Common use of Privacy and Data Security Clause in Contracts

Privacy and Data Security. The Company is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contract.

Privacy and Data Security. The Company is Parent and has at all times its Subsidiaries are and since January 1, 2023, have been in compliance with all applicable Privacy Laws and the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company Parent or any of its Subsidiaries in connection with the operation of the CompanyParent’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, the Company Parent (i) has implemented and maintains reasonable written policies and procedures Privacy Policies that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, no Legal Proceeding has been asserted or threatened against the Company Parent by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the CompanyParent, there have been no data security incidents or data breaches breaches, or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company Parent or any service provider acting on behalf of the CompanyParent, in each case, where such incident, breach breach, or event has resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Parent Contract.

Privacy and Data Security. The (a) Each Group Company is and that maintains a web site has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or posted on its web site a privacy policy regarding the collection, handlinguse and disclosure of Personal Information that it collects, is in its possession, or in its custody or control. Each Group Company has complied in all material respects with all Information Privacy and Security Laws and material agreements to which it is a party that contain, involve or deal with receipt, collection, compilation, use, maintenancestorage, storageprocessing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, transferor transfer (including cross-border) Personal Information. No Group Company has been notified in writing of any Action or any other claim related to data security or privacy or alleging a violation of any of its privacy policies, or other processing ofany Information Privacy and Security Law, Personal Information (including any such information of individualsnor, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, has any such claim been threatened in writing. Each Group Company has taken commercially reasonable administrative, physical and technical measures designed to protect and maintain the confidentiality, security, integrity and accessibility (as applicable) of: (a) Systems and all data contained therein (including Company Data and Data Sets and other data subject to confidentiality obligations), (ib) all Personal Information and other Sensitive Data collected by or on behalf of the Group Companies in connection with their business, including in each case, in accordance with all Information Privacy and Security Laws and Group Company’s published policies. Each Group Company has implemented and maintains taken commercially reasonable written policies and procedures steps to ensure that all material third party service providers, outsourcers, contractors, or other persons who access, process, store or otherwise handle Personal Information for or on behalf of a Group Company have agreed in writing to materially comply with applicable Information Privacy and Security Laws and are designed taken reasonable steps to protect the privacy and security of secure Personal Information from loss, theft, misuse or unauthorized access, use, modification or disclosure. (the “b) There are no unsatisfied written requests that any Group Company has received from individuals seeking to exercise their data protection rights under Information Privacy Policies”and Security Laws. Except as set forth on Schedule 3.13.9(b), there is not and has not been any (i) and Action or (ii) written allegation that a Group Company has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company received by any Person alleging a violation of Privacy Lawsprivate party, Privacy Policiesany data protection authority, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, Governmental Authority with respect to, or to the Group Companies’ collection, handling, use, maintenance, storage, disclosure, transfer, or other processing ofof Personal Information or compliance with Information Privacy and Security Laws, Personal Informationnor has any such Action been threatened. To the Knowledge of the Company, there have There has been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access tomaterial Security Breach involving Systems, or collection, use, disclosure, modification or destruction ofCompany Data and Data Sets, Personal Information or other data Sensitive Data in the possession or control of any Group Company. No Group Company has notified, or been required to notify, any Person or Governmental Authority of any Security Breach, nor has the Group Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in paid a notification obligation ▇▇▇▇▇▇ to any Person under applicable Law or pursuant to the terms perpetrator as a result of any Company Contractactual or threatened cyber-attack.

Privacy and Data Security. The Company is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (ia) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (iib) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collectionaccess, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contract. To the Knowledge of the Company, the Company is not a “covered entity” or a “business associate” as those terms are defined under the Health Insurance Portability and Accountability Act, as amended.

Privacy and Data Security. The Seller and each of its Affiliates (with respect to the Company is Business) and has at all times the Company are and since July 1, 2024, have been in material compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse EffectInformation. To the Knowledge of the Company, Seller and each of its Affiliates (with respect to the Company Business) and the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against Seller or any of its Affiliates (with respect to the Company Business) or the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches breaches, or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control Seller or any of its Affiliates (with respect to the Company Business) or of the Company or any service provider acting on behalf of Seller or any of its Affiliates (with respect to the Company Business) or the Company, in each case, where such incident, breach breach, or event has resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contract.

Privacy and Data Security. The Company is (a) Q32 and has at all times been in compliance its Subsidiaries have complied with all applicable Privacy Laws and the applicable terms of any Company Q32 Contracts governing relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, collection or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, use of Personal Information of any individuals (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists pharmacists) that interact with the Company Q32 or any of its Subsidiaries in connection with the operation of the CompanyQ32’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Q32 Material Adverse Effect. To the Knowledge of Q32, Q32 has implemented and maintains reasonable written policies and procedures, satisfying the Companyrequirements of applicable Privacy Laws and Q32 Contracts, concerning the privacy, security, collection and use of Personal Information (the “Q32 Privacy Policies”) and has complied with the same, except for such noncompliance as has not to the Knowledge of Q32 had, and would not reasonably be expected to have, individually or in the aggregate, a Q32 Material Adverse Effect. To the Knowledge of Q32, as of the date hereof, no Legal Proceeding has claims have been asserted or threatened against the Company Q32 by any Person alleging a violation of Privacy Laws, Q32 Privacy Policies, or Policies and/or the applicable terms of any Company Q32 Contracts governing relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, collection or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or use of Personal Information of any individuals and Q32 has not received written notice of any of the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Informationsame. To the Knowledge of the CompanyQ32, there have been no data security incidents or incidents, personal data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, related to Personal Information or other Q32 data in the possession custody or control of the Company Q32 or any service provider acting on behalf of the CompanyQ32, in each case, case where such incident, breach or event resulted would result in a notification obligation to any Person under applicable Law law or pursuant to the terms of any Company Q32 Contract. (b) The information technology assets and equipment of Q32 and its Subsidiaries (collectively, “Q32 IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of Q32 and its Subsidiaries as currently conducted, and to the Knowledge of Q32, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Q32 and its Subsidiaries have implemented and maintain commercially reasonable physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Q32 and its Subsidiaries, any other material confidential information and the integrity and security of Q32 IT Systems used in connection with their businesses, and during the past three years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or Liability or the duty to notify any other Person.

Privacy and Data Security. (a) The Company and each of its Subsidiaries is currently and has at all times been in compliance with (i) HIPAA and all other applicable Privacy and Security Laws and Standards; and (ii) any obligations of the applicable terms of any Company or its Subsidiaries under Contracts governing privacy, data to which the Company or a Subsidiary is a party concerning the protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handlingaccess, use, maintenancestorage, disposal, disclosure, or transfer of Personal Information and any related notifications. Without limiting the foregoing, the Company and its Subsidiaries have entered into business associate agreements (“▇▇▇▇”) with each applicable third party to the extent required by HIPAA and have posted, in accordance with Privacy and Security Laws and Standards, a privacy policy governing the use of Personal Information on public-facing websites and internally for employees. (b) Except as set forth on Section 3.08(b) of the Company Disclosure Letter, the Company and each of its Subsidiaries has (i) developed, implemented, and conducted its business in compliance with any public privacy notices and data security or privacy policies and procedures (copies of which have been made available to Parent); (ii) maintained commercially reasonable administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of Personal Information in its possession or control, and to prevent the loss and unauthorized use, access, alteration, destruction, or disclosure of such Personal Information; and (iii) trained its employees to follow these policies and procedures. (c) Neither the Company nor any of its Subsidiaries have been subject to or received notice of any Order or Legal Action by any Person (including any Governmental Entity) or any complaints regarding the protection, collection, access, use, storage, disposal, disclosure, transfer, or other processing of, transfer of Personal Information (including or the violation of any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians applicable Privacy and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, Security Laws and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse EffectStandards. To the Knowledge of the CompanyCompany and its Subsidiaries, no such Legal Action is threatened against the Company or any of its Subsidiaries. (d) Neither the Company nor any of its Subsidiaries have suffered, discovered, or been notified of any unauthorized acquisition, use, disclosure, access to, or breach of any Personal information that (i) has implemented and maintains reasonable written policies and procedures that materially comply with constitutes a breach or a data security incident under any applicable Privacy and Security Laws and are designed Standards or that would trigger a notification or reporting requirement under any BAA or Contract to protect which the privacy and security Company or any of Personal Information (its Subsidiaries is a party, or the “Privacy Policies”) and PCI-DSS; or (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, materially compromises (individually or in the aggregate) the security or privacy of such Personal Information. (e) The Company has not created, a Company Material Adverse Effect. To the Knowledge of the Companyreceived, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policiesmaintained, or the applicable terms of any Company Contracts governing privacytransmitted protected health information (“PHI”) or electronic PHI (“ePHI), data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control as defined by HIPAA regulations at 45 C.F.R. 160.103. (f) Except as set forth on Section 3.08(f) of the Company or any service provider acting on behalf Disclosure Letter, the Company and each of its Subsidiaries has complied with all Contracts and all Privacy and Security Laws and Standards, including the CompanyHIPAA standards for de-identification set forth in 45 C.F.R. 164.514(b) and for data aggregation, as that term is defined in 45 C.F.R. 164.501, in each case, where as applicable. (g) Neither the Company nor any of its Subsidiaries have any Contract obligation to maintain Personal Information in a manner that physically separates data of one customer from that of another. (h) The Company and each of its Subsidiaries has (i) annually performed a security risk assessment, (ii) created and maintained documentation in accordance with applicable Laws, including Privacy and Security Laws and Standards, and (iii) addressed and remediated all threats and deficiencies identified in such incident, security risk assessment. (i) Neither the Company nor any of its Subsidiaries have reported a breach or event resulted in a notification obligation compromise of Personal Information to any Person under or Governmental Authority, either voluntarily or based on Contract obligations or Privacy and Security Laws and Standards. (j) The consummation of the Transaction does not violate any Privacy and Security Laws and Standards, Contract obligation related to Personal Information, or an applicable Law privacy policy or pursuant notice. Upon the Closing Date, the Surviving Corporation will own and continue to have the right to use all Personal Information on identical terms and conditions as the Company and its Subsidiaries enjoyed immediately prior to the terms of any Company ContractClosing Date.

Privacy and Data Security. The Company is Parent and has at all times its Subsidiaries are and since January 1, 2024, have been in compliance with all applicable Privacy Laws and the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company Parent or any of its Subsidiaries in connection with the operation of the CompanyParent’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, the Company Parent (i) has implemented and maintains reasonable written policies and procedures Privacy Policies that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, no Legal Proceeding has been asserted or threatened against the Company Parent by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the CompanyParent, there have been no data security incidents or data breaches breaches, or other adverse events or incidents that have resulted in any unauthorized access to, or collectionaccess, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company Parent or any service provider acting on behalf of the CompanyParent, in each case, where such incident, breach breach, or event has resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Parent Contract. To the Knowledge of Parent, Parent is not a “covered entity” or a “business associate” as those terms are defined under the Health Insurance Portability and Accountability Act, as amended.

Privacy and Data Security. The (a) Since January 1, 2021, the Company is and has at its Subsidiaries have complied in all times been in compliance material respects with all applicable Privacy Laws and the applicable terms of any Company Contracts governing relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, collection or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, use of Personal Information of any individuals (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists pharmacists) that interact with the Company and/or any of its Subsidiaries in connection with the operation of the Company’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, . The Company and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has its Subsidiaries have implemented and maintains maintain reasonable written policies and procedures that materially comply with procedures, satisfying the requirements of applicable Privacy Laws and are designed to protect Contracts, concerning the privacy privacy, security, collection and security use of Personal Information (the “Company Privacy Policies”) and (ii) has have materially complied with such Privacy Policiesthe same. As of the date hereof, except for such noncompliance as has not hadsince January 1, and would not reasonably be expected 2021, no claims have been asserted or, to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Company Privacy Policies, or Policies and/or the applicable terms of any Company Contracts governing relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, collection or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or use of Personal Information of any individuals and the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge Company has not received written notice of any of the Company, there same. There have been no data security incidents or incidents, personal data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, related to Personal Information or other data in the possession custody or control of the Company or Company, its Subsidiaries and/or any service provider acting on behalf of the Company such that Privacy Laws require or required the Company to notify Governmental Entities, affected individuals or other parties of such occurrence. (b) The information technology assets and equipment of Company and its Subsidiaries (collectively, “IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of Company and its Subsidiaries as currently conducted, free and clear, to the knowledge of the Company, of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. The Company and its Subsidiaries have implemented and maintain commercially reasonable physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of the Company and its Subsidiaries, any other material confidential information and the integrity and security of the IT Systems used in each caseconnection with their businesses, where such incidentand during the past three years, breach there have been no breaches, violations, outages or event resulted unauthorized uses of or accesses to the same that would reasonably be expected to result in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company ContractMaterial Adverse Effect.

Privacy and Data Security. The Company is Parent and has at all times its Subsidiaries are and since January 1, 2025, have been in compliance with all applicable Privacy Laws and the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company Parent or any of its Subsidiaries in connection with the operation of the CompanyParent’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, the Company Parent (i) has implemented and maintains reasonable written policies and procedures Privacy Policies that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, no Legal Proceeding has been asserted or threatened against the Company Parent by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the CompanyParent, there have been no data security incidents or data breaches breaches, or other adverse events or incidents that have resulted in any unauthorized access to, or collectionaccess, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company Parent or any service provider acting on behalf of the CompanyParent, in each case, where such incident, breach breach, or event has resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Parent Contract. To the Knowledge of Parent, Parent is not a “covered entity” or a “business associate” as those terms are defined under the Health Insurance Portability and Accountability Act, as amended.

Privacy and Data Security. The Company is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collectionaccess, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company or any service provider acting on behalf of the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contract.

Privacy and Data Security. The Company is Parent and has at all times its Subsidiaries are and since January 1, 2023, have been in compliance with all applicable Privacy Laws and the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company Parent or any of its Subsidiaries in connection with the operation of the CompanyParent’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, the Company Parent (i) has implemented and maintains reasonable written policies and procedures Privacy Policies that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, no Legal Proceeding has been asserted or threatened against the Company Parent by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the CompanyParent, there have been no data security incidents or data breaches breaches, or other adverse events or incidents that have resulted in any unauthorized access to, or collectionaccess, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company Parent or any service provider acting on behalf of the CompanyParent, in each case, where such incident, breach breach, or event has resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Parent Contract.

Privacy and Data Security. The Company is (a) Korro and has at all times been in compliance its Subsidiaries have complied with all applicable Privacy Laws and the applicable terms of any Company Korro Contracts governing relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, collection or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, use of Personal Information of any individuals (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists pharmacists) that interact with the Company Korro or any of its Subsidiaries in connection with the operation of the CompanyKorro’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge of the Company, the Company (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Korro Material Adverse Effect. To the Knowledge of Korro, ▇▇▇▇▇ has implemented and maintains reasonable written policies and procedures, satisfying the Companyrequirements of applicable Privacy Laws, concerning the privacy, security, collection and use of Personal Information (the “Privacy Policies”) and has complied with the same, except for such noncompliance as has not to the Knowledge of Korro had, and would not reasonably be expected to have, individually or in the aggregate, a Korro Material Adverse Effect. To the Knowledge of Korro, as of the date hereof, no Legal Proceeding has claims have been asserted or threatened against the Company Korro by any Person alleging a violation of Privacy Laws, Privacy Policies, or Policies and/or the applicable terms of any Company Korro Contracts governing relating to privacy, data protection, data security, trans-border data flow, data loss, data theft, collection or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, use of Personal InformationInformation of any individuals. To the Knowledge of the CompanyKorro, there have been no data security incidents or incidents, personal data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, related to Personal Information or other Korro data in the possession custody or control of the Company Korro or any service provider acting on behalf of the Company▇▇▇▇▇, in each case, case where such incident, breach or event resulted would result in a notification obligation to any Person under applicable Law law or pursuant to the terms of any Company Korro Contract. (b) The information technology assets and equipment of Korro and its Subsidiaries (collectively, “Korro IT Systems”) are adequate for, and operate and perform in all material respects as required in connection with the operation of the business of Korro and its Subsidiaries as currently conducted, and to the Knowledge of Korro, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. Korro and its Subsidiaries have implemented and maintain commercially reasonable physical, technical and administrative safeguards to protect Personal Information processed by or on behalf of Korro and its Subsidiaries, any other material confidential information and the integrity and security of Korro IT Systems used in connection with their businesses, and during the past three years, there have been no breaches, violations, outages or unauthorized uses of or accesses to same, except for those that have been remedied without material cost or Liability or the duty to notify any other Person.

Privacy and Data Security. The Company is (a) Parent and has at all times its Subsidiaries are and since January 1, 2023, have been in compliance with all applicable Privacy Laws and the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company Parent or any of its Subsidiaries in connection with the operation of the CompanyParent’s and its Subsidiaries’ business), except, in each case, for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, the Company Parent (i) has implemented and maintains reasonable written policies and procedures that materially comply with applicable Privacy Laws and are designed to protect the privacy and security of Personal Information (the “Privacy Policies”) and (ii) has complied with such Privacy Policies, except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Parent Material Adverse Effect. To the Knowledge of the CompanyParent, no Legal Proceeding has been asserted or threatened against the Company Parent or any of its Subsidiaries by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Parent Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the CompanyParent, there have been no data security incidents or data breaches breaches, or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control of the Company Parent, any of its Subsidiaries, or any service provider acting on behalf of the CompanyParent, in each case, where such incident, breach breach, or event has resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Parent Contract. (b) Parent and its Subsidiaries have implemented and maintain commercially reasonable administrative, technical, and physical safeguards, security measures, and policies designed to protect (i) the operation, confidentiality, integrity, and security of their software, systems, networks, databases, websites, servers, and other information technology assets (collectively, “IT Systems”) and (ii) all data (including confidential, proprietary, trade secret information, and Personal Information) processed thereby against unauthorized access, use, modification, disclosure, or other misuse. The IT Systems are adequate for, and operate and perform in all material respects as required in connection with, the operation of the business of Parent and its Subsidiaries as currently conducted, free and clear of all material bugs, errors, defects, Trojan horses, time bombs, malware, viruses, and other corruptants. (c) Since January 1, 2023, there have been no material failures, breakdowns, continued substandard performance, or other adverse events affecting the IT Systems of Parent or any of its Subsidiaries that have caused any material disruption to the business of Parent or any of its Subsidiaries. (d) Parent maintains, and has maintained since January 1, 2023, cyber liability insurance coverage, including coverage for data breaches and cybersecurity incidents, with coverage limits and terms that are reasonable and customary for companies of similar size operating in the same or similar industries. Such insurance policies are in full force and effect, and all premiums due and payable thereunder have been timely paid. Parent has not received any written notice of cancellation or non-renewal of any such policy, nor has any claim under any such policy been denied. Neither Parent nor any of its Subsidiaries has made any claims against such cyber liability insurance policy since its inception, nor has any claim thereunder been denied.

Privacy and Data Security. The Company is and has at all times been in compliance with all applicable Privacy Laws and the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information (including any such information of individuals, clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists that interact with the Company in connection with the operation of the Company’s business), except, in each case, for such noncompliance Except as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To the Knowledge , (a) each of the CompanyCompany and its Subsidiaries, has been since the Lookback Date, and is, in compliance with their written externally published privacy policies, contracts which impose requirements relating to the collection, processing, storage, disclosure, disposal or other handling of Personal Data, any applicable Laws relating to privacy, data protection and Personal Data, and any applicable binding industry standards which impose requirements on the collection, processing, storage, disclosure, disposal or other handling of Personal Data (collectively, the “Privacy Requirements”), (b) since the Lookback Date, none of the Company nor any of its Subsidiaries has experienced (i) has implemented and maintains reasonable written policies and procedures incidents of unauthorized access or other security breaches, including any loss, misuse, damage, unauthorized access, unauthorized disclosure or unauthorized use of any Personal Data, or (ii) any other event that materially comply with applicable required the Company or any of its Subsidiaries to give a data breach notice to any Person or Governmental Authority under Privacy Laws and are designed to protect the privacy and security Requirements, except, in each case of Personal Information clauses (the “Privacy Policies”i) and (ii) has complied with such Privacy Policies), except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect. To , and (c) the Knowledge hardware, software, databases, websites, mobile applications, servers, workstations, routers, hubs, switches, circuits, networks, communications networks, and other information technology owned, licensed or leased by the Company or its Subsidiaries (i) have not, since the Lookback Date, malfunctioned or failed in a manner that resulted in chronic or otherwise material disruptions to the operation of the Company, no Legal Proceeding has been asserted or threatened against the Company by any Person alleging a violation of Privacy Laws, Privacy Policies, or the applicable terms of any Company Contracts governing privacy, data protection, data security, trans-border data flow, data loss, data theft, or breach notification, data localization, sending solicited or unsolicited electronic mail or text messages, cookies or other tracking technology, with respect to, or the collection, handling, use, maintenance, storage, disclosure, transfer, or other processing of, Personal Information. To the Knowledge of the Company, there have been no data security incidents or data breaches or other adverse events or incidents that have resulted in any unauthorized access to, or collection, use, disclosure, modification or destruction of, Personal Information or other data in the possession or control business of the Company or any service provider acting on behalf of and its Subsidiaries, and (ii) are adequate for the Company, in each case, where such incident, breach or event resulted in a notification obligation to any Person under applicable Law or pursuant to the terms of any Company Contract’s and its Subsidiaries’ businesses as currently conducted.