now Processed by the Company, theft any of its Subsidiaries or damage ofany Personal Data Processor on behalf of the Company or any of its Subsidiaries and (ii) with respect to all Personal Data in the databases owned or licensed by the Company or its Subsidiary, the Company, its Subsidiaries and, to the Company’s Knowledge, its Personal Data Suppliers have provided, where and in such manner as required under applicable Information Privacy Laws, adequate disclosures and notices, requisite consents from Data Subjects and have sufficient legal ground under applicable law to Process such Personal Data in the manner it is now Processed by the Company or its Subsidiary or any Personal Data Processor on behalf of the Company, including transfer to a third party of any jurisdiction, to the extent applicable).
(b) To the extent that the Company or any of its Subsidiaries Processes any financial account numbers (such as credit cards, bank accounts, PayPal accounts, debit cards), passwords, CCV data, or other related data (B) other unauthorized “Cardholder Data”), the Company and/or each of its Subsidiaries as applicable has implemented information security procedures, processes and systems that have at all times met or unlawful access to, or use, disclosure or other exceeded all applicable Laws related to the Processing of, Personal of Cardholder Data, except, in each case of clauses (i), (ii)including those established by applicable Governmental Authorities, and the Payment Card Industry Standards Council (iiiincluding the Payment Card Industry Data Security Standard), as would not have a Company Material Adverse Effect. .
(c) Each of the Company and its Subsidiaries has implemented at all times made available, where and in such manner as required under applicable Information Privacy Laws, a Privacy Policy which materially complies with applicable Information Privacy Laws to Persons (including any Data Subjects) prior to and during the collection of any Personal Data online. Such Privacy Policy, and any other representations, marketing materials and advertisements that address privacy issues and the treatment of Personal Data, accurately and completely describe, in a timely manner in accordance with applicable Law, the Company’s or its Subsidiaries’, as applicable, information collection and use practices, including reasonable safeguards in place designed to protect the privacy, security, and integrity of all Personal Data, and no such notices or disclosures have been misleading or deceptive or, to the Knowledge of the Company, inaccurate. To the Knowledge of the Company, neither the Company nor any of its Subsidiaries has collected or received any Personal Data online from children under the age of 16 without verifiable parental consent or directed any of its websites to children under the age of 16 through which such Personal Data could be obtained. 50
(d) Other than as set forth on Section 4.13(d) of the Disclosure Schedule, none of the Company or its Subsidiaries sells, rents or otherwise makes available to any Person any Personal Data, except in a manner that complies in all material respects with the applicable Privacy Policies and in compliance with Information Privacy Laws. The execution, delivery and performance of this Agreement and the transactions contemplated herein, including any transfer of Personal Data resulting from the execution, delivery and performance of this Agreement, complies, and will comply with, all Information Privacy Laws, the Privacy Policy of the Company and its Subsidiaries, and, to the extent obligated by contract to do so, the Privacy Policies of Personal Data Suppliers. Following the Closing Date, the Company and its Subsidiaries will continue to be permitted to collect, store, use and disclose Personal Data held by the Company or its Subsidiaries on terms identical to those in effect as of the date of this Agreement and to the same extent they would have been able to had the transactions contemplated by this Agreement not occurred.
(e) None of the Company and its Subsidiaries has received any written notice that it is or has been in material breach of any contractual obligation to limit its use of, secure or otherwise safeguard Personal Data, including any allegation that there has been a material breach of any Business Associate Agreement (i.e., a “business associate contract” as described under HIPAA at 45 C.F.R. § 164.504(e)) to which the Company or any of its Subsidiaries is a party, the EU General Data Protection Regulation, any data protection agreement (including standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council or any equivalent of successor thereof) to which the Company or any of its Subsidiaries is a party or of any violation by the Company or any of its Subsidiaries of their commitments under the EU-US Privacy Shield (as applicable), and, to the Company’s Knowledge, no such breach or violation has occurred within the applicable statute of limitation for a claim arising out of such a breach or violation. The Company and its Subsidiaries have in place and follows commercially reasonable administrativeprocedures designed to ensure that all written contracts with Confidential Data Processors require that such Confidential Data Processor Process Data in compliance with the Information Privacy Laws, physical the Company’s or its Subsidiaries’ Privacy Policy and technical safeguardsthe Company’s or its Subsidiaries’ obligations under any contract that governs the Processing of any Confidential Data.
(f) Except as set forth on Section 4.13(f) of the Disclosure Schedule, (i) neither the Company nor any of its Subsidiaries has experienced any unauthorized access to, disclosure, deletion or other misuse of, any Personal Data in its possession or control (a “Security Incident”) or made or been required to make any disclosure, notification or take any other action under any applicable Information Privacy Laws in connection with any Security Incident, (ii) no Confidential Data Processor has experienced any Security Incident or made or been required to make any disclosure, notification or take any other action under any applicable Information Privacy Laws in connection with any Security Incident with respect to any Personal Data Processed by it for the Company or for any of its Subsidiaries, (iii) to the Company’s Knowledge, no Personal Data Supplier has experienced any Security Incident or made or has been required to make any disclosure, notification or take any other action under any applicable Information Privacy Laws in connection with any Security Incident with respect to any Personal Data provided by it to the Company or to any of its Subsidiaries. The Company and each of its Subsidiaries has made all notifications to Data Subjects, customers or individuals required to be made by the Company or any of its Subsidiaries (as applicable) under any applicable Information Privacy Laws arising out of or relating to any event of unauthorized access to or disclosure or acquisition of any Personal Data by any person of which the Company has Knowledge.
(g) No action, audit, assessment, suit, legal proceeding, investigation, administrative enforcement proceeding or arbitration proceeding before any court, administrative body or Governmental Authority has been filed or commenced against the Company, any of its Subsidiaries or, to the Company’s Knowledge, threatened against the Company or its Subsidiaries, alleging any failure to comply with any Information Privacy Laws, and ensures that the Company and each of its contractors processing Subsidiaries has not incurred any material liabilities under any Information Privacy Laws. To the Company’s Knowledge, no Action has been filed, commenced or threatened against any Personal Data take such safeguards Supplier or Confidential Data Processor with respect to any Personal Data supplied to or Confidential Data Processed for the Company and each of its Subsidiaries.
(h) The Company, its Subsidiaries and its third-party service provider(s), if applicable, have implemented appropriate technical and organizational security measures to protect the confidentiality, integrity and security of Personal Data the IT Assets (and information stored or contained therein or transmitted thereby) against any Security Incidentunauthorized use, including taking all reasonable steps to safeguard and back up Personal Dataaccess, disclosure, loss, destruction, interruption, modification or corruption.
(ei) Each of In the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each Processing by the Company or any of its Subsidiaries as currently conducted. All Company IT Systems are (i) free from of any defectPersonal Data, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation each of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three yearsits Confidential Data Processors and, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies its Personal Data Suppliers has materially complied with all applicable Information Privacy Laws and applicable codes of practice in relation to marketing, advertising and profiling activities, as well as the placing of cookies on the Company’s or vulnerabilities in the Company IT Systemsits Subsidiaries’ websites, including providing any notices an disclosures and obtaining any consents as necessary under applicable Laws.
Appears in 1 contract
Samples: Share Purchase Agreement
Privacy and Data Security. (a) In Except as, individually or in the prior three aggregate, has not had and would not reasonably be expected to have a Company Material Adverse Effect, (3i) years, the Company and its the Company Subsidiaries have been in compliance with Privacy Lawsare, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained been, in compliance with all Privacy Obligations and made available to individuals in accordance with reasonable industry practices and as required by Privacy all Cybersecurity Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of and the Company or its Subsidiaries or any of its contractors have adopted and published privacy notices and policies that accurately describe their privacy practices, and complied and are in compliance with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systemsthose privacy notices and policies, and (iii) none of the Company representations or disclosures made or contained in any of its Subsidiaries has notified such privacy notices or policies are or have been required to notify any Person inaccurate, misleading or deceptive in violation of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal DataPrivacy Obligation.
(eb) Each of Except as, individually or in the Company and its Subsidiaries owns or aggregate, has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not had and would not reasonably be expected to behave a Company Material Adverse Effect, (i) the Company and the Company Subsidiaries have taken commercially reasonable steps to limit access to Personal Information and Sensitive Data by the personnel of the Company and the Company Subsidiaries and subcontractors and third-party vendors providing services to or on behalf of the Company and the Company Subsidiaries, in each case, to those who have a need to access such Personal Information in the execution of their duties to the Company and the Company Subsidiaries, and (ii) to the knowledge of the Company, the Company and the Company Subsidiaries have neither intercepted or made unauthorized use of the audio, written, or electronic content of communications to which they have access, nor divulged, sold, shared, or otherwise made available such content or records regarding such communications to Governmental Authorities without receipt of written legal process that is valid in the jurisdiction where served, in each case, in violation of applicable Law.
(c) Except as, individually or in the aggregate, material has not had and would not reasonably be expected to have a Company Material Adverse Effect, the Company and the Company Subsidiaries have, where required under applicable Privacy Obligations and Cybersecurity Laws, contractually obligated all third parties Processing Personal Information on their behalf to (i) comply with all applicable Privacy Obligations and Cybersecurity Laws, (ii) take reasonable steps to protect and secure Sensitive Data from any Security Breaches, and (iii) comply with all other obligations required to be incorporated into such contracts by applicable Privacy Obligations and Cybersecurity Laws.
(d) Except as, individually or in the aggregate, has not had and would not reasonably be expected to have a Company Material Adverse Effect, the Company and the Company Subsidiaries are, and have at all times been, in compliance with all Privacy Obligations and all Cybersecurity Laws, in each case, relating to network security, cyber security, Processing of Sensitive Data, third party data transfers, cross border data transfers, data localization, and data sharing with judicial, regulatory, or law enforcement authorities.
(e) None of the Company or Company Subsidiaries owns, controls, or operates any critical information infrastructure (as such term is defined under applicable Laws of the People’s Republic of China) located in the People’s Republic of China, nor Processes any important data (as such term is defined under applicable Laws of the People’s Republic of China).
(f) Except as, individually or in the aggregate, has not had and would not reasonably be expected to have a Company Material Adverse Effect, the execution, delivery, and performance by the Company of each Transaction Agreement to which it is a party, and consummation of the Merger (including the Company’s Processing of Personal Information in connection therewith), will not result in any violation by the Company and the Company Subsidiaries of the Company’s and Company Subsidiaries’ applicable privacy notices and policies and any applicable Privacy Obligations.
(g) Except as, individually or in the aggregate, has not had and would not reasonably be expected to have a Company Material Adverse Effect, (i) the Company, the Company Subsidiaries, and, to the knowledge of the Company, all third parties Processing Sensitive Data on behalf of the Company or the Company Subsidiaries have not experienced, nor, to the knowledge of the Company, have there been third-party claims to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused Subsidiaries alleging, a material failure or disruption Security Breach, (ii) neither the Company nor any of the Company IT Systems Subsidiaries have notified in writing, nor been required by any applicable Privacy Obligation to notify in writing, any Person of any Security Breach, (iii) neither the Company nor any of the Company Subsidiaries have, since January 1, 2019 received any written notice of any claims, investigations (including investigations by a Governmental Authority), or allegations regarding any violation of Laws or other than routine failures Privacy Obligations by the Company or disruptions that any of the Company Subsidiaries with respect to Personal Information possessed by the Company or any of the Company Subsidiaries or any violation of any Cybersecurity Laws by the Company or any of the Company Subsidiaries, and (iv) the Company and the Company Subsidiaries are not currently involved in, and have never been remediated involved in, any Actions related to any Privacy Obligations or violations of any Cybersecurity Laws.
(h) Except as, individually or in the Ordinary Course aggregate, has not had and would not reasonably be expected to have a Company Material Adverse Effect, the Company and the Company Subsidiaries have implemented and maintain an information security program that comprises commercially reasonable and appropriate organizational, physical, administrative and technical safeguards to protect against unauthorized access to, or use of, or loss of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and access to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in Company Subsidiaries’ IT Systems and all Sensitive Data Processed by the Company IT Systemsor Company Subsidiaries in compliance with all Privacy Obligations and Cybersecurity Laws applicable to the Company or the Company Subsidiaries.
Appears in 1 contract
Privacy and Data Security. (i) The Company and its Subsidiaries have (i) complied in all material respects with its applicable privacy and data protection policies, procedures, and applicable Information Privacy and Security Laws with respect to Personal Data that is accessed, collected, possessed by or otherwise subject to the use or control of the Company or any of its Subsidiaries; (ii) implemented and maintained measures, including appropriate technical, physical and administrative safeguards, sufficient to ensure that the Company and its Subsidiaries and the operation of the businesses of the Company and its Subsidiaries materially complies with (a) In applicable Information Privacy and Security Laws, (b) any notice to or consent from the prior three individual to whom the Personal Data relate(s) (3“Data Subjects”), (c) yearsany policy adopted by the Company or any of its Subsidiaries, (d) any Company Material Contract made by any of the Company or its Subsidiaries that is applicable to such Personal Data or (e) any information technology or privacy policy or privacy statement from time to time published or otherwise made available to Data Subjects and (iii) in connection with each third party servicing, outsourcing or similar arrangement involving Personal Data used, processed, stored, transferred, collected or otherwise exploited in connection with the businesses of the Company and its Subsidiaries, contractually obligated any such third party service provider to (w) comply with the applicable Information Privacy and Security Laws with respect to Personal Data, (x) protect and secure from loss or damage, unauthorized access, use, disclosure or modification, or any other misuse of Personal Data, (y) restrict use of Personal Data to those authorized or required under the servicing, outsourcing or similar arrangement and (z) certify or guarantee the return or adequate disposal of Personal Data. The Company and its Subsidiaries have the right (and upon consummation of this Agreement will have the right) to use all of the Personal Data in each of its databases in the operation of the business conducted by the Company and its Subsidiaries. Except for disclosures of Personal Data required or permitted by applicable Legal Requirements, or authorized by a Data Subject or other party authorized to permit disclosure, the Company and its Subsidiaries have not sold, leased, transferred or otherwise made available to third parties any Personal Data. The execution of this Agreement and the consummation of the transactions contemplated hereby do not violate any privacy policy, Company Material Contract or Information Privacy and Security Laws. For the avoidance of doubt, the term “privacy” as used in this Section 7K includes the concepts of data protection and data security.
(ii) The Company and each of its Subsidiaries is in and, since the date compliance became required, has been in compliance in all material respects with, the applicable requirements of HIPAA, state privacy laws and other Legal Requirements applicable to the privacy and security of Personal Data. When acting as a Business Associate of a Covered Entity or as a Subcontractor of a Business Associate (such terms as defined by HIPAA), the Company and its Subsidiaries have in effect agreements with Privacy Lawseach such Covered Entity and Business Associate, as applicable, that satisfy the requirements of HIPAA in all material respects (“BA Agreements”). Except as disclosed in Section 7K(ii) of the Company Disclosure Letter, the Company and its Subsidiaries have in effect with each entity acting as a Business Associate or Subcontractor (as defined in HIPAA) of the Company, an agreement that satisfies the requirements of HIPAA in all material respects (“Vendor BA Agreements”).
(iii) The Company and each of its Subsidiaries is, and has been, in compliance in all material respects with (i) Contracts (all contracts or portions thereof) other arrangements in effect between the Company and its customers that apply to or its Subsidiaries and other Persons relating to restrict the use, disclosure or security of Personal Data Data, including BA Agreements; and (ii) applicable written policies, public statements all contracts or other arrangements between the Company and vendors and other public representations relating business partners that apply to or restrict the Processing use, disclosure or security of Personal Data by such vendors and other business partners, including Vendor BA Agreements (such contracts or other arrangements referenced in clauses (ii) and (iii) collectively referred to as “Privacy Agreements”). To the extent required by applicable Legal Requirements, the Company and its Subsidiaries have in place, and has complied and is in compliance in all material respects with, written policies to protect the security and privacy of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The Company and its Subsidiaries have the right pursuant to the Privacy Agreements and its privacy and security policies to use and disclose Personal Data for the purpose such information is and has been used and disclosed. Neither the execution, delivery and or performance by the Company of this Agreement to which the Company is or will be a partyany Transaction Document, and nor the consummation of any of the transactions contemplated hereby by this Agreement, including the Merger, or therebyany Transaction Document, are not reasonably expected toincluding the direct or indirect transfer of Personal Data resulting from such transactions, directly will violate any of the Company’s or indirectly, result in a violation of its Subsidiaries’ policies or any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeAgreements.
(biv) In the prior three (3) yearsThe Company and each of its Subsidiaries have maintained, the Privacy commercially reasonable physical, technical, organizational and administrative security safeguards designed to protect all Personal Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required collected by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform from and against unauthorized access, use and/or disclosure and that comply in all material respects to the with all Privacy Agreements and Data Security Policies that govern such applicable Legal Requirements regarding Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to . To the Company’s knowledge, threatened against or involving no Person has submitted a written request to the Company to withdraw his or its Subsidiaries initiated by her consent to any Person (including (i) the Federal Trade Commission, any state attorney general use or similar state official, (ii) any other Governmental authority, foreign processing of his or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of her Personal Data or submitted a written request for erasure of their Personal Data by the Company in the three (3) years prior to the date of this Agreement where the Company has not complied with such request.
(v) Except as set forth on Section 7K(v) of the Company Disclosure Letter, there have not been any material non-permitted uses or disclosures, material security incidents, or material breaches involving Personal Data held or collected by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of Subsidiaries. Neither the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or nor any of its Subsidiaries has notified or been required is subject to notify any Person of pending Proceeding nor, to the Company’s knowledge, is any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of Proceeding threatened against the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledgeknowledge, there no such Proceedings are no material security deficiencies likely to be asserted or vulnerabilities in threatened against the Company) by any third party or entity, including any Governmental Entity, alleging (i) a violation of the Company’s policies or any Privacy Agreements; (ii) a violation of any third party or entity’s privacy rights under any Legal Requirements; or (iii) the failure of the Company IT Systemswith respect to any security audit.
(vi) The Company and each of its Subsidiaries has not, since December 31, 2013, notified any affected individual, any customer, any Governmental Entity, or the media of any breach of Personal Data. The Company and its Subsidiaries are not currently planning to conduct any such notification.
Appears in 1 contract
Privacy and Data Security. (a) In The Company has a privacy policy regarding the prior collection, use and disclosure of personal information in connection with the operation of the Business for which the Company is the “controller” or similarly responsible under applicable Laws regarding the collection, retention, use and protection of personal information, or otherwise held or processed on its behalf and the Company is and has been in material compliance with such privacy policy. The Company has posted a privacy policy in a clear and conspicuous location on all public websites owned or operated by the Company.
(b) Without limiting the generality of Section 4.14, the Company has in the past three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Laws, and years complied in all material respects with (i) Contracts (or portions thereof) between all applicable Laws regarding the Company or its Subsidiaries collection, retention, use and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing protection of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Datapersonal information.
(c) There is (and in Without limiting the prior three years there has been) no material Legal Proceeding pending orgenerality of Section 4.16(b), the Company and, to the Knowledge of the Company’s knowledge, threatened against each other party thereto is in material compliance with the terms of all Material Contracts relating to data privacy, security or involving the Company or its Subsidiaries initiated by any Person breach notification (including (i) provisions that impose conditions or restrictions on the Federal Trade Commissioncollection, any state attorney general use, disclosure, transmission, destruction, maintenance, storage or similar state officialsafeguarding of personal information), (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitmentsif any.
(d) In No Person (including any Governmental Authority) has, in the prior past three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of commenced any Action against the Company relating to the Company’s information privacy or its Subsidiaries data security practices relating to the personal information of consumers, including with respect to the access, disclosure or any use of its contractors with regard to any Personal Data obtained from personal information of consumers maintained by or on behalf of the Company or its Subsidiaries (“Security Incident”)Company, or, (ii) there have been no unauthorized intrusions to the Knowledge of the Company, threatened any such Action, or breaches made any complaint or investigation relating to such practices.
(e) The execution, delivery and performance of security into this Agreement and the consummation of the contemplated transactions, including any Company IT Systemstransfer of personal information resulting from such transactions, and (iii) none will not violate the privacy policy of the Company or any of its Subsidiaries as it currently exists.
(f) The Company has notified or been required to notify any Person of any (A) lossestablished and implemented policies, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, exceptprograms and procedures that are commercially reasonable, in each case of clauses (i)material compliance with applicable industry practices and appropriate, (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable including administrative, technical and physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data personal information for which the Company is the “controller” or similarly responsible under applicable Laws regarding the collection, retention, use and protection of personal information against any Security Incidentunauthorized access, including taking all reasonable steps to safeguard and back up Personal Datause, modification, disclosure or other misuse.
(eg) Each Without limiting the generality of Section 4.15, to the Knowledge of the Company and its Subsidiaries owns or Company, the Business has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) not in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) yearsyears experienced any material loss, there have been no (except to the extent completely remediated)damage, and to the Company’s Knowledgeor unauthorized access, there are no material disclosure, use or breach of security deficiencies or vulnerabilities in of any personal information for which the Company IT Systemsis the “controller” or similarly responsible under applicable Laws regarding the collection, retention, use and protection of personal information or otherwise held or processed on its behalf that has not been cured or otherwise resolved.
Appears in 1 contract
Privacy and Data Security. (a) In the prior three (3) years, the Company Buddy’s and its Subsidiaries have been comply in compliance with Privacy Lawsall respects with, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals complied in accordance with reasonable industry practices and as required by Privacy all respects with, all applicable Data Protection Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of except where the Company or its Subsidiaries failure to comply with respect to the Processing of Personal all applicable Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and Protection Laws would not reasonably be expected to behave, individually or in the aggregate, material a Buddy’s Material Adverse Effect.
(b) Neither Buddy’s nor any of its Subsidiaries have received any written subpoenas, demands or other notices from any Governmental Authority investigating, inquiring into or otherwise relating to any actual or potential violation of any Data Protection Law and, to the Company Knowledge of Buddy’s, neither Buddy’s nor any of its Subsidiaries are under investigation by any Governmental Authority for any actual or potential violation of any Data Protection Law, except where any such subpoena demand or other notice or investigation would not reasonably be expected to have, individually or in the aggregate, a Buddy’s Material Adverse Effect.
(c) Buddy’s and its SubsidiariesSubsidiaries have each taken commercially reasonable steps, taken compliant with applicable Data Protection Laws, to protect Personal Data in the possession and/or control of Buddy’s or its Subsidiaries from unauthorized use, access, disclosure and modification, except where the failure to take such commercially reasonable steps would not reasonably be expected to have, individually or in the aggregate, a Buddy’s Material Adverse Effect.
(d) Since May 1, 2016, to the Knowledge of Buddy’s, except as a whole. In set forth in Section 4.26(d) of the prior three yearsBuddy’s Disclosure Letter, there have not been neither Buddy’s nor any material of its Subsidiaries has experienced any failures, breakdowns crashes, security breaches, unauthorized access, use, disclosure, or continued substandard performance modification, or other adverse events or incidents related to Personal Data that would require notification of individuals, law enforcement, or any Company IT Systems that have caused a material failure Governmental Authority or disruption of the Company IT Systems other than routine failures any remedial action under any Data Protection Laws, except as would not reasonably be expected to have, individually or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) yearsaggregate, there have been no (except to the extent completely remediated), and to the Companya Buddy’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT SystemsMaterial Adverse Effect.
Appears in 1 contract
Samples: Merger Agreement (Liberty Tax, Inc.)
Privacy and Data Security. (a) In The Acquired Companies comply with, and have complied at all times in all material respects with all Data Security Requirements, and all generally accepted industry standards in relation to Personal Information as applicable to the Acquired Companies. The disclosure of any Personal Information to the Purchaser in connection with the execution, delivery or performance of this Agreement or any of the other agreements, instruments or documents contemplated hereby; or the consummation of any of the transactions contemplated by this Agreement, will not result in any violation of any Data Security Requirement, provided that the Parties comply with Section 6.9 of this Agreement.
(b) No Personal Information other than the Personal Information specifically requested by the Purchaser has been disclosed to the Purchaser prior to closing the transactions contemplated by this Agreement, and the Acquired Companies and/or the Vendors have rendered anonymized all information requested by the Purchaser to the extent reasonably required by Applicable Laws prior to disclosure of such information to the Purchaser.
(c) The Acquired Companies have at all times timely filed all material reports, applications, statements, documents, registrations, filings, amendments and submissions required to be filed under applicable Data Security Requirements.
(d) The Acquired Companies have not, within the preceding three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Lawsreceived any subpoena, and in all material respects with (i) Contracts (demand, or portions thereof) between the Company other written notice from any Governmental Entity investigating, inquiring into, or its Subsidiaries and other Persons otherwise relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is any actual or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries Security Requirement or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps nor is any of the Acquired Companies otherwise aware that it is under investigation by any Governmental Entity for any actual or potential violation of any Data Security Requirement or relating to safeguard and back up Personal Dataany Data Security Incident. No notice, complaint, claim, enforcement action, or litigation of any kind has been threatened in writing, served on, initiated or otherwise asserted, against the Acquired Companies relating to any actual or potential violation of any Data Security Requirements or any Data Security Incident, or under any applicable industry standards as applicable to the Acquired Companies.
(e) Each of To the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defectVendors’ Knowledge, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past preceding three (3) years, there have been no Data Security Incidents related to Personal Information in the custody and control of the Acquired Companies; no breach or violation of the Acquired Companies’ information security program has occurred or is threatened in writing, and there has been no unauthorized or illegal use of or access to any Personal Information; and the Acquired Companies have not been notified or been required to notify any person of any Data Security Incidents related to Personal Information.
(except f) The Acquired Companies are not (or for the past three (3) years has not been) in breach of any reporting or notification requirements regarding any Data Security Incident that has been discovered by or made known to the extent completely remediated)Corporation, and whether pursuant to the Company’s Knowledge, there are no material security deficiencies any applicable Data Security Requirements or vulnerabilities in the Company IT Systemsany other Applicable Law.
Appears in 1 contract
Privacy and Data Security. (a) In The Company has a privacy policy regarding the prior collection, use and disclosure of personal information in connection with the operation of the Business for which the Company is the “controller” or similarly responsible under applicable Laws regarding the collection, retention, use and protection of personal information, or otherwise held or processed on its behalf and the Company is and has been in material compliance with such privacy policy. The Company has posted a privacy policy in a clear and conspicuous location on all public websites owned or operated by the Company.
(b) Without limiting the generality of Section 4.09, the Company has in the past three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Laws, and years complied in all material respects with (i) Contracts (or portions thereof) between all applicable Laws regarding the Company or its Subsidiaries collection, retention, use and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing protection of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Datapersonal information.
(c) There is (and in Without limiting the prior three years there has been) no material Legal Proceeding pending orgenerality of Section 4.12(b), the Company and, to the Knowledge of the Company’s knowledge, threatened against each other party thereto is in material compliance with the terms of all Material Contracts relating to data privacy, security or involving the Company or its Subsidiaries initiated by any Person breach notification (including (i) provisions that impose conditions or restrictions on the Federal Trade Commissioncollection, any state attorney general use, disclosure, transmission, destruction, maintenance, storage or similar state officialsafeguarding of personal information), (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitmentsif any.
(d) In No Person (including any Governmental Authority) has, in the prior past three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of commenced any Action against the Company relating to the Company’s information privacy or its Subsidiaries data security practices relating to the personal information of consumers, including with respect to the access, disclosure or any use of its contractors with regard to any Personal Data obtained from personal information of consumers maintained by or on behalf of the Company or its Subsidiaries (“Security Incident”)Company, or, (ii) there have been no unauthorized intrusions to the Knowledge of the Company, threatened any such Action, or breaches made any complaint or investigation relating to such practices.
(e) The execution, delivery and performance of security into this Agreement and the consummation of the contemplated transactions, including any Company IT Systemstransfer of personal information resulting from such transactions, and (iii) none will not violate the privacy policy of the Company or any of its Subsidiaries as it currently exists.
(f) The Company has notified or been required to notify any Person of any (A) lossestablished and implemented policies, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, exceptprograms and procedures that are commercially reasonable, in each case of clauses (i)material compliance with applicable industry practices and appropriate, (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable including administrative, technical and physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data personal information for which the Company is the “controller” or similarly responsible under applicable Laws regarding the collection, retention, use and protection of personal information against any Security Incidentunauthorized access, including taking all reasonable steps to safeguard and back up Personal Datause, modification, disclosure or other misuse.
(eg) Each Without limiting the generality of Section 4.11, the Company and its Subsidiaries owns or Business has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) not in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) yearsyears experienced any loss, there have been no (except to the extent completely remediated)damage, and to the Company’s Knowledgeor unauthorized access, there are no material disclosure, use or breach of security deficiencies or vulnerabilities in of any personal information for which the Company IT Systemsis the “controller” or similarly responsible under applicable Laws regarding the collection, retention, use and protection of personal information or otherwise held or processed on its behalf.
Appears in 1 contract
Privacy and Data Security. (a) In the prior three (3) years, the The Company and its Subsidiaries have been is currently in compliance with Privacy Lawsthe injunctive provisions and obligations imposed on it by the February 23, 2010 order and the December 22, 2015 order entered by the United States District Court for the District of Arizona in the matter of Federal Trade Commission v. LifeLock, Inc., as amended by the Court’s January 4, 2016 order (together, the “FTC Order”), and has not since January 4, 2016 been informed by the FTC that it is not in all material respects compliance with (i) Contracts (the FTC Order or portions thereof) between received any correspondence from the Company or its Subsidiaries and other Persons FTC relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and any such Contracts, “Privacy Commitments”)noncompliance. The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are Except as would not reasonably be expected to, directly or indirectly, to result in a violation of any Privacy Commitments that would be materially adverse material liability to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy Company and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices each of the Company or its Subsidiaries with respect (i) has adopted and published from time to the Processing time privacy policies describing its collection, use and transfer of Personal Data conform personal information about users of its products and services (each, a “Company Privacy Policy”); (ii) is in compliance in all material respects with (A) each applicable Company Privacy Policy and (B) all applicable Laws and regulations pertaining to privacy and personally identifiable information of the users of its products and services (“Data and Privacy Laws”); (iii) maintains a documented information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers; and (iv) takes commercially reasonable steps to protect such personally identifiable information maintained on its systems from unauthorized third-party access and acquisition. Except as would not be reasonably expected to result in a material liability to the Privacy Company and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending orits Subsidiaries, taken as a whole, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf Knowledge of the Company or as of the date of this Agreement, the Company and each of its Subsidiaries is or was in violation has not at any time since January 1, 2015, suffered any security breach of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for of its systems resulting in any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized third-party access to, or unauthorized use, disclosure, or Processing acquisition of Personal Data in the possession or control any personally identifiable information of the Company or its Subsidiaries or any users of its contractors with regard to any Personal Data obtained from or products and services stored on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), such systems. Except as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, be material to the Company and its Subsidiaries, taken as a whole. In , the prior three years, there have Merger will not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities result in the Company IT Systemsor any of its Subsidiaries being in breach of any Data and Privacy Laws.
Appears in 1 contract
Samples: Merger Agreement (Lifelock, Inc.)
Privacy and Data Security. (a) In The Company and the Company Subsidiaries in the five (5) years prior three to the date hereof has, in all material respects, complied with all Privacy Laws and binding data processing industry standards or frameworks applicable to the Company or the Company Subsidiaries, including in relation to (3i) yearsspam, unsolicited communications, marketing, (ii) any privacy policy or notice of the Company and its Subsidiaries the Company Subsidiaries, (iii) any obligations under any Contract relating to privacy or processing of Personal Information, and (iv) any Personal Information that has been collected, acquired, accessed, viewed, used, processed, disclosed, transferred and received, or obtained from any other Person.
(b) Copies of all current Company’s and the Company Subsidiaries’ written and final form policies required under Privacy Laws have been made available to the Purchaser and such copies are, in compliance with all material respects, true, correct, and complete.
(c) The Company and each of the Company Subsidiaries is not subject to any prohibition or restriction which would prevent or restrict it, in any material respect, from processing or continuing to process any Personal Information previously collected by them in the context of the Business as currently conducted (“Target Data”) immediately following the Closing on the terms of such collection.
(d) Where the Company or any of the Company Subsidiaries uses a Person to process Personal Information on its behalf, where required by Privacy Laws, there is in existence a written Contract, that complies with the requirements of all Privacy Laws, including any cross border transfer requirements for transferring European and in all material respects with (i) Contracts (or portions thereof) United Kingdom Personal Information to the United States, applicable to the processing and transfer of such Personal Information, between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a partySubsidiary and each such Person, and the consummation of the transactions contemplated hereby or thereby, are except as would not reasonably expected tobe expected, directly individually or indirectlyin the aggregate, result in a violation of any Privacy Commitments that would to be materially adverse material to the Company and its the Company Subsidiaries, taken as a whole.
(be) In the five (5) years prior three (3) yearsto the date hereof, the Privacy Company and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices each of the Company Subsidiaries (i) have not suffered a Personal Data Breach of any Personal Information in their possession, custody or its control and (ii) has not provided or been legally required to provide any notices to any Person in connection with any such Personal Data Breach.
(f) In the five (5) years prior to the date hereof, the Company and the Company Subsidiaries have regularly (at least annually) performed vulnerability assessments and used commercially reasonable efforts to address and remediate, in all material respects, all critical or high-risk threats and deficiencies identified in each such assessment.
(g) In the five (5) years prior to the date hereof, no Person (including any Governmental Authority) has made any material written claim or commenced any action of any kind against the Company or a Company Subsidiary with respect to the Processing loss, damage, or unauthorized access, use, processing, modification of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending oror other misuse of, to the Company’s knowledgeor illegal or unpermitted processing of, threatened against any information or involving data by the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard their respective employees or contractors.
(h) In the five (5) years prior to the date hereof, no Person (including any Personal Data obtained from Governmental Authority) has made any material written claim, written notice or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of investigation against the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Dataalleging non-compliance with Privacy Laws.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), Except as is not and would not reasonably be expected to beexpected, individually or in the aggregate, to be material to the Company and its the Company Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems and the Company Subsidiaries have procured valid consents, where required under Privacy Laws, including in relation to cookies or other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) yearstracking technologies, there have been no (except as well as to the extent completely remediated)required for the execution, delivery, and performance of this Agreement.
(j) Except as would not reasonably be expected, individually or in the aggregate, to be material to the Company’s KnowledgeCompany and the Company Subsidiaries, there are no material security deficiencies or vulnerabilities taken as a whole, the Company and the Company Subsidiaries do not knowingly process and have not in the five (5) years prior to the date hereof processed Personal Information of any natural Person known to be under the age of 18 (or other age applicable to children under applicable Privacy Laws) in violation of any Privacy Laws and the Company IT Systemsand the Company Subsidiaries have procedures in place to comply with Privacy Laws related to children’s privacy, including COPPA, to the extent applicable.
(k) The Company has at all times in the five (5) years prior to the date hereof complied in all material respects with all Privacy Laws related to spam, unsolicited communications and marketing.
Appears in 1 contract
Privacy and Data Security. (a) The use and dissemination by the Company or its Subsidiaries of any Personal Data within the prior three (3) years is in compliance in all material respects with the Company or any Subsidiary’s privacy policies and terms of use, relevant industry standards, all applicable Laws, and all Contracts to which the Company or any of its Subsidiaries is bound. Neither the Company nor any of its Subsidiaries collect, possess, or process any Personal Data which is subject to the data protection laws, privacy laws, or any similar laws of any jurisdiction outside of the United States. No Personal Data is transmitted or otherwise provided by the Company or any of its Subsidiaries to any third party electronically except by a secure, encrypted means. Neither the Company nor any of its Subsidiaries engages in any processing or disclosure of Personal Data that would be considered a “sale” or the “selling” of Personal Data under any applicable Laws.
(b) The Company and its Subsidiaries maintain policies and procedures regarding data security and privacy and each maintain administrative, technical and physical safeguards that are commercially reasonable and, in any event, in material compliance with all applicable Laws, and all Contracts to which the Company or any of its Subsidiaries is bound. The Company and its Subsidiaries have complied in all material respects with the terms of all Contracts to which the Company or any of its Subsidiaries is a party relating to data privacy, security or breach notification (including provisions that impose conditions or restrictions on the collection, use, disclosure, transmission, destruction, maintenance, storage, or safeguarding of Personal Data). The Company and its Subsidiaries have contractually required its and their third-party service providers who access, use, process, or further disclose Personal Data to comply with the Company or any Subsidiary’s privacy policies and all applicable Laws.
(c) Except as set forth on Schedule 3.27(c) of the Disclosure Schedule, (i) neither the Company nor any Subsidiary has experienced any “breach” or “breach of security” as those terms are defined under applicable Law (including HIPAA), either affecting the Personal Data of more than 500 individuals, or otherwise requiring notification to individuals and/or regulatory authorities (except for those breaches disclosed to Buyer in annual reports made to the Office for Civil Rights); (ii) no notice has been provided to the Company by any Person of any security breach or incident relating to Personal Data and (iii) no Person (including any Governmental Entity) has commenced any action relating to the Company’s or any Subsidiary’s information privacy or data security practices, or to the Knowledge of the Company, threatened in writing any such action or made any complaint, investigation, or inquiry relating to such practices.
(d) In the prior past three (3) years, the Company and its Subsidiaries have been in compliance with Privacy Lawsat least annually performed a security risk assessment, penetration test, and in all material respects with a privacy impact assessment (iif required) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required obtained an independent vulnerability assessment performed by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”)a recognized third-party audit firm. The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeeach Subsidiary has used commercially reasonable efforts to address and remediate all “critical” threats and deficiencies identified in each such assessment.
(be) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading All material Company IT Systems owned or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data used by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) are sufficient in sufficiently good working condition to effectively perform all information technology operations necessary material respects for the operation current operations of the respective businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption operations of the Company IT Systems other than routine failures after Closing consistent with operations immediately prior to Closing; (ii) operate without any material defect, malfunction, unavailability or disruptions that have been remediated in the Ordinary Course of Businesserror; and (iii) are reasonably secure against unauthorized access, intrusion, tampering, impairment, disruption, computer virus and malfunction. In the past three (3) years, there have has been no no: (except to A) breach of the extent completely remediated)Company IT Systems or successful unauthorized incidents of access, and to the Company’s Knowledgeuse, there are no material security deficiencies disclosure, modification or vulnerabilities destruction of information or interference with systems operations (including denial-of-service or other cyber incident, ransomware attack, or malware) in all or any portion of the Company IT Systems, including any such breach or incident that requires notice to any Person; or (B) unauthorized disclosure, access, destruction, use, modification or other exploitation of any confidential information in the possession, custody or control of the Company or any of its Subsidiaries. In the past three (3) years, there has been no malfunction, failure, continued substandard performance, or other impairment of the Company IT Systems that has resulted or is reasonably likely to result in material disruption or damage to the business of the Company that has not been remedied. The Company and its Subsidiaries have taken commercially reasonable steps consistent with applicable Law to safeguard the confidentiality, availability, security, and integrity of the Company IT Systems, including implementing and maintaining appropriate backup, disaster recovery, and software and hardware support arrangements.
(f) The Company and its Subsidiaries have implemented and maintained (or, where applicable, have required their vendors, processors, or other third parties acting for or on behalf of the Company or any of its Subsidiaries, to maintain), consistent with commercially reasonable and industry practices, applicable Laws, and in compliance with Contracts, reasonable security measures designed to protect the Company IT Systems from viruses and similar malware, and the Company IT Systems and all Personal Data maintained by the Company or any of its Subsidiaries from unauthorized physical or virtual access, use, modification, acquisition, disclosure, disposal or other misuse. The Company and its Subsidiaries have implemented commercially reasonable backup and disaster recovery technology processes, as well as a commercially reasonable business continuity plan, in each case consistent in all material respects with applicable Laws, and have tested such plans and processes no less than annually. Such plans and processes have been found to be adequate in connection with such testing.
(g) The Company and its Subsidiaries have taken commercially reasonable steps consistent with applicable Law to limit access to Personal Data to (i) those employees of the Company and each Subsidiary and third-party vendors providing services to or on behalf of the Company or any Subsidiary who have a need to know such Personal Data in the execution of their duties to the Company or any Subsidiary, and (ii) such other Persons permitted to access such Personal Data in accordance (in all material respects) with the privacy policies and terms of use, all applicable Laws, and all Contracts to which the Company and each Subsidiary is bound.
Appears in 1 contract
Privacy and Data Security. (a) In The Company and its Subsidiaries, and to the prior three (3) yearsKnowledge of the Company, its and their vendors, processors or third parties that process Personal Information, have, since the Compliance Date, taken commercially reasonable measures to protect the privacy and security of the Personal Information of each student or other natural person collected by the Company and its Subsidiaries have been or on its or their behalf and to maintain in confidence such Personal Information, and is in material compliance with Privacy Laws, and in all material respects with its or their: (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and published privacy policies, (ii) applicable written policiesinternal privacy policies and guidelines, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by (iii) applicable Privacy Laws and Requirements, and (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company iv) contractual requirements or terms of this Agreement use concerning processing of Personal Information to which the Company or any of its Subsidiaries is a party or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeotherwise bound.
(b) In No Claim is pending, or to the prior three (3) yearsKnowledge of the Company, has, since the Privacy and Data Security Policies have at all times Compliance Date, been maintained and made available threatened in writing against the Company or any of its Subsidiaries by any individual, third party or any Governmental Entity with respect to individuals in accordance with reasonable industry practices and as required Personal Information collected, used, processed or shared by Privacy Lawsthe Company or any of its Subsidiaries, are accurate and complete and are not misleading or deceptive (including held or processed by omission). The practices of any vendor, processor, or other third party for or on behalf the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending orSubsidiaries, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by alleging any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy CommitmentsLaws and Requirements. To Since the Company’s KnowledgeCompliance Date, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, loss or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of other misuse by the Company or its Subsidiaries or any of its contractors with regard to Subsidiaries, or by any Personal Data obtained from vendor, processor, or third party for or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries of such Personal Information, and, to the Knowledge of the Company, no third party has notified had unauthorized access to or been required misused the Personal Information collected by the Company or any of its Subsidiaries, or collected by any vendor, processor, or third party for or on behalf of the Company or any of its Subsidiaries.
(c) The execution, delivery and performance of this Agreement and the consummation of the transactions contemplated hereby, do not and will not: (i) conflict with or result in a material violation or breach of any applicable Privacy Laws and Requirements or applicable published privacy policies or internal privacy policies or guidelines (as currently existing or as existing at the time during which any Personal Information was collected or processed by, for, or on behalf of the Company or any of its Subsidiaries); or (ii) require the consent of or notice to notify any Person of any concerning such Person’s Personal Information.
(Ad) lossSince the Compliance Date, theft or damage ofto the extent required by applicable Privacy Laws and Requirements, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries have posted to each of their websites and mobile applications and provided or otherwise made available in connection with any Company products or services a Company privacy policy. No disclosure or representation made or contained in any Company privacy policy has implemented commercially reasonable administrativebeen materially inaccurate, physical misleading, deceptive, or in material violation of any applicable Privacy Laws and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Requirements. The Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems do not “sell” Personal Information as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error defined under applicable Privacy Laws and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT SystemsRequirements.
Appears in 1 contract
Samples: Stock Purchase Agreement (Universal Technical Institute Inc)
Privacy and Data Security. (a) In the prior three (3) yearsExcept as set forth on Schedule 4.20(a), the Company VH Companies are and its Subsidiaries since the Lookback Date, have been in compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”)Protection Requirements. The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are by this Agreement will not reasonably expected to, directly or indirectly, result in a any material violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeData Protection Requirement.
(b) In To the prior three (3) yearsKnowledge of the Company, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform VH Companies meet in all material respects the rules regarding the security of electronic Protected Health Information (otherwise known as the HIPAA Security Rule) applicable to its respective businesses and operations. The VH Companies maintain in all material respects: (i) administrative, technical, and physical safeguards reasonably designed to safeguard in all material respects the Privacy security, confidentiality, availability and integrity of Personal Information; and (ii) records reflecting applicable security program documents, including an information security policy, disaster recovery and business continuity plan, incident response policy, encryption standards and other computer security protection policies and procedures. The VH Companies require third parties that process Personal Information on behalf of the VH Companies to comply in all material respects with applicable Data Security Policies that govern Protection Requirements with respect to such Personal DataInformation.
(c) There Since the Lookback Date, the Company has not received any written notice from a Governmental Body that a claim has been filed, investigation has been initiated or Action is pending against the Company by such Governmental Body concerning an alleged violation of the Privacy Laws that, in each case, would be material to the VH Companies (and in the prior three years there has beentaken as a whole) no material Legal Proceeding pending orand, to the Knowledge of the Company’s knowledge, no such claim, investigation or Action by a Governmental Body has been threatened against or involving concerning an alleged violation of the Privacy Laws that, in each case, would be material to the VH Companies (taken as a whole).
(d) To the Knowledge of the Company, neither the Company or its Subsidiaries initiated by nor any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of third party processing Personal Data by or Information on behalf of the Company has experienced any failures, crashes, security breaches, unauthorized access, use, acquisition, or disclosure, or other adverse events or incidents related to Personal Information or its Subsidiaries is information technology systems that would require notification of individuals, law enforcement, or was any Governmental Body, any remedial action under any applicable Data Protection Requirement or that have caused any substantial disruption of or interruption in violation the use of the Company’s software, equipment or systems, except for any Privacy Commitmentssuch failure, crash, security breach, unauthorized access, use, acquisition, disclosure or other adverse event or incident that would not be material to the VH Companies (taken as a whole). To the Knowledge of the Company’s Knowledge, there are no factspending or expected complaints, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) yearsactions, (i) there has been no unauthorized access tofines, or other penalties facing the Company in connection with any such failures, crashes, security breaches, unauthorized access, use, or disclosure, or Processing of Personal Data in the possession other adverse events or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, exceptincidents, in each case of clauses (i)case, (ii), and (iii), as that would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, VH Companies (taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company IT Systems.
Appears in 1 contract
Samples: Merger Agreement
Privacy and Data Security. (a) In the prior three (3) yearsSince January 1, 2015, the Company Acquired Companies and its Subsidiaries Seller Group (to the extent relating to the EIS Business) have been in compliance with Privacy Laws, and complied in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data applicable provisions of the Privacy Laws and (ii) applicable written policies, public statements and other public representations all material contractual requirements including material “business associate” requirements or “subcontractor business associate” requirements relating to the Processing privacy, publicity, data protection and processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws Information (“Privacy the foregoing privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, security requirements collectively referred to as the “Privacy Commitments”). The execution, delivery EIS Business’ products and performance by services are capable of being used in a manner that is compliant in all material respects with the Company of this Agreement to which the Company is or will be a partyPrivacy Commitments. The EIS Business has adopted, and has in the consummation of the transactions contemplated hereby or therebypast and is currently in material compliance with, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company written privacy and its Subsidiaries, taken as a wholesecurity and compliance policies and procedures.
(b) In Since January 1, 2015, to the prior three (3) yearsKnowledge of the Seller Group, the Privacy Acquired Companies and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive the Seller Group (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of Personal Data conform extent related to the EIS Business) have complied in all material respects with all contractual and fiduciary obligations relating to the privacy, publicity, data protection and processing of Personal Information. Since January 1, 2015, the Acquired Companies and the Seller Group (to the extent related to the EIS Business) have employed commercially reasonable efforts to comply with all of its privacy and security policies and notices and the internal rules, policies and procedures established by the Acquired Companies or the Seller Group (to the extent related to the EIS Business) (collectively, the “Privacy and Data Security Policies that govern such Personal DataPolicies”).
(c) There is The Acquired Companies and the Seller Group (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledgeextent related to the EIS Business) have taken commercially reasonable measures to ensure that Personal Information is protected against loss, threatened theft and against unauthorized access, use, modification, disclosure, or involving the Company or its Subsidiaries initiated by any Person (including (iother misuse. Except as set forth in Section 2.17(c) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company Seller Disclosure Schedule, none of the Acquired Companies or its Subsidiaries members of the Seller Group (to the extent related to the EIS Business) has experienced or reported any incident in which any Personal Information was subject to an unauthorized access, use, modification, disclosure or other misuse which would constitute a “Breach” of “Unsecured Protected Health Information,” as such terms are defined at 45 C.F.R. § 164.402, or any use, disclosure, access or acquisition of “Protected Health Information” as such term is or was defined at 45 C.F.R. § 160.103, in violation of HIPAA, HITECH or the HIPAA Rules, that would trigger a requirement to notify any Privacy Commitments. To the Company’s KnowledgeGovernmental Entity, there are no factsor that otherwise has resulted in, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation result in a material Liability of any Privacy CommitmentsAcquired Company.
(d) In With respect to the prior three information technology and computer systems (3including information technology and telecommunication hardware, communications networks and data centers) yearsrelating to the transmission, storage, maintenance, organization, presentation, generation, processing or analysis of data and information (including Personal Information) whether or not in electronic format, primarily used by the EIS Business (the “IT Systems”): (i) there has have been no successful unauthorized access to, intrusions or unauthorized use, disclosure, or Processing of Personal Data in the possession or control breaches of the Company or its Subsidiaries or any of its contractors with regard security thereof except as would not reasonably be expected to any Personal Data obtained from or on behalf of be material to the Company or its Subsidiaries (“Security Incident”)EIS Business, (ii) there have has not been no unauthorized intrusions any material malfunction thereof that has not been remedied or breaches of security into replaced in all material respects, or any Company IT Systemsmaterial unplanned downtime or service interruption thereof, and (iii) none the EIS Business has, to the Knowledge of the Company Seller Group, implemented or any is in the process of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented implementing commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards measures in accordance with industry practice to protect the confidentiality, integrity and security of Personal Data its servers, systems, sites, circuits, networks and other computer and telecommunications assets and equipment (and all information and transactions stored or contained therein or transmitted thereby) against any Security Incidentunauthorized use, access, interruption, modification or corruption, in conformance with applicable industry practices, including taking all reasonable steps without limitation security patches or security upgrades that are generally available therefor, and (iv) to safeguard and back up Personal Data.
(e) Each the Knowledge of the Company and its Subsidiaries owns Seller Group, no third party providing technology services to the EIS Business has failed to meet any material service obligations. The EIS Business has implemented or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company process of implementing reasonable backup and its Subsidiaries, taken as a wholerecovery technology processes consistent with industry standard practices. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three The Seller Group (3) years, there have been no (except to the extent completely remediated)relating to the EIS Business) has established and is in material compliance with an information security program that: (w) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of EIS Business data and Personal Information; (x) is designed to protect against unauthorized access to the Company’s KnowledgeIT Systems and Personal Information of the EIS Business; (y) satisfies the Privacy Laws and Privacy Commitments; and (z) includes breach notification policies and procedures to provide notice to Persons regarding information security incidents involving acquisition, there are no material security deficiencies access, loss, theft, use or vulnerabilities disclosure of Personal Information in the Company IT Systemsan unauthorized manner.
Appears in 1 contract
Samples: Purchase Agreement (Allscripts Healthcare Solutions, Inc.)
Privacy and Data Security. (a) In The Company Entities have a privacy policy regarding the prior three (3) yearscollection, use and disclosure of personal information in connection with the operation of the Business for which any Company Entity is the “controller” or similarly responsible under applicable Laws regarding the collection, retention, use and protection of personal information, or otherwise held or processed on its Subsidiaries have behalf and each Company Entity is and has been in material compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”)privacy policy. The execution, delivery Company Entities have posted a privacy policy in a clear and performance conspicuous location on all public websites owned or operated by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a wholeEntities.
(b) In Without limiting the prior generality of Section 4.09, each Company Entity has in the past three (3) yearsyears materially complied with all applicable Laws regarding the collection, the Privacy retention, use and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices protection of the Company or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Datapersonal information.
(c) There is (and in Without limiting the prior three years there has been) no material Legal Proceeding pending orgenerality of Section 4.12(b), each applicable Company Entity and, to the Knowledge of the Company’s knowledge, threatened against each other party thereto is in compliance with the terms of all Material Contracts relating to data privacy, security or involving the Company or its Subsidiaries initiated by any Person breach notification (including (i) provisions that impose conditions or restrictions on the Federal Trade Commissioncollection, any state attorney general use, disclosure, transmission, destruction, maintenance, storage or similar state officialsafeguarding of personal information), (ii) any other Governmental authorityif any, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions except for such noncompliance that would not reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitmentshave a Material Adverse Effect.
(d) In No Person (including any Governmental Authority) has, in the prior past three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the commenced any Action against any Company or its Subsidiaries or any of its contractors with regard Entity relating to any Personal Data obtained from Company Entity’s information privacy or data security practices relating to the personal information of consumers, including with respect to the access, disclosure or use of personal information of consumers maintained by or on behalf of the any Company or its Subsidiaries (“Security Incident”)Entity, or, (ii) there have been no unauthorized intrusions to the Knowledge of the Company, threatened any such Action, or breaches made any complaint or investigation relating to such practices.
(e) The execution, delivery and performance of security into this Agreement and the consummation of the contemplated transactions, including any transfer of personal information resulting from such transactions, will not violate the privacy policy of any Company IT SystemsEntity as it currently exists, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as except for such violations that would not reasonably be expected to have a Company Material Adverse Effect. Each of the .
(f) The Company Entities have established and its Subsidiaries has implemented policies, programs and procedures that are commercially reasonable reasonable, in material compliance with applicable industry practices and appropriate, including administrative, technical and physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data personal information for which any Company Entity is the “controller” or similarly responsible under applicable Laws regarding the collection, retention, use and protection of personal information against any Security Incidentunauthorized access, including taking all reasonable steps to safeguard and back up Personal Datause, modification, disclosure or other misuse.
(eg) Each Without limiting the generality of Section 4.11, the Company and its Subsidiaries owns or Business has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) not in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) yearsyears experienced any material loss, there have been no (except to damage, or unauthorized access, disclosure, use or breach of security of any personal information for which any Company Entity is the extent completely remediated)“controller” or similarly responsible under applicable Laws regarding the collection, retention, use and to the Company’s Knowledge, there are no material security deficiencies protection of personal information or vulnerabilities in the Company IT Systemsotherwise held or processed on its behalf.
Appears in 1 contract
Privacy and Data Security. (a) In the prior three (3) years, the Company Seller and its Subsidiaries Affiliates are and have been in material compliance with Privacy Laws, and in all material respects with (i) Contracts all applicable Privacy and Information Security Laws (or portions thereof) between including in connection with any clinical trials conducted with respect to the Company or its Subsidiaries and other Persons relating to Personal Data and Product), (ii) applicable written policies, public statements contractual obligations governing the privacy and other public representations relating to the Processing security of Personal Data, inclusive and (iii) all current internal and public-facing privacy, data handling and/or security policies and other related public policies, programs and other notices of Seller or any of its Affiliates relating to the collection, use, storage, retention, disclosure, transfer, disposal or other processing of Personal Data (the “Seller Privacy Policy(ies)”), in each case to the extent applicable to the Product, Program or the Acquired Assets. True and correct copies of all disclosures required by applicable such Seller Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have been made available to Purchaser. Each Seller Privacy Policy has at all times been maintained included all information and made available all disclosures to individuals in accordance with reasonable industry practices and as users or customers reasonably required by Privacy and Information Security Laws, are accurate and complete and are not none of such disclosures made or contained in any Seller Privacy Policy has been inaccurate, misleading or deceptive or in material violation of applicable Privacy and Information Security Laws. There has been no unauthorized access to, disclosure of, appropriation of and/or any other misuse of any Personal Data in the control of Seller, nor has there been any breach in security of information systems used by the Seller or its Affiliates to store or otherwise process any Personal Data. Neither Seller nor any Affiliate has received any written complaints, notices, audits, proceedings, investigations or claims conducted or asserted by any other person (including by omission). The practices of the Company any Governmental Entity) regarding any collection or its Subsidiaries with respect to the Processing of Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal Data.
(c) There is (and in the prior three years there has been) no material Legal Proceeding pending or, to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing use of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy Commitments.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries Seller or any of its contractors Affiliates in connection with regard the Product or conduct of the Program (including in connection with any clinical trials conducted with respect to any the Product), nor alleging violation of Privacy and Information Security Laws, and to the knowledge of Seller, no such claim has been threatened or is currently pending. Seller and its Affiliates have at all times taken commercially reasonable steps (including implementing and monitoring compliance with commercially reasonable and industry standard measures with respect to technical and physical security) designed to protect Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”)against loss and against unauthorized access, (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systemsuse, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or usemodification, disclosure or other Processing of, Personal Data, except, in each case of clauses misuse.
(i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security b) The transfer of Personal Data against any from Seller to Purchaser in connection with the Acquisition will not violate applicable Privacy and Information Security Incident, including taking all reasonable steps to safeguard and back up Personal DataLaws or Seller Privacy Policies.
(ec) Each of the Company Seller and its Subsidiaries owns or has Affiliates have established and are in compliance with a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are written information security program that: (i) free from any defectincludes administrative, bugtechnical and physical safeguards designed to safeguard the security, virus or programmingconfidentiality, design or documentation error and integrity of Personal Data; and (ii) in sufficiently good working condition is designed to effectively perform all information technology operations necessary for protect against unauthorized access to Seller IT Systems, Personal Data and the operation systems of businesses of the Company any third party service providers that have access to Personal Data. Seller and its Subsidiaries Affiliates have taken commercially reasonable precautions to preserve the availability, security and integrity of Seller IT Systems and to monitor and control the security of its data and information (except for ordinary wear and tearincluding without limitation Personal Data), except in each case and neither Seller nor its Affiliates has experienced any material breach of clauses (i) and (ii), as is security or unauthorized access of Seller IT Systems or the data or information stored on Seller IT Systems. Seller IT Systems do not and contain any viruses or material vulnerabilities that reasonably would not reasonably be expected to be, individually or in the aggregate, material enable any person to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company access without authorization Seller IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures any data or disruptions that have been remediated information in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated), and to the Company’s Knowledge, there are no material security deficiencies or vulnerabilities in the Company Seller IT Systems.
Appears in 1 contract
Samples: Asset Purchase Agreement (Fusion Pharmaceuticals Inc.)
Privacy and Data Security. (a) In The Target Companies, and, to Knowledge of the prior Company, all vendors, processors, or other third parties acting for or on behalf of a Target Company in connection with the Processing of Personal Information or that otherwise have been authorized to have access to Personal Information in the possession or control of the Target Companies, comply and at all times in the past three (3) yearsyears have complied, the Company and its Subsidiaries have been in compliance with Privacy Laws, and in all material respects with all of the following: (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal Data and Privacy Laws; (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Company Privacy and Data Security Policies,” ; and together with Privacy Laws and such Contracts, (iii) any Contract requirements or terms of use concerning the Processing of Personal Information to which a Target Company is a party or otherwise bound as of the date hereof (“Privacy CommitmentsAgreements”). To the Knowledge of the Company, the operation of the business of the Target Companies has not and does not violate any right to privacy or publicity of any third person under applicable Law.
(b) The execution, delivery delivery, and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby do not and will not: (i) conflict with or thereby, are not reasonably expected to, directly or indirectly, result in a violation or breach of any Privacy Commitments that would be materially adverse to the Laws, Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have (as currently existing or as existing at all times been maintained and made available any time during which any Personal Information was collected or Processed by or for the Target Companies, or Privacy Agreements); or (ii) require the consent of or notice to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect to the Processing of any Person concerning such Person’s Personal Data conform in all material respects to the Privacy and Data Security Policies that govern such Personal DataInformation.
(c) There is (and in the prior three years there The Company has been) no material Legal Proceeding pending or, delivered or made available to the Company’s knowledgePurchaser true, threatened against or involving the complete, and correct copies of all Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Privacy and Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy CommitmentsSecurity Policies.
(d) In To the prior three (3) yearsKnowledge of the Company, (i) there no Person has been no obtained unauthorized access to, or unauthorized use, disclosure, or Processing of to Personal Data Information in the possession or control of a Target Company, nor has there been any other material compromise of the Company security, confidentiality or its Subsidiaries integrity of such information or any of its contractors with regard data, and no written or, to any Personal Data obtained from or on behalf the Knowledge of the Company, oral complaint relating to an improper use or disclosure of, or a breach in the security of, any such information or data has been received by a Target Company or its Subsidiaries (a “Security Incident”). The Target Companies have not notified and, (ii) to Knowledge of the Company, there have been no unauthorized intrusions facts or breaches of security into circumstances that would require a Target Company to notify, any Company IT Systems, and (iii) none of the Company Governmental Authority or any of its Subsidiaries has notified or been required to notify any other Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, the Target Companies have not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Authority or other Person, and there have has not been no any audit, investigation, enforcement action (except including any fines or other sanctions), or other Action, (i) relating to any actual, alleged, or suspected Security Incident or violation of any Privacy Agreements, or any Person’s individual privacy rights involving Personal Information in the possession or control of the Target Companies, or held or Processed by any vendor, processor, or other third party for or on behalf of the Target Companies; (ii) prohibiting or threatening to prohibit the transfer of Personal Information to any place; or (iii) permitting or mandating any Governmental Authority to investigate, requisition information from, or enter the premises of, the Target Companies, and, to the extent completely remediated), and to Knowledge of the Company’s Knowledge, there are no material security deficiencies facts or vulnerabilities circumstances that would reasonably be expected to give rise to any of the foregoing.
(f) Each Target Company has at all times in the past three (3) years implemented and maintained, and required all vendors, processors, or other third parties that Process any Personal Information for or on behalf of the Target Companies to implement and maintain, commercially reasonable security measures, plans, procedures, controls, and programs consistent with Privacy Agreements.
(g) The Company IT Systemsmaintains a cyber insurance policy that is adequate and suitable for the nature and volume of Personal Information Processed by or on behalf of the Target Companies and is sufficient for compliance with all applicable Laws and Contracts to which any of the Target Companies is a party or by which it is bound. The Company has delivered or made available to the Purchaser a true, complete, and correct copy of such cyber insurance policy.
Appears in 1 contract
Privacy and Data Security. (a) In the prior three (3) years, the Company Each Seller and its Subsidiaries have been each subsidiary of Seller is in material compliance with Privacy Laws, and in all material respects with (i) Contracts (or portions thereof) between the Company or its Subsidiaries and other Persons relating to Personal applicable Data and (ii) applicable written policies, public statements and other public representations relating to the Processing of Personal Data, inclusive of all disclosures required by applicable Privacy Laws (“Privacy and Data Security Policies,” and together with Privacy Laws and such Contracts, “Privacy Commitments”). The execution, delivery and performance by the Company of this Agreement to which the Company is or will be a party, and the consummation of the transactions contemplated hereby or thereby, are not reasonably expected to, directly or indirectly, result in a violation of any Privacy Commitments that would be materially adverse to the Company and its Subsidiaries, taken as a whole.
(b) In the prior three (3) years, the Privacy and Data Security Policies have at all times been maintained and made available to individuals in accordance with reasonable industry practices and as required by Privacy Laws, are accurate and complete and are not misleading or deceptive (including by omission). The practices of the Company or its Subsidiaries with respect Protection Requirements related to the Processing of Personal Data conform in connection with the conduct of the Business. Each Seller and each of their Subsidiaries has maintained all material respects Personal Data in its possession or control in the country of collection.
(b) No Seller or its subsidiary has in the past three (3) years (and, with respect to the Privacy Telephone Consumer Protection Act and other similar Laws, in the past four (4) years) received any subpoenas, demands, or other written notices from any Governmental Entity investigating, inquiring into, or otherwise seeking information relating to any actual or potential violation of any Data Security Policies that govern such Protection Requirement in connection with the Processing of Personal DataData related to the conduct of the Business, and, to the Knowledge of the Sellers, no Seller or its subsidiary is under investigation by any Governmental Entity for any actual or potential violation of any applicable Data Protection Requirement with respect to the Business. No notice, complaint, claim, enforcement action, or litigation of any kind has been served on, or, to the Knowledge of the Sellers, initiated against any Seller or its subsidiaries for any material violation of any applicable Data Protection Requirement.
(c) There is Each Seller and each subsidiary of Seller currently maintains and, for the last three (3) years has maintained, commercially reasonable security measures designed to protect the security of the Business Data in their possession and control and the Business Products from unauthorized access, acquisition, destruction, or other misuse. Such measures comply in all material respects with applicable Data Protection Requirements and include notification procedures in compliance in all material respects with applicable Data Protection Requirements in the prior three years there has been) no material Legal Proceeding pending orcase of any Security Incident, in each case, with respect to the Company’s knowledge, threatened against or involving the Company or its Subsidiaries initiated by any Person (including (i) the Federal Trade Commission, any state attorney general or similar state official, (ii) any other Governmental authority, foreign or domestic or (iii) any regulatory or self-regulatory entity) alleging that any Processing of Personal Data by or on behalf of the Company or its Subsidiaries is or was in violation of any Privacy Commitments. To the Company’s Knowledge, there are no facts, circumstances or conditions that would reasonably be expected to form the basis for any proceeding for any potential violation of any Privacy CommitmentsBusiness.
(d) In the prior three (3) years, (i) there has been no unauthorized access to, or unauthorized use, disclosure, or Processing of Personal Data in the possession or control of the Company or its Subsidiaries or any of its contractors with regard to any Personal Data obtained from or on behalf of the Company or its Subsidiaries (“Security Incident”), (ii) there have been no unauthorized intrusions or breaches of security into any Company IT Systems, and (iii) none of the Company or any of its Subsidiaries has notified or been required to notify any Person of any (A) loss, theft or damage of, or (B) other unauthorized or unlawful access to, or use, disclosure or other Processing of, Personal Data, except, in each case of clauses (i), (ii), and (iii), as would not have a Company Material Adverse Effect. Each of the Company and its Subsidiaries has implemented commercially reasonable administrative, physical and technical safeguards, and ensures that its contractors processing Personal Data take such safeguards to protect the confidentiality, integrity and security of Personal Data against any Security Incident, including taking all reasonable steps to safeguard and back up Personal Data.
(e) Each of the Company and its Subsidiaries owns or has a license or other right to use the Company IT Systems as necessary to operate the business of each the Company or its Subsidiaries as currently conducted. All Company IT Systems are (i) free from any defect, bug, virus or programming, design or documentation error and (ii) in sufficiently good working condition to effectively perform all information technology operations necessary for the operation of businesses of the Company and its Subsidiaries (except for ordinary wear and tear), except in each case of clauses (i) and (ii), as is not and would not reasonably be expected to be, individually or in the aggregate, material to the Company and its Subsidiaries, taken as a whole. In the prior three years, there have not been any material failures, breakdowns or continued substandard performance of any Company IT Systems that have caused a material failure or disruption of the Company IT Systems other than routine failures or disruptions that have been remediated in the Ordinary Course of Business. In the past three (3) years, there have been no (except to the extent completely remediated)Knowledge of the Sellers, (i) neither the Sellers nor any of their subsidiaries have experienced any material security breaches or similar incidents, or any unauthorized access, use or disclosure of Personal Data Processed by the Sellers or any of their subsidiaries in the conduct of the Business (each, a “Security Incident”) that would require the Sellers or their subsidiaries to notify individuals, law enforcement, or any Governmental Entity or to take any remedial action, in each case, under any applicable Data Protection Requirements; and (ii) neither the Sellers, their Affiliates, nor any Person acting on their behalf has paid, or caused to be paid, any perpetrator of any actual or threatened Security Incident, including a ransomware attack or a denial-of-service attack in relation to the Company’s KnowledgeBusiness (including systems used in relation to or in connection with Business Data). None of the Sellers or their subsidiaries, there are no material security deficiencies or vulnerabilities in each case, in the Company IT Systemsconduct of the Business, is the subject of any pending complaints, actions, fines or other penalties resulting from such Security Incident.
(e) Neither the execution, delivery, or performance of this Agreement or the other operative documents nor the consummation of the transactions contemplated in this Agreement or the other operative documents, or the transfer of any or all Personal Data to Purchaser and Purchaser’s use of any or all of such Personal Data in the same manner as Sellers currently use such Personal Data will violate any Data Protection Requirements.
Appears in 1 contract
Samples: Asset Purchase Agreement (Progress Software Corp /Ma)
