Common use of Data Privacy and Security Laws Clause in Contracts

Data Privacy and Security Laws. The Company and each of its subsidiaries are, and at all prior times was, in compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation, as applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”), except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company has in place, complies with, and takes reasonable steps to ensure compliance with its policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, at all times, made all disclosures to users or customers required by applicable Privacy Laws, and none of such disclosures made or contained in any Policy have been inaccurate or in violation of any applicable Privacy Laws, except in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company and each of its subsidiaries: (i) has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries areis, and at all prior times was, in compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation, as applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”), except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company has in place, complies with, and takes reasonable steps to ensure compliance with its policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, has at all times, times made all disclosures to users or customers required by applicable Privacy Laws, and none of such disclosures made or contained in any Policy have been inaccurate or in violation of any applicable Privacy Laws, except in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company and each of its subsidiariesCompany: (i) has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; (iii) it has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries and, to the Company’s knowledge, their respective agents and subcontractors, are, and at all prior times waswere, in compliance in all material respects with all applicable state state, federal, and federal international data privacy and data security laws laws, regulations, and regulationsrelated rules and requirements, including without limitation, as applicable, limitation the Health Insurance Portability and Accountability Act of 1996 and the HITECH Act (collectively “HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and ), the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”). To address compliance with the Privacy Laws, except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to Company and its subsidiaries have a Material Adverse Effect. The Company has in place, complies comply with, and takes take commercially reasonable steps to ensure achieve compliance in all material respects with its their policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis transfer of Personal Data (the “Policies”). “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of identifies such natural personperson and is defined in or addressed by Privacy Laws. At all times, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, at all times, have made all disclosures to users or customers required by applicable Privacy Laws, and none of such disclosures made or contained in any Policy have have, to the knowledge of the Company, been inaccurate or in violation of any applicable Privacy Laws, except in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company and each of its subsidiariesfurther certifies that (a) neither it nor any subsidiary at any time: (i) has not received receive written notice of any actual or potential liability liability, including, but not limited to security or data privacy breaches or other unauthorized or improper access to, use of, or destruction of its Sensitive Data (defined below) owned or controlled by the Company or its subsidiaries, under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) other than pursuant to its ongoing compliance efforts in the ordinary course of business, is not currently conducting conducting, subject to, or paying forpaying, in whole or in part, any material investigation, remediation, or other corrective action required by any governmental entity pursuant to resulting from the Company’s or its subsidiaries’ non-compliance with any Privacy Law; or (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, settlement agreement, or settlement agreement judgment from a governmental entity that imposes any obligation or liability under any Privacy Law; and (b) it is not aware of any specific events rendering any of the foregoing reasonably likely to occur.

Data Privacy and Security Laws. The Company and each of its subsidiaries are, and at all prior times was, in compliance have taken commercially reasonable actions to prepare to comply with all applicable state and federal data privacy and security laws and regulations, including without limitation, as applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) and all other applicable laws and regulations with respect to Personal Data (defined below) that have been announced as of the date hereof as becoming effective within 12 months after the date hereof, and for which any non-compliance with same would be reasonably likely to create a material liability (collectively, the “Privacy Laws”). To the Company’s knowledge, except to since May 25, 2018, the extent that any non-Company and its subsidiaries have been and currently are in material compliance would notwith the GDPR. To support material compliance with the Privacy Laws, individually or in the aggregate, reasonably be expected to Company and its subsidiaries have a Material Adverse Effect. The Company has in place, complies withtaken, and takes currently take, commercially reasonable steps reasonably designed to ensure compliance in all material respects with its policies and procedures Privacy Laws relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (that the “Policies”)Company has collected, and collects, or is in the Company’s possession. “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by GDPR; , and (viv) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, since inception have at all times, times made all disclosures to users or customers required by applicable Privacy Laws, and none of such disclosures made or contained in any Policy have been inaccurate or in violation of any applicable Privacy Laws, except in each case as where the failure to do so would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. None of such disclosures made have been inaccurate, misleading, deceptive or in violation of any Privacy Laws in any material respect. The execution, delivery and performance of this Agreement or any other agreement referred to in this Agreement will not result in a breach of violation of any Privacy Laws. The Company and each of its subsidiariesfurther certifies that neither it nor any subsidiary: (i) has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; or (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law, except, in the case of (i), (ii), or (iii), where such violation, investigation, remediation, order, decree or agreement would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect.

Data Privacy and Security Laws. The Company and each of its subsidiaries areis, and at all prior times wassince its inception has been, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation, as applicable, limitation the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”). To ensure compliance with the Privacy Laws, except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company has in place, complies with, and takes reasonable appropriate steps reasonably designed to ensure compliance in all material respects with its its, policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; and (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of such natural person, or his or her familyfamily or household, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, has at all times, times made all disclosures to users or customers required by applicable Privacy Lawslaws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have have, to the knowledge of the Company, been inaccurate or in violation of any applicable Privacy Laws, except laws and regulatory rules or requirements in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectany material respect. The Company and each of its subsidiariesfurther certifies that: (i) it has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) it is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; and (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries are, and at all prior times waswere, in material compliance with all applicable state and federal data privacy and security laws and regulations, including including, without limitation, as applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) ), the California Consumer Privacy Act of 2018 (“CCPA”), and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”), except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company has in place, complies with, and takes reasonable steps to ensure compliance with its policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by the GDPR; (v) “personal information” as defined by the CCPA; and (vvi) any other piece of information that allows allows, directly or indirectly, the identification of such natural person, or his or her familyfamily or household, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Neither the Company and nor any of its subsidiaries have, at all times, made all disclosures to users or customers required by applicable Privacy Laws, and none of such disclosures made or contained in any Policy have been inaccurate or in violation of any applicable Privacy Laws, except in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company and each of its subsidiaries: (i) has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; and (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries are, and at all prior times washave been, in compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation, as applicable, limitation the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”)) , except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The To ensure compliance with the Privacy Laws, the Company has and its subsidiaries have in place, complies comply with, and takes reasonable take commercially appropriate steps reasonably designed to ensure compliance in all material respects with its their policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; and (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, have at all times, times made all disclosures to users or customers as required by applicable Privacy Lawslaws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have have, to the knowledge of the Company, been inaccurate or in violation of any applicable Privacy Laws, except laws and regulatory rules or requirements in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectany material respect. The Company and each of its subsidiariesfurther certifies that neither it nor any subsidiary: (i) has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law, other than in the ordinary course; or (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement with any Governmental Entity that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries are, and at all prior times wasduring the past three (3) years preceding the end of the most recent fiscal year were, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation, as applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) regulations (collectively, the “Privacy Laws”), ) except to where the extent that any non-compliance noncompliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The To ensure compliance with the Privacy Laws, the Company has and its subsidiaries have in place, complies comply in material respects with, and takes reasonable take appropriate steps reasonably designed to ensure compliance in all material respects with its their policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” for protection under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by GDPRapplicable Privacy Laws; and (viii) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, at all times, have made all disclosures to users or customers required by applicable Privacy Lawslaws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have have, to the knowledge of the Company, been inaccurate or in violation of any applicable Privacy Laws, except laws and regulatory rules or requirements in each case as would not, individually or in any material respect. Neither the aggregate, reasonably be expected to have a Material Adverse Effect. The Company and each of its subsidiariesnor any subsidiary: (i) has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; or (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries areis, and at all prior times was, in material compliance with all applicable state and federal data privacy and security laws and regulationsregulations in the United States, including including, without limitation, as applicableHIPAA, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (Act, and the “HITECH Act”) Company has taken commercially reasonable actions to prepare to comply with, and have been and currently are in compliance with, the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”). To ensure compliance with the Privacy Laws, except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company has in place, complies comply with, and takes reasonable take appropriate steps reasonably designed to ensure compliance in all material respects with its their policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, has at all times, times made all disclosures to users or customers required by applicable Privacy Lawslaws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have have, to the knowledge of the Company, been inaccurate or in violation of any applicable Privacy Laws, except laws and regulatory rules or requirements in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectany material respect. The Company and each of its subsidiariesfurther certifies: (i) it has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; or (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries areis, and at all prior times was, in compliance in all material respects with all applicable state state, federal and federal international data privacy, security and, with respect to data privacy and security security, consumer protection laws and regulations, including without limitation, as applicable, limitation the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) , and since May 25, 2018, the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”), except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Except as would not reasonably be expected to have a Material Adverse Effect, the Company (i) has in place, complies with, and takes reasonable steps to ensure compliance with its policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”), and (ii) implements and maintains (I) information technology and equipment, computer systems, networks, software, websites, applications, and databases (collectively, “IT Systems”) commercially reasonable for the operation of the business of the Company as currently conducted and (II) commercially reasonable controls and safeguards to maintain and protect its material confidential information and the integrity, continuous operation, redundancy and security of all IT Systems and data within its operational control used in connection with its businesses. “Personal Data” means, as applicable, (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related relates to an identified person’s health or sexual orientation. The Company and its subsidiaries have, has at all times, times made all disclosures to users or customers required by applicable Privacy Laws, and none of such disclosures made or contained in any Policy privacy policy of the Company have been inaccurate or in violation of any applicable Privacy Laws, except in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company and each of its subsidiariesExcept as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect, the Company: (i) has not received written notice of any actual or potential liability of the Company relating to, security or data privacy breaches or other unauthorized or improper access to, use of or destruction of its confidential information or Personal Data, or under or relating to, or to any actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to other than in the use, disclosure or breaches ordinary course of Personal Databusiness; or (iviii) is not a party to any order, decree, or settlement agreement with any governmental entity that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Except as could not reasonably be expected to have a Material Adverse Effect or as disclosed in the Registration Statement, the Pricing Disclosure Package and the Prospectus, the Company and each of its subsidiaries Evolent Health are, and at all prior times wassince the Company’s and Evolent Health’s inception have been, in compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation, as applicable, limitation the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) , and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”). To ensure compliance with the Privacy Laws, except to the extent that any non-compliance would not, individually or in the aggregate, reasonably be expected to Company and Evolent Health have a Material Adverse Effect. The Company has in place, complies comply with, and takes reasonable take appropriate steps reasonably designed to ensure compliance in all material respects with its their policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; and (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its Evolent Health and their respective subsidiaries have, have at all times, times made all disclosures to users or customers required by applicable Privacy Lawslaws and regulatory rules or requirements, and none of no such disclosures made or contained in any Policy have been inaccurate or in violation of any applicable Privacy Lawslaws and regulatory rules or requirements, except in each case as would not, individually or in the aggregate, could not reasonably be expected to have result in a Material Adverse Effect. The Neither the Company and each of its subsidiariesnor Evolent Health: (i) has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; or (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries are, and at all prior times wasduring the past three (3) years were, in material compliance with all applicable state and federal data privacy and security laws and regulations, including without limitation, as applicable, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) regulations (collectively, the “Privacy Laws”), ) except to where the extent that any non-compliance noncompliance would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The To ensure compliance with the Privacy Laws, the Company has and its subsidiaries have in place, complies comply in material respects with, and takes reasonable take appropriate steps reasonably designed to ensure compliance in all material respects with its their policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” for protection under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal data” as defined by GDPRapplicable Privacy Laws; and (viii) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, at all times, have made all disclosures to users or customers required by applicable Privacy Lawslaws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have have, to the knowledge of the Company, been inaccurate or in violation of any applicable Privacy Laws, except laws and regulatory rules or requirements in each case as would not, individually or in any material respect. Neither the aggregate, reasonably be expected to have a Material Adverse Effect. The Company and each of its subsidiariesnor any subsidiary: (i) has not received written notice of any actual or potential liability under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is not currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action required by any governmental entity pursuant to any Privacy Law; or (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, or settlement agreement that imposes any obligation or liability under any Privacy Law.

Data Privacy and Security Laws. The Company and each of its subsidiaries areis, and at all prior times washas been, in compliance in all material respects with all applicable state state, federal, and federal international data privacy and data security laws and regulations, including without limitation, as applicable, limitation HIPAA and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) , and the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”), except . To address compliance with the Privacy Laws to the extent that any non-compliance would notapplicable, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. The Company has in place, complies with, and takes commercially reasonable steps designed to ensure achieve compliance in all material respects with its policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis transfer of Personal Data (the “Policies”)Data. “Personal Data” means, as applicable, means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (iv) “personal data” as defined by GDPR; and (v) any other piece of information that allows the identification of identifies such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company and its subsidiaries have, at At all times, the Company has made all disclosures to users or customers required by applicable Privacy LawsLaws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have have, to the knowledge of the Company, been inaccurate or in violation of any applicable Privacy Laws, except laws and regulatory rules or requirements in each case as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effectany material respect. The Company and each of its subsidiariesfurther certifies that (a) neither it nor any subsidiary at any time: (i) has not received written notice of any actual or potential liability liability, including, but not limited to security or data privacy breaches or other unauthorized or improper access to, use of, or destruction of its Personal Data owned or controlled by the Company, under or relating to, or actual or potential violation by the Company of, any of the Privacy Laws Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) other than pursuant to its ongoing compliance efforts in the ordinary course of business, is not currently conducting conducting, subject to, or paying forpaying, in whole or in part, any material investigation, remediation, or other corrective action required by any governmental entity pursuant to resulting from the Company’s non-compliance with any Privacy Law; or (iii) has made all notices to all persons, including affected individuals and applicable governmental or regulatory authorities, required under any Privacy Law with respect to the use, disclosure or breaches of Personal Data; or (iv) is not a party to any order, decree, settlement agreement, or settlement agreement judgment from a governmental entity that imposes any obligation or liability under any Privacy Law; and (b) it is not aware of any specific events rendering any of the foregoing reasonably likely to occur. The Company is not a “covered entity” or “business associate” as such terms are defined under HIPAA.