Common use of Cybersecurity; Data Protection Clause in Contracts

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Data”)) used in connection with its business, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the Company is presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.

Cybersecurity; Data Protection. Except as could not be expected (A) There has been no known security breach or incident, unauthorized access or disclosure, or other compromise of or relating to have a Material Adverse Effect, the Company’s Parent Guarantor or its subsidiaries information technology assets and equipment, computers, computer systems, networks, hardware, software, websitesdata and databases (including the data and information of their respective customers, applicationsemployees, suppliers, vendors and any third party data maintained, processed or stored by the Parent Guarantor and its subsidiaries, and databases any such data processed or stored by third parties on behalf of the Parent Guarantor and its subsidiaries), equipment or technology (collectively, “IT SystemsSystems and Data”) are adequate for), and operate and perform except as would not, individually or in all material respects as required in connection with the operation of the business of the Company as currently conductedaggregate, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect; (B) neither the Parent Guarantor nor its subsidiaries have been notified of, and each of them have no knowledge of any event or condition that could result in, any security breach or incident, unauthorized access or disclosure or other compromise to their IT Systems and Data, except as would not, individually or in the Company has aggregate, have a Material Adverse Effect and (C) the Parent Guarantor and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and technological safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all their IT Systems and data (including all personalData reasonably consistent with industry standards and practices, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Data”)) used in connection with as required by applicable regulatory standards. The Parent Guarantor and its business, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the Company is subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s (i) Each Company Party and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the such Company Party and its subsidiaries as currently conducted, and are, to the knowledge of the Company Parties, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to ; (ii) each Company Party and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, procedures and safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the ; (iii) each Company is Party and its subsidiaries are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The ; and (iv) each Company further certifies Party and its subsidiaries have taken all necessary actions to comply with the European Union General Data Protection Regulation and have taken all necessary actions to prepare to comply with all other applicable laws and regulations with respect to Personal Data that neither it nor have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any subsidiary: non-compliance with same would be reasonably likely to create a liability, as soon they take effect, except as would not, in the case of each of clause (i) has received notice of any actual or potential liability under or relating to), or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for), in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is and (iv), reasonably be expected, individually or in the aggregate, to have a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy LawMaterial Adverse Effect.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, including, without limitation, those owned, licensed or otherwise used (excluding any public networks), such as its data communications lines, computers, systems, networks, hardware, servers, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conductedconducted and as proposed to be conducted as described in the Registration Statement, the Pricing Disclosure Package and the Prospectus, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its subsidiaries have a Material Adverse Effect, the Company has at all times implemented and maintained commercially reasonable all reasonably necessary controls, policies, procedures, and safeguards consistent with industry standards and practices for similarly situated companies to maintain and protect its material confidential information and the integrity, availability, privacy, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data data) (“Sensitive Company Data”)) used in connection with its their business, and there have been no breaches, violations, outages outages, compromises, or unlawful or unauthorized acquisitions of, disclosures of, uses of or accesses to the same, except for those that in each case as would not, individually or in the aggregate, reasonably be expected to have been remedied without material cost a Material Adverse Effect. There are no privacy or liability or the duty to notify any other person, nor any security incidents under internal review or investigations relating to the samesame that would, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. Except in each case as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the Company is and its subsidiaries are presently and, at all times, have been in compliance with all (i) applicable laws or statutes (including without limitation all applicable privacy and security laws and regulationslaws, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectivelystatutes, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or court, arbitrator, governmental or regulatory authority, ; and (ii) internal policies and contractual obligations obligations, each (i) and (ii) relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy LawData.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with for the operation and performance for the operation of the business of the Company and its subsidiaries as currently conducted, and, to the Company’s knowledge, the IT Systems are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not , that would reasonably be expected likely to have a Material Adverse Effect, the Change. The Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses. “Personal Data” means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) “personal data” as defined by European Union General Data Protection Regulation; (iv) any information which would qualify as “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the HIPAA; and (v) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. To the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not , that, in each case, would reasonably be expected likely to have result in a Material Adverse Effect, the Change. The Company is and its subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its Subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its Subsidiaries as currently conducted, and to the Company’s knowledge free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its Subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir respective businesses, and and, to the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses access to the same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any material incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the The Company is and its Subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual modification except where such non-compliance would not, individually or potential liability under or relating toin the aggregate, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in have a Company Material Adverse Effect. The Company and its Subsidiaries have taken all necessary actions to materially comply with the European Union General Data Protection Regulation if and to the extent applicable (and to prepare to materially comply with all other applicable laws and regulations with respect to Personal Data that have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any non-compliance with the same would be reasonably likely to create a material liability) as soon they take effect except where such notice; (ii) is currently conducting or paying fornon-compliance would not, in whole individually or in partthe aggregate, any investigation, remediation, reasonably be expected to have a Company Material Adverse Effect. Any certificate signed by or other corrective action pursuant on behalf of the Company and delivered to any Privacy Law; the Representatives or (iii) is to counsel for the Underwriters shall be deemed to be a party representation and warranty by the Company to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawthe Underwriters as to the matters covered thereby.

Cybersecurity; Data Protection. Except as could not be expected to (i) The Company and its subsidiaries have a Material Adverse Effect, the Company’s information technology assets and equipment, computers, systems, networks, hardware, software, websites, applicationscomplied, and databases (collectivelyare presently in compliance, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection respects, with the operation of the business of the Company as currently conducted, free all internal and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, external privacy policies, procedurescontractual obligations, and safeguards to maintain and protect its material confidential information and the integrityindustry standards, continuous operationapplicable laws, redundancy and security of all IT Systems and data (including all personalstatutes, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Data”)) used in connection with its business, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the Company is presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all #95429626v5 #95429626v9 judgments, orders, rules and regulations of any court or arbitrator or other governmental or regulatory authorityauthority and any legal obligations regarding the collection, internal policies use, transfer, import, export, storage, protection, disposal and contractual obligations relating disclosure by the Company and its subsidiaries of Data (“Data Security Obligations”); (ii) neither the Company nor any of its subsidiaries has received any notification of or complaint regarding, and are aware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance with any Data Security Obligation; and (iii) there is no pending, or to the privacy and security knowledge of IT Systems and Sensitive the Company, threatened, action, suit or proceeding by or before any court or governmental agency, authority or body pending or threatened alleging non-compliance with any Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modificationSecurity Obligation. The Company further certifies and its subsidiaries have taken steps reasonably necessary in accordance with industry standard practices to protect such information against loss and against unauthorized access, use, modification, disclosure or other misuse, except in each case to the extent that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that failure to do so would not reasonably be expected to result have a Material Adverse Effect on the Company and its subsidiaries, taken as a whole. To the knowledge of the Company, except as disclosed in any such notice; (ii) is currently conducting the Registration Statement, the Disclosure Package and the Prospectus or paying for, in whole as would not individually or in partthe aggregate have a Material Adverse Effect on the Company and its subsidiaries, taken as a whole, there has been no unauthorized access to such information. The Company and its subsidiaries have taken or will take all necessary actions to comply with all applicable laws and regulations with respect to Personal Data that have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any investigationnon-compliance with same would be reasonably likely to have a Material Adverse Effect on the Company and its subsidiaries, remediationtaken as a whole, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawas soon they take effect.

Cybersecurity; Data Protection. Except as could would not be expected expected, individually or in the aggregate, to have a Material Adverse Effect, the Company’s and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of, to the knowledge of the Company, all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected expected, individually or in the aggregate, to have a Material Adverse Effect, (i) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and all personal data (including all personal, personally identifiable, and sensitive, proprietary, confidential or regulated data maintained or processed by the Company and its subsidiaries in connection with their businesses (collectively, the “Sensitive Confidential Data”)) used in connection with its business, and (ii) to the knowledge of the Company, there have been no breaches, violations, outages or unauthorized uses of or accesses to samesuch Confidential Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected expected, individually or in the aggregate, to have a Material Adverse Effect, to the knowledge of the Company, the Company is and its subsidiaries are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, and all internal policies and contractual obligations relating to of the Company and its subsidiaries, governing the privacy and security of IT Systems and Sensitive Confidential Data and to the protection of such IT Systems and Sensitive Confidential Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases owned or used by the Company or its subsidiaries (collectively, “IT Systems”) ), to the knowledge of the Company, are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conductedconducted and as proposed to be conducted in the Registration Statement, the Pricing Disclosure Package and the Prospectus, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used collected, used, stored or processed in connection with its businesstheir businesses, and and, to the knowledge of the Company, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other personperson or entity, nor any incidents under internal review or investigations relating to the same. Except as could would not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect, the Company is and its subsidiaries have complied with and are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulationslimitation, to the extent applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, the California Consumer Privacy Act (the “HITECH Act”); and the European Union General Data Protection Regulation (the “GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all applicable judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and external policies, and contractual obligations relating to the privacy and security of IT Systems and Sensitive the collection, use, transfer, import, export, storage, disposal and disclosure of Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modificationmodification (“Data Security Obligations”). Neither the Company nor any of its subsidiaries have received any notification of or complaint regarding non-compliance with any Data Security Obligation, and there is no pending or, to the knowledge of the Company, threatened, action, suit or proceeding by or before any court or governmental agency, authority or body alleging non-compliance with any Data Security Obligation. The Company further certifies that neither it nor any subsidiary: (i) has received notice and its subsidiaries have made all disclosures as required by applicable laws and regulatory rules or requirements in connection with such Data Security Obligations, and no such disclosures have been inaccurate or in violation of any actual applicable laws or potential liability under or relating to, or actual or potential violation of, any regulatory rules and requirements. The Company and its subsidiaries have taken all necessary actions to prepare to comply with the GDPR and all other applicable laws and regulations with respect to Personal Data that have been announced as of the Privacy Lawsdate hereof as becoming effective within 12 months after the date hereof, and has no knowledge of for which any event or condition that non-compliance with same would be reasonably be expected likely to result in any such notice; (ii) is currently conducting or paying forcreate a material liability, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawas soon they take effect.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, including, without limitation, those owned, licensed or otherwise used (excluding any public networks), such as its data communications lines, computers, systems, networks, hardware, servers, software, websites, applications, and databases (collectively, “IT Systems”) are (i) adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conductedconducted and as proposed to be conducted as described in the Registration Statement, the Pricing Disclosure Package and the Prospectus, and (ii) free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except , except in each case as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the . The Company has and its subsidiaries have at all times implemented and maintained commercially reasonable all reasonably necessary controls, policies, procedures, and safeguards consistent with industry standards and practices for similarly situated companies to maintain and protect its material confidential information and the integrity, availability, privacy, continuous operation, redundancy and security of all IT Systems and data (including all personalPersonal Data, personally identifiable, and other sensitive, proprietary, confidential or regulated data data) (“Sensitive Company Data”)) used in connection with its businesstheir respective businesses, and there have been no breaches, violations, outages outages, compromises, or unlawful or unauthorized acquisitions of, disclosures of, uses of or accesses to the same, except for those that in each case as would not, individually or in the aggregate, reasonably be expected to have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the samea Material Adverse Effect. Except in each case as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the Company is and its subsidiaries are presently and, at all times, have been in compliance with all (i) applicable laws or statutes (including without limitation all applicable privacy and security laws and regulationslaws, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectivelystatutes, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or court, arbitrator, governmental or regulatory authority, ; and (ii) internal policies and contractual obligations obligations, each (i) and (ii) relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy LawData.

Cybersecurity; Data Protection. Except as could would not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect, the Company’s Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could would not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect, (i) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and (ii) there have been no breaches, violations, outages or unauthorized uses of, accesses to, encryptions of or accesses to compromises of same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could would not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect, the Company is presently and its subsidiaries have been for the past five (5) years in compliance with all applicable laws or statutes statutes, binding guidance and standards (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Payment Card Industry Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)Security Standard) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating toThere are no pending or, or actual or potential violation of, any to the knowledge of the Privacy LawsCompany, and has no knowledge threatened Actions in relation to the matters of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawthis Section 3(jj).

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, applications and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business respective businesses of the Company and its subsidiaries as currently conductedconducted and as proposed to be conducted as described in the Registration Statement, the Pricing Disclosure Package and the Prospectus, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except , except in each case as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the . The Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, procedures and safeguards consistent with industry standards and practices for similarly-situated companies to maintain and protect its material their confidential information and the integrity, continuous operation, redundancy and security of all its IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data data) used or held for use in connection with their respective businesses (collectively, “Sensitive Data”)) used in connection with its business, and there . There have been no breaches, violations, outages or outages, unauthorized uses of or accesses to samethe IT Systems or Data, except for those that in each case as would not, individually or in the aggregate, reasonably be expected to have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the samea Material Adverse Effect. Except in each case as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, (i) the Company is and its subsidiaries have complied, and are presently in compliance compliance, with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulationslaws, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectivelystatutes, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or other governmental or regulatory authorityauthority and all privacy policies, internal policies and contractual obligations and industry standards relating to the privacy and security of the IT Systems and Sensitive Data and to or the protection of such IT Systems and Sensitive Data from unauthorized collection, use, accesstransfer, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: import, export, storage, protection, disposal and disclosure of Data (i“Data Security Obligations”) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) there is currently conducting no action, suit, investigation or paying forproceeding by or before any court, in whole governmental agency, authority or in part, any investigation, remediation, body or other corrective action pursuant third party pending or, to the knowledge of the Company, threatened against the Company or any Privacy Law; or (iii) is a party to of its subsidiaries alleging non-compliance with any order, decree, or agreement that imposes any obligation or liability under any Privacy LawData Security Obligation,.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except , except as could not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect, the . The Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietaryconfidential, confidential or regulated data (“Personal or Sensitive Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except , except as could not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect. The Company and its subsidiaries are presently, the Company is presently and at all times have been, in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Personal or Sensitive Data and to the protection of such IT Systems and Personal or Sensitive Data from unauthorized use, access, misappropriation or modification, except as could not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect. The Company further certifies and its subsidiaries have taken commercially reasonable actions to comply with any applicable laws and regulations with respect to Personal or Sensitive Data that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any are effective as of the Privacy Lawsdate hereof, and has no knowledge of any event to prepare to comply with applicable laws and regulations with respect to Personal or condition Sensitive Data that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying forwill become effective within 12 months after the date hereof, in whole or in part, each case for which any investigation, remediation, or other corrective action pursuant non-compliance with the same would be reasonably likely to any Privacy Law; or (iii) is create a party material liability to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawthe Company and its subsidiaries.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse EffectThe Company, the Company’s Guarantor and their subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, applications and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and the Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except , except in each case as could not be expected to have would not, singly or in the aggregate, result in a Material Adverse Effect. The Company, the Company has Guarantor and their subsidiaries (i) (x) have implemented and maintained commercially reasonable controls, policies, procedures, procedures and safeguards to maintain and protect its material their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated identifiable data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and (y) there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the Company is ; (ii) are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies ; and (iii) have taken all necessary actions to prepare to comply with the European Union General Data Protection Regulation (and all other applicable laws and regulations with respect to Personal Data that neither it nor have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any subsidiary: non-compliance with same would be reasonably likely to create a material liability) as soon they take effect; except, with respect to each of the foregoing clauses (i) has received notice of any actual or potential liability under or relating to), or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying forand (iii), in whole as would not, singly or in partthe aggregate, any investigation, remediation, result in a Material Adverse Effect. Any certificate signed by an officer of the Company or other corrective action pursuant the Guarantor and delivered to any Privacy Law; the Representative or (iii) is to counsel for the Initial Purchasers shall be deemed to be a party representation and warranty by the Company and the Guarantor to any order, decree, or agreement that imposes any obligation or liability under any Privacy Laweach Initial Purchaser as to the matters set forth therein.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effectdisclosed in the Registration Statement, the Company’s Pricing Disclosure Package and the Prospectus, (i) the Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform perform, in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and are, to the knowledge of the Company, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected corruptants designed to have a Material Adverse Effect, damage or corrupt the IT Systems; (ii) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its protect, in all material confidential information and respects, the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no material breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any material incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, ; (iii) the Company is and its subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, and internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The ; and (iv) the Company further certifies and its subsidiaries have taken all necessary actions to comply, in all material respects, with the European Union General Data Protection Regulation (and to prepare to comply with all other applicable laws and regulations with respect to Personal Data that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any have been announced as of the Privacy Lawsdate hereof as becoming effective within 12 months after the date hereof, and has no knowledge of for which any event or condition that non-compliance with same would be reasonably be expected likely to result in any such notice; (iicreate a material liability) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawas soon they take effect.

Cybersecurity; Data Protection. Except as could disclosed in the Registration Statement, the Pricing Disclosure Package and the Prospectus or in each case as would not be expected to have otherwise result in a Material Adverse Effect, the Company’s Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects perform, as required in connection with the operation of the business of the Company and its subsidiaries as currently conductedconducted and as proposed to be conducted in the Registration Statement, Prospectus and Pricing Disclosure Package, and are, to the Company’s knowledge, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its material their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data and information (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages destructions, losses, outages, disablements, misappropriations, modifications or unauthorized uses of or accesses to samethe same (“Breaches”), except for those that have been remedied without material cost would not, individually or liability or in the duty to notify any other personaggregate, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have result in a Material Adverse Effect. The Company and its subsidiaries have not been notified, and have no knowledge of, any event or condition that would reasonably be expected to result in a Breach. Without limiting the foregoing, the Company is and its subsidiaries have established, maintained, implemented and complied with commercially reasonable information technology, information security, cybersecurity and data protection controls, policies and procedures, including oversight, access controls, encryption, technological and physical safeguards and business continuity/disaster recovery and security plans to protect against Breaches. The Company and its subsidiaries have complied, and are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to (i) the collection, use, transfer, processing, import, export, storage, protection, disposal and disclosure of Personal Data by the Company or any of its subsidiaries, (ii) the privacy and security of IT Systems and Sensitive Personal Data and to (iii) the protection of such IT Systems and Sensitive Personal Data from unauthorized useBreaches (the “Data Security Obligations”), accessin each case, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that except as would not reasonably be expected to result in have a Material Adverse Effect. Neither the Company nor any such notice; (ii) of its subsidiaries has received any notification of or complaint regarding, and is currently conducting or paying forunaware of any other facts that, in whole individually or in partthe aggregate, would reasonably indicate, material non-compliance with any investigationData Security Obligation. There is no action, remediationsuit or proceeding by or before any court or governmental agency, authority or other corrective action pursuant body pending or, to the knowledge of the Company, threatened, alleging non-compliance with any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy LawData Security Obligation.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and to the knowledge of the Company, are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and and, to the knowledge of the Company, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other personperson (other than those notifications provided in accordance with applicable law and which did not result in material cost or liability), nor any material incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the The Company is and its subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies and its subsidiaries have taken all necessary actions to comply in all material respects with the European Union General Data Protection Regulation (and to prepare to comply with all other applicable laws and regulations with respect to Personal Data that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any have been announced as of the Privacy Lawsdate hereof as becoming effective within 12 months after the date hereof, and has no knowledge of for which any event or condition that non-compliance with same would be reasonably be expected likely to result in any such notice; (iicreate a material liability) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawas soon as they take effect.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its Subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its Subsidiaries as currently conducted, and to the Company’s knowledge free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its Subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir respective businesses, and and, to the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses access to the same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any material incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the The Company is and its Subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual modification except where such non-compliance would not, individually or potential liability under or relating toin the aggregate, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in have a Company Material Adverse Effect. The Company and its Subsidiaries have taken all necessary actions to materially comply with the European Union General Data Protection Regulation if and to the extent applicable (and to prepare to materially comply with all other applicable laws and regulations with respect to Personal Data that have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any non-compliance with the same would be reasonably likely to create a material liability) as soon they take effect except where such notice; (ii) is currently conducting or paying fornon-compliance would not, in whole individually or in partthe aggregate, any investigation, remediation, reasonably be expected to have a Company Material Adverse Effect. Any certificate signed by or other corrective action pursuant on behalf of the Company and delivered to any Privacy Law; the Representatives or (iii) is counsel for the Underwriters shall be deemed to be a party representation and warranty by the Company to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawthe Underwriters as to the matters covered thereby.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s (i) The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and are, to the knowledge of the Company, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, ; (ii) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, ; and (iii) the Company is and its subsidiaries are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification, except, with respect to each of clauses (i) and (iii), as would not, individually or in the aggregate, have a Material Adverse Effect. The Company further certifies and its subsidiaries have taken commercially reasonable actions to prepare to comply with all applicable laws and regulations with respect to Personal Data that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any have been announced as of the Privacy Lawsdate hereof as becoming effective within 12 months after the date hereof, and has no knowledge of for which any event or condition that non-compliance with same would be reasonably be expected likely to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is create a party to any order, decree, or agreement that imposes any obligation or material liability under any Privacy Lawas soon they take effect.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s Company Parties’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company Parties and their Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except corruptants except as could would not reasonably be expected to have a Material Adverse Effect, the . The Company has Parties and their Subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential identifiable or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses. To the knowledge of the Company Parties, and there have been no breaches, violations, outages or unauthorized uses of or accesses to samethe IT Systems or Personal Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except same and the Company Parties and its Subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in, any security breach or other compromise to the IT Systems and Personal Data, except as could would not reasonably be expected to have a Material Adverse Effect, the . The Company is Parties and their Subsidiaries are presently in compliance in all material respects with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, Parties and has no knowledge of any event or condition that would reasonably be expected their Subsidiaries have used reasonable best efforts to result implement backup and disaster recovery technology consistent with industry standards and practices in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawall material respects.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effectdisclosed in the Registration Statement, the Pricing Disclosure Package and the Prospectus, (i) the Company’s and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are are, in the Company’s reasonable belief, adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as corruptants that could not reasonably be expected to have a Material Adverse Effect, ; (ii) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to the same, except for (x) those that did not or would not reasonably be expected to result in a Material Adverse Effect and (y) those that have been remedied without material cost or liability or the duty to notify any other person, nor any material incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, investigation; (iii) the Company is and its subsidiaries are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and to the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)extent applicable) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation ofexcept as would not, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole individually or in partthe aggregate, any investigation, remediation, or other corrective action pursuant have a Material Adverse Effect; and (iv) the Company and its subsidiaries have initiated steps reasonably necessary to any prepare to timely comply with applicable requirements under the California Consumer Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy LawAct of 2018.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s Company Parties’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company Parties and their Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except corruptants except as could would not reasonably be expected to have a an Issuer Material Adverse Effect, the . The Company has and its Subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential identifiable or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses. To the knowledge of the Company Parties, and there have been no breaches, violations, outages or unauthorized uses of or accesses to samethe IT Systems or Personal Data, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except same and the Company Parties and its Subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to result in, any security breach or other compromise to the IT Systems and Personal Data, except as could would not reasonably be expected to have a an Issuer Material Adverse Effect, the . The Company is Parties and its Subsidiaries are presently in compliance in all material respects with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, Parties and has no knowledge of any event or condition that would reasonably be expected their Subsidiaries have used reasonable best efforts to result implement backup and disaster recovery technology consistent with industry standards and practices in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawall material respects.

Cybersecurity; Data Protection. Except as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse EffectEffect and except as described in each of the Registration Statement, the Company’s Pricing Disclosure Package and the Prospectus, the Company and its subsidiaries’ information technology assets and assets, equipment, computers, systems, networks, software, hardware, softwarecomputers, websites, applications, applications and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse EffectEffect and except as described in each of the Registration Statement, the Pricing Disclosure Package and the Prospectus, (i) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its material their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (data, including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Data”)) used in connection with its businesstheir businesses, and (ii) there have been no breaches, violations, outages or unauthorized uses of or accesses to the same, except for those that have been remedied without material cost or liability or the duty to notify any other personremedied, nor any incidents currently under internal review or investigations relating to the same. Except as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse EffectEffect and except as described in each of the Registration Statement, the Pricing Disclosure Package and the Prospectus, the Company is and its subsidiaries are presently in compliance with all applicable laws or statutes (including without limitation and all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to collected, stored, processed, transferred, disclosed or used by the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation Company or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawits subsidiaries.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effectdescribed in the Registration Statement and the Prospectus, the Company’s information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, applications and databases owned by, or leased or licensed to, the Company or any of its subsidiaries (collectively, “IT Systems”) ), to the knowledge of the Company, are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its subsidiaries as currently conducted, and to the Company’s knowledge are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, ; the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data of their respective customers, employees, suppliers, vendors and any third-party data maintained by or on behalf of them (“Sensitive Personal Data”)) used in connection with its businesstheir businesses; to the knowledge of the Company, and there have been no material breaches, violations, outages or outages, unauthorized uses of, accesses to or other compromise of or accesses relating to sameany of the Company’s or any of its subsidiaries’ Personal Data or IT Systems, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any third party; there are no material incidents under internal review or investigations relating to any security breach or other compromise of the same. Except as could Company’s or any of its subsidiaries’ Personal Data or IT Systems and the Company and its subsidiaries have not been notified of, and have no knowledge of any event or condition that would reasonably be expected to have a Material Adverse Effectresult in, any security breach or other compromise to their IT Systems or Personal Data; the Company is and its subsidiaries have implemented commercially reasonable backup and disaster recovery technology consistent with industry standards and practices; and the Company and its subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authorityauthority and internal policies, internal policies procedures and contractual obligations relating to the privacy and security of IT Systems and Sensitive the privacy, collection, use, transfer, storage, protection, disposal or disclosure of Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.

Cybersecurity; Data Protection. Except as could would not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect, the Company’s Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (including protected health information) (“Sensitive Personal Data”)) used collected, used, stored or processed in connection with its businesstheir businesses, and except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could would not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect, the Company is presently and its subsidiaries are presently, and since January 1, 2017 have been, in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulationslimitation, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and external privacy policies, applicable industry standards and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modificationmodification and regarding the collection, use, transfer, import, export, storage, disposal and disclosure by the Company and its subsidiaries of Personal Data (“Data Protection Obligations”). Neither the Company nor any of its subsidiaries has received any written notification of or written complaint regarding, or is aware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance in any material respect with any Data Protection Obligation. There is no pending, or to the knowledge of the Company, threatened, action, suit or proceeding by or before any court or governmental agency, authority or body pending or threatened alleging non-compliance in any material respect with any Data Protection Obligation. The Company further certifies that neither it nor and its subsidiaries have taken commercially reasonable steps in accordance with industry standard practices (including, without limitation, implementing and monitoring compliance with adequate measures with respect to technical and physical security) designed to protect Personal Data collected, used or otherwise processed by the Company or any subsidiary: (i) has received notice of its subsidiaries. Except as would not reasonably be expected, individually or in the aggregate, to have a Material Adverse Effect, the Company and its subsidiaries have made all disclosures to users or customers required by applicable laws and regulatory rules or requirements and no such disclosures have been inaccurate or in violation of any actual applicable laws or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, regulatory rules and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawrequirements.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Data”)) used in connection with its business, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the The Company is presently in compliance in all material respects with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.. (yy)

Cybersecurity; Data Protection. Except as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, (i) the Company’s , the Operating LLC and their respective subsidiaries’ respective information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, data (including confidential information, trade secrets or other data of the Company, the Operating LLC or any of their respective subsidiaries or their respective users, customers, employees, suppliers, vendors, personal data and any third party data maintained by or on behalf of them) and databases (collectively, “IT SystemsSystems and Data”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company Company, the Operating LLC and their respective subsidiaries as currently conducted, and (ii) to the Company’s knowledge such IT Systems and Data are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse EffectEach of the Company, the Company has implemented Operating LLC and maintained commercially reasonable controls, policies, procedurestheir respective subsidiaries have complied, and safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Data”)) used in connection with its business, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the Company is are presently in compliance with with, all applicable laws laws, statutes or statutes (including without limitation all applicable privacy and security laws and regulationsany judgment, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectivelyorder, the “Privacy Laws”)) and all judgments, orders, rules and regulations rule or regulation of any court or arbitrator or other governmental or regulatory authority, and all industry guidelines, standards, internal policies and external policies, contractual obligations and any other legal obligations, in each case, relating to the privacy and security of IT Systems and Sensitive Data Data, and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modification and the collection, use, transfer, processing, import, export, storage, protection, disposal and disclosure of Data (collectively, the “Data Security Obligations”), except as would not, individually or in the aggregate, reasonably be expected to result in a Material Adverse Effect. Each of the Company, the Operating LLC and their respective subsidiaries have used reasonable efforts to establish and maintain, and have established, implemented and maintained, and comply with, reasonable information technology, information security, cyber security and data protection controls, policies and procedures, including oversight, access controls, encryption, technological and physical safeguards and backup and disaster recovery procedures, consistent with reasonable industry standards and practices, that are designed to protect against and prevent breach, destruction, loss, unauthorized distribution, use, access, disablement, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice , or other compromise or misuse of any actual or potential liability under or relating toto any IT Systems and Data (“Breach”). (A) There have been no material Breaches, violations, outages, or actual unauthorized uses of or potential violation accesses to any IT Systems and Data used in connection with the operation of the Company’s, the Operating LLC’s and their respective subsidiaries’ businesses, and (B) each of the Company, the Operating LLC and their respective subsidiaries have not received written notification of, any of the Privacy Laws, and has have no knowledge of of, any event or condition that would reasonably be expected to result in in, a material Breach to their IT Systems and Data. None the Company, the Operating LLC or any such notice; (ii) of their respective subsidiaries has received any written notification of or complaint alleging material non-compliance with any Data Security Obligation by the Company, the Operating LLC or any of their respective subsidiaries, and there is currently conducting no action, suit or paying forproceeding by or before any court or governmental agency, in whole authority or in partbody, pending or, to the Company’s knowledge, threatened, alleging material non-compliance with any investigationData Security Obligation by the Company, remediation, the Operating LLC or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawof their respective subsidiaries.

Cybersecurity; Data Protection. Except as could described in the Registration Statement, the Pricing Disclosure Package and the Prospectus or as would not reasonably be expected expected, individually or in the aggregate, to have a Material Adverse Effect, (i) the Company’s Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its subsidiaries as currently conducted, including in terms of functionality and performance, and, to the knowledge of the Company, are free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, ; (ii) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its material their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and confidential data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data, including, without limitation, any data which would qualify as “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, “Sensitive HIPAA”), “personal data” as defined by the European Union General Data Protection Regulation (EU 2016/679 or “GDPR”), and any other piece of information that allows the identification of a natural person, or his or her family, or data related to an identified person’s health or sexual orientation (collectively, “Personal Data”)) used in connection with its businesstheir businesses; (iii) to the knowledge of the Company, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost any IT Systems or liability or the duty to notify any other personPersonal Data, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, same and (iv) the Company is presently and its subsidiaries are and have been at all times in compliance with all applicable laws laws, directives or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or supragovernmental or regulatory authority, internal policies and policies, contractual obligations and industry standards relating to the privacy and security of IT Systems and Sensitive Personal Data, including, without limitation, the GDPR, the UK Data Protection Xxx 0000, EU Directive 2002/58/EC and all applicable national implementing legislation (“Data Protection Laws”) and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The ; and (v) the Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating toand its subsidiaries have used commercially reasonable efforts to require their vendors, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, service providers or other corrective action pursuant third parties that have received access to any Privacy Law; Personal Data from the Company or (iii) is a party its subsidiaries to any orderprotect the privacy, decree, or agreement that imposes any obligation or liability under any Privacy Lawsecurity and confidentiality of such Personal Data.

Cybersecurity; Data Protection. Except as could would not reasonably be expected to have have, individually or in the aggregate, a Material Adverse Effect, the CompanyIssuer’s information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company Issuer as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, the Company The Issuer has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (including protected health information) (“Sensitive Personal Data”)) used collected, used, stored or processed in connection with its businesstheir businesses, and except as would not reasonably be expected to have, individually or in the aggregate, a Material Adverse Effect, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could would not reasonably be expected to have have, individually or in the aggregate, a Material Adverse Effect, the Company is Issuer has been for the past three (3) years and are presently in compliance with all applicable laws Laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy LawsHIPAA”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and external privacy policies, applicable industry standards and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modificationmodification and regarding the collection, use, transfer, import, export, storage, disposal and disclosure by the Issuer of Personal Data (“Data Protection Obligations”). The Company further certifies that neither it nor Issuer has not received any subsidiary: (i) has received notice written notification of or written complaint regarding, or is aware of any actual other facts that, individually or potential liability under or relating toin the aggregate, would reasonably indicate non-compliance in any material respect with any Data Protection Obligation. There is no pending, or actual or potential violation of, any to the knowledge of the Privacy LawsIssuer, threatened, action, suit or proceeding by or before any court or governmental agency, authority or body pending or threatened alleging non-compliance in any material respect with any Data Protection Obligation. The Issuer has taken commercially reasonable steps in accordance with industry standard practices (including implementing and has no knowledge of any event monitoring compliance with adequate measures with respect to technical and physical security) designed to protect Personal Data collected, used or condition that otherwise processed by the Issuer. Except as would not reasonably be expected to result in any such notice; (ii) is currently conducting or paying forhave, in whole individually or in partthe aggregate, a Material Adverse Effect, the Issuer has made all disclosures to users or customers required by applicable Laws and regulatory rules or requirements and no such disclosures have been inaccurate or in violation of any investigation, remediation, applicable Laws or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawregulatory rules and requirements.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its subsidiaries as currently conducted, and to the Company’s knowledge free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir respective businesses, and and, to the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses access to the same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any material incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the The Company is and its subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual modification except where such non-compliance would not, individually or potential liability under or relating toin the aggregate, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in have a Company Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to materially comply with the European Union General Data Protection Regulation if and to the extent applicable (and to prepare to materially comply with all other applicable laws and regulations with respect to Personal Data that have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any non-compliance with the same would be reasonably likely to create a material liability) as soon they take effect except where such notice; (ii) is currently conducting or paying fornon-compliance would not, in whole individually or in partthe aggregate, any investigation, remediation, reasonably be expected to have a Company Material Adverse Effect. Any certificate signed by or other corrective action pursuant on behalf of the Company and delivered to any Privacy Law; the Representative or (iii) is to counsel for the Underwriters shall be deemed to be a party representation and warranty by the Company to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawthe Underwriters as to the matters covered thereby.

Cybersecurity; Data Protection. Except in each case as could not be expected to would not, individually or in the aggregate, have a Material Adverse Effect, : (i) the Company’s Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, ; (ii) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its material their confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, ; (iii) the Company is and its subsidiaries are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The ; and (iv) the Company further certifies and its subsidiaries have taken all necessary actions to prepare to comply with the European Union General Data Protection Regulation (and all other applicable laws and regulations with respect to Personal Data that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any have been announced as of the Privacy Lawsdate hereof as becoming effective within 12 months after the date hereof, and has no knowledge for which any non-compliance with same would be reasonably likely to create a material liability) as soon they take effect. Any certificate signed by an officer of any event the Company and delivered to the Managers or condition that would reasonably to counsel for the Underwriters shall be expected deemed to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant be a representation and warranty by the Company to any Privacy Law; or (iii) is a party each Underwriter as to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawthe matters set forth therein.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s (i) Each Company Party and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the such Company Party and its subsidiaries as currently conducted, and are, to the knowledge of the Company, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to ; (ii) each Company Party and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, procedures and safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the ; (iii) each Company is Party and its subsidiaries are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The ; and (iv) each Company further certifies Party and its subsidiaries have taken all necessary actions to comply with the European Union General Data Protection Regulation and have taken all necessary actions to prepare to comply with all other applicable laws and regulations with respect to Personal Data that neither it nor have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any subsidiary: non-compliance with same would be reasonably likely to create a liability, as soon they take effect, except as would not, in the case of each of clause (i) has received notice of any actual or potential liability under or relating to), or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for), in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is and (iv), reasonably be expected, individually or in the aggregate, to have a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy LawMaterial Adverse Effect.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the The Company’s and its Subsidiaries’ and Affiliated Entities’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its Subsidiaries and Affiliated Entities as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its Subsidiaries and Affiliated Entities have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the The Company is and its Subsidiaries and Affiliated Entities are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies and its Subsidiaries and Affiliated Entities have taken all necessary actions to prepare to comply with the European Union General Data Protection Regulation (and all other applicable laws and regulations with respect to Personal Data that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any have been announced as of the Privacy Lawsdate hereof as becoming effective within 12 months after the date hereof, and has no knowledge of for which any event or condition that non-compliance with same would be reasonably be expected likely to result in any such notice; (iicreate a material liability) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawas soon they take effect.

Cybersecurity; Data Protection. Except as could not be expected (A)(i) There has been no security breach, improper use, loss, access, disclosure, interruption, modification, corruption (including ransomware attacks) or other compromise of or relating to have (collectively, a Material Adverse Effect, “Security Breach”) any of the Company’s or its subsidiaries’ information technology assets and equipment, computers, computer systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all the personal, personally identifiable, sensitive, proprietary, confidential or regulated information or other data of their respective customers, employees, suppliers, vendors and any third party data maintained by or on behalf of them), equipment or technology (collectively, “Sensitive IT Systems and Data”)) used in connection with and (ii) the Company and its businesssubsidiaries have not been notified of, and there have been no breaches, violations, outages or unauthorized uses knowledge of or accesses to same, except for those any event that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not would reasonably be expected to have a Material Adverse Effectresult in, any Security Breach and (B) the Company is presently in compliance and its subsidiaries have complied with all applicable laws or and statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies policies, current and former public-facing privacy policies, and contractual obligations relating to privacy, data protection, breach notification, processing of personal information or the privacy and security of the IT Systems and Sensitive Data (“Privacy and to Data Security Requirements”), except in such case in (A)(i) and (ii) and (B) as would not, individually or in the protection of such IT Systems and Sensitive Data from unauthorized useaggregate, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in have a Material Adverse Effect. The Company and its subsidiaries have taken reasonable and appropriate actions, consistent with applicable industry standards (including implementing and monitoring compliance with administrative, technical and physical safeguards, policies, procedures and security measures that conform with all Privacy and Data Security Requirements) to protect the operation, confidentiality, integrity and security of the IT Systems and Data (and all data and information and transactions stored or contained therein or transmitted thereby, including personal information) against any such notice; unauthorized or improper use, loss, access, disclosure, interruption, modification or corruption. The Company and its subsidiaries have implemented backup and disaster recovery technology reasonably adequate for their businesses and consistent with industry standards and practices. No actions have been asserted or, to the knowledge of the Company or its subsidiaries, threatened against, and no written notices or claims (iiincluding any communication from any governmental authority) is currently conducting have been received by, the Company or paying forits subsidiaries (nor, in whole to the knowledge of the Company or in partits subsidiaries, by any investigation, remediation, or other corrective action pursuant to third parties processing personal information on their behalf) alleging a violation of any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawand Data Security Requirements.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect(A) To the knowledge of the Company, there has been no material security breach or other compromise of the Company’s or its Subsidiaries’ information technology assets and equipment, computers, computer systems, networks, hardware, software, websites, applications, software and databases (collectively, collectively “IT Systems”) are adequate foror data (including all personal, personally identifiable, sensitive, confidential or regulated data (“Personal Data”) and information of their respective customers, employees, suppliers, vendors and any third parties maintained, processed or stored by the Company and its Subsidiaries, and operate and perform in all material respects as required in connection with the operation of the business any such data processed or stored by third parties on behalf of the Company and its Subsidiaries); (B) neither the Company nor its Subsidiaries have been notified of, and each of them have no knowledge of any material event or condition that would reasonably be expected to result in, any security breach or other compromise to their IT Systems or Personal Data; (C) except as currently conductedwould not, free and clear of all material bugsindividually or in the aggregate, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not reasonably be expected to have a Material Adverse Effect, the Company has and its Subsidiaries have implemented and maintained commercially reasonable appropriate controls, policies, procedures, and technical safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all their IT Systems and data Personal Data reasonably consistent with industry standards and practices, or as required by applicable regulatory standards; (including D) the Company and its Subsidiaries have at all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Data”)) used times in connection with its businessthe past three years been in material compliance with, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the Company is are presently in material compliance with with, all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The modification and all applicable legal obligations regarding the collection, use, transfer, import, export, storage, protection, disposal and disclosure by the Company further certifies that neither it nor any subsidiary: and its Subsidiaries of Personal Data (i“Data Security Obligations”); and (E) has received notice of any actual except as would not, individually or potential liability under or relating toin the aggregate, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) have a Material Adverse Effect, there is currently conducting or paying for, in whole or in part, any investigation, remediationno pending, or other corrective action pursuant to the knowledge of the Company, threatened, action, suit or proceeding by or before any Privacy Law; applicable court or (iii) is a party to governmental agency, authority or body alleging non-compliance by the Company or its subsidiaries with any order, decree, or agreement that imposes any obligation or liability under any Privacy LawData Security Obligations.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with with, the operation of the business of the Company and its subsidiaries as currently conducted, and to the Company’s knowledge free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards designed to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir respective businesses, and and, to the Company’s knowledge, there have been no breaches, violations, outages or unauthorized uses of or accesses to the same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any material incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the The Company is and its subsidiaries are presently in material compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual modification except where such non-compliance would not, individually or potential liability under or relating toin the aggregate, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in have a Company Material Adverse Effect. The Company and its subsidiaries have taken all necessary actions to materially comply with the European Union General Data Protection Regulation if and to the extent applicable (and to prepare to materially comply with all other applicable laws and regulations with respect to Personal Data that have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any non-compliance with the same would be reasonably likely to create a material liability) as soon they take effect except where such notice; (ii) is currently conducting or paying fornon-compliance would not, in whole individually or in partthe aggregate, any investigation, remediation, reasonably be expected to have a Company Material Adverse Effect. Any certificate signed by or other corrective action pursuant on behalf of the Company and delivered to any Privacy Law; the Representative or (iii) is to counsel for the Underwriters shall be deemed to be a party representation and warranty by the Company to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawthe Underwriters as to the matters covered thereby.

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s (i) The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, and are, to the knowledge of the Company, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected corruptants designed to have a Material Adverse Effect, damage or corrupt the IT Systems; (ii) the Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its protect, in all material confidential information and respects, the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Personal Data”)) used in connection with its businesstheir businesses, and there have been no material breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any material incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, ; (iii) the Company is and its subsidiaries are presently in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, and internal policies and contractual obligations relating to the privacy and security of IT Systems and Sensitive Personal Data and to the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modification. The ; and (iv) the Company further certifies and its subsidiaries have taken all necessary actions to comply with the European Union General Data Protection Regulation (and to prepare to comply with all other applicable laws and regulations with respect to Personal Data that neither it nor have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any subsidiary: non-compliance with same would be reasonably likely to create a material liability) as soon they take effect, except as would not, in the case of each of clause (i) has received notice of any actual or potential liability under or relating to), or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is and (iv), reasonably be expected, individually or in the aggregate, to have a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy LawMaterial Adverse Effect.

Cybersecurity; Data Protection. Except as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the Company’s Company and its subsidiaries’ respective information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (including the data of their respective customers, employees, suppliers, vendors and any third-party data maintained by or on behalf of the Company or any of its subsidiaries ) (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except as could not be expected to The Company and its subsidiaries have a Material Adverse Effect, the Company has implemented and maintained commercially reasonable controls, policies, procedures, and safeguards necessary to maintain and protect its their material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (including protected health information) (“Sensitive Personal Data”)) used collected, used, stored or otherwise processed in connection with its businesstheir businesses, and except as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the Company is presently and its subsidiaries are presently, and since formation have been, in compliance with all applicable laws or statutes (including without limitation all applicable privacy and security laws and regulationslimitation, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and external privacy policies, applicable industry standards and contractual obligations obligations, in each case, relating to the privacy and security of IT Systems and Sensitive Data and to Personal Data, the protection of such IT Systems and Sensitive Personal Data from unauthorized use, access, misappropriation or modificationmodification or the collection, use, transfer, import, export, storage, disposal, disclosure or other processing by the Company and its subsidiaries of Personal Data (“Data Protection Obligations”). Neither the Company nor any of its subsidiaries has received any written notification of or written complaint regarding, or is aware of any other facts that, individually or in the aggregate, would reasonably indicate non-compliance in any material respect with any Data Protection Obligation. There is no pending, or to the knowledge of the Company, threatened, action, suit or proceeding by or before any court or governmental agency, authority or body alleging non-compliance in any material respect with any Data Protection Obligation. The Company further certifies that neither it nor any subsidiary: and its subsidiaries have taken commercially reasonable steps in accordance with industry standard practices (iincluding, without limitation, implementing and monitoring compliance with adequate measures with respect to technical and physical security) has received notice of any actual designed to protect Personal Data collected, used or potential liability under otherwise processed by the Company or relating to, or actual or potential violation of, any of its subsidiaries. Except as would not, individually or in the Privacy Lawsaggregate, and has no knowledge of any event or condition that would reasonably be expected to result have a Material Adverse Effect, the Company and its subsidiaries have made all disclosures to users or customers required by the Data Protection Obligations, including applicable laws and regulatory rules or requirements, and no such disclosures have been inaccurate or in violation of any such notice; (ii) is currently conducting Data Protection Obligations, applicable laws or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Lawregulatory rules and requirements.

Cybersecurity; Data Protection. Except as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, (i) to the Company’s knowledge of the Company and the Guarantors, the information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, equipment and databases software used by the Company or any of its subsidiaries in their respective businesses (collectively, the “IT SystemsAssets”) (A) are adequate for, and operate and perform in all material respects as required in connection with for the operation of the business of the Company and its subsidiaries as currently conducted, free ; (B) operate and clear of perform in all material bugsrespects in accordance with their documentation and functional specifications and otherwise as required by the Company’s and its subsidiaries’ respective businesses as currently conducted and (C) are free of any viruses, errors, defects, “back doors,” “Trojan horses, ,” “time bombs,” “worms,” “drop dead devices” or other software or hardware components that are designed or intended to interrupt use of, malware permit unauthorized access to, or disable, damage or erase, any software material to the business of the Company or any of its subsidiaries; (ii) the Company and other corruptantsits subsidiaries have implemented commercially reasonable backup and disaster recovery technology processes consistent with standard industry practices; and (iii) to the knowledge of the Company and the Guarantors, no person has gained unauthorized access to any IT Asset since the Company’s inception. Except as could not would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the Company has implemented (i) with regard to their receipt, collection, handling, processing, sharing, transfer, usage, disclosure, interception, security, storage and maintained commercially reasonable controlsdisposal of all data and information that identifies or relates to a distinct individual, policiesincluding without limitation IP addresses, proceduresmobile device identifiers, and safeguards to maintain and protect its material confidential geolocation information and the integritywebsite usage activity data, continuous operationor that is directly linked to such information (collectively, redundancy “Personal and security of all IT Systems and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Device Data”)) used in connection with its business, and there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or liability or the duty to notify any other person, nor any incidents under internal review or investigations relating to the same. Except as could not be expected to have a Material Adverse Effect, the Company is presently and its subsidiaries have operated at all times in compliance a manner compliant with all applicable laws or statutes laws, regulations, and contractual obligations (including without limitation all applicable privacy and security laws and regulations, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation Regulation) (“GDPRPrivacy Legal Obligations”) (EU 2016/679); (ii) the Company and the California Consumer Privacy Act (“CCPA”) (collectively, the “Privacy Laws”)) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal its subsidiaries have commercially reasonable policies and contractual obligations relating procedures consistent with standard industry practices designed to ensure the Company and its subsidiaries comply with such Privacy Legal Obligations and take appropriate steps that are reasonably designed to assure compliance with such policies and procedures, and such policies and procedures comply with all Privacy Legal Obligations; (iii) the Company and its subsidiaries maintain commercially reasonable data security policies and procedures consistent with standard industry practices designed to protect the confidentiality, security, and integrity of Personal and Device Data and to prevent unauthorized use of and access to Personal and Device Data; (iv) the Company and its subsidiaries have commercially reasonable policies and procedures consistent with standard industry practices to require all third parties to which they provide any Personal and Device Data to maintain the privacy and security of IT Systems such Personal and Sensitive Device Data and to comply with applicable Privacy Legal Obligations; and (v) to the protection knowledge of such IT Systems the Company and Sensitive Data from the Guarantors, there has been no unauthorized use, access, misappropriation or modification. The Company further certifies that neither it nor any subsidiary: (i) has received notice of any actual or potential liability under or relating access to, or actual use or potential violation disclosure of, any of Personal and Device Data maintained by or for the Privacy Laws, and has no knowledge of any event Company or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.its subsidiaries

Cybersecurity; Data Protection. Except as could not be expected to have a Material Adverse Effect, the Company’s The Company and its subsidiaries’ information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of the Company and its subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Except , except as could not would not, individually or in the aggregate, be reasonably expected to have result in a Material Adverse Effect, the Change. The Company has and its subsidiaries have implemented and maintained commercially reasonable controls, policies, procedures, and safeguards to maintain and protect its material their Personal Data, confidential information and the integrity, continuous operation, redundancy and security of all IT Systems information technology assets and equipment, computers, systems, networks, hardware, software, websites, applications, and databases and data (including all personal, personally identifiable, sensitive, proprietary, confidential or regulated data (“Sensitive Data”)) used in connection with its businesstheir businesses, and there have been no breaches, violations, outages or unauthorized uses of or accesses to the same, except for those such controls, policies, procedures and safeguards the failure to maintain, or such breaches, violations, outages or unauthorized uses or accesses that would not, individually or in the aggregate, reasonably be expected to have been remedied without material cost or liability or the duty to notify any other persona Material Adverse Change, nor any incidents under internal review or investigations relating to the same. Except as could not where non-compliance would not, individually or in the aggregate, reasonably be expected to have result in a Material Adverse EffectChange, the Company is presently and each of its subsidiaries are in compliance with all applicable laws or statutes (including without limitation all applicable data privacy and security and data protection laws and regulationsregulations regarding the collection, the Health Insurance Portability and Accountability Act use, transfer, storage, protection, disposal or disclosure of 1996 Personal Data (“HIPAA”as defined below) as amended processed, stored or collected by the Health Information Technology for Economic Company and Clinical Health Act (the “HITECH Act”); the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679); and the California Consumer Privacy Act (“CCPA”) its subsidiaries (collectively, the “Privacy Laws”). “Personal Data” means personally identifiable information, protected health information, financial information, “personal data” as defined by the EU General Data Protection Regulations (EU 2016 679) and all judgments, orders, rules and regulations of any court or arbitrator or governmental or regulatory authority, internal policies and contractual obligations relating other information subject to the privacy and security of IT Systems and Sensitive Data and to the protection of such IT Systems and Sensitive Data from unauthorized use, access, misappropriation or modificationPrivacy Laws. The Company further certifies that neither it nor any subsidiary: and its subsidiaries have policies and procedures reasonably designed to (i) ensure compliance with Privacy Laws and its privacy policies on its website or other consumer facing communications; and (ii) reasonably protect the security and confidentiality of all Personal Data. Neither the Company nor any subsidiary has received written notice of any actual or potential material liability under or relating to, or actual or potential material violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.