Common use of Privacy and Data Security Clause in Contracts

Privacy and Data Security. “Business Privacy and Data Security Policies” means all of the Company’s past or present, internal or public-facing policies, notices, and statements concerning the privacy, security, or Processing of Personal Information. “Personal Information” means any information that identifies or, alone or in combination with any other information, could reasonably be used to identify, locate, or contact a natural person, including name, street address, telephone number, email address, identification number issued by a Governmental Entity, credit card number, bank information, customer or account number, online identifier, device identifier, IP address, browsing history, search history, or other website, application, or online activity or usage data, location data, biometric data, medical or health information, or any other information that is considered “personally identifiable information,” “personal information,” or “personal data” under Applicable Law. “Privacy Laws” means all applicable Laws, Governmental Orders, and binding guidance issued by any Governmental Entity concerning the privacy, security, or Processing of Personal Information (including Applicable Laws of jurisdictions where Personal Information was collected), including, as applicable, data breach notification Applicable Laws, consumer protection Applicable Laws, Applicable Laws concerning requirements for website and mobile application privacy policies and practices, Social Security number protection Applicable Laws, data security Applicable Laws, and Applicable Laws concerning email, text message, or telephone communications. Without limiting the foregoing, Privacy Laws include: the Federal Trade Commission Act, the Telephone Consumer Protection Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, the Children’s Online Privacy Protection Act, the California Consumer Privacy Act of 2018, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transaction Act, the Health Insurance Portability and Accountability Act of 1996, as amended and supplemented by the Health Information Technology for Economic and Clinical Health Act of the American Recovery and Reinvestment Act of 2009, the Xxxxx-Xxxxx-Xxxxxx Act, the Family Educational Rights and Privacy Act, the GDPR, and all other similar international, federal, state, provincial, and local Applicable Laws. “Processing” means any operation performed on Personal Information, including the collection, creation, receipt, access, use, handling, compilation, analysis, monitoring, maintenance, storage, transmission, transfer, protection, disclosure, destruction, or disposal of Personal Information. The Company, and to the Company’s knowledge, all vendors, processors, or other third parties acting for or on behalf of the Company in connection with the Processing of Personal Information or that otherwise have been authorized to have access to Personal Information in the possession or control of the Company, comply and at all times in the past two (2) years have complied, with all of the following in the conduct of the Company’s business, except where the failure to so comply would not result in a Material Adverse Change: (A) Privacy Laws; (B) rules of self-regulatory organizations, including the Payment Card Industry Data Security Standard; (C) industry standards, guidelines, and best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework; (D) the Business Privacy and Data Security Policies; and (E) all obligations or restrictions concerning the privacy, security, or Processing of Personal Information under any contract, commitment, undertaking or other agreement to which the Company is a party or otherwise bound as of the date hereof. The Company has posted to each of its websites and published or otherwise made available in connection with each of its business products a Business Privacy and Data Security Policy. No disclosure or representation made or contained in any Business Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy Laws (including by containing any material omission), and the Company’s practices with respect to the Processing of Personal Information in the Business conform in all material respects, and at all times in the past two (2) years have conformed in all material respects, to the Business Privacy and Data Security Policies that govern the use of such Personal Information. In the past two (2) years, (A) to the Company’s knowledge, no Personal Information in the possession or control of the Company, or held or Processed by any vendor, processor, or other third party for or on behalf of the Company has been subject to any data or security breach or unauthorized access, disclosure, use, loss, denial or loss of use, alteration, destruction, compromise, or Processing (a “Security Incident”), and (B) the Company has not notified and, to the Company’s knowledge, there have been no facts or circumstances that would require the Company to notify, any Governmental Entity or other person of any Security Incident in the conduct of the Business. In the past two (2) years, the Company has not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Entity or other person, and to the Company’s knowledge there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other Action relating to, any actual, alleged, or suspected Security Incident or violation of any Privacy Law involving Personal Information in the possession or control of the Company, or held or Processed by any vendor, processor, or other third party for or on behalf of the Company. The Company has at all times in the past two (2) years implemented and maintained, and required all vendors, processors, and other third parties that Process any Personal Information for or on behalf of the Company to implement and maintain, all security measures, plans, procedures, controls, and programs, including written information security programs, to (A) identify and address internal and external risks to the privacy and security of Personal Information in their possession or control; (B) implement, monitor, and improve adequate and effective administrative, technical, and physical safeguards to protect such Personal Information and the operation, integrity, and security of its software, systems, applications, and websites involved in the Processing of Personal Information; and (C) provide notification in compliance with applicable Privacy Laws in the case of any Security Incident. In the past two (2) years, the Company has at least annually performed a security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company has used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessment.

Privacy and Data Security. “Business Privacy and Data Security Policies” means all of the Company’s past or present, internal or public-facing policies, notices, and statements concerning the privacy, security, or Processing of Personal Information. “Personal Information” means any information that identifies or, alone or in combination with any other information, could reasonably be used to identify, locate, or contact a natural person, including name, street address, telephone number, email address, identification number issued by a Governmental Entity, credit card number, bank information, customer or account number, online identifier, device identifier, IP address, browsing history, search history, or other website, application, or online activity or usage data, location data, biometric data, medical or health information, or any other information that is considered “personally identifiable information,” “personal information,” or “personal data” under Applicable Law. “Privacy Laws” means all applicable Applicable Laws, Governmental Ordersgovernmental orders, and binding guidance issued by any Governmental Entity concerning the privacy, security, or Processing of Personal Information (including Applicable Laws of jurisdictions where Personal Information was collected), including, as applicable, data breach notification Applicable Laws, consumer protection Applicable Laws, Applicable Laws concerning requirements for website and mobile application privacy policies and practices, Social Security number protection Applicable Laws, data security Applicable Laws, and Applicable Laws concerning email, text message, or telephone communications. Without limiting the foregoing, Privacy Laws include: the Federal Trade Commission Act, the Telephone Consumer Protection Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, the Children’s Online Privacy Protection Act, the California Consumer Privacy Act of 2018, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transaction Act, the Health Insurance Portability and Accountability Act of 1996, as amended and supplemented by the Health Information Technology for Economic and Clinical Health Act of the American Recovery and Reinvestment Act of 2009, the Xxxxx-Xxxxx-Xxxxxx Act, the Family Educational Rights and Privacy Act, the GDPR, and all other similar international, federal, state, provincial, and local Applicable Laws. “Processing” means any operation performed on Personal Information, including the collection, creation, receipt, access, use, handling, compilation, analysis, monitoring, maintenance, storage, transmission, transfer, protection, disclosure, destruction, or disposal of Personal Information. The Company, and to the Company’s knowledge, all vendors, processors, or other third parties acting for or on behalf of the Company in connection with the Processing of Personal Information or that otherwise have been authorized to have access to Personal Information in the possession or control of the Company, comply and at all times in the past two (2) years have complied, with all of the following in the conduct of the Company’s business, except where the failure to so comply would not result in a Material Adverse ChangeEffect: (A) Privacy Laws; (B) rules of self-regulatory selfregulatory organizations, including the Payment Card Industry Data Security Standard; (C) industry standards, guidelines, and best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework; (D) the Business Privacy and Data Security Policies; and (E) all obligations or restrictions concerning the privacy, security, or Processing of Personal Information under any contract, commitment, undertaking or other agreement to which the Company is a party or otherwise bound as of the date hereof. The Company has posted to each of its websites and published or otherwise made available in connection with each of its business products a Business Privacy and Data Security Policy. No disclosure or representation made or contained in any Business Privacy and Data Security Policy has been inaccurate, misleading, deceptive, or in violation of any Privacy Laws (including by containing any material omission), and the Company’s practices with respect to the Processing of Personal Information in the Business business of the Company conform in all material respects, and at all times in the past two (2) years have conformed in all material respects, to the Business Privacy and Data Security Policies that govern the use of such Personal Information. In the past two (2) years, (A) to the Company’s knowledge, no Personal Information in the possession or control of the Company, or held or Processed by any vendor, processor, or other third party for or on behalf of the Company has been subject to any data or security breach or unauthorized access, disclosure, use, loss, denial or loss of use, alteration, destruction, compromise, or Processing (a “Security Incident”), and (B) the Company has not notified and, to the Company’s knowledge, there have been no facts or circumstances that would require the Company to notify, any Governmental Entity or other person of any Security Incident in the conduct of the Businessbusiness of the Company. In the past two (2) years, the Company has not received any notice, request, claim, complaint, correspondence, or other communication in writing from any Governmental Entity or other person, and to the Company’s knowledge there has not been any audit, investigation, enforcement action (including any fines or other sanctions), or other Action action relating to, any actual, alleged, or suspected Security Incident or violation of any Privacy Law involving Personal Information in the possession or control of the Company, or held or Processed by any vendor, processor, or other third party for or on behalf of the Company. The Company has at all times in the past two (2) years implemented and maintained, and required all vendors, processors, and other third parties that Process any Personal Information for or on behalf of the Company to implement and maintain, all security measures, plans, procedures, controls, and programs, including written information security programs, to (A) identify and address internal and external risks to the privacy and security of Personal Information in their possession or control; (B) implement, monitor, and improve adequate and effective administrative, technical, and physical safeguards to protect such Personal Information and the operation, integrity, and security of its software, systems, applications, and websites involved in the Processing of Personal Information; and (C) provide notification in compliance with applicable Privacy Laws in the case of any Security Incident. In the past two (2) years, the Company has at least annually performed a security risk assessment and a privacy impact assessment and obtained an independent vulnerability assessment performed by a recognized third-party audit firm. The Company has used reasonable efforts to address and remediate all threats and deficiencies identified in each such assessment.