Privacy and Personal Data. (i) The Company, at all times during the past three years, has complied in all material respects with (A) all of the Company Privacy Commitments (as defined below); and (B) Privacy Laws; except in each case of (A) and (B), as would not reasonably be expected to result in liability material to the Company.
(ii) The Company has at all times during the past three years, except as would not reasonably be expected to result in liability material to the Company: (A) obtained or received any consents from data subjects required for the Company to comply with applicable Privacy Laws governing the Processing of Personal Data as conducted by or for the Company, (B) abided by any privacy choices (including opt-out preferences) of data subjects relating to Personal Data exercised pursuant to applicable Privacy Laws, and (C) complied in all material respects with all (1) then-current Company Privacy Policies; (2) obligations of the Company under Contracts relating to the Processing of Company Data; and (3) Third Party access program agreements to which the Company is a party, in each case, as required by applicable Privacy Law or by the terms of any Contract by which the Company is bound, or by the terms of the applicable Company Privacy Policy (collectively, Sections 2.8(q)(ii)(A) through 2.8(q)(ii)(C), the “Company Privacy Commitments”). The execution, delivery and performance of this Agreement, including the consummation of the Contemplated Transactions, will not cause, constitute, or result in a material breach or violation by the Company of any Company Privacy Commitments or Privacy Laws. The Company has made available to Parent complete copies of Company Privacy Policies posted at any time in the past three years. No disclosures made or contained in any Company Privacy Policy in the past three years have been materially inaccurate, misleading or deceptive, including by containing any material omission.
(iii) Except as would not reasonably be expected to result in liability material to the Company, in the past three years, (i) the Company has at all times taken commercially reasonable steps (including implementing and maintaining security systems and technologies in material compliance with all Privacy Laws and in compliance in all material respects with all Company Privacy Commitments) designed to preserve and protect Company Data against (A) loss; (B) theft; and (C) accidental, unauthorized or unlawful Processing in a manner reasonably appropriate to the risks represented by the Processing of such data by the Company and for the Company by its data processors or service providers; and (ii) the Company has taken commercially reasonable steps designed to ensure the reliability of the employees and contractors that have access to Company Data and designed to ensure that all employees and contractors with the right to access to such data are under written obligations of confidentiality with respect to such data. At all times during the past three years, except as would not reasonably be expected to result in liability material to the Company, taken as a whole, the Company has contractually obligated Third Parties that service, host, manage, access or otherwise Process Company Data to comply with applicable Privacy Laws and applicable obligations under Company Privacy Commitments. The Company has no Knowledge that any such Third Parties that service, host, manage, access or otherwise process Company Data, in their provision of services to the Company, have failed to comply in any material respect with applicable Privacy Laws or applicable Company Privacy Commitments. 
(iv) Except as would not reasonably be expected to result in liability material to the Company, in the three years prior to the date of this Agreement, to the Knowledge of the Company, (i) no unauthorized access to any Company systems used by the Company to maintain Company Data, or any Company Products, or any Company Data in the possession, custody or control of any data processor or service provider of the Company, and (ii) no loss, theft, unauthorized access to, or unauthorized use, acquisition, handling, disclosure, or other Processing of, any Company Data or Personal Data maintained by or otherwise in the possession, custody or control of the Company (each, a “Security Incident”) has occurred. Except as would not reasonably be expected to result in liability material to the Company, taken as a whole, (i) to the Knowledge of the Company, as of the date of this Agreement, no “high” or “critical” security vulnerabilities exist in the Company Product or any of the Company’s on-premises or cloud-based software implemented by the Company, which vulnerabilities have not been remediated in a commercially reasonable manner; and (ii) the Company has taken commercially reasonable actions to address, and where applicable, remedy the cause of, all Security Incidents that have occurred in the three years prior to the date of this Agreement. The Company has made all notifications to Persons, Governmental Bodies, media, customers or other Third Parties required under Privacy Laws or Company Privacy Commitments arising out of or relating to any Security Incident of which the Company has Knowledge that has occurred in the three years prior to the date of this Agreement. 
(v) As of the date of this Agreement, the Company has not received and to the Knowledge of the Company, there is no circumstance, except as would not reasonably be expected to result in liability material to the Company, taken as a whole, that has arisen in the three years prior to the date of this Agreement that would reasonably be expected to give rise to any (A) written notice of any Legal Proceeding, order, regulatory opinion, audit result or allegation from a Governmental Body, (B) written notice from any Governmental Body, or (C) any written notice from any other Person (including a data subject): (1) alleging or confirming non-compliance by the Company with an applicable requirement of Privacy Laws or Company Privacy Commitments, (2) requiring or requesting the Company to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data, (3) permitting or mandating relevant Governmental Bodies to investigate, requisition information from, or enter the premises of, the Company relating to the Company’s actual or alleged noncompliance with Privacy Laws or Company Privacy Commitments; or (4) claiming compensation from the Company relating to the Company’s actual or alleged noncompliance with Privacy Laws or Company Privacy Commitments; excluding, in the case of all subparts of item (C), any notice relating to customer service or any requests by individuals that would not reasonably be expected to result in liability material to the Company. The Company has not received written notice of being involved in any Legal Proceedings involving a breach or alleged breach of Privacy Laws or Company Privacy Commitments by the Company.
Appears in 3 contracts
Samples: Merger Agreement (Cyclo Therapeutics, Inc.), Merger Agreement (Cyclo Therapeutics, Inc.), Merger Agreement (Rafael Holdings, Inc.)
Privacy and Personal Data. (i) The Company, at all times during the past three years, has complied in all material respects with (A) all of the Company Privacy Commitments (as defined below); and (B) Privacy Laws; except in each case of (A) and (B), as would not reasonably be expected to result in liability material to the Company.
(ii) The Company has at all times during the past three years, except as would not reasonably be expected to result in liability material to the Company: (A) obtained or received any consents from data subjects required for the Company to comply with applicable Privacy Laws governing the Processing of Personal Data as conducted by or for the Company, (B) abided by any privacy choices (including opt-out preferences) of data subjects relating to Personal Data exercised pursuant to applicable Privacy Laws, and (C) complied in all material respects with all (1) then-current Company Privacy Policies; (2) obligations of the Company under Contracts relating to the Processing of Company Data; and (3) Third Party access program agreements to which the Company is a party, in each case, as required by applicable Privacy Law or by the terms of any Contract by which the Company is bound, or by the terms of the applicable Company Privacy Policy (collectively, Sections 2.8(q)(ii)(A) through 2.8(q)(ii)(C) (Privacy and Personal Data), the “Company Privacy Commitments”). The execution, delivery and performance of this Agreement, including the consummation of the Contemplated Transactions, will not cause, constitute, or result in a material breach or violation by the Company of any Company Privacy Commitments or Privacy Laws. The Company has made available to Parent complete copies of Company Privacy Policies posted at any time in the past three years. No disclosures made or contained in any Company Privacy Policy in the past three years have been materially inaccurate, misleading or deceptive, including by containing any material omission.
(iii) Except as would not reasonably be expected to result in liability material to the Company, in the past three years, (i) the Company has at all times taken commercially reasonable steps (including implementing and maintaining security systems and technologies in material compliance with all Privacy Laws and in compliance in all material respects with all Company Privacy Commitments) designed to preserve and protect Company Data against (A) loss; (B) theft; and (C) accidental, unauthorized or unlawful Processing in a manner reasonably appropriate to the risks represented by the Processing of such data by the Company and for the Company by its data processors or service providers; and (ii) the Company has taken commercially reasonable steps designed to ensure the reliability of the employees and contractors that have access to Company Data and designed to ensure that all employees and contractors with the right to access to such data are under written obligations of confidentiality with respect to such data. At all times during the past three five years, except as would not reasonably be expected to result in liability material to the Company, taken as a whole, the Company has contractually obligated Third Parties third parties that service, host, manage, access or otherwise Process Company Data to comply with applicable Privacy Laws and applicable obligations under Company Privacy Commitments. The Company has no Knowledge that any such Third Parties third parties that service, host, manage, access or otherwise process Company Data, in their provision of services to the Company, have failed to comply in any material respect with applicable Privacy Laws or applicable Company Privacy Commitments.
(iv) Except as would not reasonably be expected to result in liability material to the Company, in the three years prior to the date of this Agreement, to the Knowledge of the Company, (i) no unauthorized access to any Company systems used by the Company to maintain Company Data, or any Company Products, or any Company Data in the possession, custody or control of any data processor or service provider of the Company, and (ii) no loss, theft, unauthorized access to, or unauthorized use, acquisition, handling, disclosure, or other Processing of, any Company Data or Personal Data maintained by or otherwise in the possession, custody or control of the Company (each, a “Security Incident”) has occurred. Except as would not reasonably be expected to result in liability material to the Company, taken as a whole, (i) to the Knowledge of the Company, as of the date of this Agreement, no “high” or “critical” security vulnerabilities exist in the Company Product or any of the Company’s on-premises or cloud-based software implemented by the Company, which vulnerabilities have not been remediated or otherwise remediated in a commercially reasonable manner; and (ii) the Company has taken commercially reasonable actions to address, and where applicable, remedy the cause of, all Security Incidents that have occurred in the three years prior to the date of this Agreement. The Company has made all notifications to Persons, Governmental Bodies, media, customers or other Third Parties third parties required under Privacy Laws or Company Privacy Commitments arising out of or relating to any Security Incident of which the Company has Knowledge that has occurred in the three years prior to the date of this Agreement.
(v) As of the date of this Agreement, the Company has not received and to the Knowledge of the Company, there is no circumstance, except as would not reasonably be expected to result in liability material to the Company, taken as a whole, that has arisen in the three years prior to the date of this Agreement that would reasonably be expected to give rise to any (A) written notice of any Legal Proceeding, order, regulatory opinion, audit result or allegation from a Governmental Body, (B) written notice from any Governmental Body, or (C) any written notice from any other Person (including a data subject): (1) alleging or confirming non-compliance by the Company with an applicable requirement of Privacy Laws or Company Privacy Commitments, (2) requiring or requesting the Company to amend, rectify, cease Processing, de-combine, permanently anonymize, block or delete any Company Data, (3) permitting or mandating relevant Governmental Bodies to investigate, requisition information from, or enter the premises of, the Company relating to the Company’s actual or alleged noncompliance with Privacy Laws or Company Privacy Commitments; or (4) claiming compensation from the Company relating to the Company’s actual or alleged noncompliance with Privacy Laws or Company Privacy Commitments; excluding, in the case of all subparts of item (C), any notice relating to customer service or any requests by individuals that would not reasonably be expected to result in liability material to the Company. The Company has not received written notice of being involved in any Legal Proceedings involving a breach or alleged breach of Privacy Laws or Company Privacy Commitments by the Company.
Appears in 1 contract