Common use of Privacy; Data Security Clause in Contracts

Privacy; Data Security. Except as would not reasonably be expected, individually or in the aggregate, to be material to Washington and its Subsidiaries, taken as a whole: (a) the data, privacy and information security practices of Washington (and Subsidiaries thereof) are, and since January 1, 2022, have been, in compliance with all (i) applicable Laws, (ii) contractual obligations or industry standards to which Washington or any of its Subsidiaries are bound including with respect to Affiliates and/or third parties with respect to the processing of Personally Identifiable Information on behalf of, and/or sharing Personally Identifiable Information with the Washington Business (collectively, “Washington Data Partners”) and the Payment Card Industry Data Security Standard, and (iii) Washington’s (and its Subsidiaries’) publicly facing privacy and information security policies concerning the collection, use, storage, processing, transfer, disclosure, or protection of Personally Identifiable Information (clauses (i) through (iii), collectively, the “Washington Data Security Requirements”); (b) Washington (and its Subsidiaries), and to the Knowledge of Washington, Washington Data Partners, have implemented and maintain reasonable and appropriate organizational, physical, administrative and technical safeguards and measures, including a written information security program that are designed to (i) comply with applicable Washington Data Security Requirements and (ii) protect the Information Technology owned by Washington or its Subsidiaries, together with any Personally Identifiable Information held or processed by Washington or its Subsidiaries, against a Security Incident. Washington (and Subsidiaries thereof) regularly test their written information security program by conducting security audits, penetration tests, and/or vulnerability scans, and, to the Knowledge of Washington, no entity has identified any medium, high, or critical vulnerability that has not been fully remediated; (c) since January 1, 2022, Washington and its Subsidiaries, and to the Knowledge of Washington, Washington Data Partners have not experienced any Security Incidents. In relation to any Security Incident and/or actual, alleged, or potential violation of a Business Data Security Requirement, Washington and its Subsidiaries have not (i) notified or been required to notify any Person, or (ii) received any notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any investigation or enforcement action by, any Person and, to the Knowledge of Washington, there are no facts or circumstances that could give rise to the occurrence of the foregoing clauses (i) or (ii).

Privacy; Data Security. Except as would not reasonably be expected, individually or in the aggregate, to be material to Washington the Business and the Purchased Entity (and its Subsidiaries), taken as a whole: (a) the data, privacy and information security practices of Washington the Purchased Entity (and Subsidiaries thereof) are, and since January 1, 2022, have been, in compliance with all (i) applicable Laws, (ii) contractual obligations or industry standards to which Washington the Purchased Entity or any of its Subsidiaries or, in respect of the Business, Georgia or any of its Subsidiaries are bound bound, including with respect to Affiliates and/or third parties with respect to the processing of Personally Identifiable Information on behalf of, and/or sharing Personally Identifiable Information with the Washington Business (collectively, “Washington Data Partners”) and the Payment Card Industry Data Security Standard, and (iii) Washingtonwith the Purchased Entity’s (and its Subsidiaries’) and, in respect of the Business, Georgia’s (and its Subsidiaries’) publicly facing privacy and information security policies concerning the collection, use, storage, processing, transfer, disclosure, or protection of Personally Identifiable Information Information; (clauses (i) through (iii), collectively, the “Washington Business Data Security Requirements”); (b) Washington the Purchased Entity (and Subsidiaries thereof) and Georgia and its Subsidiaries), and to the Knowledge of WashingtonGeorgia, Washington its Data Partners, have implemented and maintain reasonable and appropriate organizational, physical, administrative and technical safeguards and measures, including a written information security program program, that are designed to (i) comply with applicable Washington Business Data Security Requirements and (ii) protect the Information Technology owned by Washington the Purchased Entity or its Subsidiaries, together with any Personally Identifiable Information held or processed by Washington the Purchased Entity or its SubsidiariesSubsidiaries in connection with the Business, against a Security Incident. Washington The Purchased Entity (and Subsidiaries thereof) and Georgia and its Subsidiaries regularly test their written information security program by conducting security audits, penetration tests, and/or vulnerability scans, and, to the Knowledge of WashingtonGeorgia, no entity has identified any medium, high, or critical vulnerability that has not been fully remediated;; and (c) since January 1, 2022, Washington Georgia and its Subsidiaries, and to the Knowledge of WashingtonGeorgia, Washington its Data Partners Partners, in each case, in connection with the Business, have not experienced any Security Incidents. In relation to any Security Incident and/or actual, alleged, or potential violation of a Business Data Security Requirement, Washington Georgia and its Subsidiaries Subsidiaries, in each case, in connection with the Business have not (i) notified or been required to notify any Person, or (ii) received any notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any investigation or enforcement action by, any Person and, to Person. To the Knowledge of WashingtonGeorgia, there are no facts or circumstances that could give rise to the occurrence of the foregoing clauses (i) or (ii).

Privacy; Data Security. Except as would not reasonably be expected, individually or in the aggregate, to be material to Washington the Business and the Purchased Entity (and its Subsidiaries), taken as a whole: (a) the data, privacy and information security practices of Washington the Purchased Entity (and Subsidiaries thereof) are, and since January 1, 20222021, have been, in compliance with all (i) applicable Laws, (ii) contractual obligations or industry standards to which Washington the Purchased Entity or any of its Subsidiaries or, in respect of the Business, Seller or any of its Subsidiaries are bound including with respect to Affiliates and/or third parties with respect to the processing of Personally Identifiable Information on behalf of, and/or sharing Personally Identifiable Information with the Washington Business (collectively, “Washington Data Partners”) and the Payment Card Industry Data Security Standard, and (iii) Washingtonwith the Purchased Entity’s (and its Subsidiaries’) and, in respect of the Business, Seller’s (and its Subsidiaries’) publicly facing privacy and information security policies concerning the collection, use, storage, processing, transfer, disclosure, or protection of Personally Identifiable Information Information; (clauses (i) through (iii), collectively, the “Washington Data Security Requirements”); (b) Washington the Purchased Entity (and Subsidiaries thereof) and Seller and its Subsidiaries), and to the Knowledge of Washington, Washington Data Partners, Subsidiaries have implemented and maintain reasonable and appropriate organizational, physical, administrative and technical safeguards and measures, including a written information security program that are designed to (i) comply with applicable Washington Data Security Requirements and (ii) protect the Information Technology owned by Washington the Purchased Entity or its Subsidiaries, together with any Personally Identifiable Information held or processed by Washington the Purchased Entity or its SubsidiariesSubsidiaries in connection with the Business, against a Security Incident. Washington (unauthorized access and Subsidiaries thereof) regularly test their written information security program by conducting security audits, penetration tests, and/or vulnerability scans, misuse; and, to the Knowledge of Washington, no entity has identified any medium, high, or critical vulnerability that has not been fully remediated; (c) since January 1, 2022, Washington and its Subsidiaries, and to the Knowledge of Washington, Washington Data Partners have not experienced any Security Incidents. In relation to any Security Incident and/or actual, alleged, or potential violation of a Business Data Security Requirement, Washington and its Subsidiaries have not (i) notified or been required to notify any Person, or (ii) received any notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any investigation or enforcement action by, any Person and2021, to the Knowledge of WashingtonSeller, there are has been no facts breach, cybersecurity incident, or circumstances that could give rise other third-party unauthorized access to any Personally Identifiable Information held or processed by any of Seller or its Subsidiaries, in each case, in connection with the occurrence of the foregoing clauses (i) or (ii)Business.

Privacy; Data Security. Except as would not reasonably be expected, individually or in the aggregate, to be material to Washington and its Subsidiaries, taken as a whole: (a) the data, privacy and information security practices of Washington (and Subsidiaries thereof) are, and since January 131, 20222024, have been, in compliance with all (i) applicable Laws, (ii) contractual obligations or industry standards to which Washington or any of its Subsidiaries are bound including with respect to Affiliates and/or third parties with respect to the processing of Personally Identifiable Information on behalf of, and/or sharing Personally Identifiable Information with the Washington Business (collectively, “Washington Data Partners”) and the Payment Card Industry Data Security Standard, and (iii) Washington’s (and its Subsidiaries’) publicly facing privacy and information security policies concerning the collection, use, storage, processing, transfer, disclosure, or protection of Personally Identifiable Information (clauses (i) through (iii), collectively, the “Washington Data Security Requirements”); (b) Washington (and its Subsidiaries), and to the Knowledge of Washington, Washington Data Partners, have implemented and maintain reasonable and appropriate organizational, physical, administrative and technical safeguards and measures, including a written information security program that are designed to (i) comply with applicable Washington Data Security Requirements and (ii) protect the Information Technology owned by Washington or its Subsidiaries, together with any Personally Identifiable Information held or processed by Washington or its Subsidiaries, against a Security Incident. Washington (and Subsidiaries thereof) regularly test their written information security program by conducting security audits, penetration tests, and/or vulnerability scans, and, to the Knowledge of Washington, no entity has identified any medium, high, or critical vulnerability that has not been fully remediated;; and (c) since January 131, 20222024, Washington and its Subsidiaries, and to the Knowledge of Washington, Washington Data Partners have not experienced any Security Incidents. In relation to any Security Incident and/or actual, alleged, or potential violation of a Business Washington Data Security Requirement, Washington and its Subsidiaries have not (i) notified or been required to notify any Person, or (ii) received any notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any investigation or enforcement action by, any Person and, to the Knowledge of Washington, there are no facts or circumstances that could give rise to the occurrence of the foregoing clauses (i) or (ii).