Common use of Cybersecurity and Data Protection Clause in Contracts

Cybersecurity and Data Protection. (a) The information technology systems used in the business of Borrower and its Subsidiaries operate and perform in all material respects as required to permit Borrower and its Subsidiaries to conduct their business as presently conducted. Neither Borrower, nor any of its Subsidiaries, nor to the Knowledge of Borrower, any vendor of Borrower or any of its Subsidiaries, has suffered any data breaches that (A) have resulted in any unauthorized access, acquisition, use, control, disclosure, destruction, or modification of any information subject to Data Protection Laws or any Company IP, or (B) have resulted in unauthorized access to, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries. Except as would not cause or could not be reasonably expected to result in, individually or in the aggregate, a Material Adverse Change, (i) Borrower and its Subsidiaries have implemented and maintain a reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect information subject to Data Protection Laws and the information technology systems of Borrower and each of its Subsidiaries from any unauthorized access, use, control, disclosure, destruction or modification, (ii) Borrower and each of its Subsidiaries is in compliance with all applicable Requirements of Law and Material Contracts regarding the privacy and security of customer, consumer, patient, employee and other personal data and is compliant with their respective published privacy policies and (iii) there have not been any incidents of, or, to the Knowledge of Borrower, any third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that Borrower or any of its Subsidiaries creates, receives, maintains, or transmits.

Cybersecurity and Data Protection. (a) The Issuer, the Parent Guarantor and its Subsidiaries’ information technology systems used in assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are reasonably believed by the business of Borrower and its Subsidiaries operate and perform Parent Guarantor to be adequate in all material respects for, and operate and perform as required to permit Borrower in connection with, the operation of the business of the Issuer, the Parent Guarantor and its Subsidiaries to conduct their business as presently conducted. Neither Borrowercurrently conducted and, nor any of its Subsidiaries, nor to the Knowledge Parent Guarantor’s knowledge, are free and clear of Borrowerall material bugs, any vendor of Borrower or any of its Subsidiarieserrors, has suffered any data breaches that (A) have resulted in any unauthorized accessdefects, acquisitionTrojan horses, usetime bombs, controlmalware and other corruptants, disclosure, destruction, or modification of any information subject to Data Protection Laws or any Company IP, or (B) have resulted in unauthorized access to, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries. Except except as would not cause or could not be reasonably expected to result in, individually or in the aggregate, aggregate reasonably be expected to result in a Material Adverse ChangeEffect. The Issuer, (i) Borrower the Parent Guarantor and its Subsidiaries have implemented and maintain a maintained commercially reasonable enterprise-wide privacy controls, policies, procedures, and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to maintain and protect their material confidential information subject to Data Protection Laws and the information technology systems integrity, continuous operation, redundancy and security of Borrower all IT Systems and each data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”)) used in connection with the business of the Issuer, the Parent Guarantor and its Subsidiaries from as currently conducted, and, to the knowledge of the Parent Guarantor, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any unauthorized accessother person, usenor any incidents under internal review or investigations relating to the same, controlexcept for such failures as would not individually or in the aggregate reasonably be expected to result in a Material Adverse Effect. The Issuer, disclosure, destruction or modification, (ii) Borrower the Parent Guarantor and each of its Subsidiaries is are presently in compliance with all applicable Requirements laws or statutes and all judgments, orders, rules and regulations of Law any court or arbitrator or governmental or regulatory authority, internal policies and Material Contracts regarding contractual obligations relating to the privacy and security of customer, consumer, patient, employee IT Systems and other personal data Personal Data and is compliant with their respective published privacy policies and (iii) there have not been any incidents of, or, to the Knowledge protection of Borrowersuch IT Systems and Personal Data from unauthorized use, any third party claims related toaccess, any loss, theft, unauthorized access to, misappropriation or unauthorized acquisition, modification, disclosure, corruption, destruction, except for such failures as would not individually or other misuse of any information subject in the aggregate reasonably be expected to Data Protection Laws (including any ransomware incident) that Borrower or any of its Subsidiaries creates, receives, maintains, or transmitsresult in a Material Adverse Effect.

Cybersecurity and Data Protection. (aA) The To the knowledge of the Company, there has been no security breach or incident, unauthorized access or disclosure, or other compromise of or relating to the Company information technology systems used and computer systems, networks, hardware, software, data and databases (including the data and information of its patients, customers, employees, suppliers, vendors and any third party data maintained, processed or stored by the Company, and any such data processed or stored by third parties on behalf of the Company), equipment or technology (collectively, “IT Systems and Data”); (B) the Company has not been notified of, and has no knowledge of any event or condition that could result in, any security breach or incident, unauthorized access or disclosure of or other compromise to its IT Systems and Data; and (C) the Company has implemented appropriate controls, policies, procedures, and technological safeguards to maintain and protect the integrity, continuous operation, redundancy, disaster recovery and security of its IT Systems and Data reasonably consistent with industry standards and practices, or as required by applicable data protection laws, healthcare laws and regulatory standards. The IT Systems and Data are adequate and operational for, in accordance with their documentation and functional specifications, the business of Borrower the Company as now operated by it and its Subsidiaries operate as currently proposed to be operated as described in the Registration Statement, the General Disclosure Package and perform the Prospectus. The Company is in compliance in all material respects as required to permit Borrower and its Subsidiaries to conduct their business as presently conducted. Neither Borrower, nor any of its Subsidiaries, nor to the Knowledge of Borrower, any vendor of Borrower or any of its Subsidiaries, has suffered any data breaches that (A) have resulted in any unauthorized access, acquisition, use, control, disclosure, destruction, or modification of any information subject to Data Protection Laws or any Company IP, or (B) have resulted in unauthorized access to, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries. Except as would not cause or could not be reasonably expected to result in, individually or in the aggregate, a Material Adverse Change, (i) Borrower and its Subsidiaries have implemented and maintain a reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect information subject to Data Protection Laws and the information technology systems of Borrower and each of its Subsidiaries from any unauthorized access, use, control, disclosure, destruction or modification, (ii) Borrower and each of its Subsidiaries is in compliance with all applicable Requirements laws or statutes and all judgments, orders, rules and regulations of Law any court or arbitrator or governmental or regulatory authority, internal policies and Material Contracts regarding contractual obligations relating to the privacy and security of customerthe IT Systems and Data, consumerincluding the collection, patientuse, employee and other personal data and is compliant with their respective published privacy policies and (iii) there have not been any incidents oftransfer, orprocessing, to the Knowledge of Borrower, any third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modificationdisposal, disclosure, corruptionhandling, destructionstorage and analysis of personally identifiable information, protected health information, consumer information and other confidential information of the Company and any third parties in their possession (“Sensitive Company Data”), and the protection of such IT Systems and Data and Sensitive Company Data from unauthorized use, access, misappropriation or other misuse modification. The Company has taken reasonable steps necessary to maintain the confidentiality of the Sensitive Company Data. The Company has not received any written notice, claim, complaint, demand or letter from any Person or Governmental Entity in respect of its business under applicable data security and data protection laws and regulations and industry standards regarding misuse, loss, unauthorized destruction or unauthorized disclosure of any Sensitive Company Data. To the knowledge of the Company, there has been no unauthorized or illegal use of or access to any Sensitive Company Data by any third party. The Company has not been required to notify any individual, Governmental Entity or data protection authority of any information security breach, compromise or incident involving Sensitive Company Data and are not the subject to Data Protection Laws (including of any ransomware incident) that Borrower inquiry or investigation by any Governmental Entity or data protection authority regarding any of its Subsidiaries creates, receives, maintains, or transmitsthe foregoing.

Cybersecurity and Data Protection. Except for those would not reasonably be expected to have a Material Adverse Effect, (ai) The the Company and the Group Entities have complied and are presently in compliance with all internal and external privacy policies and information technology systems used notices, contractual obligations, industry standards, regulatory guidelines, applicable laws, statutes, judgments, orders, rules and regulations of any court or arbitrator or other governmental or regulatory authority and any other legal obligations, in the business of Borrower and its Subsidiaries operate and perform in all material respects as required to permit Borrower and its Subsidiaries to conduct their business as presently conducted. Neither Borrowereach case, nor any of its Subsidiaries, nor relating to the Knowledge of Borrower, any vendor of Borrower or any of its Subsidiaries, has suffered any data breaches that (A) have resulted in any unauthorized access, acquisitioncollection, use, controltransfer, disclosureimport, destructionexport, storage, protection, disposal, disclosure and any other processing by the Company or the Group Entities of personal, personally identifiable, household, sensitive, confidential or regulated data (“Data Security Obligations”, and such data, “Data”), (ii) none of the Company or the Group Entities has received any notification of or complaint regarding, or modification is aware of any information subject to Data Protection Laws or any Company IP, or (B) have resulted in unauthorized access to, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries. Except as would not cause or could not be reasonably expected to result inother facts that, individually or in the aggregate, would reasonably indicate, non-compliance by any of them with any Data Security Obligation, (iii) to the Company’s knowledge, there is no action, suit or proceeding by or before any court or governmental agency, authority or body pending or threatened alleging the Company’s or any Group Entity’s non-compliance with any Data Security Obligation, (iv) the Company and each Group Entity have implemented and maintained reasonable technical and organizational measures designed to protect the security and integrity of the Data used in connection with the operation of the Company’s and each of the Group Entities’ businesses, (v) without limiting the foregoing, the Company and each of the Group Entities have used reasonable efforts to establish and maintain, and have established, maintained, implemented and complied with, reasonable information technology, information security, cybersecurity and data protection controls, policies and procedures, including oversight, access controls, encryption, technological, organizational and physical safeguards and business continuity/disaster recovery and security plans that are designed to protect against and prevent breach, destruction, loss, unauthorized or unlawful distribution, use, access, disablement, misappropriation or modification, or other compromise or misuse of or relating to any Data used in connection with the operation of the Company’s or any of the Group Entities’ businesses (“Breach”), and (vi) there has been no such Breach, and neither the Company or any of the Group Entities has been notified of or has any knowledge of any event or condition that would reasonably be expected to result in, any such Breach. Except as disclosed in the Hong Kong Public Offering Documents, Registration Statement, the Disclosure Package and the Prospectus, none of the Company or Group Entities is the subject of any investigation, or has received any inquiry, notice, warning, sanction or claim, or is a party to or affected by any pending or, threatened action, suit, proceeding or claim, or is bound by any judgment, decree or order, or has entered into any agreement, in each case relating to any alleged violation of any Cybersecurity Law of the PRC, in particular, neither the Company nor Group Entities is currently subject to a cybersecurity review by the Cyberspace Administration of the PRC (the “CAC”), except which would not, if determined adversely to the Company or any of the Group Entities, individually or in the aggregate, result in a Material Adverse Change, (i) Borrower and its Subsidiaries have implemented and maintain a reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect information subject to Data Protection Laws and the information technology systems of Borrower and each of its Subsidiaries from any unauthorized access, use, control, disclosure, destruction or modification, (ii) Borrower and each of its Subsidiaries is in compliance with all applicable Requirements of Law and Material Contracts regarding the privacy and security of customer, consumer, patient, employee and other personal data and is compliant with their respective published privacy policies and (iii) there have not been any incidents of, or, to the Knowledge of Borrower, any third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that Borrower or any of its Subsidiaries creates, receives, maintains, or transmits.

Cybersecurity and Data Protection. (a) The Except as set forth in Schedule 4.22(a) of the Disclosure Letter, the information technology systems used in the business of Borrower and its Subsidiaries operate and perform in all material respects as required to permit Borrower and its Subsidiaries to conduct their business as presently conducted. Neither Borrower, nor any of its Subsidiaries, nor to the Knowledge of Borrower, any vendor of Borrower or any of its Subsidiaries, has suffered any data breaches that (AExcept as set forth on Schedule 4.22(a) have resulted in any unauthorized access, acquisition, use, control, disclosure, destruction, or modification of any information subject to Data Protection Laws or any Company IP, or (B) have resulted in unauthorized access to, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries. Except as would not cause or could not be reasonably expected to result inDisclosure Letter, individually or in the aggregate, a Material Adverse Change, (i) Borrower and its Subsidiaries have implemented and maintain a commercially reasonable enterprise-wide privacy and information security program with plans, policies and procedures for privacy, physical and cyber security, disaster recovery, business continuity and incident response, including reasonable and appropriate administrative, technical and physical safeguards to protect information subject to Data Protection Laws as well as information and other materials in which Borrower or any of its Subsidiaries have Intellectual Property rights (including Company IP) or nondisclosure obligations, and the information technology systems of Borrower and each of its Subsidiaries Subsidiaries, from any unauthorized access, use, control, disclosure, destruction or modification. Except as set forth on Schedule 4.22(a) of the Disclosure Letter, (ii) neither Borrower nor any of its Subsidiaries, nor to the Knowledge of Borrower, any vendor of Borrower or any of its Subsidiaries, has suffered any data breaches or other incidents that have resulted in such unauthorized access, acquisition, use, control, disclosure, destruction, or modification of any information subject to Data Protection Laws, any information or other materials subject to non-disclosure obligations or any material Company IP, or have resulted in such unauthorized access to, control of, or disruption of the information technology systems of Borrower or any of its Subsidiaries, as could have a material adverse effect on the Company and its Subsidiaries as a whole. Borrower and each of its Subsidiaries is in material compliance with the requirements of (A) their respective enterprise-wide privacy and information security programs, (B) Data Protection Laws, (C) all applicable Requirements of Law and Material Contracts regarding the privacy and security of customer, consumer, patient, clinical trial participant, employee and other personal data data, (D) their respective contractual non-disclosure obligations and is compliant with (E) their respective published privacy policies and policies. In the past six (iii6) years, there have not been any incidents of, or, to the Knowledge of Borrower, any third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruption, destruction, or other misuse of any information subject to Data Protection Laws (including any ransomware incident) that Borrower or any of its Subsidiaries creates, receives, maintains, or transmits.

Cybersecurity and Data Protection. (a) The Except as set forth in Schedule 4.22(a) of the Disclosure Letter, to the Knowledge of Borrower, the information technology systems used in the business of Borrower each of Parent and its Subsidiaries Subsidiaries, including technology systems and applications (such as the MyLink™ device) made available by Parent or any of its Subsidiaries, including Borrower, to medical partners, physicians, patients, payors, and other third parties in connection with Product, (altogether, “Systems”) operate and perform in all material respects as required to permit Borrower each of Parent and its Subsidiaries to conduct their business respective businesses as presently conductedconducted in the Territory. Neither Borrower, nor any of its Subsidiaries, nor to To the Knowledge of Borrower, no System contains any vendor of Borrower material ransomware, disabling codes or instructions, spyware, Trojan horses, worms, viruses or other software routines that are designed or intended to delete, destroy, disable, disrupt, impair, interfere with, perform unauthorized modifications to, or provide unauthorized access to any data, files, software, system, network, or other device. Parent and each of its Subsidiaries, has suffered any data breaches that (A) including Borrower, have resulted and maintain back-up systems, consistent with the industry in any unauthorized accesswhich Parent and each of its Subsidiaries operate and the size and condition of Parent and each of its Subsidiaries, acquisition, use, control, disclosure, destruction, or modification designed to provide continuing availability of the material functionality provided by the Systems in the event of any information subject to Data Protection Laws or any Company IP, or (B) have resulted in unauthorized access to, control malfunction of, or disruption of other event interrupting access to or the information technology systems of Borrower or any functionality of, such Systems. Parent and each of its Subsidiaries, including Borrower, use commercially reasonable efforts to maintain System security, including promptly implementing material security patches that are generally available for the Systems. (b) Except as would not cause or could not be reasonably expected to result inset forth on Schedule 4.22(b) of the Disclosure Letter, individually or in the aggregateParent and each of its Subsidiaries, a Material Adverse Changeincluding Borrower, (i) Borrower and its Subsidiaries have has implemented and maintain maintains a reasonable commercially reasonable, enterprise-wide privacy and information security program (“Security Program”) with plans, policies policies, and procedures for privacy, privacy and physical and cyber security, security (including for disaster recovery, business continuity continuity, encryption, data back-up, System access controls, workstation use and security, incident detection, and incident response), including that includes commercially reasonable and appropriate administrative, technical and physical safeguards designed to protect information subject to Data Protection Laws the integrity and availability of the information technology systems of Borrower Systems, consistent with the industry in which Parent and each of its Subsidiaries from operate and the size and condition of Parent and its Subsidiaries, and to protect against (i) any unauthorized accessunauthorized, accidental, or unlawful access to or acquisition, use, disclosure, transmission, retention, processing, loss, destruction, or modification of Personal Data that would require notification to any affected individuals or any Governmental Authority under any applicable Data Protection Laws (each, a “Personal Data Breach”), (ii) any unauthorized, accidental, or unlawful access to or acquisition, use, disclosure, transmission, or loss of Sensitive Information that is not Personal Data, and (iii) any security incidents that would result in unauthorized, accidental, or unlawful access to or acquisition, use, control, disclosure, destruction or modification, (ii) Borrower and each of its Subsidiaries is in compliance with all applicable Requirements of Law and Material Contracts regarding the privacy and security of customer, consumer, patient, employee and other personal data and is compliant with their respective published privacy policies and (iii) there have not been any incidents of, or, to the Knowledge of Borrower, any third party claims related to, any loss, theft, unauthorized access to, or unauthorized acquisition, modification, disclosure, corruptiondisruption, destruction, or other misuse modification of any information subject to Data Protection Laws of the Systems (including any ransomware incidentcyber-attacks) that Borrower would reasonably be expected to result in a material and adverse effect on the operation of Parent’s or any of its Subsidiaries createsSubsidiaries’ business operations as currently conducted (sub-clauses (i) through (iii), receivescollectively, maintains, or transmits“Security Incidents”).