Common use of Privacy; Data Security Clause in Contracts

Privacy; Data Security. (a) The Company, the Company Subsidiaries, and, to the Company’s Knowledge, all third parties Processing Personal Information on behalf of any Company Subsidiary pursuant to a written agreement with the Company or a Company Subsidiary (collectively, “Company Data Partners”), comply and have at all times since January 1, 2020 complied, in all material respects, with all applicable (i) Privacy Laws, (ii) external-facing policies, notices, and/or statements published by the Company or a Company Subsidiary, as applicable, related to Personal Information (“Company Privacy Policy”), and (iii) contractual commitments related to the Processing of Personal Information in a Company Material Contract (collectively, “Company Privacy Requirements”). All Company Privacy Policies are and have been materially accurate, consistent and complete and not misleading or deceptive (including by omission) in any material respect. To the Company’s Knowledge, the execution, delivery, and performance of this Agreement do not conflict with and will not result in a breach of any Company Privacy Requirements or require the consent of or provision of notice to any Person. (b) The Company and each Company Subsidiary have at all times since January 1, 2020 implemented and maintained commercially reasonable measures designed to protect Personal Information against any accidental, unlawful or unauthorized access, use, loss, disclosure, alteration, destruction, or compromise (a “Security Incident”). To the Company’s Knowledge, none of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, any Company Data Partners have experienced any material Security Incidents, including any successful ransomware attack or denial-of-service attack material to the Company or Company Subsidiary’s operations. In relation to any Security Incident and/or Company Privacy Requirement, none of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, any Company Data Partners, have (i) notified or been required to notify any Person under Privacy Laws, or (ii) received any notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any investigation or enforcement action by, any Person. To the Company’s Knowledge, there are no facts or circumstances that would reasonably be expected to give rise to the occurrence of (i) or (ii).

Privacy; Data Security. (a) The CompanyCompany and its Subsidiaries own, the Company Subsidiaries, and, or have valid rights to the Company’s Knowledge, all third parties Processing Personal Information on behalf of any Company Subsidiary access and use pursuant to a written agreement with the Company or a Company Subsidiary (collectivelyagreement, “Company Data Partners”), comply and have at all times since January 1, 2020 complied, in all material respects, with all applicable IT Systems. The IT Systems are (i) Privacy Lawssubject to commercially reasonable disaster recovery procedures, (ii) external-facing policiesfree from any defect, noticesbug, and/or statements published by the Company virus, corruption, malicious code or a Company Subsidiary, as applicable, related to Personal Information (“Company Privacy Policy”)other similar contaminants, and (iii) contractual commitments related adequate and sufficient (including with respect to working condition and capacity) for, and operate and perform in all material respects as required in connection with, the conduct and operation of Group Companies as currently conducted. The Company and its Subsidiaries have taken all commercially reasonable efforts to protect the confidentiality, integrity and security of the IT Systems. During the five (5) years prior to the Processing date of Personal Information in this Agreement, the IT Systems have not suffered a Company Material Contract (collectively, “Company Privacy Requirements”)material failure or malfunction. All Company Privacy Policies are and There have been materially accurateno unauthorized uses or intrusions of, consistent and complete and not misleading or deceptive breaches (including by omissionany “security incident” (as defined in 45 C.F.R § 164.304) or “breach” (as defined in 45 C.F.R § 164.402)) to, the IT Systems of the Company or any material respect. To Subsidiary of the Company’s Knowledge, the executionor any other loss, delivery, and performance of this Agreement do not conflict with and will not result in a breach unauthorized disclosure or use of any Company Privacy Requirements sensitive or require confidential information, including Personal Information, in the consent custody or control of or provision of notice to any Personthe Group Companies. (b) The Company and each of its Subsidiaries are, in compliance with all privacy and security obligations to which they are subject under (i) all applicable privacy policies and online terms of use, (ii) any applicable Law, including Privacy Laws, and (iii) any Contract, including all contractual commitments that the Company or a Subsidiary have at all times since January 1has entered into with respect to the receipt, 2020 implemented and maintained commercially reasonable measures designed to protect Personal Information against any accidentalcollection, unlawful or unauthorized accesscompilation, use, lossstorage, processing, sharing, safeguarding, security, disposal, destruction, disclosure, alterationor transfer of Personal Information or User Data (collectively, destruction, or compromise (a “Data Security IncidentRequirements”). To There have not been any investigations regarding, and neither the Company’s KnowledgeCompany nor its Subsidiaries have received any notice from any Governmental Authority or Person alleging, none any violation of any Data Security Requirements. The Company and each of its Subsidiaries have provided accurate and complete disclosure with respect to their privacy policies and privacy and data security practices, including providing any type of notice and obtaining any type of consent required by Privacy Laws. (c) The Company and its Subsidiaries have not incorporated or used any open source Software in connection with any Software developed, used or otherwise exploited by the Company and its Subsidiaries or any of their customers in a manner that requires the contribution, licensing, transfer, assignment, attribution or disclosure to any third Person of any portion of the Companysource code of any Software developed, the Company Subsidiarieslicensed, or, to the Company’s Knowledge, any Company Data Partners have experienced any material Security Incidents, including any successful ransomware attack distributed used or denial-of-service attack material to otherwise exploited by or for the Company or Company Subsidiary’s operationsits Subsidiaries. In relation No source code owned by the Group Companies has been delivered or licensed to any Security Incident and/or Company Privacy Requirement, none of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, any Company Data Partners, have (i) notified or been required to notify any Person under Privacy Lawsother Person, or (ii) received is subject to any notice, inquiry, request, claim, complaint, correspondence source code escrow or other communication from, or been the subject of any investigation or enforcement action by, any Person. To the Company’s Knowledge, there are no facts or circumstances that would reasonably be expected to give rise to the occurrence of (i) or (ii)assignment obligation.

Privacy; Data Security. (a) The CompanyCompany and its Subsidiaries own, the Company Subsidiaries, and, or have valid rights to the Company’s Knowledge, all third parties Processing Personal Information on behalf of any Company Subsidiary access and use pursuant to a written agreement with the Company or a Company Subsidiary (collectivelyagreement, “Company Data Partners”), comply and have at all times since January 1, 2020 complied, in all material respects, with all applicable IT Systems. The IT Systems are (i) Privacy Lawssubject to commercially reasonable disaster recovery procedures, (ii) external-facing policiesfree from any defect, noticesbug, and/or statements published by the Company virus, corruption, malicious code or a Company Subsidiary, as applicable, related to Personal Information (“Company Privacy Policy”)other similar contaminants, and (iii) contractual commitments related adequate and sufficient (including with respect to working condition and capacity) for, and operate and perform in all material respects as required in connection with, the conduct and operation of Group Companies as currently conducted. The Company and its Subsidiaries have taken all commercially reasonable efforts to protect the confidentiality, integrity and security of the IT Systems. During the three (3) years prior to the Processing date of Personal Information in this Agreement, the IT Systems have not suffered a Company Material Contract (collectively, “Company Privacy Requirements”)material failure or malfunction. All Company Privacy Policies are and There have been materially accurateno unauthorized uses or intrusions of, consistent and complete and not misleading or deceptive breaches (including by omissionany “security incident” (as defined in 45 C.F.R § 164.304) or “breach” (as defined in 45 C.F.R § 164.402)) to, the IT Systems of the Company or any material respect. To Subsidiary of the Company’s Knowledge, the executionor any other loss, delivery, and performance of this Agreement do not conflict with and will not result in a breach unauthorized disclosure or use of any Company Privacy Requirements sensitive or require confidential information, including Personal Information, in the consent custody or control of or provision of notice to any Personthe Group Companies. (b) The Company and each of its Subsidiaries are, and for the past three (3) years have been, in compliance with all privacy and security obligations to which they are subject under (i) all applicable privacy policies and online terms of use, (ii) any applicable Law, including Privacy Laws, and (iii) any Contract, including all contractual commitments that the Company or a Subsidiary have at all times since January 1has entered into with respect to the receipt, 2020 implemented and maintained commercially reasonable measures designed to protect Personal Information against any accidentalcollection, unlawful or unauthorized accesscompilation, use, lossstorage, processing, sharing, safeguarding, security, disposal, destruction, disclosure, alterationor transfer of Personal Information or User Data (collectively, destruction, or compromise (a “Data Security IncidentRequirements”). To There have not been any investigations regarding, and neither the Company’s KnowledgeCompany nor its Subsidiaries have received any written notice from any Governmental Authority or Person alleging, none any violation of any Data Security Requirements. The Company and each of its Subsidiaries have provided accurate and complete disclosure with respect to their privacy policies and privacy and data security practices, including providing any type of notice and obtaining any type of consent required by Privacy Laws. (c) The Company and its Subsidiaries have not incorporated or used any open source Software in connection with any Software developed, used or otherwise exploited by the Company and its Subsidiaries or any of their customers in a manner that requires the contribution, licensing, transfer, assignment, attribution or disclosure to any third Person of any portion of the Companysource code of any Software developed, the Company Subsidiarieslicensed, or, to the Company’s Knowledge, any Company Data Partners have experienced any material Security Incidents, including any successful ransomware attack distributed used or denial-of-service attack material to otherwise exploited by or for the Company or Company Subsidiary’s operationsits Subsidiaries. In relation No source code owned by the Group Companies has been delivered or licensed to any Security Incident and/or Company Privacy Requirement, none of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, any Company Data Partners, have (i) notified or been required to notify any Person under Privacy Lawsother Person, or (ii) received is subject to any notice, inquiry, request, claim, complaint, correspondence source code escrow or other communication from, or been the subject of any investigation or enforcement action by, any Person. To the Company’s Knowledge, there are no facts or circumstances that would reasonably be expected to give rise to the occurrence of (i) or (ii)assignment obligation.

Privacy; Data Security. (ai) The CompanyCompany is in compliance in all Material respects with all applicable Privacy Laws, the Company SubsidiariesPrivacy Policies and Privacy Contracts, andand has collected, processed, stored, maintained, transferred, disclosed, secured, shared, or otherwise used Personal Information in compliance in all material respects with all applicable Privacy Laws, Privacy Policies and Privacy Contracts. There has been no notice to, complaint against, or Action (or, to the Company’s Knowledge, investigation) commenced against the Company by any Person (including any Governmental Authority) related to the collection, use, storage, distribution, transfer, or disclosure of, or unauthorized access to, Personal Information. (ii) The Company has complete and accurate records of all third parties Processing Personal Information Persons who have notified the Company of such Person’s election not to receive any electronic communications or solicitations (“Opt-out Notifications”) from or on behalf of any the Company. The Company Subsidiary pursuant to a written agreement with the Company or a Company Subsidiary (collectively, “Company Data Partners”), comply and have at all times since January 1, 2020 complied, in all material respects, has complied with all applicable (i) Privacy Laws, (ii) externalsuch Opt-facing policies, notices, and/or statements published by the Company or a Company Subsidiary, as applicable, related to Personal Information (“Company Privacy Policy”), and out Notifications. (iii) contractual commitments related to the Processing of Personal Information in a Company Material Contract (collectively, “Company Privacy Requirements”). All Company Privacy Policies are and have been materially accurate, consistent and complete and not misleading or deceptive (including by omission) in any material respect. To the Company’s Knowledge, the execution, delivery, and or performance of this Agreement do not conflict with and consummation of transactions contemplated hereby will not violate any applicable Privacy Laws, Privacy Policies or Privacy Contracts or result in a breach of any Company Privacy Requirements or require the consent of or provision of notice give rise to any Person. (b) The right of termination or other right to impair or limit Buyer’s rights to own or use any Personal Information used in or necessary for the conduct of the Business as presently conducted. Each Privacy Policy, and all materials distributed or marketed by the Company and each Company Subsidiary have at all times since January 1made all disclosures to employees, 2020 implemented users, customers, prospective customers, and maintained commercially reasonable measures designed other applicable parties as the case may be, required by applicable Laws and none of such disclosures made or contained in any such materials have been inaccurate, misleading, or deceptive or in violation of any applicable Laws. (iv) There has been no notice to, complaint against or audit, proceeding or investigation conducted or claim asserted with respect to protect Personal Information against the Company by any accidentalPerson (including any Governmental Authority) related to the collection, unlawful or unauthorized accessprocessing, use, lossstorage, disclosuredistribution, alteration, destructiontransfer, or compromise disclosure of Personal Information (a each such event, an “Security Information Incident”)) that would have a Material Adverse Effect. To the Company’s Knowledge, none of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, any Company Data Partners have experienced any material Security Incidents, including any successful ransomware attack or denial-of-service attack material to the Company or Company Subsidiary’s operations. In relation to any Security Incident and/or Company Privacy Requirement, none of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, any Company Data Partners, have : (i) notified or no Information Incident has been required overtly threatened, including the receipt of a demand for payment at the risk of losing access to notify any Person under Privacy Lawsdata, or and (ii) received any notice, inquiry, request, claim, complaint, correspondence no event has occurred or other communication from, or been the subject of any investigation or enforcement action by, any Person. To the Company’s Knowledge, there are no facts or circumstances circumstance exists that would reasonably be expected to give rise to have a Material Adverse Effect. (v) The Company is, and for the occurrence of past five (i5) or (ii)years has been, in compliance with applicable PCI Requirements.

Privacy; Data Security. (a) The CompanyExcept as would not, individually or in the aggregate, have a Company Material Adverse Effect, (i) the Systems perform in a manner that permits the Company Subsidiaries, and, to the Company’s Knowledge, all third parties Processing Personal Information on behalf of any Company Subsidiary pursuant to a written agreement with and the Company or a Subsidiaries to conduct their respective businesses as currently conducted; (ii) the Company Subsidiary and the Company Subsidiaries have taken all commercially reasonable actions (collectivelyA) to monitor and protect the confidentiality, “integrity, operation and security of the Company Data Partners”)Platforms and Systems, comply and have at all times (B) to implement and maintain business continuity, backup, security and disaster recovery plans, procedures and facilities; (iii) since January 1, 2020 complied2018, in all material respectsto the Knowledge of the Company, with all applicable (i) Privacy Lawsthere has been no corruption, (ii) external-facing policiesmalfunction or failure of, noticesdisruption to, and/or statements published by the or malicious code contained in, any Systems or Company or a Company Subsidiary, as applicable, related to Personal Information (“Company Privacy Policy”), Platforms; and (iiiiv) contractual commitments related to the Processing Knowledge of Personal Information in a Company Material Contract (collectively, “Company Privacy Requirements”). All Company Privacy Policies are and have been materially accurate, consistent and complete and not misleading or deceptive (including by omission) in any material respect. To the Company’s Knowledge, there has been no unauthorized access, use, modification, interruption or corruption of the execution, delivery, and performance of this Agreement do not conflict with and will not result in a breach of any Systems or Company Privacy Requirements or require the consent of or provision of notice to any PersonPlatforms. (b) The Company and each Company Subsidiary Subsidiaries are, and have at all times been since January 1, 2020 2018, in compliance in all material respects with, and not in material default or violation of, Privacy and Security Laws, Privacy Policies and Privacy Contracts, and neither the execution and delivery of this Agreement nor the consummation of the Transactions will violate any Privacy and Security Laws, Privacy Policies or Privacy Contracts in any material respect. (c) Except as would not, individually or in the aggregate, have a Company Material Adverse Effect, (i) no Privacy Policies of the Company or any Company Subsidiary have contained any omissions or been misleading or deceptive; (ii) the Company and Company Subsidiaries have implemented and maintained commercially reasonable measures designed safeguards, consistent with industry practice, to protect Personal Information Relevant Data against any accidentalloss, unlawful theft, misuse or unauthorized access, use, loss, modification or disclosure, alteration, destruction, ; (iii) the Company and Company Subsidiaries have taken commercially reasonable steps to ensure that any Person to whom the Company or compromise any Company Subsidiary has granted access to Relevant Data has implemented and maintained the same; and (a “Security Incident”). To iv) to the Company’s Knowledge, none Knowledge of the Company, there has been no loss, theft, misuse or unauthorized access, use, modification or disclosure of Relevant Data. (d) Since January 1, 2018, (i) except as would not, individually or in the aggregate, have a Company Material Adverse Effect, to the Knowledge of the Company, there have been no (A) breaches, security incidents, misuse of or unauthorized access to or use of any Systems or any Relevant Data Processed thereon, stored or contained therein, or transmitted thereby or (B) unauthorized modifications or disclosures of any Relevant Data; (ii) the Company Subsidiariesand Company Subsidiaries have not provided or been legally required to provide any notices to any Person in connection with any breaches, security incidents, misuse or unauthorized access to or use of any Systems or Relevant Data, or unauthorized modifications or disclosures of any Relevant Data; and (iii) neither the Company nor any of the Company Subsidiaries has received any written notice (including from Persons acting on its behalf) of any claim or allegation of the violation of, or failure to comply with, any Privacy and Security Laws, Privacy Policies or Privacy Contracts. No Action is pending or, to the Company’s Knowledge, any Company Data Partners have experienced any material Security Incidents, including any successful ransomware attack or denial-of-service attack material to the Company or Company Subsidiary’s operations. In relation to any Security Incident and/or Company Privacy Requirement, none Knowledge of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, threatened alleging any Company Data Partners, have (i) notified such violation or been required to notify any Person under Privacy Lawsfailure that has had, or (ii) received any notice, inquiry, request, claim, complaint, correspondence or other communication from, or been the subject of any investigation or enforcement action by, any Person. To the Company’s Knowledge, there are no facts or circumstances that would reasonably be expected to give rise to have, individually or in the occurrence of (i) or (ii)aggregate, a Company Material Adverse Effect.