Common use of Privacy and Data Security Clause in Contracts

Privacy and Data Security. The Company and each of its Subsidiaries have complied with all applicable Laws, contractual obligations, and internal or publicly posted policies, procedures, notices, and statements concerning the collection, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection and security (“Data Activities”) of personally identifiable information of individual natural persons (including any information that alone or in combination with any other information held by the Company and its Subsidiaries, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) in the conduct of the Company’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. The Company and each of its Subsidiaries have all necessary authority, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for the Company and its Subsidiaries to the extent required in connection with the operation of the Company’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, the Company and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning the Company’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to the Company’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. Parent and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirements.

Privacy and Data Security. The Company Parent and each of its Subsidiaries have complied with all applicable Laws, contractual obligations, and internal or publicly posted policies, procedures, notices, and statements concerning the collection, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection and security (“Data Activities”) of personally identifiable information of individual natural persons (including any information that alone or in combination with any other information held by the Company and its Subsidiaries, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) Requirements in the conduct of the CompanyParent’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. The Company Parent and each of its Subsidiaries have all necessary authority, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for the Company Parent and its Subsidiaries to the extent required in connection with the operation of the CompanyParent’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, the Company Parent and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning the CompanyParent’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to the CompanyParent’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. Parent The Company and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirements.

Privacy and Data Security. The Company (a) Except as would not reasonably be expected to have a Parent Material Adverse Effect, Parent and each the Parent Subsidiaries comply, and have since January 1, 2015 complied, in all material respects, with all (A) applicable laws, statutes, directives, rules and regulations , (B) contractual obligations (including, but not limited to, those with identified customers), (C) internal and public-facing privacy, data handling and/or security policies of its Parent and the Parent Subsidiaries, (D) public statements that Parent and the Parent Subsidiaries have complied with all made regarding their respective privacy, data handling and/or data security policies or practices and (E) rules of applicable Lawsself-regulatory organizations to which Parent and the Parent Subsidiaries purport to be bound, contractual obligationsrelating to (x) the privacy of users of any web properties, products and/or services of Parent and internal or publicly posted policies, procedures, notices, and statements concerning the Parent Subsidiaries; (y) the collection, acquisitionuse, storage, retention, disclosure, transfer, disposal, or any other processing of any Personal Information collected or used by Parent and the Parent Subsidiaries and/or by third parties having access to such information; and (z) the transmission of marketing and/or commercial messages through any means, including, without limitation, via email, text message and/or any other means ((A) through (E) collectively, “Parent Privacy Laws and Requirements”). Except as would not reasonably be expected to have a Parent Material Adverse Effect, the execution, delivery and performance of this Agreement by Parent and the Parent Subsidiaries complies in all material respects with all Parent Privacy Laws and Requirements. (b) Parent maintains privacy policies that describe Parent’s and the Parent Subsidiaries’ policies with respect to the collection, use, processingstorage, storageretention, disclosure, transfer, distributiondisposal or other processing of Personal Information. True and correct copies of all such privacy policies have been made available to Company or its Representatives. To the Knowledge of Parent, disseminationeach such privacy policy has, disclosuresince January 1, protection 2015, included all information and security (“Data Activities”) made all disclosures to users or customers required by all Parent Privacy Laws and Requirements, and none of personally identifiable information of individual natural persons (including such disclosures made or contained in any information that alone such privacy policy or in combination with any other information held by the Company such materials has been inaccurate in any material respect, misleading or deceptive or in violation of any Parent Privacy Laws and its SubsidiariesRequirements, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) in the conduct of the Company’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected to havehave a Parent Material Adverse Effect,. (c) To the Knowledge of Parent, there is no written complaint to, or any audit, formal proceeding, or suit currently pending against, Parent or any Parent Subsidiary by any private party, the Federal Trade Commission, any state attorney general or similar state official, or any other Governmental Entity, foreign or domestic, with respect to the collection, use, retention, disclosure, transfer, storage or disposal of Personal Information, except as would not, individually or in the aggregate, reasonably be expected to be material to Parent and the Parent Subsidiaries, taken as a Company Material Adverse Effectwhole. The Company Parent and each of its the Parent Subsidiaries have all necessary authorityhave, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for the Company and its Subsidiaries to the extent required in connection with the operation of the Company’s and its Subsidiaries’ business as currently conducted. Since since January 1, 20192015, taken reasonable steps (including implementing and monitoring compliance with reasonable measures with respect to technical and physical security) designed to protect Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse. (d) To the Company extent that Parent or any Parent Subsidiary transfers Personal Information collected from natural persons outside of the United States, Parent has implemented mechanisms to comply in all material respects with applicable Parent Privacy Laws and its Requirements. (e) Parent and the Parent Subsidiaries have notestablished and are in material compliance with a written information security program that: (i) experienced any actualincludes administrative, allegedtechnical and physical safeguards designed to safeguard the security, or suspected data breach or other security incident involving confidentiality, and integrity of Personal Data in their possession or controlInformation; or and (ii) been subject is designed to protect against unauthorized access to the Parent IT Systems or received any notice Personal Information and the systems of any auditthird party service providers that have access to Parent IT Systems and/or Personal Information. Except as set forth in Section 4.18(e) of the Parent Disclosure Letter, investigationneither Parent nor any of the Parent Subsidiaries has, complaintsince January 1, 2015, suffered any loss, damage, or other Legal Action by unauthorized access, disclosure, use or breach of security with respect to any Governmental Entity Personal Information in the control or other Person concerning the Company’s possession of Parent or any of its Subsidiaries’ Data Activities in relation to Personal Data or actualParent Subsidiary, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to the Company’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to havenot, individually or in the aggregate, reasonably be expected to have a Company Parent Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. Parent and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirements.

Privacy and Data Security. The Company (a) Except as set forth on Section 3.26 of the Seller Disclosure Schedule, each Seller’s (solely with respect to the Business) and each the Acquired Entities’ collection, use, storage, dissemination, processing and disposal of its Subsidiaries have complied any personally identifiable information concerning individuals (including, as applicable, customers and employees) is, and has been since January 1, 2017, in compliance with all applicable privacy policies, terms of use and contractual obligations and with all applicable Laws, contractual obligations, and internal or publicly posted policies, procedures, notices, and statements concerning the collection, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection and security (“Data Activities”) of personally identifiable information of individual natural persons (including any information that alone or in combination with any other information held by the Company and its Subsidiaries, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) in the conduct of the Company’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected material to have, individually or in the aggregate, a Company Material Adverse EffectBusiness. The Company Each Seller (solely with respect to the Business) and each of its Subsidiaries the Acquired Entities maintains, and have all necessary authoritymaintained since January 1, rights2017, consents commercially reasonable plans, policies and authorizations procedures regarding data security and privacy to engage safeguard sensitive data (including Personal Data), including reasonable and appropriate administrative, technical and physical safeguards to protect against unauthorized or unlawful access, use, modification, disclosure or other misuse the privacy, confidentiality and security of any such sensitive data in the Data Activities possession, custody or control of the Business, except as would not be material to the Business. (b) Except as set forth on Section 3.26 of the Seller Disclosure Schedule, since January 1, 2016, no Seller nor any Acquired Entity has received any notice or allegation of, and there have been, to the Knowledge of Sellers, no security breaches relating to, or violations of any material security policy regarding, or any unauthorized access or use of, any Personal Data maintained collected, used, stored, disseminated, processed by or for the Company and its Subsidiaries disposed of by Sellers (solely with respect to the extent required Business) or the Acquired Entities in connection with the operation of the Company’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, the Company and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning the Company’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to the Company’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal ActionBusiness, in each case except as would not be material to the Business. Except as would not reasonably be expected to havebe material to the Business, individually each Seller and Acquired Entity has provided all legally required notices to each affected individual and any applicable Governmental Entity of any unauthorized access, use or in the aggregate, a Company Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. Parent and each disclosure of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirementsany Personal Data.

Privacy and Data Security. The Company and each of its Subsidiaries have complied with all applicable Laws, contractual obligations, and internal or publicly posted policies, procedures, notices, and statements concerning the collection, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection and security (“Data Activities”a) of personally identifiable information of individual natural persons (including any information that alone or in combination with any other information held by the Company and its Subsidiaries, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) in the conduct of the Company’s and its Subsidiaries’ businesses, in each case except Except as would not reasonably be expected to have, individually or in the aggregate, a Company have an MDC Material Adverse Effect. The Company , MDC and each the MDC Subsidiaries, and to the knowledge of its Subsidiaries have MDC, all necessary authority, rights, consents and authorizations to engage in the Data Activities of third Persons Processing Personal Data maintained by for or for the Company and its Subsidiaries to the extent required in connection with the operation on behalf of MDC or any of the Company’s and its MDC Subsidiaries’ business as currently conducted. Since , are in compliance and, since January 1, 20192018, have been in compliance with all Data Protection Laws applicable to the Company operations of MDC and its the MDC Subsidiaries have not: and all MDC Data Protection Commitments, in each case in all material respects. (ib) experienced any actual, allegedNo investigation or material claim relating to MDC or the MDC Subsidiaries’ Processing of Personal Data, or suspected data breach relating to MDC or other security incident involving Personal the MDC Subsidiaries’ compliance with Data in their possession Protection Laws applicable to the operations of MDC and the MDC Subsidiaries or control; or (ii) been subject to or received any notice of any auditMDC Data Protection Commitments, investigation, complaintis being, or other Legal Action since January 1, 2018 was, made, conducted, prosecuted, litigated, or, to the knowledge of MDC, threatened by any Governmental Entity or other Person concerning third party. (c) To the Company’s or any knowledge of its Subsidiaries’ Data Activities in relation to Personal Data or actualMDC, allegedthe execution, delivery and performance of this Agreement will not cause, constitute, or suspected result in a breach or violation of any Data Protection Requirement concerning privacyLaws applicable to the operations of MDC and the MDC Subsidiaries or MDC Data Protection Commitments. (d) MDC and the MDC Subsidiaries have implemented reasonable, data securityand otherwise in accordance with Laws applicable to the operations of MDC and the MDC Subsidiaries, or data breach notificationtechnical, physical, and organizational measures designed to preserve the availability, proper functioning, security and integrity of the MDC IT Systems and MDC-Related Confidential Information, and to the Company’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise respond to any such Legal Action, MDC IT or Security Incidents. The MDC IT Systems are adequate for MDC and the MDC Subsidiaries to operate their business as currently conducted in each case except all material respects. (e) Except as would not reasonably be expected to have, individually or in the aggregate, a Company have an MDC Material Adverse Effect. Parent and its Subsidiaries , since January 1, 2018, to the knowledge of MDC, neither MDC nor any MDC Subsidiary has experienced any material MDC IT or Security Incident. (if) Except as would not reasonably be expected to have executed current and valid “Business Associate Agreements” (as described by HIPAA an MDC Material Adverse Effect, MDC and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. Parent and each of its MDC Subsidiaries have obtained, as applicable, established and maintain reasonable data backup and disaster recovery plans for the MDC IT Systems of a scope consistent in all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance material respects with the requirements of HIPAA and other Data Protection Requirementsall applicable industry standards.

Privacy and Data Security. The Company (a) Seller complies, and each of its Subsidiaries have complied has at all times since January 1, 2013 complied, in all material respects with all Privacy and Information Security Requirements applicable Lawsto the Business and the Assigned Assets. Neither Seller nor, contractual obligationsto the knowledge of Seller, any other Person, has since January 1, 2013 received any written notice or other communication, from any Governmental Entity or otherwise, regarding any actual or asserted violation of, or failure to comply with, any Privacy and Information Security Requirement by Seller with respect to the Business and the Assigned Assets. There is not currently pending, and internal there has not been since January 1, 2013, any Action against Seller alleging any violation of or publicly posted policiesfailure to comply with, proceduresany Privacy and Information Security Requirement by Seller with respect to the Business or the Assigned Assets. (b) Seller has not, noticeswith respect to the Business and the Assigned Assets since January 1, and statements concerning the collection2013, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection and suffered a material security (“breach resulting in any unauthorized Processing of any Personal Data Activities”) of personally identifiable or confidential information of individual natural persons (including any information that alone or in combination with any other information held Processed by the Company and its Subsidiaries, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) Seller in the conduct of the Company’s and Business. Seller has not since January 1, 2013, notified, or been required to notify, any Person of any information security breach involving Personal Data or confidential information processed by Seller, or on its Subsidiaries’ businessesbehalf, with respect to the Business or the Assigned Assets. (c) Seller has, in each case all material respects, provided all requisite notices and obtained all required consents, and satisfied all other requirements (including but not limited to notification to Governmental Entities), necessary for the Processing (including international and onward transfer) of all Personal Data in connection with the conduct of the Business and the Assigned Assets as currently conducted and in connection with the consummation of the transactions contemplated hereunder. (d) Seller has since January 1, 2013, implemented with respect to the Business and the Assigned Assets, and maintains compliance in all material respects with, reasonable security measures (including data protection policies and procedures concerning the Processing of Personal Data, and training, use testing, audits or other documented mechanisms designed to ensure and monitor compliance with such policies and procedures) designed to ensure compliance in all material respects with all Privacy and Information Security Requirements. Seller has in place commercially reasonable disaster recovery and business continuity plans and procedures with respect to the Business and the Assigned Assets. Seller has required all vendors that Process Personal Data in connection with the conduct of the Business on its behalf to employ commercially reasonable security measures that comply in all material respects with all Privacy and Information Security Requirements. (e) The IT Systems and Business Products, to the knowledge of Seller, contain no code designed to disrupt, disable, harm, distort, or otherwise impede in any material respect the legitimate operation of such IT Systems or Business Products (including what are sometimes referred to as “viruses”, “worms”, “time bombs”, or “back doors”) that have not been fully removed or remedied. The Business and the Assigned Assets have not, since January 1, 2013, except as has not been and would not reasonably be expected to havebe material to the Business, individually experienced any disruption to, or interruption in, the conduct of the Business attributable to unauthorized access to, or introduction of a virus or other malicious programming within, the IT Systems or Business Products. (f) Notwithstanding the generality of the foregoing, Seller has, and has at all times since January 1, 2013 had, privacy and security policies, procedures and safeguards applicable to the Business and the Assigned Assets that comply in the aggregateall material respects with then-applicable requirements of Health Care Privacy Laws (collectively, a Company Material Adverse Effect“Health Care Privacy and Security Policies”) and has complied in all material respects with such Health Care Privacy and Security Policies. The Company and each of its Subsidiaries have all necessary authoritySeller has, rightssince January 1, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for the Company and its Subsidiaries 2016, to the extent required for compliance in connection all material respects with Health Care Privacy Laws in the operation conduct of the Company’s Business, entered into written and its Subsidiaries’ signed business associate agreements with each Person who is a “business associate” (as currently conducteddefined in HIPAA) of such Person and has a written and signed business associate agreement with each “covered entity” (as defined in HIPAA) and business associate of which such person is a business associate. Since January 1, 20192016, the Company and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning the Company’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to the Company’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as has not been and would not reasonably be expected to havebe material to the Business or the Assigned Assets, individually or in the aggregate, a Company Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid no “Business Associate Agreementsbreach” (as described by HIPAA and the corresponding regulationsdefined in HIPAA) has occurred with each (A) respect to unsecured “business associateprotected health information” (as described by HIPAA and defined in HIPAA) in the corresponding regulations)possession or under the control of Seller or, (B) “covered entity” (as described by HIPAA and to the corresponding regulations)knowledge of Seller, and (C) “subcontractor” (as described by HIPAA and its business associates with respect to the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. Parent and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with or the requirements of HIPAA and other Data Protection RequirementsAssigned Assets.

Privacy and Data Security. (a) The Company and the Company Subsidiaries and, to the knowledge of the Company, each of its Subsidiaries vendor, processor and other third party Processing Personal Information Processed by or for the Company, solely with respect to each such third party’s Processing (collectively, “Data Partners”), complies in all material respects with, and has since January 1, 2021 have complied with in all applicable material respects with: (i) all Privacy Laws, contractual obligations, and internal or publicly posted policies, procedures, notices, and statements concerning the collection, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection and security (“Data Activities”ii) of personally identifiable information of individual natural persons (including any information that alone or in combination with any other information held by all Privacy Policies applicable to the Company and its Subsidiaries(iii) all contractual commitments, can be used including any terms of use, that the Company has entered into with respect to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law the Processing of Personal Information (“Personal Data”) (such applicable Lawscollectively, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”). The Company and the Company Subsidiaries have a Privacy Policy regarding the collection and use of Personal Information, a true, correct and complete copy of which as in effect on the date of this Agreement has been made available to Parent prior to the date of this Agreement. The Company and the Company Subsidiaries have at all times presented an accurate Privacy Policy (which Privacy Policy the Company does not reasonably believe to be misleading or deceptive (including by omission)) to individuals prior to the collection of any Personal Information from such individuals, except as would not, individually or in the conduct aggregate, reasonably be expected to have a Company Material Adverse Effect. (b) The execution, delivery and performance of this Agreement and the Transactions do not and will not: (i) conflict with or result in a violation or breach of any Data Protection Requirements, (ii) require the consent of or provision of notice to any person concerning such person’s Personal Information, (iii) give rise to any right of termination or other right to impair or limit Parent’s or the Company’s rights to own and Process any Personal Information used in or necessary for the operation of the Company’s and its or each of the Company Subsidiaries’ businessesbusinesses or (iv) otherwise prohibit the transfer of Personal Information to Parent, in each case, except as would not, individually or in the aggregate, reasonably be expected to be material to the Company and the Company Subsidiaries, taken as a whole. (c) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Company and the Company Subsidiaries, taken as a whole, (i) the Company and each of the Company Subsidiaries routinely engage in due diligence of Data Partners before allowing them to access, receive or Process Personal Information and audit such Data Partners’ compliance with their commitments with respect to the Data Protection Requirements, and (ii) to the knowledge of the Company, the Company and each Company Subsidiary has valid and enforceable agreements, subject to the Bankruptcy and Equity Exception, in place with all Data Partners that comply with applicable Data Protection Requirements. (d) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Company and the Company Subsidiaries, taken as a whole, the Company and each of the Company Subsidiaries since January 1, 2021 have implemented and maintained administrative, technical, physical and organizational safeguards, including commercially reasonable plans, procedures, controls, programs and a written information security program designed to (i) protect and maintain the security of any Personal Information and Company Data stored in their computer systems from any accidental, unlawful or unauthorized Security Incident, or any other use by a third party that would violate the Privacy Policy or Data Protection Requirements and (ii) identify and address internal and external risks to the privacy and security of Personal Information in the Company’s possession or control. (e) The Company maintains insurance coverage to respond to the risk of liability relating to any unauthorized Processing of Company Data, a Security Incident or a violation of Privacy Laws of the Company or any Company Subsidiary, and no claims have been made under such insurance policy(ies) since January 1, 2021, in each case except as would not reasonably be expected to havenot, individually or in the aggregate, a Company Material Adverse Effect. The Company and each of its Subsidiaries have all necessary authority, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for the Company and its Subsidiaries to the extent required in connection with the operation of the Company’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, the Company and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning the Company’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to the Company’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise be material to any such Legal Actionthe Company and the Company Subsidiaries, in each case except taken as a whole. (f) Except as would not reasonably be expected to havenot, individually or in the aggregate, reasonably be expected to be material to the Company and the Company Subsidiaries, taken as a whole, to the extent required, the Company and each of the Company Subsidiaries are, and since January 1, 2021 have been, in compliance with the Payment Card Industry Data Security Standards and the related card brand rules and requirements in any Contracts between the Company, and each of the Company Subsidiaries, on the one hand, and any of the Company’s payment processors and/or acquiring banks, on the other hand. (g) Except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect. Parent , the Company and its Subsidiaries each of the Company Subsidiaries, have not (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and to the corresponding regulations) with each (A) “business associate” (as described by HIPAA and knowledge of the corresponding regulations)Company, (B) “covered entity” (as described by HIPAA and the corresponding regulations)experienced a Security Incident, and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply been required pursuant to any Privacy Laws to notify customers, consumers, employees, Governmental Entities, or any other person of any Security Incident, (iii) received any written notice from any Governmental Entity with respect to any inquiry or investigation of any such Business Associate Agreements. Parent and each Governmental Entity, or been the subject of its Subsidiaries have obtainedany enforcement Proceeding of any Governmental Entity, as applicablewith respect to noncompliance with any Privacy Law or (iv) to the knowledge of the Company, all rights necessary received any written notice, request, claim, complaint, correspondence or other communication relating to undertake de-identification any Security Incident or violation of user data and has de-identified such user data in accordance with any Privacy Law by the requirements of HIPAA and other Data Protection RequirementsCompany or any Company Subsidiary.

Privacy and Data Security. The Company (a) Each Seller and each its Subsidiaries (with respect to the Salient JVs, to the Knowledge of the Sellers) materially comply with, and since January 1, 2019 have materially complied with, all applicable Data Protection Requirements. (b) There is no Proceeding pending, and since January 1, 2019, there has not been any Proceeding, against any Seller or any of its Subsidiaries have complied (with all applicable Lawsrespect to the Salient JVs, contractual obligationsto the Knowledge of the Sellers) by any private party or any Governmental Authority investigating, and internal inquiring into, or publicly posted policies, procedures, notices, and statements concerning otherwise relating to any actual or potential violation of any Data Protection Requirements with respect to the collection, acquisition, use, processingretention, storagedisclosure, transfer, distributionstorage or disposal of Personal Information or Business Data and no notice, disseminationcomplaint, disclosureclaim, protection and security (“Data Activities”) of personally identifiable information of individual natural persons (including any information that alone enforcement action, inquiry, audit, or in combination with any other information held by litigation has been served on, or, to the Company and its Subsidiaries, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) in the conduct Knowledge of the Company’s and its Subsidiaries’ businessesSellers, in each case except as would not reasonably be expected to have, individually initiated against any Seller or in the aggregate, a Company Material Adverse Effect. The Company and each any of its Subsidiaries have all necessary authority, rights, consents and authorizations alleging violation of any Data Protection Requirements relating to engage in the Data Activities Sellers’ or any of their Subsidiaries’ use of Personal Data maintained by or for the Company Information and/or Business Data. (c) Each Seller and its Subsidiaries (with respect to the extent required in connection with Salient JVs, to the operation Knowledge of the Company’s Sellers) have, at all times since January 1, 2019, taken commercially reasonable steps compliant with applicable Data Protection Requirements that are designed to (i) protect the operation, confidentiality, integrity, availability, and its security of the Sellers’ and their Subsidiaries’ business as currently conducted. software, systems, and websites that are involved in the collection and/or processing of Personal Information and/or Business Data (ii) identify internal and organizational risks to the confidentiality, integrity, security, availability of Personal Information and/or Business Data, taking into account the sensitivity of the data or systems and (iii) maintain notification procedures in compliance with applicable Data Protection Requirements in the case of any breach of security compromising Personal Information and/or Business Data. (d) Since January 1, 2019, there have been no material failures, crashes, security incidents, or Data Security Breaches of any of the Company and its Subsidiaries have not: information systems used to store or process Personal Information and/or Business Data, or otherwise related to Personal Information and/or Business Data that would require (i) experienced notification of individuals, law enforcement or any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; Governmental Authority or (ii) been subject to or received any notice of any auditremedial action under Data Protection Requirements. There are no pending complaints, investigationactions, complaintfines, or other Legal Action by penalties facing any Governmental Entity or other Person concerning the Company’s Seller or any of its Subsidiaries’ Data Activities Subsidiaries (with respect to the Salient JVs, to the Knowledge of the Sellers) in relation to Personal Data or actualconnection with any such failures, allegedcrashes, security breaches, unauthorized access, use, or suspected violation of any Data Protection Requirement concerning privacy, data securitydisclosure, or data breach notification, and to the Company’s Knowledge, there are no facts other adverse events or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. Parent and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirementsincidents.

Privacy and Data Security. (a) The Company and each of its Subsidiaries have complied with all applicable Laws, contractual obligations, and internal or publicly posted policies, procedures, notices, and statements concerning the collection, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection and security (“Data Activities”) of personally identifiable information of individual natural persons (including any information that alone or in combination with any other information held by the Company and its Subsidiaries, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) in the conduct of the Company’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. The Company and each of its Subsidiaries have all necessary authority, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for the Company and its Subsidiaries to the extent required in connection with the operation of the CompanyParent’s and its Subsidiaries’ business as currently conductedare in compliance in all material respects with Data Protection Regulations, except to the extent that such noncompliance has not and would not have a Parent Material Adverse Effect. Since January 1, 20192021, there have been (i) no Security Incidents impacting Personal Data or any confidential information or Trade Secrets used in the business of Parent or its Subsidiaries (collectively, “Parent Sensitive Data”), (ii) no violations of any security policy of Parent or its Subsidiaries regarding any such Parent Sensitive Data and (iii) no unintended or improper disclosure of any Parent Sensitive Data in the possession, custody or control of Parent or its Subsidiaries or a contractor or agent acting on behalf of Parent or its Subsidiaries, in each case of (i) through (iii), except as would not have a Parent Material Adverse Effect. Between January 1, 2021 and the date hereof, none of Parent or its Subsidiaries has received any written notice from a vendor or data processor that processes Parent Sensitive Data on behalf of Parent or any of its Subsidiaries with respect to a Security Incident materially impacting Parent Sensitive Data. (b) Each of Parent and its Subsidiaries has complied, and continues to comply, with applicable Data Protection Regulations, including with (i) binding principles relating to processing Personal Data, (ii) requirements to process Personal Data lawfully, (iii) contractual requirements applicable to the engagement of data processors processing Personal Data on behalf of Parent and its Subsidiaries, (iv) requirements to provide adequate security measures to protect Personal Data, (v) regulatory notification obligations to the extent required by applicable Data Protection Regulations, (vi) conduct of appropriate data privacy impact assessments to the extent required by applicable Data Protection Regulations and (vii) provisions related to lawful cross-border data transfers of Personal Data, except, in each case, as would not have a Parent Material Adverse Effect. (c) Each of Parent and its Subsidiaries has implemented, and regularly assessed its implementation of, commercially reasonable physical, technical and organizational measures necessary to ensure that Personal Data is protected against loss, destruction and damage, unauthorized access, use, modification, disclosure or other misuse, except as would not have a Parent Material Adverse Effect. (i) None of Parent or its Subsidiaries transfers Personal Data outside of a country of origin of the Personal Data unless Parent or such Subsidiary, as applicable, has ensured, if required by applicable Data Protection Regulations, that the recipient has adequate safeguards to protect such Personal Data in compliance with applicable Data Protection Regulations and has complied with all applicable transfer provisions of Data Protection Regulations, including consent of individuals where necessary; (ii) where any transfers of Personal Data outside the European Economic Area or the United Kingdom formerly relied upon the EU-US or Swiss-US Privacy Shield framework, Parent or such Subsidiary, as applicable, has ensured that the Personal Data transfers are lawful through an alternative mechanism or derogation in accordance with the GDPR; (iii) where required by applicable Data Protection Regulations, Parent or such Subsidiary, as applicable, has conducted a risk assessment regarding the transfer of Personal Data pursuant to standard contractual clauses or binding corporate rules or other requirements and has concluded that such transfers are adequately protected; and (iv) none of Parent or its Subsidiaries has suspended or terminated a transfer of Personal Data or notified a supervisory authority due to any concerns regarding a transfer of Personal Data pursuant to standard contractual clauses or binding corporate rules and, to the Company’s Knowledge, nor are there circumstances which reasonably justify such a notification, except in each case of clauses (i), (ii), (iii) and (iv), as would not have a Company Material Adverse Effect. (e) (i) Each of Parent and its Subsidiaries has implemented and maintained commercially reasonable measures and policies to protect the integrity, continuous operation and security of the IT Systems of Parent and its Subsidiaries and the data stored thereon, including from Harmful Code; (ii) the IT Systems used in the business of Parent and its Subsidiaries operate and perform in all respects as required to permit Parent and its Subsidiaries to conduct their business as currently conducted; and (iii) Parent and its Subsidiaries have not: implemented commercially reasonable backup and disaster recovery technology and procedures consistent with standard practices applicable to entities similarly situated as Parent and its Subsidiaries for the industry in which Parent and its Subsidiaries operate in each applicable jurisdiction in which they conduct business and have acted in material compliance therewith, except, in each case of clauses (i), (ii) and (iii), as would not have a Parent Material Adverse Effect. Since January 1, 2021, the IT Systems of Parent and its Subsidiaries have not malfunctioned or failed, or been subject to any Security Incident that has caused or, to Parent’s Knowledge, would reasonably be expected to cause (A) material disruption of or interruption in the conduct of the business of Parent and its Subsidiaries as presently conducted; (B) material loss, destruction, damage or harm of Parent and its Subsidiaries or any of the businesses of Parent and its Subsidiaries; or (C) material liability of any kind to Parent and its Subsidiaries or their business as currently conducted, except in each case of clauses (A), (B) and (C), as would not have a Parent Material Adverse Effect. (f) Between January 1, 2021 and the date hereof, none of Parent or its Subsidiaries has been notified in writing of, and, to Parent’s Knowledge, there has not been, (i) experienced any actual, allegedan actual or threatened Security Incident materially compromising, or suspected data breach or other security incident involving threatening to materially compromise, the processing of Personal Data in their possession (whether by Parent or control; any of its Subsidiaries or, to Parent’s Knowledge, any data processor engaged to process Personal Data on behalf of Parent or its Subsidiaries) or (ii) been subject any action or any circumstance requiring Parent or any of its Subsidiaries to notify a Governmental Entity or received any notice individual to comply with applicable notification requirements of Data Protection Regulations as a direct result of a Security Incident or a violation of any auditData Protection Regulations. (g) Between January 1, investigation2021 and the date hereof, none of Parent or its Subsidiaries has received a written notice or allegation of any actual or alleged or, to Parent’s Knowledge, threatened Security Incident compromising or revealing a material weakness in the security of Personal Data or IT Systems of Parent and its Subsidiaries, or any other material breach of the Data Protection Regulations relating to Personal Data while in its possession or under its control. (h) Between January 1, 2021 and the date hereof, none of Parent or its Subsidiaries has received a written claim, complaint, allegation or other Legal Action by any Governmental Entity notice of a dispute or other Person concerning the Companyviolation (whether directly or indirectly) from or on behalf of an individual regarding Parent’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to the Company’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. Parent and its Subsidiaries processing activities. (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA Between January 1, 2021 and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations)date hereof, (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. none of Parent and each of or its Subsidiaries have obtainedhas received a written notice from any supervisory authority or Governmental Entity of any investigation, as applicableinquiry, all rights necessary to undertake derequest for information or for co-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other operation regarding its Personal Data Protection Requirementsprocessing activities.

Privacy and Data Security. (a) The Company Acquired Companies comply and each of its Subsidiaries since January 1, 2019 have complied complied, in all material respects with all of the following, to the extent applicable to the Acquired Companies and the Business: (i) Privacy and Security Laws; (ii) the applicable Acquired Company’s Privacy and Security Policies; and (iii) contractual requirements or terms of use concerning the Processing of Personal Data to which the Acquired Companies are a party or otherwise bound as of the date hereof. (b) The execution, contractual obligationsdelivery, and internal performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer of all Personal Data in the possession or publicly posted policiescontrol of the Acquired Companies to Buyer, procedures, notices, do not and statements concerning will not: (i) conflict with or result in a violation or breach of any of the collection, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection Acquired Company’s Privacy and security Security Policies (“as currently existing or as existing at any time during which any Personal Data Activities”) of personally identifiable information of individual natural persons (including any information that alone was collected or in combination with any other information held Processed by the Company and its Subsidiaries, can be used Acquired Companies); or (ii) require the consent of or notice to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Person concerning such Person’s Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) in the conduct of the Company’s and its Subsidiaries’ businessesexcept, in each case except case, as would not reasonably be expected to havenot, individually or in the aggregate, a Company Material Adverse Effect. The Company and result in any material liability to the Acquired Companies. (c) Except, in each of its Subsidiaries have all necessary authoritycase, rightsas would not, consents and authorizations to engage individually or in the Data Activities of Personal Data maintained by or for the Company and its Subsidiaries aggregate, reasonably be expected to result in material liability to the extent required Acquired Companies, since January 1, 2019, (i) the Acquired Companies have provided or otherwise made available to its customers in connection with the operation Business of any Acquired Company, one or more Public Privacy and Security Notices, (ii) to the Knowledge of Seller, no disclosure or representation made or contained in any Public Privacy and Security Notices has been inaccurate, misleading, deceptive, or in violation of any Privacy and Security Laws (including by containing any material omission) and (iii) the Acquired Companies are and since January 1, 2019 have been in compliance with the Public Privacy and Security Notices in all material respects. Seller has delivered or made available to Buyer true, complete, and correct copies of all Public Privacy and Security Notices that are currently or since January 1, 2019 were in effect. (d) Except, in each case, as would not, individually or in the aggregate, result in a material liability to the Acquired Companies, since January 1, 2019, (i) to the Knowledge of Seller, no Personal Data in the possession or control of the CompanyAcquired Companies has been subject to any data breach or other security incident that has resulted in unauthorized access, disclosure, use, denial of use, alteration, corruption, destruction, compromise, or loss of such Personal Data (a “Security Incident”) and (ii) the Acquired Companies have not notified and, to the Knowledge of Seller, there have been no facts or circumstances that would require the Acquired Companies to notify, any Governmental Authority or other Person of any Security Incident. (e) Except, in each case, as would not, individually or in the aggregate, result in a material liability to the Acquired Companies, since January 1, 2019 until the date of this Agreement, the Acquired Companies have not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Authority or other Person, and to the Knowledge of Seller, there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other claim, suit, action, or proceeding by a third party, relating to any Security Incident or violation of any Privacy and Security Laws, any Acquired Company Privacy and Data Security Policy, or any Person’s and its Subsidiaries’ business individual privacy rights by the Acquired Companies involving Personal Data in the possession or control of the Acquired Companies. (f) Except, in each case, as currently conducted. Since would not, individually or in the aggregate, result in a material liability to the Acquired Companies, since January 1, 2019, the Company Acquired Companies have implemented and its Subsidiaries have not: maintained all commercially reasonable security measures, plans, policies, procedures, controls, and programs, including a written information security program, to (i) experienced any actual, alleged, or suspected data breach or other identify and address internal and external risks to the privacy and security incident involving of Personal Data in their possession or control; or (ii) been subject implement and monitor administrative, technical, and physical safeguards to or received any notice of any auditprotect such Personal Data and the operation, investigationintegrity, complaint, or other Legal Action by any Governmental Entity or other Person concerning the Company’s or any and security of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to the Company’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or IT Systems involved in the aggregate, a Company Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations)Processing of Personal Data; and (iiiii) materially comply provide notification in compliance in all material respects with such Business Associate Agreements. Parent applicable Privacy and each Security Laws in the case of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirementsany Security Incident.

Privacy and Data Security. (a) The Company Borrower is in compliance with the Data Privacy and each of its Subsidiaries have complied with all applicable Laws, contractual obligations, and internal Security Requirements other than that has had or publicly posted policies, procedures, notices, and statements concerning the collection, acquisition, use, processing, storage, transfer, distribution, dissemination, disclosure, protection and security (“Data Activities”) of personally identifiable information of individual natural persons (including any information that alone or in combination with any other information held by the Company and its Subsidiaries, can be used to specifically identify an individual person and any “individually identifiable health information,” “personal data” or “personal information” or similar terms defined under applicable Law (“Personal Data”) (such applicable Laws, contractual obligations, and internal or publicly posted policies, procedures notices and statements, collectively the “Data Protection Requirements”) in the conduct of the Company’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected to have, individually or in the aggregate, have a Company Material Adverse Effect. . (b) The Company Borrower has implemented and each of its Subsidiaries have all necessary authoritymaintains commercially reasonable administrative, rightstechnical, consents and authorizations physical safeguards designed to engage ensure that Personal Data in the Data Activities of Personal Data maintained by Borrower’s possession or for the Company control is materially protected against unauthorized access, acquisition, destruction, use, or disclosure, and its Subsidiaries loss, damage, corruption, or other misuse other than that has had or would reasonably be expected to the extent required in connection with the operation of the Company’s and its Subsidiaries’ business as currently conducted. Since January 1have a Material Adverse Effect (such program, 2019collectively, the Company and its Subsidiaries have not: “Security Practices”). (ic) The Borrower has not experienced any actual, alleged, or suspected data breach or other security incident involving unauthorized access, acquisition, destruction, use, or disclosure, loss, damage, corruption, or other misuse or compromise of Personal Data in their the possession or control; control of the Borrower (each, a “Security Incident”) that has had or (ii) would reasonably be expected to have a Material Adverse Effect. The Borrower has not notified and, to the Knowledge of the Borrower, there have been subject no facts or circumstances that would require the Borrower to or received any notice of any auditnotify, investigation, complaint, or other Legal Action by any Governmental Entity Authority or other Person concerning the Company’s of any Security Incident that has had or would reasonably be expected to have a Material Adverse Effect. (d) No Person has made or commenced any of its Subsidiaries’ Data Activities in relation to Personal Data or actualcompliant, allegedclaim, proceeding, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and litigation with respect to the CompanyBorrower’s compliance with Data Privacy and Security Requirements, and, to the Borrower’s Knowledge, there are no facts or circumstances which would form the basis for any such complaint or claim, each of the foregoing that could has had or would reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, have a Company Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. Parent and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirements.