Common use of Privacy and Data Security Clause in Contracts

Privacy and Data Security. (a) The computer systems, including the software, hardware and networks (collectively, the “Systems”), currently used by Seller with respect to the Program are sufficient for the current needs of the Program, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs in, or failures, breakdowns, or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect of the Program Candidate. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy Laws, its own privacy policies, terms of use, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby and thereby (i) will comply with all Privacy Requirements in all material respects, (ii) will not impair any material rights of, or impose any material obligations or restrictions on, Seller with respect to any use, disclosure, commercialization or exploitation of, or otherwise relating to, any Personal Data or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by or on behalf of Seller, has used false log-on credentials with respect to any third-party website or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Program.

Privacy and Data Security. (a) The computer systemsCompany, and, to the Seller’s Knowledge, all vendors, processors, or other third parties acting for or on behalf of the Company in connection with the Processing of Personal Information or that otherwise have been authorized to have access to Personal Information in the possession or control of the Company, comply and at all times in the past have complied, in all material respects with all of the following: (A) Privacy Laws; (B) applicable rules of self-regulatory organizations, including the softwarePayment Card Industry Data Security Standard; (C) the Company Privacy and Data Security Policies; (D) all obligations or restrictions concerning the privacy, hardware and networks (collectivelysecurity, or Processing of Personal Information under any Scheduled Contract to which the “Systems”), currently used by Seller with respect to the Program are sufficient for the current needs Company is a party or otherwise bound as of the Program, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs in, or failures, breakdowns, or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect of the Program Candidatedate hereof. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy LawsThe execution, its own privacy policies, terms of usedelivery, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery performance of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby hereby, do not and thereby will not: (iA) will comply Conflict with all or result in a violation or breach of any Privacy Requirements Laws or Company Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company); or (B) require the consent of or notice to any Person concerning such Person’s Personal Information. (c) The Company has posted to its website a Company Privacy and Data Security Policy. To the Seller’s Knowledge, no disclosure or representation made or contained in all any Company Privacy and Data Security Policy has been materially inaccurate, misleading, deceptive, or in material respects, violation of any Privacy Laws (ii) will not impair including by containing any material rights ofomission), or impose any material obligations or restrictions on, Seller and the practices of the Company with respect to the Processing of Personal Information conform, and at all times in the past three (3) years have conformed, to the Company Privacy and Data Security Policies that govern the use of such Personal Information. The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy and Data Security Policies that are currently or in the past three (3) years were in effect. (d) In the past three (3) years, (A) to the Seller’s Knowledge, no Personal Information in the possession or control of the Company, or held or Processed by any usevendor, processor, or other third party for or on behalf of the Company, has been subject to any data or security breach or unauthorized access, disclosure, commercialization use, loss, denial or exploitation ofloss of use, alteration, destruction, compromise, or otherwise Processing (a “Security Incident”), and (B) the Company has not notified and, to the Seller’s Knowledge, there have been no facts or circumstances that would require the Company to notify, any Government Authority or other Person of any Security Incident. (e) Except as set forth in Section 5.30 of the Disclosure Schedule, in the past three (3) years, the Company has not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Government Authority or other Person, and to the Company’s Knowledge there has not been any investigation, enforcement action (including any fines or other sanctions), or other Action relating to, any actual, alleged, or suspected Security Incident or violation of any Privacy Law involving Personal Data Information in the possession or control of the Company, or held or Processed by any vendor, processor, or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by third party for or on behalf of Sellerthe Company. (f) The Company has at all times implemented and maintained, and required all vendors, processors, or other third parties that Process any Personal Information for or on behalf of the Company to implement and maintain, commercially reasonable security measures, plans, procedures, controls, and programs, including a written information security program, to (A) identify and address internal and external risks to the privacy and security of Personal Information in their possession or control; (B) implement, monitor, and improve adequate and effective administrative, technical, and physical safeguards to protect such Personal Information; and (C) provide notification in compliance in all material respects with applicable Privacy Laws in the case of any Security Incident. (g) In the past three (3) years, the Company has used false log-on credentials with respect to any regularly performed a security risk assessment and obtained or performed an independent vulnerability assessment by a recognized third-party website firm or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action software application. The Company has used reasonable efforts to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, address and remediate all material threats and deficiencies identified in each case, relating to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Programsuch assessment.

Privacy and Data Security. (a) The computer systems, including the software, hardware and networks (collectively, the “Systems”), currently used by Seller with respect to the Program are sufficient for the current needs of the Program, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs in, or failures, breakdowns, or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect of the Program Candidate. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy Laws, its own privacy policies, terms of use, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending orand, to Seller’s Knowledge, are threatened against all vendors, processors, or other third parties acting for or on behalf of Seller by any Person alleging a violation in connection with the Processing of any Privacy Requirements Personal Information or that otherwise have been authorized to have access to Personal Information in respect the possession or control of Seller, comply and at all times in the past three (3) years have complied, in all material respects with all of the Program. following: (A) Privacy Laws; (B) industry standards, guidelines, and best practices including the National Institute of Standards and Technology (NIST) Cybersecurity Framework; (C) Seller Privacy and Data Security Policies; and (D) all obligations or restrictions concerning the privacy, security, or Processing of Personal Information under any Contract to which Seller is a party or otherwise bound as of the date hereof. (b) The execution execution, delivery, and delivery performance of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby hereby, do not and thereby will not: (iA) will comply conflict with or result in a violation or breach of any Privacy Laws or Seller Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for Seller); or (B) require the consent of or notice to any Person concerning such Person’s Personal Information. (c) Seller has posted to its website or published or otherwise made available in connection with any services of Seller a Seller Privacy and Data Security Policy. No disclosure or representation made or contained in any Seller Privacy and Data Security Policy has been materially inaccurate, misleading, deceptive, or in material violation of any Privacy Laws (including by containing any material omission), and the practices of Seller with respect to the Processing of Personal Information conform, and at all times have conformed, to Seller Privacy Requirements and Data Security Policies that govern the use of such Personal Information in all material respects. Seller has delivered or made available to Buyer true, complete, and correct copies of all Seller Privacy and Data Security Policies that are currently or in the past three (3) years were in effect. (d) In the past three (3) years, (iiA) will not impair any material rights ofto Seller’s Knowledge, or impose any material obligations or restrictions on, Seller with respect to any use, disclosure, commercialization or exploitation of, or otherwise relating to, any no Personal Data or other data Information in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights possession or impose any such obligations or restrictions. None control of Seller or held or Processed by any software tool created vendor, processor, or used by other third party for or on behalf of Seller, has used false log-on credentials with respect been subject to any third-party website data or security breach or unauthorized access, disclosure, use, loss, denial or loss of use, alteration, destruction, compromise, or Processing (a “Security Incident”), and (B) Seller has not notified and, to Seller’s Knowledge, there have been no facts or circumstances that would require Seller to notify, any Governmental Authority or other false representation or statement or unauthorized or unlawful mechanism, code Person of any Security Incident. (including markup languages, programming languages, or scripts), or action to access e) In the past three (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since January 1, 20213) years, Seller has not received a written complaint any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Authority or other Person, and there has not been the subject any audit, investigation, enforcement action (including any fines or other sanctions), or other action relating to, any actual, alleged, or suspected Security Incident or violation of any Proceeding Privacy Law involving Personal Information in the possession or investigation regarding its Processing control of Personal Data Seller, or held or Processed by any vendor, processor, or other data in each casethird party for or on behalf of Seller. (f) Seller has at all times implemented and maintained, in respect of the operation of the Program or its privacy or data security policiesand required all vendors, practicesprocessors, or activities as it relates other third parties that Process any Personal Information for or on behalf of Seller to the Program. In material compliance with the Privacy Requirementsimplement and maintain, Seller has adequate commercially reasonable and at a minimum industry standard security measures in place to protect Personal Data measures, plans, procedures, controls, and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Programprograms.

Privacy and Data Security. (a) The computer systemsSeller complies, including and at all times in the softwarepast five (5) years has complied, hardware and networks (collectively, the “Systems”), currently used by Seller in all material respects with respect to the Program are sufficient for the current needs all of the Programfollowing: (A) Privacy Laws; (B) the Seller Privacy and Data Security Policies; and (C) all obligations or restrictions concerning the privacy, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs insecurity, or failures, breakdowns, Processing of Personal Information under any Contract to which the Seller is a party or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect otherwise bound as of the Program Candidatedate hereof. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy LawsThe execution, its own privacy policies, terms of usedelivery, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery performance of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby hereby, do not and thereby will not: (iA) will comply conflict with or result in a violation or breach of any Privacy Laws or Seller Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Seller); or (B) require the consent of or notice to any Person concerning such Person’s Personal Information. (c) Seller has delivered or made available to Buyer true, complete, and correct copies of all Seller Privacy Requirements and Data Security Policies that are currently in effect, and the Seller has complied in all material respectsrespects with such Seller Privacy and Data Security Policies. (d) In the past five (5) years, (iiA) will not impair any material rights ofto, no Personal Information in the possession or impose any material obligations or restrictions on, control of the Seller with respect has been subject to any usedata or security breach or unauthorized access, disclosure, commercialization use, loss, denial or exploitation ofloss of use, alteration, destruction, compromise, or otherwise Processing (a “Security Incident”), and (B) the Seller has not notified and there have been no facts or circumstances that would require the Seller to notify, any Governmental Authority or other Person of any Security Incident. (e) In the past five (5) years, the Seller has not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Authority or other Person, and there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other Action relating to, any actual, alleged, or suspected Security Incident or violation of any Privacy Law involving Personal Data Information in the possession or control of the Seller, or held or Processed by any vendor, processor, or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by third party for or on behalf of the Seller, has used false log-on credentials with respect to any third-party website or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Program.

Privacy and Data Security. (a) The computer systemsSeller complies and at all times in the past five (5) years has complied, in all material respects with all of the following: (A) Privacy Laws; (B) rules of self-regulatory organizations, including the softwarePayment Card Industry Data Security Standard (PCI-DSS); (C) industry standards, hardware guidelines, and networks best practices, including the National Institute of Standards and Technology (collectivelyNIST) Cybersecurity Framework; (D) Seller Privacy and Data Security Policies; and (E) all obligations or restrictions concerning the privacy, the “Systems”)security, currently used by or Processing of Personal Information under any Contract to which Seller with respect to the Program are sufficient for the current needs is a party or otherwise bound as of the Program, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs in, or failures, breakdowns, or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect of the Program Candidatedate hereof. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy LawsThe execution, its own privacy policies, terms of usedelivery, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery performance of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby hereby, including the transfer of all Personal Information in the possession or control of Seller to Buyer or its Subsidiaries, do not and thereby will not: (iA) will comply conflict with or result in a violation or breach of any Privacy Laws or Seller Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for Seller; or (B) require the consent of or notice to any Person concerning such Person’s Personal Information. (c) No disclosure or representation made or contained in any Seller Privacy and Data Security Policy has been materially inaccurate, misleading, deceptive, or in violation of any Privacy Laws (including by containing any material omission), and the practices of the with respect to the Processing of Personal Information conform, and at all times in the past five (5) years have conformed, to Seller Privacy Requirements and Data Security Policies that govern the use of such Personal Information in all material respects. Seller has delivered or made available to Buyer true, complete, and correct copies of all Seller Privacy and Data Security Policies that are currently or in the past five (5) years were in effect. (d) In the past five (5) years, except as set forth in Section 2.25(d) of the Disclosure Schedules, (iiA) will not impair any material rights of, no Personal Information in the possession or impose any material obligations or restrictions on, control of Seller with respect has been subject to any usedata or security breach or unauthorized access, disclosure, commercialization use, loss, denial or exploitation ofloss of use, alteration, destruction, compromise, or otherwise Processing (a “Security Incident”), and (B) Seller has not notified and, there has been no facts or circumstances that would require Seller to notify, any Governmental Authority or other Person of any Security Incident. (e) In the past five (5) years, except as set forth in Section 2.25(e) of the Disclosure Schedules, Seller has not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Authority or other Person, and there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other Action relating to, any actual, alleged, or suspected Security Incident or violation of any Privacy Law involving Personal Data Information in the possession or control of Seller, or held or Processed by any vendor, processor, or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by third party for or on behalf of Seller, has used false log-on credentials with respect to any third-party website or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Program.

Privacy and Data Security. (a) The computer systemsSeller has a privacy policy regarding the collection, including use, and disclosure of personal information in connection with the software, hardware operation of the Business and networks (collectively, is and in the “Systems”), currently past two years has been in compliance in all material respects with such privacy policy. True and complete copies of all privacy policies that have been used by the Seller with respect in the past two years have been provided to the Program are sufficient for the current needs of the Program, including as to capacity and ability to process current peak volumes Buyer. The Seller has posted a privacy policy in a timely manner. In clear and conspicuous location on all websites and any mobile applications owned or operated by the past 12 months, there have been no bugs in, or failures, breakdowns, or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect of the Program CandidateSeller. (b) Each privacy policy The Seller and its Subsidiaries have complied at all times in all material respects with all Laws applicable to the Business or other policy the Acquired Assets regarding the collection, use, storage, transfer, or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaserdisposal of personal information. The Seller is in compliance in all material compliance respects with all applicable Privacy Laws, its own privacy policies, the terms of all agreements to which the Seller is a party applicable to the Business or the Acquired Assets relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, and other terms storage, transfer, or policies or Contracts binding on Seller to the extent disposal of personal information). (c) No Person (including any Governmental Entity) has commenced any action relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledgeinformation privacy or data security practices, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby and thereby (i) will comply with all Privacy Requirements in all material respects, (ii) will not impair any material rights of, or impose any material obligations or restrictions on, Seller including with respect to any the collection, use, disclosuretransfer, commercialization or exploitation ofstorage, or otherwise relating to, any Personal Data or other data in the operation disposal of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used personal information maintained by or on behalf of the Seller, has used false log-on credentials with respect or to the knowledge of the Seller, threatened any third-party website or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languagessuch action, or scripts)made any complaint, investigation, or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, inquiry relating to such practices, except as would not, individually or in the Program. Since January 1aggregate, 2021reasonably be expected to have, individually or in the aggregate, a Business Material Adverse Effect. (d) The Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security established and implemented policies, practicesprograms, or activities as it relates to the Program. In and procedures that are in material compliance with the Privacy Requirementsindustry practice, Seller has adequate security measures in place including administrative, technical, and physical safeguards, to protect Personal Data the confidentiality, integrity and other data security of personal information in its possession, custody, custody or control as it relates to against unauthorized access, use, modification, disclosure or other misuse. To the Program. Since January 1, 2021knowledge of the Seller, Seller has not not, in the past two years, experienced any Data Breach as it relates loss, damage, or unauthorized access, disclosure, use, or breach of security of any personal information relating to the ProgramBusiness or the Acquired Assets in the possession of the Seller or any of its Subsidiaries, custody or control or otherwise held or processed on its behalf.

Privacy and Data Security. (a) The computer systemsCompany and, to the Company’s Knowledge, all vendors, processors, or other third parties acting for or on behalf of the Company in connection with the Processing of Personal Information or that otherwise have been authorized to have access to Personal Information in the possession or control of the Company, comply, and for the past three (3) years have complied, in all material respects with all of the following: (A) Privacy Laws; (B) rules of self-regulatory organizations that are legally binding on the Company, including the software, hardware Payment Card Industry Data Security Standard; (C) the Company Privacy and networks Data Security Policies; and (D) any contractual requirements or terms of use concerning the processing of Personal Information by the Company to which the Company is a party or otherwise bound as of the date hereof (collectively, the “SystemsPrivacy Obligations”), currently used by Seller with respect to the Program are sufficient for the current needs of the Program, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs in, or failures, breakdowns, or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect of the Program Candidate. (b) Each privacy policy To the Knowledge of the Company, during the past three (3) years, no disclosure or other policy representation made or terms published by Seller that relates to Personal contained in any Company Privacy and Data Security Policy has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy Lawsmaterially inaccurate, its own privacy policiesmisleading, terms of use, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customersdeceptive, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect Laws (including by containing any material omission). The Company and to the Company’s Knowledge any vendor, processor, or other third party Processing Personal Information for or on behalf of the Program. Company are and have been in compliance with the Company Privacy and Data Security Policies. (c) Except as set forth in Section 3.13(c) of the Company Disclosure Schedule, during the past three (3) years, (A) no Personal Information in the possession or control of the Company, or to the Knowledge of the Company, Processed by any vendor, processor, or other third party for or on behalf of the Company (each, a “Data Partner”), has been subject to any material data breach or other security incident that has resulted in material unauthorized access, disclosure, use, denial of use, alteration, corruption, destruction, compromise, or loss of such Personal Information or that has caused a material disruption to the conduct of the Company’s business (a “Security Incident”), and (B) the Company has not notified and there have been no facts or circumstances that would require the Company to notify, any Governmental Entity or other Person of any Security Incident. (d) During the past three (3) years, the Company has not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Entity or other Person, nor, to the Knowledge of the Company, has there been any audit, investigation, enforcement action (including any fines or other sanctions), or other action, relating to any actual, alleged, or suspected Security Incident or violation of any Privacy Law, any Company Privacy and Data Security Policy, or any Person’s individual privacy rights involving Personal Information in the possession or control of the Company. (e) The execution Company has at all times during the past three (3) years implemented and delivery maintained, commercially reasonable security measures, plans, procedures, controls, and programs, including a written information security program, designed to (A) identify and address internal and external risks to the privacy and security of this Agreement Personal Information and the Ancillary Documentssecurity, availability, and integrity of Company IT Systems; (B) implement, monitor, and improve adequate and effective administrative, technical, and physical safeguards to protect such Personal Information and the operation, integrity, and security of its software, systems, applications, and websites; and (C) provide notification in compliance with applicable Privacy Obligations in the case of any Security Incident. (f) During the past three (3) years, the performance by Seller of its obligations hereunder and thereunder, and the consummation Company has contractually obligated all Data Partners Processing Personal Information on behalf of the transactions contemplated hereby and thereby Company, to (i) will comply with all applicable Privacy Requirements Obligations in all material respects, (ii) will not impair any material rights ofmaintain reasonable and appropriate technical, or impose any material obligations or restrictions onphysical and administrative safeguards to protect the privacy, Seller with respect to any useconfidentiality, disclosure, commercialization or exploitation of, or otherwise relating to, any integrity and security of all Personal Data or other data in the operation of the ProgramInformation, and (iii) will not give rise take reasonable steps to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by or on behalf of Sellerprotect Personal Information from loss, has used false log-on credentials with respect to any third-party website or other false representation or statement or theft, unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data Processing or other datamisuse. To the Company’s Knowledge, during the past three (3) years, no Data Partner Processing the Company’s Personal Information has (A) suffered any Security Incident that resulted in each case, relating any unauthorized access to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject use of any Proceeding such Personal Information or investigation regarding its Processing of Personal Data or other data in each case(B) materially violated any Privacy Obligations. (g) The Company has developed a program and used reasonable efforts to identify, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data address and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Programremediate all threats and deficiencies on Company IT Systems.

Privacy and Data Security. (a) The computer systemsSellers are, including the softwareand since January 1, hardware 2017 have been, in all material respects in compliance with all applicable Information Privacy and networks (collectively, the “Systems”), currently used by Seller Security Laws with respect to the Program Business. With respect to the Business, the Sellers maintain policies and procedures regarding data security and privacy and maintain administrative, technical, organizational and physical security safeguards that are sufficient for required in compliance with all applicable Information Privacy and Security Laws. (b) Since January 1, 2017, and solely to the current needs extent required under applicable Information Privacy and Security Laws, the Sellers have had in place written data processing agreements with any key vendors acting as processors in material compliance with applicable Information Privacy and Security Laws in the case of processors. (c) With respect to the Business, to the Knowledge of the ProgramSellers, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 monthssince January 1, 2017, there have been no bugs inmaterial Personal Data breaches or material cybersecurity incidents (collectively, “Breaches“) subject to any Information Privacy and Security Laws. No notice or claim has been received by any of the Sellers from a third party vendor or any other Person alleging any Breach, including those alleging any breach of the GDPR since January 1, 2017. With respect to the Business, to the Knowledge of the Sellers, none of the Sellers has experienced a loss, or failuresan unauthorized disclosure, breakdownsuse, or continued substandard performance ofbreach of data protection, privacy or security, of any Sensitive Data that required notice to any Person (including any Governmental Authorities or parties to any Contract) under any applicable Information Privacy and Security Laws since January 1, 2017. No Person (including any Governmental Authority or parties to any Contract) has commenced any Action relating to any Seller’s information privacy or data security practices with respect to the Business or, to the Knowledge of the Sellers, threatened any such Systems that has caused the substantial disruption Action or interruption in made any complaint, investigation, or inquiry relating to the use of such Systems by Seller or the conduct of its business in respect practices since January 1, 2017. None of the Program Candidate. (b) Each privacy policy Sellers has received any notice, request or other policy communication from any supervisory authority (as defined in the GDPR), or terms published by Seller that relates to Personal Data has been delivered subject to any investigation or made available to Purchaser. Seller is in material compliance with all applicable Privacy Lawsproceedings (whether of a criminal, its own privacy policies, terms of use, and other terms civil or policies administrative nature) by any competent legal or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other dataregulatory authority, in each case in the operation relating to its processing of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby and thereby (i) will comply with all Privacy Requirements in all material respects, (ii) will not impair any material rights of, or impose any material obligations or restrictions on, Seller Personal Data with respect to any use, disclosure, commercialization or exploitation of, or otherwise relating to, any Personal Data or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by or on behalf of Seller, has used false log-on credentials with respect to any third-party website or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since Business since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Program2017.

Privacy and Data Security. (a) The computer systemsNORCAL and each NORCAL Subsidiary, including the softwareand, hardware and networks (collectively, the “Systems”), currently used by Seller with respect to the Program are sufficient Knowledge of NORCAL, all vendors, processors, or other third parties acting for or on behalf of NORCAL or a NORCAL Subsidiary in connection with the current needs Processing of Personal Information or that otherwise have been authorized to have access to Personal Information in the possession or control of NORCAL or any NORCAL Subsidiary comply and at all times in the past three years have complied, in all material respects with all of the Programfollowing: (A) Privacy Laws; (B) the Payment Card Industry Data Security Standard; (C) NORCAL Privacy and Data Security Policies; and (D) all obligations or restrictions concerning the privacy, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs insecurity, or failuresProcessing of Personal Information under any contracts or other written agreements, breakdownsarrangements, commitments, or continued substandard performance of, understandings to which NORCAL or any such Systems that has caused the substantial disruption NORCAL Subsidiary is a party or interruption in or to the use of such Systems by Seller or the conduct of its business in respect otherwise bound as of the Program Candidatedate hereof. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy LawsThe execution, its own privacy policies, terms of usedelivery, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery performance of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby hereby, including the transfer of all Personal Information in the possession or control of NORCAL or any NORCAL Subsidiary to PRA or its Subsidiaries, do not and thereby will not: (iA) will comply conflict with all or result in a material violation or breach of 52 43126503 v1 (c) NORCAL and each NORCAL Subsidiary, in compliance with Privacy Requirements Laws in all material respects, has posted to each of their websites and mobile applications and published or otherwise made available in connection with any products or services offered by NORCAL, NORCAL Privacy and Data Policies. No disclosure or representation made or contained in any such policy has been materially inaccurate, misleading, deceptive, or in material violation of any Privacy Laws (ii) will not impair including by containing any material rights ofomission), or impose any material obligations or restrictions on, Seller and the practices of NORCAL and the NORCAL Subsidiaries with respect to the Processing of Personal Information conform, and at all times in the past three years have conformed, to NORCAL Privacy and Data Policies that govern the use of such Personal Information in all material respects. NORCAL has delivered or made available to PRA true, complete, and correct copies of all NORCAL Privacy and Data Policies that are in effect as of the date hereof or have been in effect in the past three years. (d) Except as set forth in Section 5.23(d) of the NORCAL Disclosure Schedules to the Knowledge of NORCAL, no Personal Information in the possession or control of NORCAL or any use, disclosure, commercialization or exploitation ofNORCAL Subsidiary, or otherwise relating toheld or Processed by any vendor, any Personal Data processor, or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by third party for or on behalf of SellerNORCAL or any NORCAL Subsidiary, has used false log-on credentials with respect been subject to any third-party website data or security breach or unauthorized access, disclosure, use, loss, denial or loss of use, alteration, destruction, compromise, or Processing that NORCAL or any NORCAL Subsidiary is required to report to a Governmental Authority or other false representation or statement or unauthorized or unlawful mechanism, code Person (including markup languages, programming languages, or scriptsa “Security Incident”), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Program.

Privacy and Data Security. (a) The computer systemsExcept as described in Schedule 5.26(a), including Company, and, to Knowledge of the softwareCompany, hardware all vendors, processors, or other third parties acting for or on behalf of the Company in connection with the Processing of Personal Information or that otherwise have been authorized to have access to Personal Information in the possession or control of the Company, comply and networks at all times in the past three (collectively3) years have complied, in all material respects with all of the following: (i) Privacy Laws; (ii) the Company Privacy and Data Security Policies; and (iii) any Contract requirements or terms of use concerning the Processing of Personal Information to which the Company is a party or otherwise bound as of the date hereof (“Privacy Agreements”). To the Knowledge of the Company, the operation of the business of the Company has not and does not violate any right to privacy or publicity of any third person under applicable Law. (b) The Company has delivered or made available to the Purchaser true, complete, and correct copies of all Company Privacy and Data Security Policies. (c) To the Knowledge of the Company, no Person has obtained unauthorized access to Personal Information in the possession of the Company, nor has there been any other material compromise of the security, confidentiality or integrity of such information or data, and no written or, to the Knowledge of the Company, oral complaint relating to an improper use or disclosure of, or a breach in the security of, any such information or data has been received by the Company (a “SystemsSecurity Incident”). The Company has not notified and, currently used by Seller with respect to the Program are sufficient for the current needs Knowledge of the Program, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 monthsCompany, there have been no bugs in, facts or failures, breakdowns, or continued substandard performance ofcircumstances that would require the Company to notify, any such Systems that has caused the substantial disruption Governmental Authority or interruption in or to the use other Person of such Systems by Seller or the conduct of its business in respect of the Program Candidateany Security Incident. (bd) Each privacy policy Except as described in Schedule 5.26(d), in the past three (3) years, the Company has not received any notice, request, claim, complaint, correspondence, or other policy communication in writing from any Governmental Authority or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy Laws, its own privacy policies, terms of useother Person, and there has not been any audit, investigation, enforcement action (including any fines or other terms sanctions), or policies or Contracts binding on Seller to the extent other Action, (i) relating to the Program and with respect toany actual, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customersalleged, or the Processing of any Personal Data suspected Security Incident or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements Agreements, or any Person’s individual privacy rights involving Personal Information in respect the possession or control of the Program. The execution and delivery of this Agreement and the Ancillary DocumentsCompany, the performance or held or Processed by Seller of its obligations hereunder and thereunderany vendor, and the consummation processor, or other third party for or on behalf of the transactions contemplated hereby and thereby (i) will comply with all Privacy Requirements in all material respects, Company; (ii) will not impair any material rights of, prohibiting or impose any material obligations or restrictions on, Seller with respect threatening to prohibit the transfer of Personal Information to any use, disclosure, commercialization place; or exploitation of, or otherwise relating to, any Personal Data or other data in the operation of the Program, and (iii) will not permitting or mandating any Governmental Authority to investigate, requisition information from, or enter the premises of, the Company, and, to the Knowledge of the Company, there are no facts or circumstances that would reasonably be expected to give rise to any material right on of the part of foregoing. (e) The Company has at all times in the past three (3) years implemented and maintained, and required all vendors, processors, or other third parties that Process any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by Personal Information for or on behalf of Sellerthe Company to implement and maintain, has used false log-on credentials commercially reasonable security measures, plans, procedures, controls, and programs consistent with respect to any third-party website or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the ProgramAgreements.

Privacy and Data Security. (a) The computer systemsSellers are, including the softwareand since January 1, hardware 2017 have been, in all material respects in compliance with all applicable Information Privacy and networks (collectively, the “Systems”), currently used by Seller Security Laws with respect to the Program Business. With respect to the Business, the Sellers maintain policies and procedures regarding data security and privacy and maintain administrative, technical, organizational and physical security safeguards that are sufficient for required in compliance with all applicable Information Privacy and Security Laws. (b) Since January 1, 2017, and solely to the current needs extent required under applicable Information Privacy and Security Laws, the Sellers have had in place written data processing agreements with any key vendors acting as processors in material compliance with applicable Information Privacy and Security Laws in the case of processors. (c) With respect to the Business, to the Knowledge of the ProgramSellers, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 monthssince January 1, 2017, there have been no bugs inmaterial Personal Data breaches or material cybersecurity incidents (collectively, "Breaches") subject to any Information Privacy and Security Laws. No notice or claim has been received by any of the Sellers from a third party vendor or any other Person alleging any Breach, including those alleging any breach of the GDPR since January 1, 2017. With respect to the Business, to the Knowledge of the Sellers, none of the Sellers has experienced a loss, or failuresan unauthorized disclosure, breakdownsuse, or continued substandard performance ofbreach of data protection, privacy or security, of any Sensitive Data that required notice to any Person (including any Governmental Authorities or parties to any Contract) under any applicable Information Privacy and Security Laws since January 1, 2017. No Person (including any Governmental Authority or parties to any Contract) has commenced any Action relating to any Seller's information privacy or data security practices with respect to the Business or, to the Knowledge of the Sellers, threatened any such Systems that has caused the substantial disruption Action or interruption in made any complaint, investigation, or inquiry relating to the use of such Systems by Seller or the conduct of its business in respect practices since January 1, 2017. None of the Program Candidate. (b) Each privacy policy Sellers has received any notice, request or other policy communication from any supervisory authority (as defined in the GDPR), or terms published by Seller that relates to Personal Data has been delivered subject to any investigation or made available to Purchaser. Seller is in material compliance with all applicable Privacy Lawsproceedings (whether of a criminal, its own privacy policies, terms of use, and other terms civil or policies administrative nature) by any competent legal or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other dataregulatory authority, in each case in the operation relating to its processing of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby and thereby (i) will comply with all Privacy Requirements in all material respects, (ii) will not impair any material rights of, or impose any material obligations or restrictions on, Seller Personal Data with respect to any use, disclosure, commercialization or exploitation of, or otherwise relating to, any Personal Data or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by or on behalf of Seller, has used false log-on credentials with respect to any third-party website or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since Business since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Program2017.

Privacy and Data Security. (a) The computer systemsNORCAL and each NORCAL Subsidiary, including the softwareand, hardware and networks (collectively, the “Systems”), currently used by Seller with respect to the Program are sufficient Knowledge of NORCAL, all vendors, processors, or other third parties acting for or on behalf of NORCAL or a NORCAL Subsidiary in connection with the current needs Processing of Personal Information or that otherwise have been authorized to have access to Personal Information in the possession or control of NORCAL or any NORCAL Subsidiary comply and at all times in the past three years have complied, in all material respects with all of the Programfollowing: (A) Privacy Laws; (B) the Payment Card Industry Data Security Standard; (C) NORCAL Privacy and Data Security Policies; and (D) all obligations or restrictions concerning the privacy, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs insecurity, or failuresProcessing of Personal Information under any contracts or other written agreements, breakdownsarrangements, commitments, or continued substandard performance of, understandings to which NORCAL or any such Systems that has caused the substantial disruption NORCAL Subsidiary is a party or interruption in or to the use of such Systems by Seller or the conduct of its business in respect otherwise bound as of the Program Candidatedate hereof. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy LawsThe execution, its own privacy policies, terms of usedelivery, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery performance of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby hereby, including the transfer of all Personal Information in the possession or control of NORCAL or any NORCAL Subsidiary to PRA or its Subsidiaries, do not and thereby will not: (iA) will comply conflict with all or result in a material violation or breach of any Privacy Requirements Laws or NORCAL Privacy and Data Policies; or (B) require the consent of or notice to any Person concerning such Person’s Personal Information. (c) NORCAL and each NORCAL Subsidiary, in compliance with Privacy Laws in all material respects, has posted to each of their websites and mobile applications and published or otherwise made available in connection with any products or services offered by NORCAL, NORCAL Privacy and Data Policies. No disclosure or representation made or contained in any such policy has been materially inaccurate, misleading, deceptive, or in material violation of any Privacy Laws (ii) will not impair including by containing any material rights ofomission), or impose any material obligations or restrictions on, Seller and the practices of NORCAL and the NORCAL Subsidiaries with respect to the Processing of Personal Information conform, and at all times in the past three years have conformed, to NORCAL Privacy and Data Policies that govern the use of such Personal Information in all material respects. NORCAL has delivered or made available to PRA true, complete, and correct copies of all NORCAL Privacy and Data Policies that are in effect as of the date hereof or have been in effect in the past three years. (d) Except as set forth in Section 5.23(d) of the NORCAL Disclosure Schedules to the Knowledge of NORCAL, no Personal Information in the possession or control of NORCAL or any useNORCAL Subsidiary, or held or Processed by any vendor, processor, or other third party for or on behalf of NORCAL or any NORCAL Subsidiary, has been subject to any data or security breach or unauthorized access, disclosure, commercialization use, loss, denial or exploitation ofloss of use, alteration, destruction, compromise, or otherwise Processing that NORCAL or any NORCAL Subsidiary is required to report to a Governmental Authority or other Person (a “Security Incident”). (e) Except as set forth in Section 5.23(e) of the NORCAL Disclosure Schedules, in the past three years, NORCAL and the NORCAL Subsidiaries have not received any written or, to the Knowledge of NORCAL, oral notice, request, claim, complaint, correspondence, or other communication from any Governmental Authority or other Person, and to the Knowledge of NORCAL there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other Action relating to, any actual, alleged, or suspected Security Incident or violation of any Privacy Law involving Personal Data Information in the possession or control of NORCAL or any NORCAL Subsidiary, or held or Processed by any vendor, processor, or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by third party for or on behalf of SellerNORCAL or any NORCAL Subsidiary, except as would not, individually or in the aggregate, reasonably be expected to have a Material Adverse Effect. (f) NORCAL and each NORCAL Subsidiary has used false log-on credentials with respect to any third-party website or other false representation or statement or unauthorized or unlawful mechanismat all times in the past three years implemented and maintained, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use and required all vendors that Process any Personal Data Information for or other dataon behalf of NORCAL or any NORCAL Subsidiary to implement and maintain, in each casecommercially reasonable security measures, relating plans, procedures, controls, and programs, including written information security programs, designed to (A) identify and reasonably address internal and external risks to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing privacy and security of Personal Data Information in their possession or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the Program.control;

Privacy and Data Security. (a) The computer systemsCompany complies, including and at all times in the softwarepast three (3) years has complied, hardware and networks (collectively, the “Systems”), currently used by Seller in all material respects with respect to the Program are sufficient for the current needs all of the Programfollowing: (A) Privacy Laws; (B) the Company Privacy and Data Security Policies; and (C) all obligations or restrictions concerning the privacy, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs insecurity, or failures, breakdowns, Processing of Personal Information under any Contract to which the Company is a party or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect otherwise bound as of the Program Candidatedate hereof. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy LawsThe execution, its own privacy policies, terms of usedelivery, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery performance of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby hereby, do not and thereby will not: (iA) will comply conflict with or result in a violation or breach of any Privacy Laws or Company Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or for the Company); or (B) require the consent of or notice to any Person concerning such Person’s Personal Information. (c) The Company has delivered or made available to Buyer true, complete, and correct copies of all Company Privacy Requirements and Data Security Policies that are currently in effect, and the Company has complied in all material respectsrespects with such Company Privacy and Data Security Policies. (d) In the past three (3) years, (iiA) will not impair any material rights ofto, no Personal Information in the possession or impose any material obligations or restrictions on, Seller with respect control of the Company has been subject to any usedata or security breach or unauthorized access, disclosure, commercialization use, loss, denial or exploitation ofloss of use, alteration, destruction, compromise, or otherwise Processing (a “Security Incident”), and (B) the Company has not notified and, to Sellers’ Knowledge, there have been no facts or circumstances that would require the Company to notify, any Governmental Authority or other Person of any Security Incident. (e) In the past three (3) years, the Company has not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Authority or other Person, and there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other Action relating to, any actual, alleged, or suspected Security Incident or violation of any Privacy Law involving Personal Data Information in the possession or control of the Company, or held or Processed by any vendor, processor, or other data in the operation of the Program, and (iii) will not give rise to any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by third party for or on behalf of Seller, has used false log-on credentials with respect to any third-party website or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scripts), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each case, relating to the Program. Since January 1, 2021, Seller has not received a written complaint or been the subject of any Proceeding or investigation regarding its Processing of Personal Data or other data in each case, in respect of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the ProgramCompany.

Privacy and Data Security. (a) The computer systemsTarget Companies comply and at all times in the past three (3) years have complied, including in all material respects with all of the software, hardware following: (i) Privacy Laws; (ii) the Company Privacy and networks Data Security Policies; and (collectivelyiii) any Contract requirements or terms of use concerning the Processing of Personal Information to which a Target Company is a party or otherwise bound as of the date hereof (“Privacy Agreements”). To the Knowledge of the Company, the “Systems”), currently used by Seller with respect to the Program are sufficient for the current needs operation of the Program, including as to capacity and ability to process current peak volumes in a timely manner. In the past 12 months, there have been no bugs in, or failures, breakdowns, or continued substandard performance of, any such Systems that has caused the substantial disruption or interruption in or to the use of such Systems by Seller or the conduct of its business in respect of the Program CandidateTarget Companies has not and does not violate any right to privacy of any third person under applicable Law. (b) Each privacy policy or other policy or terms published by Seller that relates to Personal Data has been delivered or made available to Purchaser. Seller is in material compliance with all applicable Privacy LawsThe execution, its own privacy policies, terms of usedelivery, and other terms or policies or Contracts binding on Seller to the extent relating to the Program and with respect to, in each case, data security, Data Breach notification requirements, the privacy of service providers, users, visitors, and customers, or the Processing of any Personal Data or other data, in each case in the operation of the Program (collectively, the “Privacy Requirements”). No material claims are currently pending or, to Seller’s Knowledge, are threatened against Seller by any Person alleging a violation of any Privacy Requirements in respect of the Program. The execution and delivery performance of this Agreement and the Ancillary Documents, the performance by Seller of its obligations hereunder and thereunder, and the consummation of the transactions contemplated hereby do not and thereby will not: (i) will comply conflict with all or result in a violation or breach by the Company of any Privacy Requirements in all material respectsLaws, Company Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by the Company, or Privacy Agreements); or (ii) will not impair require the consent of or notice to any Person concerning such Person’s Personal Information. (c) The Company has delivered or made available to SPAC true, complete, and correct copies of all Company Privacy and Data Security Policies. (d) To the Knowledge of the Company, no Person has obtained unauthorized access to Personal Information in the possession of the Company, nor has there been any other material rights compromise of the security, confidentiality or integrity of such information or data, and no written or, to the Knowledge of the Company, oral complaint relating to an improper use or disclosure of, or impose any material obligations or restrictions on, Seller with respect to any use, disclosure, commercialization or exploitation a breach in the security of, any such information or otherwise relating todata has been received by the Company (a “Security Incident”). The Company has not notified and, to Knowledge of the Company, there have been no facts or circumstances that would require the Company to notify, any Personal Data Governmental Authority or other data Person of any Security Incident. (e) In the past three (3) years, the Company has not received any notice, request, claim, complaint, correspondence, or other communication in the operation of the Programwriting from any Governmental Authority or other Person, and there has not been any audit, investigation, enforcement action (iii) will not give rise to including any material right on the part of any Person to impair any such rights or impose any such obligations or restrictions. None of Seller or any software tool created or used by or on behalf of Seller, has used false log-on credentials with respect to any third-party website fines or other false representation or statement or unauthorized or unlawful mechanism, code (including markup languages, programming languages, or scriptssanctions), or action to access (including access in excess of authorization), obtain, damage, exploit, Process, or otherwise use any Personal Data or other data, in each caseAction, relating to the Program. Since January 1any actual, 2021alleged, Seller has not received a written complaint or been the subject suspected Security Incident or violation of any Proceeding Privacy Agreements, or investigation regarding its Processing of any Person’s individual privacy rights involving Personal Data Information in the possession or other data in each case, in respect control of the operation of the Program or its privacy or data security policies, practices, or activities as it relates to the Program. In material compliance with the Privacy Requirements, Seller has adequate security measures in place to protect Personal Data and other data in its possession, custody, or control as it relates to the Program. Since January 1, 2021, Seller has not experienced any Data Breach as it relates to the ProgramCompany.