Privacy and Protection of Personal Information. (a) Each of Buyer and its Subsidiaries has at all times complied with the Privacy Requirements. Buyer and its Subsidiaries have a privacy policy that incorporates all disclosures to data subjects required by applicable Privacy Laws and none of the disclosures made or contained in such privacy policy has been materially inaccurate, misleading or deceptive or in violation of applicable Privacy Laws.
(b) Buyer has adopted a written information security program approved by the Board of Directors of Buyer. Such information security program meets the requirements of the Information Security Requirements and includes (A) security measures in place to protect all Personal Information under its control and/or in its possession and to protect such Personal Information from unauthorized access or use by any parties and (B) Buyer’s hardware, software, encryption, systems, policies and procedures are sufficient to protect the privacy, security, confidentiality of all Personal Information in accordance with the Privacy Requirements and the Information Security Requirements. Buyer has implemented reasonable procedures to detect data security incidents and implemented and monitored compliance with such measures with respect to technical and physical security to protect Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse.
(c) Buyer has: (i) conducted and conducts Information Security Reviews; (ii) corrected any critical exceptions or vulnerabilities identified in such Information Security Reviews; (iii) made available to Buyer true and accurate copies of all Information Security Reviews; and (iv) installed software security patches and other fixes to identified technical information security vulnerabilities. Buyer provides its employees with regular training on privacy and data security matters to the extent required by applicable Privacy Laws. In connection with each third-party servicing, outsourcing, processing, or otherwise using Personal Information collected, held, or controlled by or on behalf of Buyer, to the extent required under applicable Privacy Laws, Buyer has entered into written data processing agreements with any such third party in accordance with the requirements of applicable Privacy Laws.
(d) Since January 1, 2017, there have been no material data security incidents, personal data breaches or other adverse events or incidents involving unauthorized use and access to Personal Information in the custody and control of Buyer or any of its Subsidiaries or any service provider acting on behalf of Buyer or any of its Subsidiaries, and no unresolved breach or violation of the information security systems of Buyer or any of its Subsidiaries has occurred or is known or suspected, and there has been no unauthorized or illegal use of or access to any Personal Information. Buyer has a data breach response plan in place and tests this plan on a no less than an annual basis.
(e) The consummation of any of the transactions contemplated hereby will not violate any applicable Privacy Laws or the privacy policies of Buyer.
(f) In the three years prior to the date of this Agreement, there have not been any actions related to violations of applicable Privacy Laws, and to Knowledge of Buyer, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims, and neither Buyer nor any of its Subsidiaries has received any correspondence relating to, or written notice of any proceedings, claims, investigations or alleged violations of, applicable Privacy Laws with respect to Personal Information from any person or Governmental Authority, and there is no such ongoing proceeding, claim, investigation or allegation.
Appears in 2 contracts
Samples: Merger Agreement (Brookline Bancorp Inc), Merger Agreement (PCSB Financial Corp)
Privacy and Protection of Personal Information. (a) Each of Buyer and its Subsidiaries has at all times complied, in all material respects, with the Privacy Requirements (to the extent applicable to the Buyer and its Subsidiaries). Buyer and its Subsidiaries have a privacy policy that incorporates all disclosures to data subjects required by applicable Privacy Laws and none of the disclosures made or contained in such privacy policy is or has been materially inaccurate, misleading or deceptive or in violation of applicable Privacy Laws.
(b) Buyer has adopted a written information security program approved by the Board of Directors of Buyer. Such information security program meets the requirements of the Information Security Requirements and includes (A) security measures in place to protect all Personal Information under its control and/or in its possession and to protect such Personal Information from unauthorized access or use by any parties and (B) Buyer’s hardware, software, encryption, systems, policies and procedures are sufficient to protect the privacy, security, confidentiality of all Personal Information in accordance with the Privacy Requirements and the Information Security Requirements. Buyer has implemented reasonable procedures to detect data security incidents and implemented and monitored compliance with such measures with respect to technical and physical security to protect Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse.
(c) Buyer has: (i) conducted and conducts Information Security Reviews; (ii) corrected any critical exceptions or vulnerabilities identified in such Information Security Reviews; (iii) made available to Buyer true and accurate copies of all Information Security Reviews; and (iv) installed software security patches and other fixes to identified technical information security vulnerabilities. Buyer provides its employees with regular training on privacy and data security matters to the extent required by applicable Privacy Laws. .
(c) In connection with each third-party servicing, outsourcing, processing, or otherwise using Personal Information collected, held, or controlled by or on behalf of Buyer, to the extent required under applicable Privacy Laws, Buyer has entered into written data processing agreements with any such third party in accordance with the requirements of applicable Privacy Laws.
(d) Since January 1, 2021, to the Knowledge of Buyer, there have been no material data security incidents, personal data breaches or other adverse events or incidents involving unauthorized use of or access to Personal Information in the custody and control of Buyer or any of its Subsidiaries or any service provider acting on behalf of Buyer or any of its Subsidiaries, and no unresolved breach or violation of the information security systems of Buyer or any of its Subsidiaries has occurred or is known or suspected, and there has been no unauthorized or illegal use of or access to any Personal Information. Buyer has a data breach response plan in place and tests this plan on a no less than an annual basis.
(e) The consummation of any of the transactions contemplated hereby will not violate any applicable Privacy Laws or the privacy policies of Buyer.
(f) In the three years prior to the date of this Agreement, there have not been any actions related to violations of applicable Privacy Laws, and to Knowledge of Buyer, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims, and neither Buyer nor any of its Subsidiaries has received any correspondence relating to, or written notice of any proceedings, claims, investigations or alleged violations of, applicable Privacy Laws with respect to Personal Information from any person or Governmental Authority, and there is no such ongoing proceeding, claim, investigation or allegation.
Appears in 1 contract
Privacy and Protection of Personal Information. (a) Each of the Company and its Subsidiaries complies and has at all times complied, in all material respects, with all (i) applicable Privacy Laws (as defined in Section 9.2(a)), (ii) regulatory, industry, and self-regulatory guidelines and codes that are binding upon the Company and/or its Subsidiaries or to which the Company and/or its Subsidiaries have publicly represented themselves as complying with, including, to the extent applicable, the Payment Card Industry Data Security Standard and all other rules of the payment card brands relating to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security, disposal, destruction, disclosure, or transfer of Personal Information (as defined in Section 9.2(a)), (iii) internal privacy policies and all privacy policies published on each web site of the Company or any of its Subsidiaries or otherwise communicated by the Company or any of its Subsidiaries in writing to users of any such web site and other third parties, (iv) notice to or consent from the data subject whose Personal Information has been processed by the Company or any of its Subsidiaries, and (v) contractual commitments made by the Company or any of its Subsidiaries with respect to such Personal Information (the “Privacy Requirements”). The Company and each of its Subsidiaries maintains a privacy policy that incorporates all disclosures to data subjects required by applicable Privacy Requirements and none of the disclosures made or contained in such privacy policy is or has been materially inaccurate, misleading or deceptive or in violation of applicable Privacy Requirements.
(b) The Company has adopted a written information security program approved by the Board of Directors of the Company. Such information security program meets the requirements of 12 C.F.R. part 364, Appendix B, 201 C.M.R. 17.00, and all applicable laws, including state information security requirements (collectively, the “Information Security Requirements”) and includes (A) functioning security measures in place sufficient to protect all Personal Information under the Company’s custody, control and/or in its possession and to protect such Personal Information from unauthorized access or use by any parties. The Company’s hardware, software, encryption, systems, policies and procedures are sufficient to protect the privacy, security, confidentiality of all Personal Information in accordance with the Privacy Requirements and the Information Security Requirements. The Company has, consistent with industry standards, (i) implemented reasonable procedures to detect any event affecting the security, availability, and/or integrity of the Company’s IT Systems, including any unauthorized access to, or acquisition, use, modification, loss or disclosure of, any Personal Information (“Security Incident”) and (ii) implemented and monitored compliance with such procedures with respect to technical and physical security to protect Personal Information against any Security Incident.
(c) Since January 1, 2021, the Company has: (i) conducted and conducts vulnerability testing, risk assessments, and audits of, and tracks Security Incidents related to, the Company IT Systems and Products of the Company and its Subsidiaries (collectively, “Information Security Reviews”); (ii) corrected all exceptions or vulnerabilities identified in such Information Security Reviews that have been identified as “critical” or “high” or a similar designation; (iii) made available to Buyer true and accurate copies of all Information Security Reviews; and (iv) installed software security patches and other fixes to identified technical information security vulnerabilities. The Company provides its employees with regular training on privacy and data security matters.
(d) In connection with each third-party servicing, outsourcing, processing, or otherwise using Personal Information collected, held, or controlled by or on behalf of the Company, to the extent required under applicable Privacy Laws, the Company has entered into written data processing agreements with any such third party that comply with the requirements of applicable Privacy Requirements.
(e) There have been no material Security Incidents involving unauthorized use of or access to Personal Information in the possession, custody or control of the Company or any of its Subsidiaries or, to the Knowledge of the Company, any service provider acting on behalf of the Company or any of its Subsidiaries, and no unresolved breach or violation of the Company IT Systems has occurred or is known or suspected, and there has been no unauthorized or illegal use of or access to any Personal Information. The Company has a data breach response plan in place and tests this plan at least annually.
(f) The consummation of any of the transactions contemplated hereby will not violate any applicable Privacy Requirements.
(g) Since January 1, 2019, (i) there have not been any actions related to violations of applicable Privacy Requirements or Information Security Requirements, and to the Knowledge of the Company, there are no facts or circumstances which could reasonably serve as the basis for any such allegations or claims, and (ii) neither the Company nor any of its Subsidiaries has received any correspondence relating to, or written notice of any proceedings, claims, investigations or alleged violations of, applicable Privacy Requirements or Information Security Requirements from any Person or Governmental Authority, and there is no such ongoing proceeding, claim, investigation or allegation.
(h) The Company and its Subsidiaries do not distribute marketing communications to any Person except in accordance with applicable Privacy Requirements and the Company maintains auditable records of opt-in consents or opt-out requests for each data subject to whom it or any Subsidiary sends marketing communications.
(i) To the Knowledge of the Company, the Company is not subject to the California Consumer Privacy Act (“CCPA”) or the European General Data Protection Regulation (“GDPR”) and has not engaged in any activities that would cause it to be required to comply with the CCPA or the GDPR.
(j) The Company has employed commercially reasonable disaster recovery and business continuity plans, procedures and facilities, in each case, consistent in all material respects with industry standards, and has taken commercially reasonable steps to safeguard the Company IT Systems.
Appears in 1 contract