Privacy; Information Security. (a) Parent and its Subsidiaries (in each case, as related to the Business) and the Transferred Companies have taken commercially reasonable steps to monitor and protect against unauthorized use, access, interruption, modification or corruption to the confidentiality, integrity and security of, the information technology systems, including Software and hardware, owned or used in the conduct of the Business (the “Business IT Systems”) and the Personal Information stored therein or processed thereon, and have implemented backup, data recovery, disaster recovery and business continuity plans, procedures and facilities for the Business. The Business IT Systems operate, in all material respects, in accordance with their specifications and related documentation, as applicable. Except as would not reasonably be expected to be material to the Business, (x) the Transferred Companies lawfully own, lease or license all Business IT Systems and (y) the Business IT Systems are reasonably sufficient for the current needs of the Business, including as to capacity, scalability, and ability to process peak volumes in a timely manner. (b) In the past three (3) years, the Business IT Systems have not suffered any failures, Security Breaches or cybersecurity incidents that have resulted in a material disruption or loss to the Business. (c) Except as would not reasonably be expected to be material to the Business, the Business IT Systems do not contain any “back door,” “drop dead device,” “time bomb,” virus, Trojan horse, worm, malware or any other similar malicious code designed or intended to have, or capable of disrupting, disabling, harming or otherwise impeding effect on the operation of, or providing unauthorized access to, a computer system or network or other device on which such code is stored or installed, or damaging or destroying any data or file without the user’s consent. (d) Except as set forth in Section 4.14(d) of the Disclosure Schedules, except as would not reasonably be expected to be material to the Business, Parent and its Subsidiaries (in each case, as related to the Business) and the Transferred Companies are (and have been in the past three (3) years) in compliance with their external privacy statements and policies (and internal privacy statements and policies notified to employees), all applicable Laws and any Contracts, in each case, to the extent related to the processing of Personal Information, including (i) through the implementation and regular maintenance of commercially appropriate data protection policies, procedures, records and logs concerning the collection, use, storage, retention, transfer and security of Personal Information; and (ii) in Contracts with third-party suppliers, as necessary to meet the requirements of applicable Law. (e) Except as would not reasonably be expected to be material to the Business, in the past three (3) years, Parent and its Subsidiaries (in each case, as related to the Business) and the Transferred Companies have not (i) experienced any Security Breach that resulted in a requirement to notify any Person of any such Security Breach under applicable Law; (ii) notified in writing, or been required by applicable Law or Governmental Entity to notify in writing, any Person of any Security Breach; or (iii) received any written notice of any claims, investigations (including investigations by a Governmental Entity), or alleged violations of applicable Laws with respect to Personal Information possessed by Parent and its Subsidiaries (in each case, as related to the Business) or the Transferred Companies. Parent and its Subsidiaries (in each case, as related to the Business) and the Transferred Companies have implemented and maintained an information security program that is comprised of commercially reasonable safeguards designed to protect the security and confidentiality of the Business IT Systems and all Personal Information processed thereby against Security Breaches, through regular penetration tests and vulnerability assessments, and have taken reasonable steps to remediate all such incidents and all high level or critical vulnerabilities identified therein.
Appears in 1 contract
