Privacy and Data Security. Parent and each of its Subsidiaries have complied with all Data Protection Requirements in the conduct of Parent’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Parent Material Adverse Effect. Parent and each of its Subsidiaries have all necessary authority, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for Parent and its Subsidiaries to the extent required in connection with the operation of Parent’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, Parent and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning Parent’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to Parent’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Parent Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. The Company and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirements.
Appears in 3 contracts
Sources: Merger Agreement (Icon PLC), Merger Agreement (PRA Health Sciences, Inc.), Merger Agreement (Icon PLC)
Privacy and Data Security. Parent (a) Except as set forth on Section 3.26 of the Seller Disclosure Schedule, each Seller’s (solely with respect to the Business) and each the Acquired Entities’ collection, use, storage, dissemination, processing and disposal of its Subsidiaries have complied any personally identifiable information concerning individuals (including, as applicable, customers and employees) is, and has been since January 1, 2017, in compliance with all Data Protection Requirements in the conduct applicable privacy policies, terms of Parent’s use and its Subsidiaries’ businessescontractual obligations and with all applicable Laws, in each case except as would not reasonably be expected material to have, individually or in the aggregate, a Parent Material Adverse EffectBusiness. Parent Each Seller (solely with respect to the Business) and each of its Subsidiaries the Acquired Entities maintains, and have all necessary authoritymaintained since January 1, rights2017, consents commercially reasonable plans, policies and authorizations procedures regarding data security and privacy to engage safeguard sensitive data (including Personal Data), including reasonable and appropriate administrative, technical and physical safeguards to protect against unauthorized or unlawful access, use, modification, disclosure or other misuse the privacy, confidentiality and security of any such sensitive data in the Data Activities possession, custody or control of the Business, except as would not be material to the Business.
(b) Except as set forth on Section 3.26 of the Seller Disclosure Schedule, since January 1, 2016, no Seller nor any Acquired Entity has received any notice or allegation of, and there have been, to the Knowledge of Sellers, no security breaches relating to, or violations of any material security policy regarding, or any unauthorized access or use of, any Personal Data maintained collected, used, stored, disseminated, processed by or for Parent and its Subsidiaries disposed of by Sellers (solely with respect to the extent required Business) or the Acquired Entities in connection with the operation of Parent’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, Parent and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning Parent’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to Parent’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal ActionBusiness, in each case except as would not be material to the Business. Except as would not reasonably be expected to havebe material to the Business, individually each Seller and Acquired Entity has provided all legally required notices to each affected individual and any applicable Governmental Entity of any unauthorized access, use or in the aggregate, a Parent Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. The Company and each disclosure of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirementsany Personal Data.
Appears in 2 contracts
Sources: Purchase and Sale Agreement, Purchase and Sale Agreement (Marathon Petroleum Corp)
Privacy and Data Security. (a) Except as would not reasonably be expected to have a Parent Material Adverse Effect, Parent and each the Parent Subsidiaries comply, and have since January 1, 2015 complied, in all material respects, with all (A) applicable laws, statutes, directives, rules and regulations , (B) contractual obligations (including, but not limited to, those with identified customers), (C) internal and public-facing privacy, data handling and/or security policies of its Parent and the Parent Subsidiaries, (D) public statements that Parent and the Parent Subsidiaries have complied made regarding their respective privacy, data handling and/or data security policies or practices and (E) rules of applicable self-regulatory organizations to which Parent and the Parent Subsidiaries purport to be bound, relating to (x) the privacy of users of any web properties, products and/or services of Parent and the Parent Subsidiaries; (y) the collection, use, storage, retention, disclosure, transfer, disposal, or any other processing of any Personal Information collected or used by Parent and the Parent Subsidiaries and/or by third parties having access to such information; and (z) the transmission of marketing and/or commercial messages through any means, including, without limitation, via email, text message and/or any other means ((A) through (E) collectively, “Parent Privacy Laws and Requirements”). Except as would not reasonably be expected to have a Parent Material Adverse Effect, the execution, delivery and performance of this Agreement by Parent and the Parent Subsidiaries complies in all material respects with all Data Protection Requirements in the conduct of Parent Privacy Laws and Requirements.
(b) Parent maintains privacy policies that describe Parent’s and its the Parent Subsidiaries’ businessespolicies with respect to the collection, use, storage, retention, disclosure, transfer, disposal or other processing of Personal Information. True and correct copies of all such privacy policies have been made available to Company or its Representatives. To the Knowledge of Parent, each such privacy policy has, since January 1, 2015, included all information and made all disclosures to users or customers required by all Parent Privacy Laws and Requirements, and none of such disclosures made or contained in each case any such privacy policy or in any such materials has been inaccurate in any material respect, misleading or deceptive or in violation of any Parent Privacy Laws and Requirements, except as would not reasonably be expected to havehave a Parent Material Adverse Effect,.
(c) To the Knowledge of Parent, there is no written complaint to, or any audit, formal proceeding, or suit currently pending against, Parent or any Parent Subsidiary by any private party, the Federal Trade Commission, any state attorney general or similar state official, or any other Governmental Entity, foreign or domestic, with respect to the collection, use, retention, disclosure, transfer, storage or disposal of Personal Information, except as would not, individually or in the aggregate, reasonably be expected to be material to Parent and the Parent Subsidiaries, taken as a Parent Material Adverse Effectwhole. Parent and each of its the Parent Subsidiaries have all necessary authorityhave, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for Parent and its Subsidiaries to the extent required in connection with the operation of Parent’s and its Subsidiaries’ business as currently conducted. Since since January 1, 20192015, taken reasonable steps (including implementing and monitoring compliance with reasonable measures with respect to technical and physical security) designed to protect Personal Information against loss and against unauthorized access, use, modification, disclosure or other misuse.
(d) To the extent that Parent or any Parent Subsidiary transfers Personal Information collected from natural persons outside of the United States, Parent has implemented mechanisms to comply in all material respects with applicable Parent Privacy Laws and its Requirements.
(e) Parent and the Parent Subsidiaries have notestablished and are in material compliance with a written information security program that: (i) experienced any actualincludes administrative, allegedtechnical and physical safeguards designed to safeguard the security, or suspected data breach or other security incident involving confidentiality, and integrity of Personal Data in their possession or controlInformation; or and (ii) been subject is designed to protect against unauthorized access to the Parent IT Systems or received any notice Personal Information and the systems of any auditthird party service providers that have access to Parent IT Systems and/or Personal Information. Except as set forth in Section 4.18(e) of the Parent Disclosure Letter, investigationneither Parent nor any of the Parent Subsidiaries has, complaintsince January 1, 2015, suffered any loss, damage, or other Legal Action by unauthorized access, disclosure, use or breach of security with respect to any Governmental Entity Personal Information in the control or other Person concerning Parent’s possession of Parent or any of its Subsidiaries’ Data Activities in relation to Personal Data or actualParent Subsidiary, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to Parent’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to havenot, individually or in the aggregate, reasonably be expected to have a Parent Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. The Company and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirements.
Appears in 2 contracts
Sources: Merger Agreement (Twilio Inc), Merger Agreement (SendGrid, Inc.)
Privacy and Data Security. (a) Parent and its Subsidiaries are, and at all times in the past three years have been, in compliance in all material respects with all (i) applicable Information Privacy and Security Laws; (ii) published policies or notices relating to Parent’s and its Subsidiaries’ Processing of Personal Information; (iii) terms of any Contracts to which Parent and/or any of its Subsidiaries are bound; and (iv) industry standards and/or codes-of-conduct to which Parent and/or any of its Subsidiaries are legally bound relating to Parent or any of its Subsidiaries’ Privacy Requirements.
(b) Neither Parent nor any of its Subsidiaries has received any subpoenas, demands, or other written notices from any Governmental Entity or other entity investigating, inquiring into, or otherwise relating to any actual or potential violation of any Information Privacy and Security Laws. To Parent’s knowledge, neither Parent nor any of its Subsidiaries is under investigation by any Governmental Entity or other entity for any actual or potential violation of any Information Privacy and Security Laws.
(c) Parent and its Subsidiaries have each taken commercially reasonable steps, materially compliant with applicable Privacy Requirements, designed to protect (i) the operation, confidentiality, integrity, and security of Parent’s and its Subsidiaries’ IT Assets that are involved in the Processing of Personal Information, and (ii) Personal Information in Parent or any of its Subsidiaries’ possession and/or control from unauthorized use, access, disclosure, deletion, and/or modification.
(d) To Parent’s knowledge, neither Parent nor any of its Subsidiaries has experienced any failures; crashes; security incidents; data breaches; unauthorized access, use, or disclosure; or other adverse events or incidents related to Personal Information that would require notification of individuals, law enforcement, any Governmental Entity, customers, vendors, or any others under any applicable Privacy Requirements. Parent has not received written notice of any complaints, Actions, fines, or other penalties facing Parent or any of its Subsidiaries in connection with any such failures; crashes; security incidents; data breaches; unauthorized access, use, or disclosure; or other adverse events or incidents.
(e) To the extent required by applicable Information Privacy and Security Laws, Parent and each of its Subsidiaries have complied with obligated all Data Protection Requirements of their applicable vendors and data processors authorized to process Personal Information on behalf of Parent or any of its Subsidiaries, including, without limitation, contract research organizations and clinical investigators, to be bound by contractual terms relating to the protection and Processing of Personal Information; and neither Parent nor any of its Subsidiaries is aware of any violations of such contractual obligations.
(f) To Parent’s knowledge, the Personal Information in the conduct possession, custody, and/or control of Parent’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Parent Material Adverse Effect. Parent and each of its Subsidiaries have all necessary authoritycan be transferred as part of the Mergers and the other transactions contemplated by this Agreement, rights, consents and authorizations to engage can be used after the Closing in a manner substantially the Data Activities of Personal Data maintained same as currently used by or for Parent and its Subsidiaries to the extent required in connection with the operation of Parent’s and its applicable Subsidiaries’ business as currently conducted. Since January 1, 2019, Parent and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning Parent’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to Parent’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Parent Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. The Company and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirements.
Appears in 2 contracts
Sources: Merger Agreement (Coherus BioSciences, Inc.), Merger Agreement (Surface Oncology, Inc.)
Privacy and Data Security. Parent and each of its Subsidiaries have complied with all Data Protection Requirements in the conduct of Parent’s and its Subsidiaries’ businesses, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Parent Material Adverse Effect. Parent and each of its Subsidiaries have all necessary authority, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for Parent and its Subsidiaries to the extent required in connection with the (a) The operation of Parent’s and its Subsidiaries’ business as currently conductedare in compliance in all material respects with Data Protection Regulations, except to the extent that such noncompliance has not and would not have a Parent Material Adverse Effect. Since January 1, 20192021, there have been (i) no Security Incidents impacting Personal Data or any confidential information or Trade Secrets used in the business of Parent or its Subsidiaries (collectively, “Parent Sensitive Data”), (ii) no violations of any security policy of Parent or its Subsidiaries regarding any such Parent Sensitive Data and (iii) no unintended or improper disclosure of any Parent Sensitive Data in the possession, custody or control of Parent or its Subsidiaries or a contractor or agent acting on behalf of Parent or its Subsidiaries, in each case of (i) through (iii), except as would not have a Parent Material Adverse Effect. Between January 1, 2021 and the date hereof, none of Parent or its Subsidiaries has received any written notice from a vendor or data processor that processes Parent Sensitive Data on behalf of Parent or any of its Subsidiaries with respect to a Security Incident materially impacting Parent Sensitive Data.
(b) Each of Parent and its Subsidiaries has complied, and continues to comply, with applicable Data Protection Regulations, including with (i) binding principles relating to processing Personal Data, (ii) requirements to process Personal Data lawfully, (iii) contractual requirements applicable to the engagement of data processors processing Personal Data on behalf of Parent and its Subsidiaries, (iv) requirements to provide adequate security measures to protect Personal Data, (v) regulatory notification obligations to the extent required by applicable Data Protection Regulations, (vi) conduct of appropriate data privacy impact assessments to the extent required by applicable Data Protection Regulations and (vii) provisions related to lawful cross-border data transfers of Personal Data, except, in each case, as would not have a Parent Material Adverse Effect.
(c) Each of Parent and its Subsidiaries has implemented, and regularly assessed its implementation of, commercially reasonable physical, technical and organizational measures necessary to ensure that Personal Data is protected against loss, destruction and damage, unauthorized access, use, modification, disclosure or other misuse, except as would not have a Parent Material Adverse Effect.
(i) None of Parent or its Subsidiaries transfers Personal Data outside of a country of origin of the Personal Data unless Parent or such Subsidiary, as applicable, has ensured, if required by applicable Data Protection Regulations, that the recipient has adequate safeguards to protect such Personal Data in compliance with applicable Data Protection Regulations and has complied with all applicable transfer provisions of Data Protection Regulations, including consent of individuals where necessary; (ii) where any transfers of Personal Data outside the European Economic Area or the United Kingdom formerly relied upon the EU-US or Swiss-US Privacy Shield framework, Parent or such Subsidiary, as applicable, has ensured that the Personal Data transfers are lawful through an alternative mechanism or derogation in accordance with the GDPR; (iii) where required by applicable Data Protection Regulations, Parent or such Subsidiary, as applicable, has conducted a risk assessment regarding the transfer of Personal Data pursuant to standard contractual clauses or binding corporate rules or other requirements and has concluded that such transfers are adequately protected; and (iv) none of Parent or its Subsidiaries has suspended or terminated a transfer of Personal Data or notified a supervisory authority due to any concerns regarding a transfer of Personal Data pursuant to standard contractual clauses or binding corporate rules and, to the Company’s Knowledge, nor are there circumstances which reasonably justify such a notification, except in each case of clauses (i), (ii), (iii) and (iv), as would not have a Company Material Adverse Effect.
(e) (i) Each of Parent and its Subsidiaries has implemented and maintained commercially reasonable measures and policies to protect the integrity, continuous operation and security of the IT Systems of Parent and its Subsidiaries and the data stored thereon, including from Harmful Code; (ii) the IT Systems used in the business of Parent and its Subsidiaries operate and perform in all respects as required to permit Parent and its Subsidiaries to conduct their business as currently conducted; and (iii) Parent and its Subsidiaries have not: implemented commercially reasonable backup and disaster recovery technology and procedures consistent with standard practices applicable to entities similarly situated as Parent and its Subsidiaries for the industry in which Parent and its Subsidiaries operate in each applicable jurisdiction in which they conduct business and have acted in material compliance therewith, except, in each case of clauses (i), (ii) and (iii), as would not have a Parent Material Adverse Effect. Since January 1, 2021, the IT Systems of Parent and its Subsidiaries have not malfunctioned or failed, or been subject to any Security Incident that has caused or, to Parent’s Knowledge, would reasonably be expected to cause (A) material disruption of or interruption in the conduct of the business of Parent and its Subsidiaries as presently conducted; (B) material loss, destruction, damage or harm of Parent and its Subsidiaries or any of the businesses of Parent and its Subsidiaries; or (C) material liability of any kind to Parent and its Subsidiaries or their business as currently conducted, except in each case of clauses (A), (B) and (C), as would not have a Parent Material Adverse Effect.
(f) Between January 1, 2021 and the date hereof, none of Parent or its Subsidiaries has been notified in writing of, and, to Parent’s Knowledge, there has not been, (i) experienced any actual, allegedan actual or threatened Security Incident materially compromising, or suspected data breach or other security incident involving threatening to materially compromise, the processing of Personal Data in their possession (whether by Parent or control; any of its Subsidiaries or, to Parent’s Knowledge, any data processor engaged to process Personal Data on behalf of Parent or its Subsidiaries) or (ii) been subject any action or any circumstance requiring Parent or any of its Subsidiaries to notify a Governmental Entity or received any notice individual to comply with applicable notification requirements of Data Protection Regulations as a direct result of a Security Incident or a violation of any auditData Protection Regulations.
(g) Between January 1, investigation2021 and the date hereof, none of Parent or its Subsidiaries has received a written notice or allegation of any actual or alleged or, to Parent’s Knowledge, threatened Security Incident compromising or revealing a material weakness in the security of Personal Data or IT Systems of Parent and its Subsidiaries, or any other material breach of the Data Protection Regulations relating to Personal Data while in its possession or under its control.
(h) Between January 1, 2021 and the date hereof, none of Parent or its Subsidiaries has received a written claim, complaint, allegation or other Legal Action by any Governmental Entity notice of a dispute or other Person concerning violation (whether directly or indirectly) from or on behalf of an individual regarding Parent’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to Parent’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Parent Material Adverse Effect. Parent and its Subsidiaries processing activities.
(i) have executed current and valid “Business Associate Agreements” (as described by HIPAA Between January 1, 2021 and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations)date hereof, (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. The Company and each none of Parent or its Subsidiaries have obtainedhas received a written notice from any supervisory authority or Governmental Entity of any investigation, as applicableinquiry, all rights necessary to undertake derequest for information or for co-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other operation regarding its Personal Data Protection Requirementsprocessing activities.
Appears in 1 contract
Sources: Merger Agreement (SomaLogic, Inc.)
Privacy and Data Security. Parent (a) Galera and each of its Subsidiaries have complied with all Data Protection Requirements applicable Privacy Laws and the applicable terms of any Galera Contracts relating to privacy, security, collection or use of Personal Information of any individuals (including clinical trial participants, patients, patient family members, caregivers or advocates, physicians and other health care professionals, clinical trial investigators, researchers, pharmacists) that interact with Galera or any of its Subsidiaries in connection with the conduct operation of ParentGalera’s and its Subsidiaries’ businessesbusiness, in each case except for such noncompliance as has not had, and would not reasonably be expected to have, individually or in the aggregate, a Parent Galera Material Adverse Effect. Parent To the Knowledge of Galera, ▇▇▇▇▇▇ has implemented and each maintains reasonable written policies and procedures, satisfying the requirements of its Subsidiaries have all necessary authorityapplicable Privacy Laws and Galera Contracts, rightsconcerning the privacy, consents security, collection and authorizations to engage in the Data Activities use of Personal Data maintained by or Information (“Galera Privacy Policies”) and has complied with the same, except for Parent and its Subsidiaries such noncompliance as has not to the extent required in connection with the operation Knowledge of Parent’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, Parent and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning Parent’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notificationObsidian had, and to Parent’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, a Parent an Obsidian Material Adverse Effect. Parent To the Knowledge of ▇▇▇▇▇▇, as of the date hereof, no claims have been asserted or threatened against Galera by any Person alleging a violation of Privacy Laws, Galera Privacy Policies and/or the applicable terms of any Galera Contracts relating to privacy, security, collection or use of Personal Information of any individuals and Galera has not received written notice of any of the same. To the Knowledge of Galera, there have been no data security incidents, personal data breaches or other adverse events or incidents related to Personal Information or Galera data in the custody or control of Galera or any service provider acting on behalf of Galera, in each case where such incident, breach or event would result in a notification obligation to any Person under applicable law or pursuant to the terms of any Galera Contract.
(b) The information technology assets and equipment of Galera and its Subsidiaries (icollectively, “Galera IT Systems”) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations)are adequate for, and (C) “subcontractor” (operate and perform in all material respects as described by HIPAA required in connection with the operation of the business of Galera and its Subsidiaries as currently conducted, and to the corresponding regulations); Knowledge of Galera, free and (ii) materially comply with such Business Associate Agreementsclear of all material bugs, errors, defects, Trojan horses, time bombs, malware and other corruptants. The Company Galera and each of its Subsidiaries have obtainedimplemented and maintain commercially reasonable physical, as applicabletechnical and administrative safeguards to protect Personal Information processed by or on behalf of Galera and its Subsidiaries, all rights necessary any other material confidential information and the integrity and security of Galera IT Systems used in connection with their businesses, and during the past three years, there have been no breaches, violations, outages or unauthorized uses of or accesses to undertake de-identification of user data and has de-identified such user data in accordance with same, except for those that have been remedied without material cost or liability or the requirements of HIPAA and duty to notify any other Data Protection RequirementsPerson.
Appears in 1 contract
Privacy and Data Security. Parent (a) The Borrower is in compliance with the Data Privacy and each of its Subsidiaries have complied with all Data Protection Security Requirements in the conduct of Parent’s and its Subsidiaries’ businesses, in each case except as other than that has had or would not reasonably be expected to have, individually or in the aggregate, have a Parent Material Adverse Effect. Parent .
(b) The Borrower has implemented and each of its Subsidiaries have all necessary authoritymaintains commercially reasonable administrative, rightstechnical, consents and authorizations physical safeguards designed to engage ensure that Personal Data in the Data Activities of Personal Data maintained by Borrower’s possession or for Parent control is materially protected against unauthorized access, acquisition, destruction, use, or disclosure, and its Subsidiaries loss, damage, corruption, or other misuse other than that has had or would reasonably be expected to have a Material Adverse Effect (such program, collectively, the extent required in connection with the operation of Parent’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, Parent and its Subsidiaries have not: “Security Practices”).
(ic) The Borrower has not experienced any actual, alleged, or suspected data breach or other security incident involving unauthorized access, acquisition, destruction, use, or disclosure, loss, damage, corruption, or other misuse or compromise of Personal Data in their the possession or control; control of the Borrower (each, a “Security Incident”) that has had or (ii) would reasonably be expected to have a Material Adverse Effect. The Borrower has not notified and, to the Knowledge of the Borrower, there have been subject no facts or circumstances that would require the Borrower to or received any notice of any auditnotify, investigation, complaint, or other Legal Action by any Governmental Entity Authority or other Person concerning Parent’s of any Security Incident that has had or would reasonably be expected to have a Material Adverse Effect.
(d) No Person has made or commenced any of its Subsidiaries’ Data Activities in relation to Personal Data or actualcompliant, allegedclaim, proceeding, or suspected violation of any litigation with respect to the Borrower’s compliance with Data Protection Requirement concerning privacyPrivacy and Security Requirements, data securityand, or data breach notification, and to Parentthe Borrower’s Knowledge, there are no facts or circumstances which would form the basis for any such complaint or claim, each of the foregoing that could has had or would reasonably be expected to give rise to any such Legal Action, in each case except as would not reasonably be expected to have, individually or in the aggregate, have a Parent Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA and the corresponding regulations) with each (A) “business associate” (as described by HIPAA and the corresponding regulations), (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. The Company and each of its Subsidiaries have obtained, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance with the requirements of HIPAA and other Data Protection Requirements.
Appears in 1 contract
Sources: Credit Agreement (Abacus Life, Inc.)
Privacy and Data Security. (a) The Company and the Company Subsidiaries and, to the knowledge of the Company, each vendor, processor and other third party Processing Personal Information Processed by or for the Company, solely with respect to each such third party’s Processing (collectively, “Data Partners”), complies in all material respects with, and has since January 1, 2021 have complied in all material respects with: (i) all Privacy Laws, (ii) all Privacy Policies applicable to the Company and (iii) all contractual commitments, including any terms of use, that the Company has entered into with respect to the Processing of Personal Information (collectively, the “Data Protection Requirements”). The Company and the Company Subsidiaries have a Privacy Policy regarding the collection and use of Personal Information, a true, correct and complete copy of which as in effect on the date of this Agreement has been made available to Parent prior to the date of this Agreement. The Company and the Company Subsidiaries have at all times presented an accurate Privacy Policy (which Privacy Policy the Company does not reasonably believe to be misleading or deceptive (including by omission)) to individuals prior to the collection of any Personal Information from such individuals, except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect.
(b) The execution, delivery and performance of this Agreement and the Transactions do not and will not: (i) conflict with or result in a violation or breach of any Data Protection Requirements, (ii) require the consent of or provision of notice to any person concerning such person’s Personal Information, (iii) give rise to any right of termination or other right to impair or limit Parent’s or the Company’s rights to own and Process any Personal Information used in or necessary for the operation of the Company’s or each of the Company Subsidiaries’ businesses or (iv) otherwise prohibit the transfer of Personal Information to Parent, in each case, except as would not, individually or in the aggregate, reasonably be expected to be material to the Company and the Company Subsidiaries, taken as a whole.
(c) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Company and the Company Subsidiaries, taken as a whole, (i) the Company and each of its the Company Subsidiaries have complied routinely engage in due diligence of Data Partners before allowing them to access, receive or Process Personal Information and audit such Data Partners’ compliance with their commitments with respect to the Data Protection Requirements, and (ii) to the knowledge of the Company, the Company and each Company Subsidiary has valid and enforceable agreements, subject to the Bankruptcy and Equity Exception, in place with all Data Partners that comply with applicable Data Protection Requirements.
(d) Except as would not, individually or in the aggregate, reasonably be expected to be material to the Company and the Company Subsidiaries, taken as a whole, the Company and each of the Company Subsidiaries since January 1, 2021 have implemented and maintained administrative, technical, physical and organizational safeguards, including commercially reasonable plans, procedures, controls, programs and a written information security program designed to (i) protect and maintain the security of any Personal Information and Company Data stored in their computer systems from any accidental, unlawful or unauthorized Security Incident, or any other use by a third party that would violate the Privacy Policy or Data Protection Requirements and (ii) identify and address internal and external risks to the privacy and security of Personal Information in the conduct Company’s possession or control.
(e) The Company maintains insurance coverage to respond to the risk of Parent’s liability relating to any unauthorized Processing of Company Data, a Security Incident or a violation of Privacy Laws of the Company or any Company Subsidiary, and its Subsidiaries’ businessesno claims have been made under such insurance policy(ies) since January 1, 2021, in each case except as would not reasonably be expected to havenot, individually or in the aggregate, a Parent Material Adverse Effect. Parent and each of its Subsidiaries have all necessary authority, rights, consents and authorizations to engage in the Data Activities of Personal Data maintained by or for Parent and its Subsidiaries to the extent required in connection with the operation of Parent’s and its Subsidiaries’ business as currently conducted. Since January 1, 2019, Parent and its Subsidiaries have not: (i) experienced any actual, alleged, or suspected data breach or other security incident involving Personal Data in their possession or control; or (ii) been subject to or received any notice of any audit, investigation, complaint, or other Legal Action by any Governmental Entity or other Person concerning Parent’s or any of its Subsidiaries’ Data Activities in relation to Personal Data or actual, alleged, or suspected violation of any Data Protection Requirement concerning privacy, data security, or data breach notification, and to Parent’s Knowledge, there are no facts or circumstances that could reasonably be expected to give rise be material to any such Legal Actionthe Company and the Company Subsidiaries, in each case except taken as a whole.
(f) Except as would not reasonably be expected to havenot, individually or in the aggregate, a Parent Material Adverse Effect. Parent and its Subsidiaries (i) have executed current and valid “Business Associate Agreements” (as described by HIPAA reasonably be expected to be material to the Company and the corresponding regulations) with each (A) “business associate” (Company Subsidiaries, taken as described by HIPAA and a whole, to the corresponding regulations)extent required, (B) “covered entity” (as described by HIPAA and the corresponding regulations), and (C) “subcontractor” (as described by HIPAA and the corresponding regulations); and (ii) materially comply with such Business Associate Agreements. The Company and each of its the Company Subsidiaries are, and since January 1, 2021 have obtainedbeen, as applicable, all rights necessary to undertake de-identification of user data and has de-identified such user data in accordance compliance with the Payment Card Industry Data Security Standards and the related card brand rules and requirements in any Contracts between the Company, and each of HIPAA the Company Subsidiaries, on the one hand, and any of the Company’s payment processors and/or acquiring banks, on the other Data Protection Requirementshand.
(g) Except as would not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect, the Company and each of the Company Subsidiaries, have not (i) to the knowledge of the Company, experienced a Security Incident, (ii) been required pursuant to any Privacy Laws to notify customers, consumers, employees, Governmental Entities, or any other person of any Security Incident, (iii) received any written notice from any Governmental Entity with respect to any inquiry or investigation of any such Governmental Entity, or been the subject of any enforcement Proceeding of any Governmental Entity, with respect to noncompliance with any Privacy Law or (iv) to the knowledge of the Company, received any written notice, request, claim, complaint, correspondence or other communication relating to any Security Incident or violation of any Privacy Law by the Company or any Company Subsidiary.
Appears in 1 contract